func UserToSubject(u user.Info) pkix.Name { return pkix.Name{ CommonName: u.GetName(), SerialNumber: u.GetUID(), Organization: u.GetGroups(), } }
// List returns the set of namespace names the user has access to view func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) { keys := sets.String{} user := userInfo.GetName() groups := userInfo.GetGroups() obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } for _, group := range groups { obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } } namespaceList := &kapi.NamespaceList{} for key := range keys { namespace, exists, err := ac.namespaceStore.GetByKey(key) if err != nil { return nil, err } if exists { namespaceList.Items = append(namespaceList.Items, *namespace.(*kapi.Namespace)) } } return namespaceList, nil }
// constraintAppliesTo inspects the constraint's users and groups against the userInfo to determine // if it is usable by the userInfo. func ConstraintAppliesTo(constraint *kapi.SecurityContextConstraints, userInfo user.Info) bool { for _, user := range constraint.Users { if userInfo.GetName() == user { return true } } for _, userGroup := range userInfo.GetGroups() { if constraintSupportsGroup(userGroup, constraint.Groups) { return true } } return false }
// GetRequestAttributes populates authorizer attributes for the requests to the kubelet API. // Default attributes are {apiVersion=v1,verb=proxy,resource=nodes,resourceName=<node name>} // More specific verb/resource is set for the following request patterns: // /stats/* => verb=<api verb from request>, resource=nodes/stats // /metrics/* => verb=<api verb from request>, resource=nodes/metrics // /logs/* => verb=<api verb from request>, resource=nodes/log func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) kauthorizer.Attributes { // Default verb/resource is proxy nodes, which allows full access to the kubelet API attrs := oauthorizer.DefaultAuthorizationAttributes{ APIVersion: "v1", APIGroup: "", Verb: "proxy", Resource: "nodes", ResourceName: n.nodeName, URL: r.URL.Path, } namespace := "" userName := u.GetName() groups := u.GetGroups() apiVerb := "" switch r.Method { case "POST": apiVerb = "create" case "GET": apiVerb = "get" case "PUT": apiVerb = "update" case "PATCH": apiVerb = "patch" case "DELETE": apiVerb = "delete" } // Override verb/resource for specific paths // Updates to these rules require updating NodeAdminRole and NodeReaderRole in bootstrap policy switch { case isSubpath(r, "/stats"): attrs.Verb = apiVerb attrs.Resource = authorizationapi.NodeStatsResource case isSubpath(r, "/metrics"): attrs.Verb = apiVerb attrs.Resource = authorizationapi.NodeMetricsResource case isSubpath(r, "/logs"): attrs.Verb = apiVerb attrs.Resource = authorizationapi.NodeLogResource } // TODO: handle other things like /healthz/*? not sure if "non-resource" urls on the kubelet make sense to authorize against master non-resource URL policy glog.V(2).Infof("Node request attributes: namespace=%s, user=%s, groups=%v, attrs=%#v", namespace, userName, groups, attrs) return authzadapter.KubernetesAuthorizerAttributes(namespace, userName, groups, attrs) }
// AppliesToUser returns true if this binding applies to the provided user. func (a ClusterRoleBindingAdapter) AppliesToUser(user user.Info) bool { if authorizationapi.SubjectsContainUser(a.roleBinding.Subjects, a.roleBinding.Namespace, user.GetName()) { return true } if authorizationapi.SubjectsContainAnyGroup(a.roleBinding.Subjects, user.GetGroups()) { return true } return false }
func AddUserToLSAR(user user.Info, lsar *LocalSubjectAccessReview) *LocalSubjectAccessReview { origScopes := user.GetExtra()[ScopesKey] scopes := make([]string, len(origScopes), len(origScopes)) copy(scopes, origScopes) lsar.User = user.GetName() lsar.Groups = sets.NewString(user.GetGroups()...) lsar.Scopes = scopes return lsar }
func appliesToUser(ruleUsers, ruleGroups sets.String, user user.Info) bool { if ruleUsers.Has(user.GetName()) { return true } for _, currGroup := range user.GetGroups() { if ruleGroups.Has(currGroup) { return true } } return false }
// List returns the set of namespace names the user has access to view func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) { keys := sets.String{} user := userInfo.GetName() groups := userInfo.GetGroups() obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } for _, group := range groups { obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } } allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], ac.clusterPolicyLister.ClusterPolicies()) if err != nil { return nil, err } namespaceList := &kapi.NamespaceList{} for key := range keys { namespaceObj, exists, err := ac.namespaceStore.GetByKey(key) if err != nil { return nil, err } if exists { namespace := *namespaceObj.(*kapi.Namespace) if allowedNamespaces.Has("*") || allowedNamespaces.Has(namespace.Name) { namespaceList.Items = append(namespaceList.Items, namespace) } } } return namespaceList, nil }
func doesApplyToUser(ruleUsers, ruleGroups util.StringSet, user user.Info) bool { if ruleUsers.Has(user.GetName()) { return true } for _, currGroup := range user.GetGroups() { if ruleGroups.Has(currGroup) { return true } } return false }
func appliesToUser(user user.Info, subject rbac.Subject) (bool, error) { switch subject.Kind { case rbac.UserKind: return subject.Name == rbac.UserAll || user.GetName() == subject.Name, nil case rbac.GroupKind: return has(user.GetGroups(), subject.Name), nil case rbac.ServiceAccountKind: if subject.Namespace == "" { return false, fmt.Errorf("subject of kind service account without specified namespace") } return serviceaccount.MakeUsername(subject.Namespace, subject.Name) == user.GetName(), nil default: return false, fmt.Errorf("unknown subject kind: %s", subject.Kind) } }
func appliesToUser(user user.Info, subject rbac.Subject) (bool, error) { switch subject.Kind { case rbac.UserKind: return subject.Name == rbac.UserAll || user.GetName() == subject.Name, nil case rbac.GroupKind: return has(user.GetGroups(), subject.Name), nil case rbac.ServiceAccountKind: if subject.Namespace == "" { return false, fmt.Errorf("subject of kind service account without specified namespace") } // TODO(ericchiang): Is there a better way of matching a service account name? return "system:serviceaccount:"+subject.Name+":"+subject.Namespace == user.GetName(), nil default: return false, fmt.Errorf("unknown subject kind: %s", subject.Kind) } }
func (v *TagVerifier) Verify(old, stream *api.ImageStream, user user.Info) field.ErrorList { var errors field.ErrorList oldTags := map[string]api.TagReference{} if old != nil && old.Spec.Tags != nil { oldTags = old.Spec.Tags } for tag, tagRef := range stream.Spec.Tags { if tagRef.From == nil { continue } if len(tagRef.From.Namespace) == 0 { continue } if stream.Namespace == tagRef.From.Namespace { continue } if oldRef, ok := oldTags[tag]; ok && !tagRefChanged(oldRef, tagRef, stream.Namespace) { continue } streamName, _, err := parseFromReference(stream, tagRef.From) fromPath := field.NewPath("spec", "tags").Key(tag).Child("from") if err != nil { errors = append(errors, field.Invalid(fromPath.Child("name"), tagRef.From.Name, "must be of the form <tag>, <repo>:<tag>, <id>, or <repo>@<id>")) continue } subjectAccessReview := authorizationapi.SubjectAccessReview{ Action: authorizationapi.AuthorizationAttributes{ Verb: "get", Group: api.GroupName, Resource: "imagestreams", ResourceName: streamName, }, User: user.GetName(), Groups: sets.NewString(user.GetGroups()...), } ctx := kapi.WithNamespace(kapi.NewContext(), tagRef.From.Namespace) glog.V(4).Infof("Performing SubjectAccessReview for user=%s, groups=%v to %s/%s", user.GetName(), user.GetGroups(), tagRef.From.Namespace, streamName) resp, err := v.subjectAccessReviewClient.CreateSubjectAccessReview(ctx, &subjectAccessReview) if err != nil || resp == nil || (resp != nil && !resp.Allowed) { errors = append(errors, field.Forbidden(fromPath, fmt.Sprintf("%s/%s", tagRef.From.Namespace, streamName))) continue } } return errors }
func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool { switch subject.Kind { case rbac.UserKind: return subject.Name == rbac.UserAll || user.GetName() == subject.Name case rbac.GroupKind: return has(user.GetGroups(), subject.Name) case rbac.ServiceAccountKind: // default the namespace to namespace we're working in if its available. This allows rolebindings that reference // SAs in th local namespace to avoid having to qualify them. saNamespace := namespace if len(subject.Namespace) > 0 { saNamespace = subject.Namespace } if len(saNamespace) == 0 { return false } return serviceaccount.MakeUsername(saNamespace, subject.Name) == user.GetName() default: return false } }