func (r *RBACAuthorizer) Authorize(attr authorizer.Attributes) error {
if r.superUser != "" && attr.GetUserName() == r.superUser {
return nil
}
userInfo := &user.DefaultInfo{
Name: attr.GetUserName(),
Groups: attr.GetGroups(),
}
ctx := api.WithNamespace(api.WithUser(api.NewContext(), userInfo), attr.GetNamespace())
// Frame the authorization request as a privilege escalation check.
var requestedRule rbac.PolicyRule
if attr.IsResourceRequest() {
requestedRule = rbac.PolicyRule{
Verbs: []string{attr.GetVerb()},
APIGroups: []string{attr.GetAPIGroup()}, // TODO(ericchiang): add api version here too?
Resources: []string{attr.GetResource()},
ResourceNames: []string{attr.GetName()},
}
} else {
requestedRule = rbac.PolicyRule{
NonResourceURLs: []string{attr.GetPath()},
}
}
return validation.ConfirmNoEscalation(ctx, r.authorizationRuleResolver, []rbac.PolicyRule{requestedRule})
}
// OriginAuthorizerAttributes adapts Kubernetes authorization attributes to Origin authorization attributes
// Note that some info (like resourceName, apiVersion, apiGroup) is not available from the Kubernetes attributes
func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.AuthorizationAttributes) {
// Build a context to hold the namespace and user info
ctx := kapi.NewContext()
ctx = kapi.WithNamespace(ctx, kattrs.GetNamespace())
ctx = kapi.WithUser(ctx, &user.DefaultInfo{
Name: kattrs.GetUserName(),
Groups: kattrs.GetGroups(),
})
// If the passed attributes already satisfy our interface, use it directly
if oattrs, ok := kattrs.(oauthorizer.AuthorizationAttributes); ok {
return ctx, oattrs
}
// Otherwise build what we can
oattrs := &oauthorizer.DefaultAuthorizationAttributes{
Verb: kattrs.GetVerb(),
Resource: kattrs.GetResource(),
// TODO: add to kube authorizer attributes
// APIVersion string
// APIGroup string
// ResourceName string
// RequestAttributes interface{}
// NonResourceURL bool
// URL string
}
return ctx, oattrs
}
// subjectMatches returns true if specified user and group properties in the policy match the attributes
func subjectMatches(p api.Policy, a authorizer.Attributes) bool {
matched := false
// If the policy specified a user, ensure it matches
if len(p.Spec.User) > 0 {
if p.Spec.User == "*" {
matched = true
} else {
matched = p.Spec.User == a.GetUserName()
if !matched {
return false
}
}
}
// If the policy specified a group, ensure it matches
if len(p.Spec.Group) > 0 {
if p.Spec.Group == "*" {
matched = true
} else {
matched = false
for _, group := range a.GetGroups() {
if p.Spec.Group == group {
matched = true
}
}
if !matched {
return false
}
}
}
return matched
}
func (ka *allowTestAuthorizer) Authorize(a authorizer.Attributes) (string, error) {
var (
tenantName string
ns *api.Namespace
err error
)
if authorizer.IsWhiteListedUser(a.GetUserName()) {
return "", nil
} else {
if !a.IsReadOnly() && a.GetResource() == "tenants" {
return "", errors.New("only admin can write tenant")
}
}
if a.GetNamespace() != "" {
ns, err = ka.kubeClient.Namespaces().Get(a.GetNamespace())
if err != nil {
glog.Error(err)
return "", err
}
tenantName = ns.Tenant
} else {
if a.GetTenant() != "" {
te, err := ka.kubeClient.Tenants().Get(a.GetTenant())
if err != nil {
glog.Error(err)
return "", err
}
tenantName = te.Name
}
}
if tenantName == "" || tenantName == TenantTest {
return TenantTest, nil
}
return "", errors.New("Keystone authorization failed")
}
// OriginAuthorizerAttributes adapts Kubernetes authorization attributes to Origin authorization attributes
// Note that some info (like resourceName, apiVersion, apiGroup) is not available from the Kubernetes attributes
func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.AuthorizationAttributes) {
// Build a context to hold the namespace and user info
ctx := kapi.NewContext()
ctx = kapi.WithNamespace(ctx, kattrs.GetNamespace())
ctx = kapi.WithUser(ctx, &user.DefaultInfo{
Name: kattrs.GetUserName(),
Groups: kattrs.GetGroups(),
})
// If we recognize the type, use the embedded type. Do NOT use it directly, because not all things that quack are ducks.
if castAdapterAttributes, ok := kattrs.(AdapterAttributes); ok {
return ctx, castAdapterAttributes.authorizationAttributes
}
// Otherwise build what we can
oattrs := &oauthorizer.DefaultAuthorizationAttributes{
Verb: kattrs.GetVerb(),
APIGroup: kattrs.GetAPIGroup(),
APIVersion: kattrs.GetAPIVersion(),
Resource: kattrs.GetResource(),
ResourceName: kattrs.GetName(),
NonResourceURL: kattrs.IsResourceRequest() == false,
URL: kattrs.GetPath(),
// TODO: add to kube authorizer attributes
// RequestAttributes interface{}
}
if len(kattrs.GetSubresource()) > 0 {
oattrs.Resource = kattrs.GetResource() + "/" + kattrs.GetSubresource()
}
return ctx, oattrs
}
// Authorize makes a REST request to the remote service describing the attempted action as a JSON
// serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is
// provided bellow.
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "spec": {
// "resourceAttributes": {
// "namespace": "kittensandponies",
// "verb": "GET",
// "group": "group3",
// "resource": "pods"
// },
// "user": "******",
// "group": [
// "group1",
// "group2"
// ]
// }
// }
//
// The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or
// disallow access. A permissive response would return:
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "status": {
// "allowed": true
// }
// }
//
// To disallow access, the remote service would return:
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "status": {
// "allowed": false,
// "reason": "user does not have read access to the namespace"
// }
// }
//
func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (err error) {
r := &v1beta1.SubjectAccessReview{
Spec: v1beta1.SubjectAccessReviewSpec{
User: attr.GetUserName(),
Groups: attr.GetGroups(),
},
}
if attr.IsResourceRequest() {
r.Spec.ResourceAttributes = &v1beta1.ResourceAttributes{
Namespace: attr.GetNamespace(),
Verb: attr.GetVerb(),
Group: attr.GetAPIGroup(),
Version: attr.GetAPIVersion(),
Resource: attr.GetResource(),
Subresource: attr.GetSubresource(),
Name: attr.GetName(),
}
} else {
r.Spec.NonResourceAttributes = &v1beta1.NonResourceAttributes{
Path: attr.GetPath(),
Verb: attr.GetVerb(),
}
}
key, err := json.Marshal(r.Spec)
if err != nil {
return err
}
if entry, ok := w.responseCache.Get(string(key)); ok {
r.Status = entry.(v1beta1.SubjectAccessReviewStatus)
} else {
result := w.WithExponentialBackoff(func() restclient.Result {
return w.RestClient.Post().Body(r).Do()
})
if err := result.Error(); err != nil {
// An error here indicates bad configuration or an outage. Log for debugging.
glog.Errorf("Failed to make webhook authorizer request: %v", err)
return err
}
var statusCode int
if result.StatusCode(&statusCode); statusCode < 200 || statusCode >= 300 {
return fmt.Errorf("Error contacting webhook: %d", statusCode)
}
if err := result.Into(r); err != nil {
return err
}
if r.Status.Allowed {
w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
} else {
w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
}
}
if r.Status.Allowed {
return nil
}
if r.Status.Reason != "" {
return errors.New(r.Status.Reason)
}
return errors.New("unauthorized")
}
// alice can't act as anyone and bob can't do anything but act-as someone
func (impersonateAuthorizer) Authorize(a authorizer.Attributes) error {
if a.GetUserName() == "alice" && a.GetVerb() != "impersonate" {
return nil
}
if a.GetUserName() == "bob" && a.GetVerb() == "impersonate" {
return nil
}
return errors.New("I can't allow that. Go ask alice.")
}
// Authorize makes a REST request to the remote service describing the attempted action as a JSON
// serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is
// provided bellow.
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "spec": {
// "resourceAttributes": {
// "namespace": "kittensandponies",
// "verb": "GET",
// "group": "group3",
// "resource": "pods"
// },
// "user": "******",
// "group": [
// "group1",
// "group2"
// ]
// }
// }
//
// The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or
// disallow access. A permissive response would return:
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "status": {
// "allowed": true
// }
// }
//
// To disallow access, the remote service would return:
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "status": {
// "allowed": false,
// "reason": "user does not have read access to the namespace"
// }
// }
//
func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (err error) {
r := &v1beta1.SubjectAccessReview{
Spec: v1beta1.SubjectAccessReviewSpec{
User: attr.GetUserName(),
Groups: attr.GetGroups(),
},
}
if attr.IsResourceRequest() {
r.Spec.ResourceAttributes = &v1beta1.ResourceAttributes{
Namespace: attr.GetNamespace(),
Verb: attr.GetVerb(),
Group: attr.GetAPIGroup(),
Version: attr.GetAPIVersion(),
Resource: attr.GetResource(),
Subresource: attr.GetSubresource(),
Name: attr.GetName(),
}
} else {
r.Spec.NonResourceAttributes = &v1beta1.NonResourceAttributes{
Path: attr.GetPath(),
Verb: attr.GetVerb(),
}
}
key, err := json.Marshal(r.Spec)
if err != nil {
return err
}
if entry, ok := w.responseCache.Get(string(key)); ok {
r.Status = entry.(v1beta1.SubjectAccessReviewStatus)
} else {
result := w.RestClient.Post().Body(r).Do()
if err := result.Error(); err != nil {
return err
}
if err := result.Into(r); err != nil {
return err
}
go func() {
if r.Status.Allowed {
w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
} else {
w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
}
}()
}
if r.Status.Allowed {
return nil
}
if r.Status.Reason != "" {
return errors.New(r.Status.Reason)
}
return errors.New("unauthorized")
}
func (p policy) subjectMatches(a authorizer.Attributes) bool {
if p.User != "" {
// Require user match
if p.User != a.GetUserName() {
return false
}
}
if p.Group != "" {
// Require group match
for _, group := range a.GetGroups() {
if p.Group == group {
return true
}
}
return false
}
return true
}
// Authorize makes a REST request to the remote service describing the attempted action as a JSON
// serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is
// provided bellow.
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "spec": {
// "resourceAttributes": {
// "namespace": "kittensandponies",
// "verb": "GET",
// "group": "group3",
// "resource": "pods"
// },
// "user": "******",
// "group": [
// "group1",
// "group2"
// ]
// }
// }
//
// The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or
// disallow access. A permissive response would return:
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "status": {
// "allowed": true
// }
// }
//
// To disallow access, the remote service would return:
//
// {
// "apiVersion": "authorization.k8s.io/v1beta1",
// "kind": "SubjectAccessReview",
// "status": {
// "allowed": false,
// "reason": "user does not have read access to the namespace"
// }
// }
//
func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (err error) {
r := &v1beta1.SubjectAccessReview{
Spec: v1beta1.SubjectAccessReviewSpec{
User: attr.GetUserName(),
Groups: attr.GetGroups(),
},
}
if attr.IsResourceRequest() {
r.Spec.ResourceAttributes = &v1beta1.ResourceAttributes{
Namespace: attr.GetNamespace(),
Verb: attr.GetVerb(),
Group: attr.GetAPIGroup(),
Version: attr.GetAPIVersion(),
Resource: attr.GetResource(),
Subresource: attr.GetSubresource(),
Name: attr.GetName(),
}
} else {
r.Spec.NonResourceAttributes = &v1beta1.NonResourceAttributes{
Path: attr.GetPath(),
Verb: attr.GetVerb(),
}
}
result := w.RestClient.Post().Body(r).Do()
if err := result.Error(); err != nil {
return err
}
if err := result.Into(r); err != nil {
return err
}
if r.Status.Allowed {
return nil
}
if r.Status.Reason != "" {
return errors.New(r.Status.Reason)
}
return errors.New("unauthorized")
}
// Authorizer implements authorizer.Authorize
func (ka *keystoneAuthorizer) Authorize(a authorizer.Attributes) (string, error) {
var (
tenantName string
ns *api.Namespace
err error
)
if a.GetNamespace() != "" {
ns, err = ka.kubeClient.Namespaces().Get(a.GetNamespace())
if err != nil {
return "", err
}
tenantName = ns.Tenant
} else {
if a.GetTenant() != "" {
te, err := ka.kubeClient.Tenants().Get(a.GetTenant())
if err != nil {
return "", err
}
tenantName = te.Name
}
}
if authorizer.IsWhiteListedUser(a.GetUserName()) {
if a.GetUserName() != api.UserAdmin {
return tenantName, nil
} else {
return api.TenantDefault, nil
}
} else {
if !a.IsReadOnly() && a.GetResource() == "tenants" {
return "", errors.New("only admin can write tenant")
}
}
authConfig := &authConfig{
AuthUrl: ka.authUrl,
Username: a.GetUserName(),
Password: a.GetPassword(),
}
osClient, err := newOpenstackClient(authConfig)
if err != nil {
glog.Errorf("%v", err)
return "", err
}
tenant, err := osClient.getTenant()
if err != nil {
glog.Errorf("%v", err)
return "", err
}
if tenantName == "" || tenantName == tenant.Name {
return tenant.Name, nil
}
return "", errors.New("Keystone authorization failed")
}
// alice can't act as anyone and bob can't do anything but act-as someone
func (impersonateAuthorizer) Authorize(a authorizer.Attributes) error {
// alice can impersonate service accounts and do other actions
if a.GetUserName() == "alice" && a.GetVerb() == "impersonate" && a.GetResource() == "serviceaccounts" {
return nil
}
if a.GetUserName() == "alice" && a.GetVerb() != "impersonate" {
return nil
}
// bob can impersonate anyone, but that it
if a.GetUserName() == "bob" && a.GetVerb() == "impersonate" {
return nil
}
// service accounts can do everything
if strings.HasPrefix(a.GetUserName(), serviceaccount.ServiceAccountUsernamePrefix) {
return nil
}
return errors.New("I can't allow that. Go ask alice.")
}
func (allowAliceAuthorizer) Authorize(a authorizer.Attributes) error {
if a.GetUserName() == "alice" {
return nil
}
return errors.New("I can't allow that. Go ask alice.")
}