// cacheKey derives a deterministic string key for caching an authorization
// decision made for the request described by a and the caller found in ctx.
//
// The key covers the verb, API version/group, resource, resource name, the
// non-resource-URL flag and URL, plus the namespace and the user name and
// groups when the context carries them. Two requests that agree on all of
// these share one cached decision, so anything the authorizer consults that
// is NOT in this list must never change the outcome.
// NOTE(review): if the user type also carries authorization-relevant data
// beyond name and groups (e.g. scopes/extra), it is not part of the key and
// a decision for one caller would be reused for another — confirm against
// the authorizer this cache fronts.
//
// Requests that carry opaque request attributes are refused (an error is
// returned) rather than keyed without them, since ignoring them could let a
// cached decision apply to a request the authorizer has not actually seen.
//
// Returns the JSON encoding of the collected fields; encoding/json sorts map
// keys, so the result is stable for equal inputs. Group order is not
// normalised, so the same groups in a different order yield a different key
// (a cache miss, not a wrong decision).
func cacheKey(ctx kapi.Context, a authorizer.AuthorizationAttributes) (string, error) {
	// TODO: see if we can serialize this?
	if a.GetRequestAttributes() != nil {
		return "", errors.New("cannot cache request attributes")
	}

	fields := make(map[string]interface{}, 10)
	fields["verb"] = a.GetVerb()
	fields["apiVersion"] = a.GetAPIVersion()
	fields["apiGroup"] = a.GetAPIGroup()
	fields["resource"] = a.GetResource()
	fields["resourceName"] = a.GetResourceName()
	fields["nonResourceURL"] = a.IsNonResourceURL()
	fields["url"] = a.GetURL()

	if ns, found := kapi.NamespaceFrom(ctx); found {
		fields["namespace"] = ns
	}
	if u, found := kapi.UserFrom(ctx); found {
		fields["user"] = u.GetName()
		fields["groups"] = u.GetGroups()
	}

	encoded, err := json.Marshal(fields)
	if err != nil {
		return "", err
	}
	return string(encoded), nil
}
// getAction converts the in-process authorizer attributes into the
// authzapi.AuthorizationAttributes shape used for a remote authorization
// check, scoped to namespace.
//
// Only the namespace, verb, resource and resource name are carried over.
// Everything else the local attributes describe is dropped, so the remote
// side decides on a strictly coarser view of the request than the local
// authorizer sees:
//
//	authorizer.AuthorizationAttributes lacks: Content
//	authzapi.AuthorizationAttributes lacks:   APIVersion, APIGroup,
//	    RequestAttributes (unserializable?), IsNonResourceURL,
//	    URL (doesn't make sense for remote authz?)
//
// NOTE(review): because IsNonResourceURL and URL are not forwarded, a
// non-resource request presumably reaches the remote check looking like a
// resource request — verify that the remote policy treats that safely.
func getAction(namespace string, attributes authorizer.AuthorizationAttributes) authzapi.AuthorizationAttributes {
	action := authzapi.AuthorizationAttributes{Namespace: namespace}
	action.Verb = attributes.GetVerb()
	action.Resource = attributes.GetResource()
	action.ResourceName = attributes.GetResourceName()
	return action
}
// Authorize implements a canned impersonation policy. Given the fixed user
// names and the "works on my machine" error it appears to be a test fixture
// rather than production policy.
//
// Decision order:
//   - no user in ctx                      -> denied, reason "missing user"
//   - user "system:admin"                 -> allowed
//   - user "tester"                       -> denied with an error
//   - user "deny-me"                      -> denied, reason "denied"
//   - verb "impersonate" and the user has EXACTLY one group, which maps to
//     the requested resource:
//       "wheel"                -> "systemusers"
//       "sa-impersonater"      -> "serviceaccounts"
//       "regular-impersonater" -> "users"
//                                         -> allowed
//   - anything else                       -> denied, reason "deny by default"
//
// Note that the group rule is deliberately strict: a user carrying any
// additional group is denied even if one of their groups would otherwise
// qualify.
func (impersonateAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
	user, found := kapi.UserFrom(ctx)
	if !found {
		return false, "missing user", nil
	}

	switch user.GetName() {
	case "system:admin":
		return true, "", nil
	case "tester":
		return false, "", fmt.Errorf("works on my machine")
	case "deny-me":
		return false, "denied", nil
	}

	// Which resource each single-group user may impersonate.
	resourceForGroup := map[string]string{
		"wheel":                "systemusers",
		"sa-impersonater":      "serviceaccounts",
		"regular-impersonater": "users",
	}
	groups := user.GetGroups()
	if len(groups) == 1 && a.GetVerb() == "impersonate" {
		if want, known := resourceForGroup[groups[0]]; known && want == a.GetResource() {
			return true, "", nil
		}
	}

	return false, "deny by default", nil
}