Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
ed17876e
Commit
ed17876e
authored
Jun 01, 2018
by
Mike Danese
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
plumb apiAudience to TokenReview registry
parent
162699ca
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
28 additions
and
7 deletions
+28
-7
master.go
pkg/master/master.go
+1
-1
storage_authentication.go
pkg/registry/authentication/rest/storage_authentication.go
+3
-2
BUILD
pkg/registry/authentication/tokenreview/BUILD
+1
-0
storage.go
pkg/registry/authentication/tokenreview/storage.go
+23
-4
No files found.
pkg/master/master.go
View file @
ed17876e
...
@@ -335,7 +335,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
...
@@ -335,7 +335,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
// handlers that we have.
// handlers that we have.
restStorageProviders
:=
[]
RESTStorageProvider
{
restStorageProviders
:=
[]
RESTStorageProvider
{
auditregistrationrest
.
RESTStorageProvider
{},
auditregistrationrest
.
RESTStorageProvider
{},
authenticationrest
.
RESTStorageProvider
{
Authenticator
:
c
.
GenericConfig
.
Authentication
.
Authenticator
},
authenticationrest
.
RESTStorageProvider
{
Authenticator
:
c
.
GenericConfig
.
Authentication
.
Authenticator
,
APIAudiences
:
c
.
GenericConfig
.
Authentication
.
APIAudiences
},
authorizationrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authorization
.
Authorizer
,
RuleResolver
:
c
.
GenericConfig
.
RuleResolver
},
authorizationrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authorization
.
Authorizer
,
RuleResolver
:
c
.
GenericConfig
.
RuleResolver
},
autoscalingrest
.
RESTStorageProvider
{},
autoscalingrest
.
RESTStorageProvider
{},
batchrest
.
RESTStorageProvider
{},
batchrest
.
RESTStorageProvider
{},
...
...
pkg/registry/authentication/rest/storage_authentication.go
View file @
ed17876e
...
@@ -31,6 +31,7 @@ import (
...
@@ -31,6 +31,7 @@ import (
type
RESTStorageProvider
struct
{
type
RESTStorageProvider
struct
{
Authenticator
authenticator
.
Request
Authenticator
authenticator
.
Request
APIAudiences
authenticator
.
Audiences
}
}
func
(
p
RESTStorageProvider
)
NewRESTStorage
(
apiResourceConfigSource
serverstorage
.
APIResourceConfigSource
,
restOptionsGetter
generic
.
RESTOptionsGetter
)
(
genericapiserver
.
APIGroupInfo
,
bool
)
{
func
(
p
RESTStorageProvider
)
NewRESTStorage
(
apiResourceConfigSource
serverstorage
.
APIResourceConfigSource
,
restOptionsGetter
generic
.
RESTOptionsGetter
)
(
genericapiserver
.
APIGroupInfo
,
bool
)
{
...
@@ -56,7 +57,7 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
...
@@ -56,7 +57,7 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
func
(
p
RESTStorageProvider
)
v1beta1Storage
(
apiResourceConfigSource
serverstorage
.
APIResourceConfigSource
,
restOptionsGetter
generic
.
RESTOptionsGetter
)
map
[
string
]
rest
.
Storage
{
func
(
p
RESTStorageProvider
)
v1beta1Storage
(
apiResourceConfigSource
serverstorage
.
APIResourceConfigSource
,
restOptionsGetter
generic
.
RESTOptionsGetter
)
map
[
string
]
rest
.
Storage
{
storage
:=
map
[
string
]
rest
.
Storage
{}
storage
:=
map
[
string
]
rest
.
Storage
{}
// tokenreviews
// tokenreviews
tokenReviewStorage
:=
tokenreview
.
NewREST
(
p
.
Authenticator
)
tokenReviewStorage
:=
tokenreview
.
NewREST
(
p
.
Authenticator
,
p
.
APIAudiences
)
storage
[
"tokenreviews"
]
=
tokenReviewStorage
storage
[
"tokenreviews"
]
=
tokenReviewStorage
return
storage
return
storage
...
@@ -65,7 +66,7 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag
...
@@ -65,7 +66,7 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag
func
(
p
RESTStorageProvider
)
v1Storage
(
apiResourceConfigSource
serverstorage
.
APIResourceConfigSource
,
restOptionsGetter
generic
.
RESTOptionsGetter
)
map
[
string
]
rest
.
Storage
{
func
(
p
RESTStorageProvider
)
v1Storage
(
apiResourceConfigSource
serverstorage
.
APIResourceConfigSource
,
restOptionsGetter
generic
.
RESTOptionsGetter
)
map
[
string
]
rest
.
Storage
{
storage
:=
map
[
string
]
rest
.
Storage
{}
storage
:=
map
[
string
]
rest
.
Storage
{}
// tokenreviews
// tokenreviews
tokenReviewStorage
:=
tokenreview
.
NewREST
(
p
.
Authenticator
)
tokenReviewStorage
:=
tokenreview
.
NewREST
(
p
.
Authenticator
,
p
.
APIAudiences
)
storage
[
"tokenreviews"
]
=
tokenReviewStorage
storage
[
"tokenreviews"
]
=
tokenReviewStorage
return
storage
return
storage
...
...
pkg/registry/authentication/tokenreview/BUILD
View file @
ed17876e
...
@@ -17,6 +17,7 @@ go_library(
...
@@ -17,6 +17,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//vendor/k8s.io/klog:go_default_library",
],
],
)
)
...
...
pkg/registry/authentication/tokenreview/storage.go
View file @
ed17876e
...
@@ -18,6 +18,7 @@ package tokenreview
...
@@ -18,6 +18,7 @@ package tokenreview
import
(
import
(
"context"
"context"
"errors"
"fmt"
"fmt"
"net/http"
"net/http"
...
@@ -27,15 +28,22 @@ import (
...
@@ -27,15 +28,22 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapirequest
"k8s.io/apiserver/pkg/endpoints/request"
genericapirequest
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/klog"
"k8s.io/kubernetes/pkg/apis/authentication"
"k8s.io/kubernetes/pkg/apis/authentication"
)
)
var
badAuthenticatorAuds
=
apierrors
.
NewInternalError
(
errors
.
New
(
"error validating audiences"
))
type
REST
struct
{
type
REST
struct
{
tokenAuthenticator
authenticator
.
Request
tokenAuthenticator
authenticator
.
Request
apiAudiences
[]
string
}
}
func
NewREST
(
tokenAuthenticator
authenticator
.
Request
)
*
REST
{
func
NewREST
(
tokenAuthenticator
authenticator
.
Request
,
apiAudiences
[]
string
)
*
REST
{
return
&
REST
{
tokenAuthenticator
:
tokenAuthenticator
}
return
&
REST
{
tokenAuthenticator
:
tokenAuthenticator
,
apiAudiences
:
apiAudiences
,
}
}
}
func
(
r
*
REST
)
NamespaceScoped
()
bool
{
func
(
r
*
REST
)
NamespaceScoped
()
bool
{
...
@@ -68,14 +76,24 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
...
@@ -68,14 +76,24 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
fakeReq
:=
&
http
.
Request
{
Header
:
http
.
Header
{}}
fakeReq
:=
&
http
.
Request
{
Header
:
http
.
Header
{}}
fakeReq
.
Header
.
Add
(
"Authorization"
,
"Bearer "
+
tokenReview
.
Spec
.
Token
)
fakeReq
.
Header
.
Add
(
"Authorization"
,
"Bearer "
+
tokenReview
.
Spec
.
Token
)
auds
:=
tokenReview
.
Spec
.
Audiences
if
len
(
auds
)
==
0
{
auds
=
r
.
apiAudiences
}
if
len
(
auds
)
>
0
{
fakeReq
=
fakeReq
.
WithContext
(
authenticator
.
WithAudiences
(
fakeReq
.
Context
(),
auds
))
}
resp
,
ok
,
err
:=
r
.
tokenAuthenticator
.
AuthenticateRequest
(
fakeReq
)
resp
,
ok
,
err
:=
r
.
tokenAuthenticator
.
AuthenticateRequest
(
fakeReq
)
tokenReview
.
Status
.
Authenticated
=
ok
tokenReview
.
Status
.
Authenticated
=
ok
if
err
!=
nil
{
if
err
!=
nil
{
tokenReview
.
Status
.
Error
=
err
.
Error
()
tokenReview
.
Status
.
Error
=
err
.
Error
()
}
}
// TODO(mikedanese): verify the response audience matches one of apiAuds if
if
len
(
auds
)
>
0
&&
resp
!=
nil
&&
len
(
authenticator
.
Audiences
(
auds
)
.
Intersect
(
resp
.
Audiences
))
==
0
{
// non-empty
klog
.
Errorf
(
"error validating audience. want=%q got=%q"
,
auds
,
resp
.
Audiences
)
return
nil
,
badAuthenticatorAuds
}
if
resp
!=
nil
&&
resp
.
User
!=
nil
{
if
resp
!=
nil
&&
resp
.
User
!=
nil
{
tokenReview
.
Status
.
User
=
authentication
.
UserInfo
{
tokenReview
.
Status
.
User
=
authentication
.
UserInfo
{
...
@@ -87,6 +105,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
...
@@ -87,6 +105,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
for
k
,
v
:=
range
resp
.
User
.
GetExtra
()
{
for
k
,
v
:=
range
resp
.
User
.
GetExtra
()
{
tokenReview
.
Status
.
User
.
Extra
[
k
]
=
authentication
.
ExtraValue
(
v
)
tokenReview
.
Status
.
User
.
Extra
[
k
]
=
authentication
.
ExtraValue
(
v
)
}
}
tokenReview
.
Status
.
Audiences
=
resp
.
Audiences
}
}
return
tokenReview
,
nil
return
tokenReview
,
nil
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment