// List returns the set of namespace names the user has access to view
func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) {
keys := sets.String{}
user := userInfo.GetName()
groups := userInfo.GetGroups()
obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
for _, group := range groups {
obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
}
allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], ac.clusterPolicyLister.ClusterPolicies())
if err != nil {
return nil, err
}
namespaceList := &kapi.NamespaceList{}
for key := range keys {
namespaceObj, exists, err := ac.namespaceStore.GetByKey(key)
if err != nil {
return nil, err
}
if exists {
namespace := *namespaceObj.(*kapi.Namespace)
if allowedNamespaces.Has("*") || allowedNamespaces.Has(namespace.Name) {
namespaceList.Items = append(namespaceList.Items, namespace)
}
}
}
return namespaceList, nil
}
func (s *REST) Watch(ctx kapi.Context, options *kapi.ListOptions) (watch.Interface, error) {
if ctx == nil {
return nil, fmt.Errorf("Context is nil")
}
userInfo, exists := kapi.UserFrom(ctx)
if !exists {
return nil, fmt.Errorf("no user")
}
includeAllExistingProjects := (options != nil) && options.ResourceVersion == "0"
allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], s.authCache.GetClusterPolicyLister().ClusterPolicies())
if err != nil {
return nil, err
}
watcher := projectauth.NewUserProjectWatcher(userInfo, allowedNamespaces, s.projectCache, s.authCache, includeAllExistingProjects)
s.authCache.AddWatcher(watcher)
go watcher.Watch()
return watcher, nil
}