// GetAttribs builds the authorizer attributes for req from three sources: the
// user stored in the request's mapped context (when there is one), the
// read-only flag reported by IsReadOnlyReq, and the resource and namespace
// reported by the API request info resolver.
func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attributes {
	record := new(authorizer.AttributesRecord)

	// User stays unset when the request has no mapped context or the context
	// carries no user.
	if ctx, found := r.requestContextMapper.Get(req); found {
		if caller, found := api.UserFrom(ctx); found {
			record.User = caller
		}
	}

	record.ReadOnly = IsReadOnlyReq(*req)

	// NOTE(review): the resolver's error is discarded, so a request it could
	// not resolve is still turned into attributes built from whatever value
	// came back with the error. Confirm the authorizer treats an empty
	// resource/namespace the way policy intends.
	info, _ := r.apiRequestInfoResolver.GetAPIRequestInfo(req)

	// The resource can only be extracted when the path follows the
	// conventions of the REST object store.
	record.Resource = info.Resource

	// The namespace is filled in only when the request specifies one. This
	// assumes there is no empty-string namespace; an unspecified namespace
	// stays empty because no defaulting rules are applied here.
	record.Namespace = info.Namespace

	return record
}
// GetRequestAttributes populates authorizer attributes for requests to the
// kubelet API.
//
// Default attributes are:
//
//	{apiVersion=v1, verb=<api verb from request>, resource=nodes, name=<node name>, subresource=proxy}
//
// A more specific subresource is set for the following request patterns:
//
//	/stats/*   => subresource=stats
//	/metrics/* => subresource=metrics
//	/logs/*    => subresource=log
//	/spec/*    => subresource=spec
//
// Every other path keeps subresource=proxy.
func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) authorizer.Attributes {
	// Translate the HTTP method into the matching API verb.
	// NOTE(review): any method outside this list leaves the verb empty;
	// confirm the authorizer rejects an empty verb rather than matching it.
	var verb string
	switch r.Method {
	case "GET":
		verb = "get"
	case "POST":
		verb = "create"
	case "PUT":
		verb = "update"
	case "PATCH":
		verb = "patch"
	case "DELETE":
		verb = "delete"
	}

	// NOTE(review): the path is matched exactly as it appears on the request.
	// Confirm it is already in the form the handler routing uses, so the
	// subresource authorized here is the endpoint that is actually served.
	path := r.URL.Path

	// Narrow the subresource for specific paths so that access to the kubelet
	// API can be subdivided; everything else is authorized as "proxy".
	subresource := "proxy"
	switch {
	case isSubpath(path, statsPath):
		subresource = "stats"
	case isSubpath(path, metricsPath):
		subresource = "metrics"
	case isSubpath(path, logsPath):
		// "log" to match other log subresources (pods/log, etc).
		subresource = "log"
	case isSubpath(path, specPath):
		subresource = "spec"
	}

	// These attributes mirror the API attributes that would allow this access
	// to the kubelet API. Namespace and APIGroup are left empty.
	attrs := authorizer.AttributesRecord{
		User:            u,
		Verb:            verb,
		APIVersion:      "v1",
		Resource:        "nodes",
		Subresource:     subresource,
		Name:            string(n.nodeName),
		ResourceRequest: true,
		Path:            path,
	}

	glog.V(5).Infof("Node request attributes: attrs=%#v", attrs)

	return attrs
}
// GetAttribs builds the authorizer attributes for req: the user stored in the
// request's mapped context (when there is one) plus the request, path, verb,
// API group, resource and namespace fields reported by the request info
// resolver.
func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attributes {
	record := new(authorizer.AttributesRecord)

	// User stays unset when the request has no mapped context or the context
	// carries no user.
	if ctx, found := r.requestContextMapper.Get(req); found {
		if caller, found := api.UserFrom(ctx); found {
			record.User = caller
		}
	}

	// NOTE(review): the resolver's error is discarded, so a request it could
	// not resolve is still turned into attributes built from whatever value
	// came back with the error. Confirm the authorizer treats such attributes
	// the way policy intends.
	info, _ := r.requestInfoResolver.GetRequestInfo(req)

	// Attributes common to resource and non-resource requests.
	record.ResourceRequest = info.IsResourceRequest
	record.Path = info.Path
	record.Verb = info.Verb

	// Carries the group when the request was for a resource in an API group.
	record.APIGroup = info.APIGroup

	// The resource can only be extracted when the path follows the
	// conventions of the REST object store.
	record.Resource = info.Resource

	// The namespace is filled in only when the request specifies one. This
	// assumes there is no empty-string namespace; an unspecified namespace
	// stays empty because no defaulting rules are applied here.
	record.Namespace = info.Namespace

	return record
}
// GetAttribs builds the authorizer attributes for req. The user comes from
// the request's mapped context (when there is one) and the verb from the API
// request info resolver. Requests that isAPIResourceRequest accepts also get
// their API group, resource and namespace; every other request is recorded as
// a non-resource path.
func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attributes {
	record := new(authorizer.AttributesRecord)

	// User stays unset when the request has no mapped context or the context
	// carries no user.
	if ctx, found := r.requestContextMapper.Get(req); found {
		if caller, found := api.UserFrom(ctx); found {
			record.User = caller
		}
	}

	// NOTE(review): the resolver's error is discarded, so the verb (and, on
	// the resource branch, the other fields) come from whatever value was
	// returned with the error. Confirm the authorizer treats such attributes
	// the way policy intends.
	info, _ := r.apiRequestInfoResolver.GetAPIRequestInfo(req)
	record.Verb = info.Verb

	// A request that does not fall into an API namespace/resource pattern is
	// a special path: only the raw URL path is recorded for it.
	if !isAPIResourceRequest(r.apiRequestInfoResolver.APIPrefixes, req) {
		record.NonResourcePath = req.URL.Path
		return record
	}

	// Meaningful API information can be resolved for this path.
	record.APIGroup = info.APIGroup

	// The resource can only be extracted when the path follows the
	// conventions of the REST object store.
	record.Resource = info.Resource

	// The namespace is filled in only when the request specifies one. This
	// assumes there is no empty-string namespace; an unspecified namespace
	// stays empty because no defaulting rules are applied here.
	record.Namespace = info.Namespace

	return record
}
// GetAttribs builds the authorizer attributes for req: the user stored in the
// request's mapped context (when there is one) plus every request-info field
// the authorizer record carries (path, verb, API group and version, resource,
// subresource, namespace and name).
func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attributes {
	record := new(authorizer.AttributesRecord)

	// User stays unset when the request has no mapped context or the context
	// carries no user.
	if ctx, found := r.requestContextMapper.Get(req); found {
		if caller, found := api.UserFrom(ctx); found {
			record.User = caller
		}
	}

	// NOTE(review): the resolver's error is discarded, so a request it could
	// not resolve is still turned into attributes built from whatever value
	// came back with the error. Confirm the authorizer treats such attributes
	// the way policy intends.
	info, _ := r.requestInfoResolver.GetRequestInfo(req)

	// Attributes common to resource and non-resource requests.
	record.ResourceRequest = info.IsResourceRequest
	record.Path = info.Path
	record.Verb = info.Verb

	// Resource coordinates, copied straight from the resolved request info.
	record.APIGroup = info.APIGroup
	record.APIVersion = info.APIVersion
	record.Resource = info.Resource
	record.Subresource = info.Subresource
	record.Namespace = info.Namespace
	record.Name = info.Name

	return record
}
// GetAttribs builds the authorizer attributes for req from the request's
// mapped context: the user (when the context carries one) and the
// RequestInfo stored there.
//
// It returns an error when the request has no mapped context or when that
// context holds no RequestInfo.
func (r *requestAttributeGetter) GetAttribs(req *http.Request) (authorizer.Attributes, error) {
	ctx, hasCtx := r.requestContextMapper.Get(req)
	if !hasCtx {
		return nil, errors.New("no context found for request")
	}

	caller, hasUser := api.UserFrom(ctx)

	info, hasInfo := request.RequestInfoFrom(ctx)
	if !hasInfo {
		return nil, errors.New("no RequestInfo found in the context")
	}

	// Common attributes that apply to resource and non-resource requests,
	// followed by the resource coordinates.
	record := &authorizer.AttributesRecord{
		ResourceRequest: info.IsResourceRequest,
		Path:            info.Path,
		Verb:            info.Verb,
		APIGroup:        info.APIGroup,
		APIVersion:      info.APIVersion,
		Resource:        info.Resource,
		Subresource:     info.Subresource,
		Namespace:       info.Namespace,
		Name:            info.Name,
	}

	// A context without a user is not an error here: User is simply left
	// unset. NOTE(review): confirm the authorizer handles an unset User.
	if hasUser {
		record.User = caller
	}

	return record, nil
}
// GetAuthorizerAttributes builds the authorizer attributes from ctx: the user
// (when the context carries one) and the RequestInfo stored there.
//
// It returns an error when ctx holds no RequestInfo.
func GetAuthorizerAttributes(ctx api.Context) (authorizer.Attributes, error) {
	caller, hasUser := api.UserFrom(ctx)

	info, hasInfo := request.RequestInfoFrom(ctx)
	if !hasInfo {
		return nil, errors.New("no RequestInfo found in the context")
	}

	// Common attributes that apply to resource and non-resource requests,
	// followed by the resource coordinates.
	record := &authorizer.AttributesRecord{
		ResourceRequest: info.IsResourceRequest,
		Path:            info.Path,
		Verb:            info.Verb,
		APIGroup:        info.APIGroup,
		APIVersion:      info.APIVersion,
		Resource:        info.Resource,
		Subresource:     info.Subresource,
		Namespace:       info.Namespace,
		Name:            info.Name,
	}

	// A context without a user is not an error here: User is simply left
	// unset. NOTE(review): confirm the authorizer handles an unset User.
	if hasUser {
		record.User = caller
	}

	return record, nil
}