Commit e1638f11 authored by deads2k's avatar deads2k

run authorization from a cache

parent 2c4e618b
...@@ -39,7 +39,6 @@ import ( ...@@ -39,7 +39,6 @@ import (
"k8s.io/kubernetes/pkg/apis/autoscaling" "k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/batch" "k8s.io/kubernetes/pkg/apis/batch"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apiserver" "k8s.io/kubernetes/pkg/apiserver"
"k8s.io/kubernetes/pkg/apiserver/authenticator" "k8s.io/kubernetes/pkg/apiserver/authenticator"
"k8s.io/kubernetes/pkg/apiserver/openapi" "k8s.io/kubernetes/pkg/apiserver/openapi"
...@@ -52,20 +51,10 @@ import ( ...@@ -52,20 +51,10 @@ import (
generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi" generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver" "k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer" "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation" genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client" kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
"k8s.io/kubernetes/pkg/master" "k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/registry/cachesize" "k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/role"
roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
"k8s.io/kubernetes/pkg/serviceaccount" "k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/pkg/util/wait" "k8s.io/kubernetes/pkg/util/wait"
authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union" authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
...@@ -246,16 +235,16 @@ func Run(s *options.APIServer) error { ...@@ -246,16 +235,16 @@ func Run(s *options.APIServer) error {
glog.Fatalf("Invalid Authentication Config: %v", err) glog.Fatalf("Invalid Authentication Config: %v", err)
} }
authorizationModeNames := strings.Split(s.AuthorizationMode, ",") privilegedLoopbackToken := uuid.NewRandom().String()
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
modeEnabled := func(mode string) bool { if err != nil {
for _, m := range authorizationModeNames { glog.Fatalf("Failed to create clientset: %v", err)
if m == mode {
return true
}
}
return false
} }
client, err := s.NewSelfClient(privilegedLoopbackToken)
if err != nil {
glog.Errorf("Failed to create clientset: %v", err)
}
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
authorizationConfig := authorizer.AuthorizationConfig{ authorizationConfig := authorizer.AuthorizationConfig{
PolicyFile: s.AuthorizationPolicyFile, PolicyFile: s.AuthorizationPolicyFile,
...@@ -263,39 +252,15 @@ func Run(s *options.APIServer) error { ...@@ -263,39 +252,15 @@ func Run(s *options.APIServer) error {
WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL, WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL, WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
RBACSuperUser: s.AuthorizationRBACSuperUser, RBACSuperUser: s.AuthorizationRBACSuperUser,
InformerFactory: sharedInformers,
} }
if modeEnabled(genericoptions.ModeRBAC) { authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
mustGetRESTOptions := func(resource string) generic.RESTOptions {
config, err := storageFactory.NewConfig(rbac.Resource(resource))
if err != nil {
glog.Fatalf("Unable to get %s storage: %v", resource, err)
}
return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
}
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
}
apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig) apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
if err != nil { if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err) glog.Fatalf("Invalid Authorization Config: %v", err)
} }
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",") admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
privilegedLoopbackToken := uuid.NewRandom().String()
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
if err != nil {
glog.Fatalf("Failed to create clientset: %v", err)
}
client, err := s.NewSelfClient(privilegedLoopbackToken)
if err != nil {
glog.Errorf("Failed to create clientset: %v", err)
}
// TODO(dims): We probably need to add an option "EnableLoopbackToken" // TODO(dims): We probably need to add an option "EnableLoopbackToken"
if apiAuthenticator != nil { if apiAuthenticator != nil {
...@@ -314,7 +279,6 @@ func Run(s *options.APIServer) error { ...@@ -314,7 +279,6 @@ func Run(s *options.APIServer) error {
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer) apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
} }
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer) pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer) admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
......
...@@ -32,7 +32,6 @@ import ( ...@@ -32,7 +32,6 @@ import (
"k8s.io/kubernetes/pkg/admission" "k8s.io/kubernetes/pkg/admission"
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/unversioned" "k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apiserver/authenticator" "k8s.io/kubernetes/pkg/apiserver/authenticator"
apiserveropenapi "k8s.io/kubernetes/pkg/apiserver/openapi" apiserveropenapi "k8s.io/kubernetes/pkg/apiserver/openapi"
authorizerunion "k8s.io/kubernetes/pkg/auth/authorizer/union" authorizerunion "k8s.io/kubernetes/pkg/auth/authorizer/union"
...@@ -41,19 +40,10 @@ import ( ...@@ -41,19 +40,10 @@ import (
"k8s.io/kubernetes/pkg/generated/openapi" "k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver" "k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer" "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation" genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
"k8s.io/kubernetes/pkg/registry/cachesize" "k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/generic" "k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/generic/registry" "k8s.io/kubernetes/pkg/registry/generic/registry"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/role"
roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
"k8s.io/kubernetes/pkg/routes" "k8s.io/kubernetes/pkg/routes"
"k8s.io/kubernetes/pkg/util/wait" "k8s.io/kubernetes/pkg/util/wait"
authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union" authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
...@@ -136,16 +126,16 @@ func Run(s *options.ServerRunOptions) error { ...@@ -136,16 +126,16 @@ func Run(s *options.ServerRunOptions) error {
glog.Fatalf("Invalid Authentication Config: %v", err) glog.Fatalf("Invalid Authentication Config: %v", err)
} }
authorizationModeNames := strings.Split(s.AuthorizationMode, ",") privilegedLoopbackToken := uuid.NewRandom().String()
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
modeEnabled := func(mode string) bool { if err != nil {
for _, m := range authorizationModeNames { glog.Fatalf("Failed to create clientset: %v", err)
if m == mode {
return true
}
}
return false
} }
client, err := s.NewSelfClient(privilegedLoopbackToken)
if err != nil {
glog.Errorf("Failed to create clientset: %v", err)
}
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
authorizationConfig := authorizer.AuthorizationConfig{ authorizationConfig := authorizer.AuthorizationConfig{
PolicyFile: s.AuthorizationPolicyFile, PolicyFile: s.AuthorizationPolicyFile,
...@@ -153,39 +143,15 @@ func Run(s *options.ServerRunOptions) error { ...@@ -153,39 +143,15 @@ func Run(s *options.ServerRunOptions) error {
WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL, WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL, WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
RBACSuperUser: s.AuthorizationRBACSuperUser, RBACSuperUser: s.AuthorizationRBACSuperUser,
InformerFactory: sharedInformers,
} }
if modeEnabled(genericoptions.ModeRBAC) { authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
mustGetRESTOptions := func(resource string) generic.RESTOptions {
config, err := storageFactory.NewConfig(rbac.Resource(resource))
if err != nil {
glog.Fatalf("Unable to get %s storage: %v", resource, err)
}
return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
}
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
}
apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig) apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
if err != nil { if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err) glog.Fatalf("Invalid Authorization Config: %v", err)
} }
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",") admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
privilegedLoopbackToken := uuid.NewRandom().String()
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
if err != nil {
glog.Fatalf("Failed to create clientset: %v", err)
}
client, err := s.NewSelfClient(privilegedLoopbackToken)
if err != nil {
glog.Errorf("Failed to create clientset: %v", err)
}
// TODO(dims): We probably need to add an option "EnableLoopbackToken" // TODO(dims): We probably need to add an option "EnableLoopbackToken"
if apiAuthenticator != nil { if apiAuthenticator != nil {
...@@ -204,7 +170,6 @@ func Run(s *options.ServerRunOptions) error { ...@@ -204,7 +170,6 @@ func Run(s *options.ServerRunOptions) error {
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer) apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
} }
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer) pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer) admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
......
...@@ -24,11 +24,8 @@ import ( ...@@ -24,11 +24,8 @@ import (
"k8s.io/kubernetes/pkg/auth/authorizer" "k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer/abac" "k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/authorizer/union" "k8s.io/kubernetes/pkg/auth/authorizer/union"
"k8s.io/kubernetes/pkg/controller/informers"
"k8s.io/kubernetes/pkg/genericapiserver/options" "k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
"k8s.io/kubernetes/pkg/registry/rbac/role"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac" "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook" "k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
) )
...@@ -117,10 +114,7 @@ type AuthorizationConfig struct { ...@@ -117,10 +114,7 @@ type AuthorizationConfig struct {
// User which can bootstrap role policies // User which can bootstrap role policies
RBACSuperUser string RBACSuperUser string
RBACClusterRoleRegistry clusterrole.Registry InformerFactory informers.SharedInformerFactory
RBACClusterRoleBindingRegistry clusterrolebinding.Registry
RBACRoleRegistry role.Registry
RBACRoleBindingRegistry rolebinding.Registry
} }
// NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects // NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
...@@ -167,10 +161,10 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au ...@@ -167,10 +161,10 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
authorizers = append(authorizers, webhookAuthorizer) authorizers = append(authorizers, webhookAuthorizer)
case options.ModeRBAC: case options.ModeRBAC:
rbacAuthorizer := rbac.New( rbacAuthorizer := rbac.New(
config.RBACRoleRegistry, config.InformerFactory.Roles().Lister(),
config.RBACRoleBindingRegistry, config.InformerFactory.RoleBindings().Lister(),
config.RBACClusterRoleRegistry, config.InformerFactory.ClusterRoles().Lister(),
config.RBACClusterRoleBindingRegistry, config.InformerFactory.ClusterRoleBindings().Lister(),
config.RBACSuperUser, config.RBACSuperUser,
) )
authorizers = append(authorizers, rbacAuthorizer) authorizers = append(authorizers, rbacAuthorizer)
......
...@@ -22,10 +22,6 @@ import ( ...@@ -22,10 +22,6 @@ import (
"k8s.io/kubernetes/pkg/apis/rbac/validation" "k8s.io/kubernetes/pkg/apis/rbac/validation"
"k8s.io/kubernetes/pkg/auth/authorizer" "k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user" "k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
"k8s.io/kubernetes/pkg/registry/rbac/role"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
) )
type RequestToRuleMapper interface { type RequestToRuleMapper interface {
...@@ -55,14 +51,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo ...@@ -55,14 +51,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return false, "", ruleResolutionError return false, "", ruleResolutionError
} }
func New(roleRegistry role.Registry, roleBindingRegistry rolebinding.Registry, clusterRoleRegistry clusterrole.Registry, clusterRoleBindingRegistry clusterrolebinding.Registry, superUser string) *RBACAuthorizer { func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister, superUser string) *RBACAuthorizer {
authorizer := &RBACAuthorizer{ authorizer := &RBACAuthorizer{
superUser: superUser, superUser: superUser,
authorizationRuleResolver: validation.NewDefaultRuleResolver( authorizationRuleResolver: validation.NewDefaultRuleResolver(
role.AuthorizerAdapter{Registry: roleRegistry}, roles, roleBindings, clusterRoles, clusterRoleBindings,
rolebinding.AuthorizerAdapter{Registry: roleBindingRegistry},
clusterrole.AuthorizerAdapter{Registry: clusterRoleRegistry},
clusterrolebinding.AuthorizerAdapter{Registry: clusterRoleBindingRegistry},
), ),
} }
return authorizer return authorizer
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment