未验证
提交
570ef8b6
编写于
2月 25, 2020
作者:
H
hongming
提交者:
GitHub
2月 25, 2020
code refactor (#1923)
Signed-off-by:
N
hongming
<
talonwan@yunify.com
>
上级
0664eeb5
Showing
8 changed file
with
98 addition
and
104 deletion
+98
-104
pkg/kapis/iam/v1alpha2/register.go
pkg/kapis/iam/v1alpha2/register.go
+2
-2
pkg/kapis/tenant/v1alpha2/register.go
pkg/kapis/tenant/v1alpha2/register.go
+4
-4
pkg/models/iam/am.go
pkg/models/iam/am.go
+24
-24
pkg/models/iam/policy/policy.go
pkg/models/iam/policy/policy.go
+51
-37
pkg/models/iam/types.go
pkg/models/iam/types.go
+0
-22
pkg/models/iam/utils.go
pkg/models/iam/utils.go
+2
-1
pkg/models/tenant/devops.go
pkg/models/tenant/devops.go
+9
-9
pkg/models/tenant/tenant.go
pkg/models/tenant/tenant.go
+6
-5
pkg/kapis/iam/v1alpha2/register.go
...
...
@@ -126,14 +126,14 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, ldapClient ldapp
To
(
handler
.
ListClusterRoleRules
)
.
Doc
(
"List all policy rules of the specified cluster role."
)
.
Param
(
ws
.
PathParameter
(
"clusterrole"
,
"cluster role name"
))
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
[]
iam
.
SimpleRule
{})
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
[]
policy
.
SimpleRule
{})
.
Metadata
(
restfulspec
.
KeyOpenAPITags
,
[]
string
{
constants
.
AccessManagementTag
}))
ws
.
Route
(
ws
.
GET
(
"/namespaces/{namespace}/roles/{role}/rules"
)
.
To
(
handler
.
ListRoleRules
)
.
Doc
(
"List all policy rules of the specified role in the given namespace."
)
.
Param
(
ws
.
PathParameter
(
"namespace"
,
"kubernetes namespace"
))
.
Param
(
ws
.
PathParameter
(
"role"
,
"role name"
))
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
[]
iam
.
SimpleRule
{})
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
[]
policy
.
SimpleRule
{})
.
Metadata
(
restfulspec
.
KeyOpenAPITags
,
[]
string
{
constants
.
AccessManagementTag
}))
ws
.
Route
(
ws
.
GET
(
"/rulesmapping/clusterroles"
)
.
To
(
handler
.
ClusterRulesMapping
)
.
...
...
pkg/kapis/tenant/v1alpha2/register.go
...
...
@@ -29,7 +29,7 @@ import (
"kubesphere.io/kubesphere/pkg/apiserver/runtime"
"kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/iam"
"kubesphere.io/kubesphere/pkg/models/iam
/policy
"
"kubesphere.io/kubesphere/pkg/server/errors"
"kubesphere.io/kubesphere/pkg/server/params"
"kubesphere.io/kubesphere/pkg/simple/client/k8s"
...
...
@@ -63,19 +63,19 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, db *mysql.Databa
To
(
handler
.
ListWorkspaceRules
)
.
Param
(
ws
.
PathParameter
(
"workspace"
,
"workspace name"
))
.
Doc
(
"List the rules of the specified workspace for the current user"
)
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
iam
.
SimpleRule
{})
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
policy
.
SimpleRule
{})
.
Metadata
(
restfulspec
.
KeyOpenAPITags
,
[]
string
{
constants
.
TenantResourcesTag
}))
ws
.
Route
(
ws
.
GET
(
"/namespaces/{namespace}/rules"
)
.
To
(
handler
.
ListNamespaceRules
)
.
Param
(
ws
.
PathParameter
(
"namespace"
,
"the name of the namespace"
))
.
Doc
(
"List the rules of the specified namespace for the current user"
)
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
iam
.
SimpleRule
{})
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
policy
.
SimpleRule
{})
.
Metadata
(
restfulspec
.
KeyOpenAPITags
,
[]
string
{
constants
.
TenantResourcesTag
}))
ws
.
Route
(
ws
.
GET
(
"/devops/{devops}/rules"
)
.
To
(
handler
.
ListDevopsRules
)
.
Param
(
ws
.
PathParameter
(
"devops"
,
"devops project ID"
))
.
Doc
(
"List the rules of the specified DevOps project for the current user"
)
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
iam
.
SimpleRule
{})
.
Returns
(
http
.
StatusOK
,
api
.
StatusOK
,
policy
.
SimpleRule
{})
.
Metadata
(
restfulspec
.
KeyOpenAPITags
,
[]
string
{
constants
.
TenantResourcesTag
}))
ws
.
Route
(
ws
.
GET
(
"/workspaces/{workspace}/namespaces"
)
.
To
(
handler
.
ListNamespaces
)
.
...
...
pkg/models/iam/am.go
...
...
@@ -51,12 +51,12 @@ type AccessManagementInterface interface {
ListRoles
(
namespace
string
,
conditions
*
params
.
Conditions
,
orderBy
string
,
reverse
bool
,
limit
int
,
offset
int
)
(
*
models
.
PageableResponse
,
error
)
ListClusterRoles
(
conditions
*
params
.
Conditions
,
orderBy
string
,
reverse
bool
,
limit
int
,
offset
int
)
(
*
models
.
PageableResponse
,
error
)
ListClusterRoleBindings
(
clusterRole
string
)
([]
*
rbacv1
.
ClusterRoleBinding
,
error
)
GetClusterRoleSimpleRules
(
clusterRole
string
)
([]
SimpleRule
,
error
)
GetRoleSimpleRules
(
namespace
string
,
role
string
)
([]
SimpleRule
,
error
)
GetClusterRoleSimpleRules
(
clusterRole
string
)
([]
policy
.
SimpleRule
,
error
)
GetRoleSimpleRules
(
namespace
string
,
role
string
)
([]
policy
.
SimpleRule
,
error
)
GetRoles
(
namespace
,
username
string
)
([]
*
rbacv1
.
Role
,
error
)
GetClusterPolicyRules
(
username
string
)
([]
rbacv1
.
PolicyRule
,
error
)
GetPolicyRules
(
namespace
,
username
string
)
([]
rbacv1
.
PolicyRule
,
error
)
GetWorkspaceRoleSimpleRules
(
workspace
,
roleName
string
)
[]
SimpleRule
GetWorkspaceRoleSimpleRules
(
workspace
,
roleName
string
)
[]
policy
.
SimpleRule
GetWorkspaceRole
(
workspace
,
username
string
)
(
*
rbacv1
.
ClusterRole
,
error
)
GetWorkspaceRoleMap
(
username
string
)
(
map
[
string
]
string
,
error
)
}
...
...
@@ -97,12 +97,12 @@ func NewAMOperator(informers informers.SharedInformerFactory) *amOperator {
return
&
amOperator
{
informers
:
informers
,
resources
:
resourceGetter
}
}
func
(
am
*
amOperator
)
GetDevopsRoleSimpleRules
(
role
string
)
[]
SimpleRule
{
var
rules
[]
SimpleRule
func
(
am
*
amOperator
)
GetDevopsRoleSimpleRules
(
role
string
)
[]
policy
.
SimpleRule
{
var
rules
[]
policy
.
SimpleRule
switch
role
{
case
"developer"
:
rules
=
[]
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"view"
,
"trigger"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -110,7 +110,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
}
break
case
"owner"
:
rules
=
[]
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"create"
,
"edit"
,
"view"
,
"delete"
,
"trigger"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"create"
,
"edit"
,
"view"
,
"delete"
}},
...
...
@@ -119,7 +119,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
}
break
case
"maintainer"
:
rules
=
[]
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"create"
,
"edit"
,
"view"
,
"delete"
,
"trigger"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -130,7 +130,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
case
"reporter"
:
fallthrough
default
:
rules
=
[]
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -412,13 +412,13 @@ func (am *amOperator) ListClusterRoles(conditions *params.Conditions, orderBy st
return
am
.
resources
.
ListResources
(
""
,
v1alpha2
.
ClusterRoles
,
conditions
,
orderBy
,
reverse
,
limit
,
offset
)
}
func
(
am
*
amOperator
)
GetWorkspaceRoleSimpleRules
(
workspace
,
roleName
string
)
[]
SimpleRule
{
func
(
am
*
amOperator
)
GetWorkspaceRoleSimpleRules
(
workspace
,
roleName
string
)
[]
policy
.
SimpleRule
{
workspaceRules
:=
make
([]
SimpleRule
,
0
)
workspaceRules
:=
make
([]
policy
.
SimpleRule
,
0
)
switch
roleName
{
case
constants
.
WorkspaceAdmin
:
workspaceRules
=
[]
SimpleRule
{
workspaceRules
=
[]
policy
.
SimpleRule
{
{
Name
:
"workspaces"
,
Actions
:
[]
string
{
"edit"
,
"delete"
,
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"edit"
,
"delete"
,
"create"
,
"view"
}},
{
Name
:
"devops"
,
Actions
:
[]
string
{
"edit"
,
"delete"
,
"create"
,
"view"
}},
...
...
@@ -428,7 +428,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
{
Name
:
"repos"
,
Actions
:
[]
string
{
"view"
,
"manage"
}},
}
case
constants
.
WorkspaceRegular
:
workspaceRules
=
[]
SimpleRule
{
workspaceRules
=
[]
policy
.
SimpleRule
{
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"devops"
,
Actions
:
[]
string
{
"view"
,
"create"
}},
{
Name
:
"projects"
,
Actions
:
[]
string
{
"view"
,
"create"
}},
...
...
@@ -436,7 +436,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
{
Name
:
"repos"
,
Actions
:
[]
string
{
"view"
}},
}
case
constants
.
WorkspaceViewer
:
workspaceRules
=
[]
SimpleRule
{
workspaceRules
=
[]
policy
.
SimpleRule
{
{
Name
:
"workspaces"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"devops"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -446,7 +446,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
{
Name
:
"repos"
,
Actions
:
[]
string
{
"view"
}},
}
case
constants
.
WorkspacesManager
:
workspaceRules
=
[]
SimpleRule
{
workspaceRules
=
[]
policy
.
SimpleRule
{
{
Name
:
"workspaces"
,
Actions
:
[]
string
{
"edit"
,
"delete"
,
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"edit"
,
"delete"
,
"create"
,
"view"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -457,7 +457,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
}
// Convert cluster role to rules
func
(
am
*
amOperator
)
GetClusterRoleSimpleRules
(
clusterRoleName
string
)
([]
SimpleRule
,
error
)
{
func
(
am
*
amOperator
)
GetClusterRoleSimpleRules
(
clusterRoleName
string
)
([]
policy
.
SimpleRule
,
error
)
{
clusterRoleLister
:=
am
.
informers
.
Rbac
()
.
V1
()
.
ClusterRoles
()
.
Lister
()
clusterRole
,
err
:=
clusterRoleLister
.
Get
(
clusterRoleName
)
...
...
@@ -470,7 +470,7 @@ func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]Simpl
return
getClusterSimpleRule
(
clusterRole
.
Rules
),
nil
}
func
(
am
*
amOperator
)
GetUserClusterSimpleRules
(
username
string
)
([]
SimpleRule
,
error
)
{
func
(
am
*
amOperator
)
GetUserClusterSimpleRules
(
username
string
)
([]
policy
.
SimpleRule
,
error
)
{
clusterRules
,
err
:=
am
.
GetUserClusterRules
(
username
)
if
err
!=
nil
{
return
nil
,
err
...
...
@@ -479,7 +479,7 @@ func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule,
}
// Convert roles to rules
func
(
am
*
amOperator
)
GetRoleSimpleRules
(
namespace
string
,
roleName
string
)
([]
SimpleRule
,
error
)
{
func
(
am
*
amOperator
)
GetRoleSimpleRules
(
namespace
string
,
roleName
string
)
([]
policy
.
SimpleRule
,
error
)
{
roleLister
:=
am
.
informers
.
Rbac
()
.
V1
()
.
Roles
()
.
Lister
()
role
,
err
:=
roleLister
.
Roles
(
namespace
)
.
Get
(
roleName
)
...
...
@@ -492,8 +492,8 @@ func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]S
return
ConvertToSimpleRule
(
role
.
Rules
),
nil
}
func
getClusterSimpleRule
(
policyRules
[]
rbacv1
.
PolicyRule
)
[]
SimpleRule
{
rules
:=
make
([]
SimpleRule
,
0
)
func
getClusterSimpleRule
(
policyRules
[]
rbacv1
.
PolicyRule
)
[]
policy
.
SimpleRule
{
rules
:=
make
([]
policy
.
SimpleRule
,
0
)
for
i
:=
0
;
i
<
len
(
policy
.
ClusterRoleRuleMapping
);
i
++
{
validActions
:=
make
([]
string
,
0
)
...
...
@@ -503,17 +503,17 @@ func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
}
}
if
len
(
validActions
)
>
0
{
rules
=
append
(
rules
,
SimpleRule
{
Name
:
policy
.
ClusterRoleRuleMapping
[
i
]
.
Name
,
Actions
:
validActions
})
rules
=
append
(
rules
,
policy
.
SimpleRule
{
Name
:
policy
.
ClusterRoleRuleMapping
[
i
]
.
Name
,
Actions
:
validActions
})
}
}
return
rules
}
func
ConvertToSimpleRule
(
policyRules
[]
rbacv1
.
PolicyRule
)
[]
SimpleRule
{
simpleRules
:=
make
([]
SimpleRule
,
0
)
func
ConvertToSimpleRule
(
policyRules
[]
rbacv1
.
PolicyRule
)
[]
policy
.
SimpleRule
{
simpleRules
:=
make
([]
policy
.
SimpleRule
,
0
)
for
i
:=
0
;
i
<
len
(
policy
.
RoleRuleMapping
);
i
++
{
rule
:=
SimpleRule
{
Name
:
policy
.
RoleRuleMapping
[
i
]
.
Name
}
rule
:=
policy
.
SimpleRule
{
Name
:
policy
.
RoleRuleMapping
[
i
]
.
Name
}
rule
.
Actions
=
make
([]
string
,
0
)
for
j
:=
0
;
j
<
len
(
policy
.
RoleRuleMapping
[
i
]
.
Actions
);
j
++
{
if
rulesMatchesAction
(
policyRules
,
policy
.
RoleRuleMapping
[
i
]
.
Actions
[
j
])
{
...
...
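Review bot: GetDevopsRoleSimpleRules in the hunk at @@ -97 keeps a hand-maintained role-to-rules table that is repeated token for token by the package-level GetDevopsRoleSimpleRules in pkg/models/tenant/devops.go (also touched by this commit), so the refactor leaves two copies of the same mapping to drift apart. One copy should delegate to the other — for example tenant's free function calling the am operator, if that method is part of AccessManagementInterface (the interface hunk at @@ -51 does not show it, so this is inferred) — or the table should live next to the other mappings in pkg/models/iam/policy, which this commit already makes the home of SimpleRule. Both functions are only partly visible; their bodies continue outside the hunks.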
pkg/models/iam/policy/policy.go
...
...
@@ -21,21 +21,20 @@ package policy
import
(
"encoding/json"
"io/ioutil"
"kubesphere.io/kubesphere/pkg/models/iam"
"k8s.io/api/rbac/v1"
)
const
(
rulesConfigPath
=
iam
.
ConfigPath
+
"/rules.json"
clusterRulesConfigPath
=
iam
.
ConfigPath
+
"/clusterrules.json"
configPath
=
"/etc/kubesphere/iam"
rulesConfigPath
=
configPath
+
"/rules.json"
clusterRulesConfigPath
=
configPath
+
"/clusterrules.json"
)
func
init
()
{
rulesConfig
,
err
:=
ioutil
.
ReadFile
(
rulesConfigPath
)
if
err
==
nil
{
config
:=
&
[]
iam
.
Rule
{}
config
:=
&
[]
Rule
{}
json
.
Unmarshal
(
rulesConfig
,
config
)
if
len
(
*
config
)
>
0
{
RoleRuleMapping
=
*
config
...
...
@@ -45,7 +44,7 @@ func init() {
clusterRulesConfig
,
err
:=
ioutil
.
ReadFile
(
clusterRulesConfigPath
)
if
err
==
nil
{
config
:=
&
[]
iam
.
Rule
{}
config
:=
&
[]
Rule
{}
json
.
Unmarshal
(
clusterRulesConfig
,
config
)
if
len
(
*
config
)
>
0
{
ClusterRoleRuleMapping
=
*
config
...
...
@@ -54,9 +53,9 @@ func init() {
}
var
(
ClusterRoleRuleMapping
=
[]
iam
.
Rule
{
ClusterRoleRuleMapping
=
[]
Rule
{
{
Name
:
"workspaces"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"manage"
,
Rules
:
[]
v1
.
PolicyRule
{
...
...
@@ -71,7 +70,7 @@ var (
},
{
Name
:
"monitoring"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -87,7 +86,7 @@ var (
},
{
Name
:
"alerting"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -113,7 +112,7 @@ var (
},
{
Name
:
"logging"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -125,7 +124,7 @@ var (
},
{
Name
:
"accounts"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -192,7 +191,7 @@ var (
},
},
{
Name
:
"roles"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -238,7 +237,7 @@ var (
},
},
{
Name
:
"storageclasses"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -282,7 +281,7 @@ var (
},
},
{
Name
:
"nodes"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -313,7 +312,7 @@ var (
},
},
{
Name
:
"repos"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -353,7 +352,7 @@ var (
},
},
{
Name
:
"apps"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -366,7 +365,7 @@ var (
},
},
{
Name
:
"components"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -379,9 +378,9 @@ var (
},
}}
RoleRuleMapping
=
[]
iam
.
Rule
{{
RoleRuleMapping
=
[]
Rule
{{
Name
:
"projects"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -418,7 +417,7 @@ var (
},
{
Name
:
"monitoring"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -435,7 +434,7 @@ var (
{
Name
:
"alerting"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -461,7 +460,7 @@ var (
},
{
Name
:
"members"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -507,7 +506,7 @@ var (
},
{
Name
:
"roles"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -548,7 +547,7 @@ var (
},
{
Name
:
"deployments"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -604,7 +603,7 @@ var (
},
},
{
Name
:
"statefulsets"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -658,7 +657,7 @@ var (
},
},
{
Name
:
"daemonsets"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -703,7 +702,7 @@ var (
},
},
{
Name
:
"pods"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"terminal"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -735,7 +734,7 @@ var (
},
{
Name
:
"services"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -777,7 +776,7 @@ var (
},
{
Name
:
"internet"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -819,7 +818,7 @@ var (
{
Name
:
"routes"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -859,7 +858,7 @@ var (
},
},
{
Name
:
"volumes"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -899,7 +898,7 @@ var (
},
},
{
Name
:
"applications"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
...
...
@@ -953,7 +952,7 @@ var (
},
{
Name
:
"jobs"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -986,7 +985,7 @@ var (
},
{
Name
:
"cronjobs"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -1019,7 +1018,7 @@ var (
},
{
Name
:
"secrets"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -1052,7 +1051,7 @@ var (
},
{
Name
:
"configmaps"
,
Actions
:
[]
iam
.
Action
{
Actions
:
[]
Action
{
{
Name
:
"view"
,
Rules
:
[]
v1
.
PolicyRule
{
{
Verbs
:
[]
string
{
"get"
,
"list"
},
...
...
@@ -1085,3 +1084,18 @@ var (
},
}
)
type
Action
struct
{
Name
string
`json:"name"`
Rules
[]
v1
.
PolicyRule
`json:"rules"`
}
type
Rule
struct
{
Name
string
`json:"name"`
Actions
[]
Action
`json:"actions"`
}
type
SimpleRule
struct
{
Name
string
`json:"name" description:"rule name"`
Actions
[]
string
`json:"actions" description:"actions"`
}
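Review bot: The `json.Unmarshal(rulesConfig, config)` call in `init()` (hunk at @@ -21) discards its error, and the clusterrules block at @@ -45 does the same; on a type mismatch in the file, encoding/json still fills the elements it could decode and returns an UnmarshalTypeError, so a partly decoded slice with `len(*config) > 0` would replace the compiled-in RoleRuleMapping. Gating the override on the decode result keeps the defaults in that case: `if err := json.Unmarshal(rulesConfig, config); err == nil && len(*config) > 0 {`, and the same line for ClusterRoleRuleMapping. A read error is already treated as "no override file", so handling the decode error the same way (or logging it) stays within the existing best-effort design. Both hunk bodies continue outside the visible lines.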
pkg/models/iam/types.go
...
...
@@ -19,12 +19,10 @@
package
iam
import
(
"k8s.io/api/rbac/v1"
"time"
)
const
(
ConfigPath
=
"/etc/kubesphere/iam"
KindTokenReview
=
"TokenReview"
)
...
...
@@ -37,23 +35,3 @@ type User struct {
Groups
[]
string
`json:"groups,omitempty"`
Password
string
`json:"password,omitempty"`
}
type
Action
struct
{
Name
string
`json:"name"`
Rules
[]
v1
.
PolicyRule
`json:"rules"`
}
type
Rule
struct
{
Name
string
`json:"name"`
Actions
[]
Action
`json:"actions"`
}
type
SimpleRule
struct
{
Name
string
`json:"name" description:"rule name"`
Actions
[]
string
`json:"actions" description:"actions"`
}
type
RoleList
struct
{
ClusterRoles
[]
*
v1
.
ClusterRole
`json:"clusterRole" description:"cluster role list"`
Roles
[]
*
v1
.
Role
`json:"roles" description:"role list"`
}
pkg/models/iam/utils.go
...
...
@@ -20,6 +20,7 @@ package iam
import
(
rbacv1
"k8s.io/api/rbac/v1"
"kubesphere.io/kubesphere/pkg/models/iam/policy"
"strings"
)
...
...
@@ -32,7 +33,7 @@ func RulesMatchesRequired(rules []rbacv1.PolicyRule, required rbacv1.PolicyRule)
return
false
}
func
rulesMatchesAction
(
rules
[]
rbacv1
.
PolicyRule
,
action
Action
)
bool
{
func
rulesMatchesAction
(
rules
[]
rbacv1
.
PolicyRule
,
action
policy
.
Action
)
bool
{
for
_
,
required
:=
range
action
.
Rules
{
if
!
RulesMatchesRequired
(
rules
,
required
)
{
...
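Review bot: The import added at @@ -20 reverses the dependency between these two packages — policy.go in this same commit drops its import of pkg/models/iam — so iam now depends on policy and any later reference from policy back to iam becomes an import cycle. A short comment above the new import, `// iam depends on policy; policy must not import iam (import cycle)`, would record that constraint where the next maintainer will see it. rulesMatchesAction at @@ -32 would also benefit from a doc line such as `// rulesMatchesAction reports whether rules satisfy every PolicyRule listed in action.Rules.`; its body continues outside the hunk, so the exact return conditions are inferred.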
...
pkg/models/tenant/devops.go
...
...
@@ -26,7 +26,7 @@ import (
"kubesphere.io/kubesphere/pkg/db"
"kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/devops"
"kubesphere.io/kubesphere/pkg/models/iam"
"kubesphere.io/kubesphere/pkg/models/iam
/policy
"
"kubesphere.io/kubesphere/pkg/server/params"
dsClient
"kubesphere.io/kubesphere/pkg/simple/client/devops"
"kubesphere.io/kubesphere/pkg/simple/client/mysql"
...
...
@@ -38,7 +38,7 @@ type DevOpsProjectOperator interface {
CreateDevOpsProject
(
username
string
,
workspace
string
,
req
*
v1alpha2
.
DevOpsProject
)
(
*
v1alpha2
.
DevOpsProject
,
error
)
GetDevOpsProjectsCount
(
username
string
)
(
uint32
,
error
)
DeleteDevOpsProject
(
projectId
,
username
string
)
error
GetUserDevOpsSimpleRules
(
username
,
projectId
string
)
([]
iam
.
SimpleRule
,
error
)
GetUserDevOpsSimpleRules
(
username
,
projectId
string
)
([]
policy
.
SimpleRule
,
error
)
}
type
devopsProjectOperator
struct
{
...
...
@@ -208,7 +208,7 @@ func (o *devopsProjectOperator) CreateDevOpsProject(username string, workspace s
return
project
,
nil
}
func
(
o
*
devopsProjectOperator
)
GetUserDevOpsSimpleRules
(
username
,
projectId
string
)
([]
iam
.
SimpleRule
,
error
)
{
func
(
o
*
devopsProjectOperator
)
GetUserDevOpsSimpleRules
(
username
,
projectId
string
)
([]
policy
.
SimpleRule
,
error
)
{
role
,
err
:=
o
.
getProjectUserRole
(
username
,
projectId
)
if
err
!=
nil
{
...
...
@@ -236,12 +236,12 @@ func (o *devopsProjectOperator) getProjectUserRole(username, projectId string) (
return
membership
.
Role
,
nil
}
func
GetDevopsRoleSimpleRules
(
role
string
)
[]
iam
.
SimpleRule
{
var
rules
[]
iam
.
SimpleRule
func
GetDevopsRoleSimpleRules
(
role
string
)
[]
policy
.
SimpleRule
{
var
rules
[]
policy
.
SimpleRule
switch
role
{
case
"developer"
:
rules
=
[]
iam
.
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"view"
,
"trigger"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -249,7 +249,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
}
break
case
"owner"
:
rules
=
[]
iam
.
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"create"
,
"edit"
,
"view"
,
"delete"
,
"trigger"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"create"
,
"edit"
,
"view"
,
"delete"
}},
...
...
@@ -258,7 +258,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
}
break
case
"maintainer"
:
rules
=
[]
iam
.
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"create"
,
"edit"
,
"view"
,
"delete"
,
"trigger"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
...
...
@@ -269,7 +269,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
case
"reporter"
:
fallthrough
default
:
rules
=
[]
iam
.
SimpleRule
{
rules
=
[]
policy
.
SimpleRule
{
{
Name
:
"pipelines"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"roles"
,
Actions
:
[]
string
{
"view"
}},
{
Name
:
"members"
,
Actions
:
[]
string
{
"view"
}},
...
...
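Review bot: In the hunk at @@ -269 the `default` arm of the role switch still falls through from `case "reporter"`, so an unrecognized or empty role string returned by getProjectUserRole is reported with the reporter rule set rather than with no rules; the same shape is in pkg/models/iam/am.go at @@ -130. If that fallback is intended, a comment on the `default:` line such as `// unknown roles are reported as reporter (view-only)` would make it deliberate; otherwise `default:` should leave `rules` nil and `case "reporter":` should carry its own assignment. The function's tail is outside the hunk.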
pkg/models/tenant/tenant.go
...
...
@@ -29,6 +29,7 @@ import (
"kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/iam"
"kubesphere.io/kubesphere/pkg/models/iam/policy"
"kubesphere.io/kubesphere/pkg/server/params"
"kubesphere.io/kubesphere/pkg/simple/client/mysql"
"strconv"
...
...
@@ -41,8 +42,8 @@ type Interface interface {
ListWorkspaces
(
username
string
,
conditions
*
params
.
Conditions
,
orderBy
string
,
reverse
bool
,
limit
,
offset
int
)
(
*
models
.
PageableResponse
,
error
)
ListNamespaces
(
username
string
,
conditions
*
params
.
Conditions
,
orderBy
string
,
reverse
bool
,
limit
,
offset
int
)
(
*
models
.
PageableResponse
,
error
)
ListDevopsProjects
(
username
string
,
conditions
*
params
.
Conditions
,
orderBy
string
,
reverse
bool
,
limit
int
,
offset
int
)
(
*
models
.
PageableResponse
,
error
)
GetWorkspaceSimpleRules
(
workspace
,
username
string
)
([]
iam
.
SimpleRule
,
error
)
GetNamespaceSimpleRules
(
namespace
,
username
string
)
([]
iam
.
SimpleRule
,
error
)
GetWorkspaceSimpleRules
(
workspace
,
username
string
)
([]
policy
.
SimpleRule
,
error
)
GetNamespaceSimpleRules
(
namespace
,
username
string
)
([]
policy
.
SimpleRule
,
error
)
CountDevOpsProjects
(
username
string
)
(
uint32
,
error
)
DeleteDevOpsProject
(
username
,
projectId
string
)
error
GetUserDevopsSimpleRules
(
username
string
,
devops
string
)
(
interface
{},
error
)
...
...
@@ -122,7 +123,7 @@ func (t *tenantOperator) ListWorkspaces(username string, conditions *params.Cond
return
&
models
.
PageableResponse
{
Items
:
result
,
TotalCount
:
len
(
workspaces
)},
nil
}
func
(
t
*
tenantOperator
)
GetWorkspaceSimpleRules
(
workspace
,
username
string
)
([]
iam
.
SimpleRule
,
error
)
{
func
(
t
*
tenantOperator
)
GetWorkspaceSimpleRules
(
workspace
,
username
string
)
([]
policy
.
SimpleRule
,
error
)
{
clusterRules
,
err
:=
t
.
am
.
GetClusterPolicyRules
(
username
)
if
err
!=
nil
{
return
nil
,
err
...
...
@@ -150,7 +151,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
if
err
!=
nil
{
if
apierrors
.
IsNotFound
(
err
)
{
return
[]
iam
.
SimpleRule
{},
nil
return
[]
policy
.
SimpleRule
{},
nil
}
klog
.
Error
(
err
)
...
...
@@ -160,7 +161,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
return
t
.
am
.
GetWorkspaceRoleSimpleRules
(
workspace
,
workspaceRole
.
Annotations
[
constants
.
DisplayNameAnnotationKey
]),
nil
}
func
(
t
*
tenantOperator
)
GetNamespaceSimpleRules
(
namespace
,
username
string
)
([]
iam
.
SimpleRule
,
error
)
{
func
(
t
*
tenantOperator
)
GetNamespaceSimpleRules
(
namespace
,
username
string
)
([]
policy
.
SimpleRule
,
error
)
{
clusterRules
,
err
:=
t
.
am
.
GetClusterPolicyRules
(
username
)
if
err
!=
nil
{
return
nil
,
err
...
...
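Review bot: In the Interface hunk at @@ -41, `GetUserDevopsSimpleRules(username string, devops string) (interface{}, error)` still returns `interface{}` while its two neighbours are changed to `[]policy.SimpleRule`, so callers of the devops variant get no static type and the refactor stops one method short. If the implementation wraps devopsProjectOperator.GetUserDevOpsSimpleRules (which this commit already types as `[]policy.SimpleRule`; the implementation is not visible here), the signature can become `GetUserDevopsSimpleRules(username string, devops string) ([]policy.SimpleRule, error)`. The interface body continues outside the hunk.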