// Authorize implements authorizer.Authorize for the test-only authorizer.
//
// Whitelisted users are accepted unconditionally and get an empty tenant.
// Every other user is refused writes to the "tenants" resource, then pinned
// to a tenant: the tenant recorded on the requested namespace, or the tenant
// named directly in the request. Only requests pinned to nothing or to
// TenantTest are allowed, and the tenant handed back is always TenantTest.
//
// NOTE(review): a request with neither namespace nor tenant, or a namespace
// whose Tenant field is empty, pins "" and is therefore allowed — the empty
// tenant is treated as the test tenant here. Fine for a test authorizer; do
// not carry this fallback into a production path.
func (ka *allowTestAuthorizer) Authorize(a authorizer.Attributes) (string, error) {
	if authorizer.IsWhiteListedUser(a.GetUserName()) {
		return "", nil
	}
	// Non-whitelisted users may read tenants but never mutate them.
	if !a.IsReadOnly() && a.GetResource() == "tenants" {
		return "", errors.New("only admin can write tenant")
	}

	var pinned string
	switch {
	case a.GetNamespace() != "":
		// Namespace-scoped request: the owning tenant is recorded on the namespace.
		var ns *api.Namespace
		ns, err := ka.kubeClient.Namespaces().Get(a.GetNamespace())
		if err != nil {
			glog.Error(err)
			return "", err
		}
		pinned = ns.Tenant
	case a.GetTenant() != "":
		// Request names a tenant explicitly: confirm it exists before trusting the name.
		te, err := ka.kubeClient.Tenants().Get(a.GetTenant())
		if err != nil {
			glog.Error(err)
			return "", err
		}
		pinned = te.Name
	}

	if pinned == "" || pinned == TenantTest {
		return TenantTest, nil
	}
	return "", errors.New("Keystone authorization failed")
}
// Authorize implements authorizer.Authorize by validating the caller's
// credentials against Keystone.
//
// The request is first pinned to a tenant: the tenant recorded on the
// requested namespace, or the tenant named directly in the request ("" when
// neither is given). Then:
//   - whitelisted users never touch Keystone: the admin user is always placed
//     in api.TenantDefault, any other whitelisted user in the pinned tenant
//     (which may be "");
//   - everyone else is refused writes to the "tenants" resource, then
//     authenticated against Keystone with the username and password carried
//     in the attributes. The request is allowed only when it is pinned to
//     nothing, or to the tenant Keystone reports for those credentials.
//
// NOTE(review): a namespace whose Tenant field is empty pins "" and is thus
// reachable by any user Keystone accepts — confirm an unset namespace tenant
// is meant to be world-readable within the cluster. NOTE(review): every
// non-whitelisted request performs a full Keystone authentication with the
// plaintext password and nothing is cached here; errors from the OpenStack
// client are logged verbatim, so check they cannot embed the credentials.
func (ka *keystoneAuthorizer) Authorize(a authorizer.Attributes) (string, error) {
	var (
		pinned string // tenant the request is bound to; "" when unscoped
		ns     *api.Namespace
		err    error
	)
	switch {
	case a.GetNamespace() != "":
		if ns, err = ka.kubeClient.Namespaces().Get(a.GetNamespace()); err != nil {
			return "", err
		}
		pinned = ns.Tenant
	case a.GetTenant() != "":
		te, err := ka.kubeClient.Tenants().Get(a.GetTenant())
		if err != nil {
			return "", err
		}
		pinned = te.Name
	}

	if authorizer.IsWhiteListedUser(a.GetUserName()) {
		if a.GetUserName() == api.UserAdmin {
			return api.TenantDefault, nil
		}
		return pinned, nil
	}
	// Non-whitelisted users may read tenants but never mutate them.
	if !a.IsReadOnly() && a.GetResource() == "tenants" {
		return "", errors.New("only admin can write tenant")
	}

	// Authenticate the caller against Keystone with the credentials on the request.
	osClient, err := newOpenstackClient(&authConfig{
		AuthUrl:  ka.authUrl,
		Username: a.GetUserName(),
		Password: a.GetPassword(),
	})
	if err != nil {
		glog.Errorf("%v", err)
		return "", err
	}
	tenant, err := osClient.getTenant()
	if err != nil {
		glog.Errorf("%v", err)
		return "", err
	}

	// Unscoped requests are allowed; scoped ones must land in the caller's own tenant.
	if pinned == "" || pinned == tenant.Name {
		return tenant.Name, nil
	}
	return "", errors.New("Keystone authorization failed")
}
// matches reports whether policy p grants the request described by a.
//
// A subject match is mandatory. Beyond that every clause is wildcard-or-equal:
// a read-only policy only matches read-only requests (a non-read-only policy
// matches any verb), and an empty Resource or Namespace on the policy matches
// every resource or namespace respectively.
//
// NOTE(review): because "" is a wildcard, a policy line that leaves both
// Resource and Namespace empty grants its subject access to everything the
// verb clause allows; fill both in unless cluster-wide access is intended.
func (p policy) matches(a authorizer.Attributes) bool {
	if !p.subjectMatches(a) {
		return false
	}
	return (!p.Readonly || a.IsReadOnly()) &&
		(p.Resource == "" || p.Resource == a.GetResource()) &&
		(p.Namespace == "" || p.Namespace == a.GetNamespace())
}
// verbMatches reports whether the policy's read-only flag permits the verb of
// the request described by a.
//
// TODO: match on verb. Only the read-only bit is consulted today: a read-only
// request is allowed by every policy, and a policy that is not read-only
// allows every request. The single rejected combination is a mutating request
// against a read-only policy.
func verbMatches(p api.Policy, a authorizer.Attributes) bool {
	return a.IsReadOnly() || !p.Spec.Readonly
}
// matches reports whether policy p grants the request described by a.
//
// A subject match is mandatory, and a read-only policy only matches read-only
// requests. After that the policy is one of two kinds:
//   - a non-resource policy (NonResourcePath set) matches only on exact path
//     equality — no prefix or glob matching — and ignores Resource/Namespace;
//   - a resource policy never matches a non-resource request, and otherwise
//     treats an empty Resource or Namespace as a wildcard.
//
// NOTE(review): as with the resource clause, an empty Resource and Namespace
// together grant access to every resource the verb clause allows.
func (p policy) matches(a authorizer.Attributes) bool {
	if !p.subjectMatches(a) {
		return false
	}
	if p.Readonly && !a.IsReadOnly() {
		return false
	}
	if p.NonResourcePath != "" {
		// Non-resource policy: exact path equality, nothing else is consulted.
		return p.NonResourcePath == a.GetNonResourcePath()
	}
	// Resource policy: a non-resource request can never match, even against
	// the Resource == "" wildcard.
	if a.GetNonResourcePath() != "" {
		return false
	}
	if p.Resource != "" && p.Resource != a.GetResource() {
		return false
	}
	return p.Namespace == "" || p.Namespace == a.GetNamespace()
}