func (p RESTStorageProvider) storage(version schema.GroupVersion, apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage { once := new(sync.Once) var ( authorizationRuleResolver rbacregistryvalidation.AuthorizationRuleResolver rolesStorage rest.StandardStorage roleBindingsStorage rest.StandardStorage clusterRolesStorage rest.StandardStorage clusterRoleBindingsStorage rest.StandardStorage ) initializeStorage := func() { once.Do(func() { rolesStorage = rolestore.NewREST(restOptionsGetter) roleBindingsStorage = rolebindingstore.NewREST(restOptionsGetter) clusterRolesStorage = clusterrolestore.NewREST(restOptionsGetter) clusterRoleBindingsStorage = clusterrolebindingstore.NewREST(restOptionsGetter) authorizationRuleResolver = rbacregistryvalidation.NewDefaultRuleResolver( role.AuthorizerAdapter{Registry: role.NewRegistry(rolesStorage)}, rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(roleBindingsStorage)}, clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterRolesStorage)}, clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterRoleBindingsStorage)}, ) }) } storage := map[string]rest.Storage{} if apiResourceConfigSource.ResourceEnabled(version.WithResource("roles")) { initializeStorage() storage["roles"] = rolepolicybased.NewStorage(rolesStorage, authorizationRuleResolver) } if apiResourceConfigSource.ResourceEnabled(version.WithResource("rolebindings")) { initializeStorage() storage["rolebindings"] = rolebindingpolicybased.NewStorage(roleBindingsStorage, p.Authorizer, authorizationRuleResolver) } if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterroles")) { initializeStorage() storage["clusterroles"] = clusterrolepolicybased.NewStorage(clusterRolesStorage, authorizationRuleResolver) } if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterrolebindings")) { initializeStorage() storage["clusterrolebindings"] = clusterrolebindingpolicybased.NewStorage(clusterRoleBindingsStorage, p.Authorizer, authorizationRuleResolver) } return storage }
func newRBACAuthorizer(config *master.Config) authorizer.Authorizer { optsGetter := &testRESTOptionsGetter{config} roleRegistry := role.AuthorizerAdapter{Registry: role.NewRegistry(rolestore.NewREST(optsGetter))} roleBindingRegistry := rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(rolebindingstore.NewREST(optsGetter))} clusterRoleRegistry := clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterrolestore.NewREST(optsGetter))} clusterRoleBindingRegistry := clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterrolebindingstore.NewREST(optsGetter))} return rbac.New(roleRegistry, roleBindingRegistry, clusterRoleRegistry, clusterRoleBindingRegistry) }