func UserToSubject(u user.Info) pkix.Name {
return pkix.Name{
CommonName: u.GetName(),
SerialNumber: u.GetUID(),
Organization: u.GetGroups(),
}
}
// List returns the set of namespace names the user has access to view
func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) {
keys := sets.String{}
user := userInfo.GetName()
groups := userInfo.GetGroups()
obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
for _, group := range groups {
obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
}
namespaceList := &kapi.NamespaceList{}
for key := range keys {
namespace, exists, err := ac.namespaceStore.GetByKey(key)
if err != nil {
return nil, err
}
if exists {
namespaceList.Items = append(namespaceList.Items, *namespace.(*kapi.Namespace))
}
}
return namespaceList, nil
}
// constraintAppliesTo inspects the constraint's users and groups against the userInfo to determine
// if it is usable by the userInfo.
func ConstraintAppliesTo(constraint *kapi.SecurityContextConstraints, userInfo user.Info) bool {
for _, user := range constraint.Users {
if userInfo.GetName() == user {
return true
}
}
for _, userGroup := range userInfo.GetGroups() {
if constraintSupportsGroup(userGroup, constraint.Groups) {
return true
}
}
return false
}
// GetRequestAttributes populates authorizer attributes for the requests to the kubelet API.
// Default attributes are {apiVersion=v1,verb=proxy,resource=nodes,resourceName=<node name>}
// More specific verb/resource is set for the following request patterns:
// /stats/* => verb=<api verb from request>, resource=nodes/stats
// /metrics/* => verb=<api verb from request>, resource=nodes/metrics
// /logs/* => verb=<api verb from request>, resource=nodes/log
func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) kauthorizer.Attributes {
// Default verb/resource is proxy nodes, which allows full access to the kubelet API
attrs := oauthorizer.DefaultAuthorizationAttributes{
APIVersion: "v1",
APIGroup: "",
Verb: "proxy",
Resource: "nodes",
ResourceName: n.nodeName,
URL: r.URL.Path,
}
namespace := ""
userName := u.GetName()
groups := u.GetGroups()
apiVerb := ""
switch r.Method {
case "POST":
apiVerb = "create"
case "GET":
apiVerb = "get"
case "PUT":
apiVerb = "update"
case "PATCH":
apiVerb = "patch"
case "DELETE":
apiVerb = "delete"
}
// Override verb/resource for specific paths
// Updates to these rules require updating NodeAdminRole and NodeReaderRole in bootstrap policy
switch {
case isSubpath(r, "/stats"):
attrs.Verb = apiVerb
attrs.Resource = authorizationapi.NodeStatsResource
case isSubpath(r, "/metrics"):
attrs.Verb = apiVerb
attrs.Resource = authorizationapi.NodeMetricsResource
case isSubpath(r, "/logs"):
attrs.Verb = apiVerb
attrs.Resource = authorizationapi.NodeLogResource
}
// TODO: handle other things like /healthz/*? not sure if "non-resource" urls on the kubelet make sense to authorize against master non-resource URL policy
glog.V(2).Infof("Node request attributes: namespace=%s, user=%s, groups=%v, attrs=%#v", namespace, userName, groups, attrs)
return authzadapter.KubernetesAuthorizerAttributes(namespace, userName, groups, attrs)
}
// AppliesToUser returns true if this binding applies to the provided user.
func (a ClusterRoleBindingAdapter) AppliesToUser(user user.Info) bool {
if authorizationapi.SubjectsContainUser(a.roleBinding.Subjects, a.roleBinding.Namespace, user.GetName()) {
return true
}
if authorizationapi.SubjectsContainAnyGroup(a.roleBinding.Subjects, user.GetGroups()) {
return true
}
return false
}
func AddUserToLSAR(user user.Info, lsar *LocalSubjectAccessReview) *LocalSubjectAccessReview {
origScopes := user.GetExtra()[ScopesKey]
scopes := make([]string, len(origScopes), len(origScopes))
copy(scopes, origScopes)
lsar.User = user.GetName()
lsar.Groups = sets.NewString(user.GetGroups()...)
lsar.Scopes = scopes
return lsar
}
func appliesToUser(ruleUsers, ruleGroups sets.String, user user.Info) bool {
if ruleUsers.Has(user.GetName()) {
return true
}
for _, currGroup := range user.GetGroups() {
if ruleGroups.Has(currGroup) {
return true
}
}
return false
}
// List returns the set of namespace names the user has access to view
func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) {
keys := sets.String{}
user := userInfo.GetName()
groups := userInfo.GetGroups()
obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
for _, group := range groups {
obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
}
allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], ac.clusterPolicyLister.ClusterPolicies())
if err != nil {
return nil, err
}
namespaceList := &kapi.NamespaceList{}
for key := range keys {
namespaceObj, exists, err := ac.namespaceStore.GetByKey(key)
if err != nil {
return nil, err
}
if exists {
namespace := *namespaceObj.(*kapi.Namespace)
if allowedNamespaces.Has("*") || allowedNamespaces.Has(namespace.Name) {
namespaceList.Items = append(namespaceList.Items, namespace)
}
}
}
return namespaceList, nil
}
func doesApplyToUser(ruleUsers, ruleGroups util.StringSet, user user.Info) bool {
if ruleUsers.Has(user.GetName()) {
return true
}
for _, currGroup := range user.GetGroups() {
if ruleGroups.Has(currGroup) {
return true
}
}
return false
}
func appliesToUser(user user.Info, subject rbac.Subject) (bool, error) {
switch subject.Kind {
case rbac.UserKind:
return subject.Name == rbac.UserAll || user.GetName() == subject.Name, nil
case rbac.GroupKind:
return has(user.GetGroups(), subject.Name), nil
case rbac.ServiceAccountKind:
if subject.Namespace == "" {
return false, fmt.Errorf("subject of kind service account without specified namespace")
}
return serviceaccount.MakeUsername(subject.Namespace, subject.Name) == user.GetName(), nil
default:
return false, fmt.Errorf("unknown subject kind: %s", subject.Kind)
}
}
func appliesToUser(user user.Info, subject rbac.Subject) (bool, error) {
switch subject.Kind {
case rbac.UserKind:
return subject.Name == rbac.UserAll || user.GetName() == subject.Name, nil
case rbac.GroupKind:
return has(user.GetGroups(), subject.Name), nil
case rbac.ServiceAccountKind:
if subject.Namespace == "" {
return false, fmt.Errorf("subject of kind service account without specified namespace")
}
// TODO(ericchiang): Is there a better way of matching a service account name?
return "system:serviceaccount:"+subject.Name+":"+subject.Namespace == user.GetName(), nil
default:
return false, fmt.Errorf("unknown subject kind: %s", subject.Kind)
}
}
func (v *TagVerifier) Verify(old, stream *api.ImageStream, user user.Info) field.ErrorList {
var errors field.ErrorList
oldTags := map[string]api.TagReference{}
if old != nil && old.Spec.Tags != nil {
oldTags = old.Spec.Tags
}
for tag, tagRef := range stream.Spec.Tags {
if tagRef.From == nil {
continue
}
if len(tagRef.From.Namespace) == 0 {
continue
}
if stream.Namespace == tagRef.From.Namespace {
continue
}
if oldRef, ok := oldTags[tag]; ok && !tagRefChanged(oldRef, tagRef, stream.Namespace) {
continue
}
streamName, _, err := parseFromReference(stream, tagRef.From)
fromPath := field.NewPath("spec", "tags").Key(tag).Child("from")
if err != nil {
errors = append(errors, field.Invalid(fromPath.Child("name"), tagRef.From.Name, "must be of the form <tag>, <repo>:<tag>, <id>, or <repo>@<id>"))
continue
}
subjectAccessReview := authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Verb: "get",
Group: api.GroupName,
Resource: "imagestreams",
ResourceName: streamName,
},
User: user.GetName(),
Groups: sets.NewString(user.GetGroups()...),
}
ctx := kapi.WithNamespace(kapi.NewContext(), tagRef.From.Namespace)
glog.V(4).Infof("Performing SubjectAccessReview for user=%s, groups=%v to %s/%s", user.GetName(), user.GetGroups(), tagRef.From.Namespace, streamName)
resp, err := v.subjectAccessReviewClient.CreateSubjectAccessReview(ctx, &subjectAccessReview)
if err != nil || resp == nil || (resp != nil && !resp.Allowed) {
errors = append(errors, field.Forbidden(fromPath, fmt.Sprintf("%s/%s", tagRef.From.Namespace, streamName)))
continue
}
}
return errors
}
func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool {
switch subject.Kind {
case rbac.UserKind:
return subject.Name == rbac.UserAll || user.GetName() == subject.Name
case rbac.GroupKind:
return has(user.GetGroups(), subject.Name)
case rbac.ServiceAccountKind:
// default the namespace to namespace we're working in if its available. This allows rolebindings that reference
// SAs in th local namespace to avoid having to qualify them.
saNamespace := namespace
if len(subject.Namespace) > 0 {
saNamespace = subject.Namespace
}
if len(saNamespace) == 0 {
return false
}
return serviceaccount.MakeUsername(saNamespace, subject.Name) == user.GetName()
default:
return false
}
}
