Merge pull request #2629 from wansir/authorizer

Reorder request filters

pkg/apiserver/apiserver.go

@@ -41,7 +41,6 @@ import (
 	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory"
 	authorizationoptions "kubesphere.io/kubesphere/pkg/apiserver/authorization/options"
 	"kubesphere.io/kubesphere/pkg/apiserver/authorization/path"
-	"kubesphere.io/kubesphere/pkg/apiserver/authorization/proxy"
 	unionauthorizer "kubesphere.io/kubesphere/pkg/apiserver/authorization/union"
 	apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
 	"kubesphere.io/kubesphere/pkg/apiserver/dispatch"
@@ -265,12 +264,6 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
 				s.Config.AuditingOptions.WebhookUrl, stopCh))
 	}
 
-	if s.Config.MultiClusterOptions.Enable {
-		clusterDispatcher := dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters(),
-			s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters().Lister())
-		handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher)
-	}
-
 	var authorizers authorizer.Authorizer
 
 	switch s.Config.AuthorizationOptions.Mode {
@@ -284,10 +277,15 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
 		excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*", "/kapis/version"}
 		pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
 		amOperator := am.NewReadOnlyOperator(s.InformerFactory)
-		authorizers = unionauthorizer.New(pathAuthorizer, proxy.NewAuthorizer(s.Config.MultiClusterOptions.Enable), authorizerfactory.NewRBACAuthorizer(amOperator))
+		authorizers = unionauthorizer.New(pathAuthorizer, authorizerfactory.NewRBACAuthorizer(amOperator))
 	}
 
 	handler = filters.WithAuthorization(handler, authorizers)
+	if s.Config.MultiClusterOptions.Enable {
+		clusterDispatcher := dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters(),
+			s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters().Lister())
+		handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher)
+	}
 
 	loginRecorder := im.NewLoginRecorder(s.KubernetesClient.KubeSphere())
 	// authenticators are unordered

pkg/apiserver/authorization/proxy/doc.go

-/*
-Copyright 2020 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy

pkg/apiserver/authorization/proxy/proxy.go

-/*
-Copyright 2020 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
-	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
-)
-
-// NewAuthorizer returns an authorizer which accepts cluster proxy request.
-// If multi-cluster mode is enabled, request should authorize by target apiserver.
-func NewAuthorizer(multiClusterEnabled bool) authorizer.Authorizer {
-	return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
-		// in multi cluster mode, the request will be dispatch.
-		if multiClusterEnabled && a.GetCluster() != "" {
-			return authorizer.DecisionAllow, "", nil
-		}
-		return authorizer.DecisionNoOpinion, "", nil
-	})
-}

pkg/apiserver/authorization/proxy/proxy_test.go

-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
-	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
-	"testing"
-)
-
-func TestNewAuthorizer(t *testing.T) {
-	tests := []struct {
-		multiClusterEnabled bool
-		request             authorizer.AttributesRecord
-		expectResult        authorizer.Decision
-	}{
-		{
-			multiClusterEnabled: false,
-			request: authorizer.AttributesRecord{
-				Workspace:         "ws",
-				Namespace:         "ns",
-				KubernetesRequest: false,
-				ResourceRequest:   false,
-			},
-			expectResult: authorizer.DecisionNoOpinion,
-		},
-		{
-			multiClusterEnabled: false,
-			request: authorizer.AttributesRecord{
-				Cluster:           "cluster1",
-				Workspace:         "ws",
-				Namespace:         "ns",
-				KubernetesRequest: false,
-				ResourceRequest:   false,
-			},
-			expectResult: authorizer.DecisionNoOpinion,
-		},
-		{
-			multiClusterEnabled: true,
-			request: authorizer.AttributesRecord{
-				Cluster:           "cluster1",
-				Workspace:         "ws",
-				Namespace:         "ns",
-				KubernetesRequest: false,
-				ResourceRequest:   false,
-			},
-			expectResult: authorizer.DecisionAllow,
-		},
-		{
-			multiClusterEnabled: true,
-			request: authorizer.AttributesRecord{
-				Workspace:         "ws",
-				Namespace:         "ns",
-				KubernetesRequest: false,
-				ResourceRequest:   false,
-			},
-			expectResult: authorizer.DecisionNoOpinion,
-		},
-	}
-	for i, test := range tests {
-		a := NewAuthorizer(test.multiClusterEnabled)
-		result, _, _ := a.Authorize(test.request)
-		if result != test.expectResult {
-			t.Errorf("case %d, got %#v, expected %#v", i, result, test.expectResult)
-		}
-	}
-}