// checkBuildAuthorization asks the authorizer whether the requesting user may
// "create" the resource that corresponds to the build's strategy type, and
// returns an admission error when the strategy is unknown or access is denied.
//
// The strategy is resolved to a (group, resource) pair first; a strategy type
// that resourceForStrategyType does not recognise is reported as Forbidden
// rather than as an internal error, so the caller sees a denial either way.
func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr admission.Attributes) error {
	strategy := build.Spec.Strategy

	// An unrecognised strategy type is treated as a denial, not as a server error.
	resource, err := resourceForStrategyType(strategy)
	if err != nil {
		return admission.NewForbidden(attr, err)
	}

	// The review is scoped to the requesting user by AddUserToLSAR; the build
	// object itself travels along as Content (presumably so the authorizer can
	// inspect it — confirm against the authorizer implementation).
	action := authorizationapi.AuthorizationAttributes{
		Verb:         "create",
		Group:        resource.Group,
		Resource:     resource.Resource,
		Content:      build,
		ResourceName: resourceName(build.ObjectMeta),
	}
	review := &authorizationapi.LocalSubjectAccessReview{Action: action}
	return a.checkAccess(strategy, authorizationapi.AddUserToLSAR(attr.GetUserInfo(), review), attr)
}
// Authorize runs a subject access review against the remote authorization
// API for the request described by a and reports whether it is allowed,
// together with the reason string the server returned.
//
// The namespace and user are taken from ctx. When the namespace is non-empty
// a LocalSubjectAccessReview is created in that namespace; otherwise a
// cluster-scoped SubjectAccessReview is used. A failure to run the review is
// logged and surfaced as an internal error with allowed=false, so a transport
// or server error never turns into a grant.
func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (bool, string, error) {
	// The namespace scopes the review; an empty namespace selects the cluster-wide SAR.
	namespace, _ := kapi.NamespaceFrom(ctx)

	// Identify the caller from the context.
	userInfo, hasUser := kapi.UserFrom(ctx)
	name := ""
	groups := sets.NewString()
	if hasUser {
		name = userInfo.GetName()
		groups.Insert(userInfo.GetGroups()...)
	}

	// Make sure we don't run a subject access review on our own permissions
	if len(name) == 0 && len(groups) == 0 {
		name = bootstrappolicy.UnauthenticatedUsername
		groups = sets.NewString(bootstrappolicy.UnauthenticatedGroup)
	}
	// NOTE(review): name and groups are not read past this point — the review
	// below is populated from userInfo by AddUserToLSAR/AddUserToSAR, so the
	// unauthenticated fallback computed above never reaches the server, and
	// userInfo is passed through even when hasUser is false. Confirm what
	// AddUserToLSAR/AddUserToSAR do with a missing user.Info before relying on
	// this path for anonymous requests.

	action := getAction(namespace, a)
	var (
		result *authzapi.SubjectAccessReviewResponse
		err    error
	)
	switch {
	case len(namespace) > 0:
		review := authzapi.AddUserToLSAR(userInfo, &authzapi.LocalSubjectAccessReview{Action: action})
		result, err = r.client.LocalSubjectAccessReviews(namespace).Create(review)
	default:
		review := authzapi.AddUserToSAR(userInfo, &authzapi.SubjectAccessReview{Action: action})
		result, err = r.client.SubjectAccessReviews().Create(review)
	}
	if err != nil {
		// Fail closed: an error from the review is reported as a denial.
		glog.Errorf("error running subject access review: %v", err)
		return false, "", kerrs.NewInternalError(err)
	}

	glog.V(2).Infof("allowed=%v, reason=%s", result.Allowed, result.Reason)
	return result.Allowed, result.Reason, nil
}