diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
index 76ca4426ae1677ca08a4820bd9e902b91d43e583..323ec1de1a06879e78cf77eaf1fae16a37630964 100644
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -25,6 +25,7 @@ import (
 "kubesphere.io/kubesphere/pkg/apiserver/filters"
 "kubesphere.io/kubesphere/pkg/apiserver/request"
 "kubesphere.io/kubesphere/pkg/informers"
+ configv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/config/v1alpha2"
 iamv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/iam/v1alpha2"
 loggingv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/logging/v1alpha2"
 monitoringv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/monitoring/v1alpha2"
@@ -33,7 +34,6 @@ import (
 operationsv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/operations/v1alpha2"
 resourcesv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/resources/v1alpha2"
 resourcev1alpha3 "kubesphere.io/kubesphere/pkg/kapis/resources/v1alpha3"
- "kubesphere.io/kubesphere/pkg/kapis/serverconfig/v1alpha2"
 servicemeshv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/servicemesh/metrics/v1alpha2"
 terminalv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/terminal/v1alpha2"
 "kubesphere.io/kubesphere/pkg/models/iam/am"
@@ -133,7 +133,7 @@ func (s *APIServer) PrepareRun() error {
 }
 func (s *APIServer) installKubeSphereAPIs() {
- urlruntime.Must(v1alpha2.AddToContainer(s.container, s.Config))
+ urlruntime.Must(configv1alpha2.AddToContainer(s.container, s.Config))
 urlruntime.Must(resourcev1alpha3.AddToContainer(s.container, s.InformerFactory))
 // Need to refactor devops api registration, too much dependencies
 //urlruntime.Must(devopsv1alpha2.AddToContainer(s.container, s.DevopsClient, s.DBClient.Database(), nil, s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory(), s.S3Client))
@@ -181,20 +181,20 @@ func (s *APIServer) buildHandlerChain() {
 }
 handler := s.Server.Handler
- handler = filters.WithKubeAPIServer(handler, s.KubernetesClient.Config(), &errorResponder{})
 handler = filters.WithMultipleClusterDispatcher(handler, dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Tower().V1alpha1().Agents().Lister()))
 excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*"}
 pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
- authorizer := unionauthorizer.New(pathAuthorizer,
- authorizerfactory.NewOPAAuthorizer(am.NewFakeAMOperator()))
- handler = filters.WithAuthorization(handler, authorizer)
+ // union authorizers are ordered, don't change the order here
+ authorizers := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer(am.NewFakeAMOperator()))
+ handler = filters.WithAuthorization(handler, authorizers)
+
+ // authenticators are unordered
 authn := unionauth.New(anonymous.NewAuthenticator(),
 basictoken.New(basic.NewBasicAuthenticator(im.NewFakeOperator())),
- bearertoken.New(jwttoken.NewTokenAuthenticator(
- token.NewJwtTokenIssuer(token.DefaultIssuerName, s.Config.AuthenticationOptions, s.CacheClient))))
+ bearertoken.New(jwttoken.NewTokenAuthenticator(token.NewJwtTokenIssuer(token.DefaultIssuerName, s.Config.AuthenticationOptions, s.CacheClient))))
 handler = filters.WithAuthentication(handler, authn)
 handler = filters.WithRequestInfo(handler, requestInfoResolver)
 s.Server.Handler = handler
diff --git a/pkg/apiserver/authorization/path/path.go b/pkg/apiserver/authorization/path/path.go
index 4df9c41a5f98f7bf2a649f6f882284dba1cda48d..435cca19823aea445c3bfb9ca62a8ed7f6c97ffa 100644
--- a/pkg/apiserver/authorization/path/path.go
+++ b/pkg/apiserver/authorization/path/path.go
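Review bot: The new `authorizers := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer(am.NewFakeAMOperator()))` line places `pathAuthorizer` at the head of an ordered union while the line above still discards the error from `path.NewAuthorizer(excludedPaths)`, so a bad pattern would presumably wire a nil or unusable authorizer in first; the file already uses `urlruntime.Must` for registration errors, so `pathAuthorizer, err := path.NewAuthorizer(excludedPaths)` followed by `urlruntime.Must(err)` keeps that failure loud. The added comment `// union authorizers are ordered, don't change the order here` states the rule without the reason; `// ordered: the path authorizer is consulted first so the excluded paths are allowed before the OPA authorizer is asked` tells a maintainer what the order protects. The same line keeps `am.NewFakeAMOperator()` in the production chain, as the authenticator line keeps `im.NewFakeOperator()`; if these are placeholder implementations, a TODO naming the intended operator would make that visible to anyone auditing the chain. buildHandlerChain starts before the hunk.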
@@ -47,10 +47,6 @@ func NewAuthorizer(alwaysAllowPaths []string) (authorizer.Authorizer, error) {
 }
 return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
- if a.IsResourceRequest() {
- return authorizer.DecisionNoOpinion, "", nil
- }
-
 pth := strings.TrimPrefix(a.GetPath(), "/")
 if paths.Has(pth) {
 return authorizer.DecisionAllow, "", nil
diff --git a/pkg/apiserver/filters/authorization.go b/pkg/apiserver/filters/authorization.go
index fb63f97ba7e9812ad28b220dc2821cd7d594c354..44c9ba4dbd9ae2581569594321f78cba7bf34dc5 100644
--- a/pkg/apiserver/filters/authorization.go
+++ b/pkg/apiserver/filters/authorization.go
@@ -13,23 +13,23 @@ import (
 )
 // WithAuthorization passes all authorized requests on to handler, and returns forbidden error otherwise.
-func WithAuthorization(handler http.Handler, a authorizer.Authorizer) http.Handler {
- if a == nil {
+func WithAuthorization(handler http.Handler, authorizers authorizer.Authorizer) http.Handler {
+ if authorizers == nil {
 klog.Warningf("Authorization is disabled")
 return handler
 }
- serializer := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion()
+ defaultSerializer := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion()
 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 ctx := req.Context()
- attributes, err := GetAuthorizerAttributes(ctx)
+ attributes, err := getAuthorizerAttributes(ctx)
 if err != nil {
 responsewriters.InternalError(w, req, err)
 }
- authorized, reason, err := a.Authorize(attributes)
+ authorized, reason, err := authorizers.Authorize(attributes)
 if authorized == authorizer.DecisionAllow {
 handler.ServeHTTP(w, req)
 return
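Review bot: With the `a.IsResourceRequest()` short-circuit removed, the remaining match on `a.GetPath()` returns `DecisionAllow` for resource requests as well, so every entry in `alwaysAllowPaths` now bypasses authorization for both kinds of request, and nothing in the function records that widening. A comment on the `authorizer.AuthorizerFunc` line such as `// Matched for resource and non-resource requests alike; a match is an unconditional allow, so every entry in alwaysAllowPaths is an authorization bypass.` would document it, and the caller's list (`/oauth/*` and `/kapis/config.kubesphere.io/*` in apiserver.go) deserves the same remark. NewAuthorizer begins before the hunk and the rest of the matching logic follows it.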
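Review bot: The `if err != nil` branch right after the renamed `attributes, err := getAuthorizerAttributes(ctx)` call writes an internal error but does not return, so the request carries on into `authorizers.Authorize(attributes)` with whatever attributes came back alongside the error and, on an allow decision, into `handler.ServeHTTP` after a 500 has already been written; add `return` after `responsewriters.InternalError(w, req, err)`. The gap predates this commit, but a failed attribute extraction is exactly the request that must not reach the handler, and touching this line is the moment to close it. The handler body continues past the hunk.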
@@ -41,11 +41,11 @@ func WithAuthorization(handler http.Handler, a authorizer.Authorizer) http.Handl
 }
 klog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)
- responsewriters.Forbidden(ctx, attributes, w, req, reason, serializer)
+ responsewriters.Forbidden(ctx, attributes, w, req, reason, defaultSerializer)
 })
 }
-func GetAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error) {
+func getAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error) {
 attribs := authorizer.AttributesRecord{}
 user, ok := request.UserFrom(ctx)
diff --git a/pkg/kapis/serverconfig/v1alpha2/register.go b/pkg/kapis/config/v1alpha2/register.go
similarity index 100%
rename from pkg/kapis/serverconfig/v1alpha2/register.go
rename to pkg/kapis/config/v1alpha2/register.go