// DescribeRoleBinding renders a role binding as tabbed text: its metadata, the
// referenced role, its subjects grouped into users, groups, service accounts and
// remaining subjects, and the policy rules of the supplied role.
//
// err is reported under "Policy Rules" whenever it is non-nil, even if role is
// also set, so a reader of the output sees the error instead of a rule list.
// When err and role are both nil the rules are shown as "<none>".
// NOTE(review): err is presumably the result of the caller's role lookup — confirm at the call site.
func DescribeRoleBinding(roleBinding *authorizationapi.RoleBinding, role *authorizationapi.Role, err error) (string, error) {
	userNames, groupNames, saNames, otherNames := authorizationapi.SubjectsStrings(roleBinding.Namespace, roleBinding.Subjects)

	// Always joined with "/", so an empty RoleRef.Namespace is rendered as "/<name>".
	roleRef := roleBinding.RoleRef.Namespace + "/" + roleBinding.RoleRef.Name

	return tabbedString(func(out *tabwriter.Writer) error {
		formatMeta(out, roleBinding.ObjectMeta)
		formatString(out, "Role", roleRef)
		formatString(out, "Users", strings.Join(userNames, ", "))
		formatString(out, "Groups", strings.Join(groupNames, ", "))
		formatString(out, "ServiceAccounts", strings.Join(saNames, ", "))
		formatString(out, "Subjects", strings.Join(otherNames, ", "))

		// The error case is checked first: it wins over a non-nil role.
		if err != nil {
			formatString(out, "Policy Rules", fmt.Sprintf("error: %v", err))
			return nil
		}
		if role == nil {
			formatString(out, "Policy Rules", "<none>")
			return nil
		}

		fmt.Fprint(out, PolicyRuleHeadings+"\n")
		for _, r := range role.Rules {
			DescribePolicyRule(out, r, "")
		}
		return nil
	})
}
// printRoleBinding writes one tab-separated row for roleBinding to w: an optional
// namespace column (only when opts.WithNamespace is set), then the binding name,
// the referenced role as "namespace/name", and the comma-separated users, groups,
// service accounts and remaining subjects. The row ends with a newline.
//
// Only opts.WithNamespace is read here; the first write error is returned.
func printRoleBinding(roleBinding *authorizationapi.RoleBinding, w io.Writer, opts kctl.PrintOptions) error {
	if opts.WithNamespace {
		_, nsErr := fmt.Fprintf(w, "%s\t", roleBinding.Namespace)
		if nsErr != nil {
			return nsErr
		}
	}

	userNames, groupNames, saNames, otherNames := authorizationapi.SubjectsStrings(roleBinding.Namespace, roleBinding.Subjects)

	// Always joined with "/", so an empty RoleRef.Namespace is rendered as "/<name>".
	roleRef := roleBinding.RoleRef.Namespace + "/" + roleBinding.RoleRef.Name

	_, err := fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\n",
		roleBinding.Name,
		roleRef,
		strings.Join(userNames, ", "),
		strings.Join(groupNames, ", "),
		strings.Join(saNames, ", "),
		strings.Join(otherNames, ", "),
	)
	return err
}
// printRoleBinding writes one tab-separated row for roleBinding to w: an optional
// namespace column (only when withNamespace is true), then the binding name, the
// referenced role as "namespace/name", and the comma-separated users, groups,
// service accounts and remaining subjects. The row ends with a newline.
//
// wide and columnLabels are accepted but not used by this body.
func printRoleBinding(roleBinding *authorizationapi.RoleBinding, w io.Writer, withNamespace, wide bool, columnLabels []string) error {
	if withNamespace {
		_, nsErr := fmt.Fprintf(w, "%s\t", roleBinding.Namespace)
		if nsErr != nil {
			return nsErr
		}
	}

	userNames, groupNames, saNames, otherNames := authorizationapi.SubjectsStrings(roleBinding.Namespace, roleBinding.Subjects)

	// Each subject class becomes one comma-separated column.
	usersCol := strings.Join(userNames, ", ")
	groupsCol := strings.Join(groupNames, ", ")
	sasCol := strings.Join(saNames, ", ")
	othersCol := strings.Join(otherNames, ", ")

	// Always joined with "/", so an empty RoleRef.Namespace is rendered as "/<name>".
	roleRef := roleBinding.RoleRef.Namespace + "/" + roleBinding.RoleRef.Name

	_, err := fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\n", roleBinding.Name, roleRef, usersCol, groupsCol, sasCol, othersCol)
	return err
}
// printRoleBinding writes the columns for roleBinding to w: an optional namespace
// column (only when opts.WithNamespace is set), then the binding name, the
// referenced role as "namespace/name", and the comma-separated users, groups,
// service accounts and remaining subjects. The binding's labels are then handed
// to appendItemLabels together with opts.ColumnLabels and opts.ShowLabels.
//
// The row written here carries no trailing newline.
// NOTE(review): appendItemLabels presumably terminates the row — confirm.
func printRoleBinding(roleBinding *authorizationapi.RoleBinding, w io.Writer, opts kctl.PrintOptions) error {
	if opts.WithNamespace {
		_, nsErr := fmt.Fprintf(w, "%s\t", roleBinding.Namespace)
		if nsErr != nil {
			return nsErr
		}
	}

	userNames, groupNames, saNames, otherNames := authorizationapi.SubjectsStrings(roleBinding.Namespace, roleBinding.Subjects)

	// Always joined with "/", so an empty RoleRef.Namespace is rendered as "/<name>".
	roleRef := roleBinding.RoleRef.Namespace + "/" + roleBinding.RoleRef.Name

	_, rowErr := fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v",
		roleBinding.Name,
		roleRef,
		strings.Join(userNames, ", "),
		strings.Join(groupNames, ", "),
		strings.Join(saNames, ", "),
		strings.Join(otherNames, ", "),
	)
	if rowErr != nil {
		return rowErr
	}

	labelErr := appendItemLabels(roleBinding.Labels, w, opts.ColumnLabels, opts.ShowLabels)
	if labelErr != nil {
		return labelErr
	}
	return nil
}
// DescribePolicyBinding renders a policy binding as tabbed text: its metadata,
// last-modified value, the namespace of the referenced policy, and one section
// per contained role binding listing the role name and the binding's users,
// groups, service accounts and remaining subjects.
//
// Only RoleRef.Name is printed for each role binding; RoleRef.Namespace is not
// part of this view.
func DescribePolicyBinding(policyBinding *authorizationapi.PolicyBinding) (string, error) {
	describe := func(out *tabwriter.Writer) error {
		formatMeta(out, policyBinding.ObjectMeta)
		formatString(out, "Last Modified", policyBinding.LastModified)
		formatString(out, "Policy", policyBinding.PolicyRef.Namespace)

		// List() is used for the sorted key order it provides, so sections
		// come out in the same order on every call.
		names := sets.StringKeySet(policyBinding.RoleBindings).List()
		for _, name := range names {
			rb := policyBinding.RoleBindings[name]
			userNames, groupNames, saNames, otherNames := authorizationapi.SubjectsStrings(rb.Namespace, rb.Subjects)

			formatString(out, "RoleBinding["+name+"]", " ")
			formatString(out, "\tRole", rb.RoleRef.Name)
			formatString(out, "\tUsers", strings.Join(userNames, ", "))
			formatString(out, "\tGroups", strings.Join(groupNames, ", "))
			formatString(out, "\tServiceAccounts", strings.Join(saNames, ", "))
			formatString(out, "\tSubjects", strings.Join(otherNames, ", "))
		}
		return nil
	}

	return tabbedString(describe)
}
// Run removes the subjects built from o.Users and o.Groups from the role bindings
// reached through the policy bindings of o.BindingNamespace. Every role binding
// whose subject list shrinks is updated through o.Client, and each removal is
// reported on o.Out after its update succeeded. Requested users and groups that
// were never removed from any binding are reported at the end.
//
// Bindings are updated one at a time and the first failing Update aborts the run:
// bindings processed earlier stay modified, later ones are left untouched, so a
// returned error can mean the removal was only partially applied.
func (o *RemoveFromProjectOptions) Run() error {
	policyBindings, err := o.Client.PolicyBindings(o.BindingNamespace).List(kapi.ListOptions{})
	if err != nil {
		return err
	}
	sort.Sort(authorizationapi.PolicyBindingSorter(policyBindings.Items))

	// Names actually removed, per subject class, accumulated over all bindings.
	// NOTE(review): sasRemoved and othersRemoved are filled in but never read below.
	var (
		usersRemoved  = sets.String{}
		groupsRemoved = sets.String{}
		sasRemoved    = sets.String{}
		othersRemoved = sets.String{}
	)

	subjectsToRemove := authorizationapi.BuildSubjects(o.Users, o.Groups, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)

	for _, policyBinding := range policyBindings.Items {
		for _, binding := range authorizationapi.SortRoleBindings(policyBinding.RoleBindings, true) {
			// Snapshot the subjects before they are rewritten, so the removed
			// names can be computed afterwards.
			before := make([]kapi.ObjectReference, len(binding.Subjects))
			copy(before, binding.Subjects)

			oldUsers, oldGroups, oldSAs, oldOthers := authorizationapi.SubjectsStrings(binding.Namespace, before)
			oldUsersSet := sets.NewString(oldUsers...)
			oldGroupsSet := sets.NewString(oldGroups...)
			oldSAsSet := sets.NewString(oldSAs...)
			oldOtherSet := sets.NewString(oldOthers...)

			binding.Subjects = removeSubjects(binding.Subjects, subjectsToRemove)

			newUsers, newGroups, newSAs, newOthers := authorizationapi.SubjectsStrings(binding.Namespace, binding.Subjects)
			newUsersSet := sets.NewString(newUsers...)
			newGroupsSet := sets.NewString(newGroups...)
			newSAsSet := sets.NewString(newSAs...)
			newOtherSet := sets.NewString(newOthers...)

			// An unchanged subject count means nothing was removed from this binding.
			if len(binding.Subjects) == len(before) {
				continue
			}

			// Persist first; the "Removing ..." lines below are only printed
			// once the update went through.
			if _, err = o.Client.RoleBindings(o.BindingNamespace).Update(binding); err != nil {
				return err
			}

			// Show "namespace/name", or just the name when the role ref has no namespace.
			roleDisplayName := binding.RoleRef.Name
			if len(binding.RoleRef.Namespace) != 0 {
				roleDisplayName = fmt.Sprintf("%s/%s", binding.RoleRef.Namespace, binding.RoleRef.Name)
			}

			if gone := oldUsersSet.Difference(newUsersSet); len(gone) != 0 {
				names := gone.List()
				fmt.Fprintf(o.Out, "Removing %s from users %v in project %s.\n", roleDisplayName, names, o.BindingNamespace)
				usersRemoved.Insert(names...)
			}
			if gone := oldGroupsSet.Difference(newGroupsSet); len(gone) != 0 {
				names := gone.List()
				fmt.Fprintf(o.Out, "Removing %s from groups %v in project %s.\n", roleDisplayName, names, o.BindingNamespace)
				groupsRemoved.Insert(names...)
			}
			if gone := oldSAsSet.Difference(newSAsSet); len(gone) != 0 {
				names := gone.List()
				fmt.Fprintf(o.Out, "Removing %s from serviceaccounts %v in project %s.\n", roleDisplayName, names, o.BindingNamespace)
				sasRemoved.Insert(names...)
			}
			if gone := oldOtherSet.Difference(newOtherSet); len(gone) != 0 {
				names := gone.List()
				fmt.Fprintf(o.Out, "Removing %s from subjects %v in project %s.\n", roleDisplayName, names, o.BindingNamespace)
				othersRemoved.Insert(names...)
			}
		}
	}

	// Only usersRemoved and groupsRemoved feed the "not bound" report.
	// NOTE(review): a requested name that SubjectsStrings reports under service
	// accounts or other subjects would still be listed as "not bound" here even
	// though it was removed — confirm against SubjectsStrings.
	if missing := sets.NewString(o.Users...).Difference(usersRemoved); len(missing) != 0 {
		fmt.Fprintf(o.Out, "Users %v were not bound to roles in project %s.\n", missing.List(), o.BindingNamespace)
	}
	if missing := sets.NewString(o.Groups...).Difference(groupsRemoved); len(missing) != 0 {
		fmt.Fprintf(o.Out, "Groups %v were not bound to roles in project %s.\n", missing.List(), o.BindingNamespace)
	}

	return nil
}