// AddUserToLSAR fills in the subject fields of lsar (User, Groups and Scopes)
// from the supplied user and returns the same lsar pointer.
//
// Scopes are read from the user's extra data under ScopesKey and copied into a
// freshly allocated slice, so the review does not share a backing array with
// the user's extra data: a later write to either slice cannot change the
// scopes seen through the other. When the user carries no scopes the result is
// an empty, non-nil slice.
func AddUserToLSAR(user user.Info, lsar *LocalSubjectAccessReview) *LocalSubjectAccessReview {
	src := user.GetExtra()[ScopesKey]

	// Copy rather than alias the caller-owned slice.
	dup := make([]string, len(src))
	copy(dup, src)

	lsar.User = user.GetName()
	lsar.Groups = sets.NewString(user.GetGroups()...)
	lsar.Scopes = dup

	return lsar
}
// List returns the set of namespace names the user has access to view func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) { keys := sets.String{} user := userInfo.GetName() groups := userInfo.GetGroups() obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } for _, group := range groups { obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } } allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], ac.clusterPolicyLister.ClusterPolicies()) if err != nil { return nil, err } namespaceList := &kapi.NamespaceList{} for key := range keys { namespaceObj, exists, err := ac.namespaceStore.GetByKey(key) if err != nil { return nil, err } if exists { namespace := *namespaceObj.(*kapi.Namespace) if allowedNamespaces.Has("*") || allowedNamespaces.Has(namespace.Name) { namespaceList.Items = append(namespaceList.Items, namespace) } } } return namespaceList, nil }