mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-10-19 13:49:53 +00:00
34fc1d847e
to v1.18.0 Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
269 lines
14 KiB
Go
269 lines
14 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package v1beta1
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
// +genclient
|
|
// +genclient:nonNamespaced
|
|
// +genclient:onlyVerbs=create
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// SubjectAccessReview checks whether or not a user or group can perform an action.
|
|
type SubjectAccessReview struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
// +optional
|
|
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
|
|
|
// Spec holds information about the request being evaluated
|
|
Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
|
|
|
// Status is filled in by the server and indicates whether the request is allowed or not
|
|
// +optional
|
|
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
|
}
|
|
|
|
// +genclient
|
|
// +genclient:nonNamespaced
|
|
// +genclient:onlyVerbs=create
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a
|
|
// spec.namespace means "in all namespaces". Self is a special case, because users should always be able
|
|
// to check whether they can perform an action
|
|
type SelfSubjectAccessReview struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
// +optional
|
|
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
|
|
|
// Spec holds information about the request being evaluated. user and groups must be empty
|
|
Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
|
|
|
// Status is filled in by the server and indicates whether the request is allowed or not
|
|
// +optional
|
|
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
|
}
|
|
|
|
// +genclient
|
|
// +genclient:onlyVerbs=create
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
|
|
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
|
|
// checking.
|
|
type LocalSubjectAccessReview struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
// +optional
|
|
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
|
|
|
// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
|
|
// you made the request against. If empty, it is defaulted.
|
|
Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
|
|
|
// Status is filled in by the server and indicates whether the request is allowed or not
|
|
// +optional
|
|
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
|
}
|
|
|
|
// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
|
|
type ResourceAttributes struct {
|
|
// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
|
|
// "" (empty) is defaulted for LocalSubjectAccessReviews
|
|
// "" (empty) is empty for cluster-scoped resources
|
|
// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
|
|
// +optional
|
|
Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
|
|
// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
|
|
// +optional
|
|
Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
|
|
// Group is the API Group of the Resource. "*" means all.
|
|
// +optional
|
|
Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
|
|
// Version is the API Version of the Resource. "*" means all.
|
|
// +optional
|
|
Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
|
|
// Resource is one of the existing resource types. "*" means all.
|
|
// +optional
|
|
Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
|
|
// Subresource is one of the existing resource types. "" means none.
|
|
// +optional
|
|
Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
|
|
// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
|
|
// +optional
|
|
Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
|
|
}
|
|
|
|
// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
|
|
type NonResourceAttributes struct {
|
|
// Path is the URL path of the request
|
|
// +optional
|
|
Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
|
|
// Verb is the standard HTTP verb
|
|
// +optional
|
|
Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
|
|
}
|
|
|
|
// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
|
|
// and NonResourceAuthorizationAttributes must be set
|
|
type SubjectAccessReviewSpec struct {
|
|
// ResourceAuthorizationAttributes describes information for a resource access request
|
|
// +optional
|
|
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
|
|
// NonResourceAttributes describes information for a non-resource access request
|
|
// +optional
|
|
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
|
|
|
|
// User is the user you're testing for.
|
|
// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
|
|
// +optional
|
|
User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
|
|
// Groups is the groups you're testing for.
|
|
// +optional
|
|
Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"`
|
|
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
|
|
// it needs a reflection here.
|
|
// +optional
|
|
Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
|
|
// UID information about the requesting user.
|
|
// +optional
|
|
UID string `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid"`
|
|
}
|
|
|
|
// ExtraValue masks the value so protobuf can generate
|
|
// +protobuf.nullable=true
|
|
// +protobuf.options.(gogoproto.goproto_stringer)=false
|
|
type ExtraValue []string
|
|
|
|
func (t ExtraValue) String() string {
|
|
return fmt.Sprintf("%v", []string(t))
|
|
}
|
|
|
|
// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
|
|
// and NonResourceAuthorizationAttributes must be set
|
|
type SelfSubjectAccessReviewSpec struct {
|
|
// ResourceAuthorizationAttributes describes information for a resource access request
|
|
// +optional
|
|
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
|
|
// NonResourceAttributes describes information for a non-resource access request
|
|
// +optional
|
|
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
|
|
}
|
|
|
|
// SubjectAccessReviewStatus
|
|
type SubjectAccessReviewStatus struct {
|
|
// Allowed is required. True if the action would be allowed, false otherwise.
|
|
Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
|
|
// Denied is optional. True if the action would be denied, otherwise
|
|
// false. If both allowed is false and denied is false, then the
|
|
// authorizer has no opinion on whether to authorize the action. Denied
|
|
// may not be true if Allowed is true.
|
|
// +optional
|
|
Denied bool `json:"denied,omitempty" protobuf:"varint,4,opt,name=denied"`
|
|
// Reason is optional. It indicates why a request was allowed or denied.
|
|
// +optional
|
|
Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
|
|
// EvaluationError is an indication that some error occurred during the authorization check.
|
|
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
|
|
// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
|
|
// +optional
|
|
EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
|
|
}
|
|
|
|
// +genclient
|
|
// +genclient:nonNamespaced
|
|
// +genclient:onlyVerbs=create
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
|
|
// The returned list of actions may be incomplete depending on the server's authorization mode,
|
|
// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
|
|
// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
|
|
// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
|
|
// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
|
|
type SelfSubjectRulesReview struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
// +optional
|
|
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
|
|
|
// Spec holds information about the request being evaluated.
|
|
Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
|
|
|
// Status is filled in by the server and indicates the set of actions a user can perform.
|
|
// +optional
|
|
Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
|
}
|
|
|
|
type SelfSubjectRulesReviewSpec struct {
|
|
// Namespace to evaluate rules for. Required.
|
|
Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
|
|
}
|
|
|
|
// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
|
|
// the set of authorizers the server is configured with and any errors experienced during evaluation.
|
|
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
|
|
// even if that list is incomplete.
|
|
type SubjectRulesReviewStatus struct {
|
|
// ResourceRules is the list of actions the subject is allowed to perform on resources.
|
|
// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
|
|
ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
|
|
// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
|
|
// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
|
|
NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
|
|
// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
|
|
// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
|
|
Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
|
|
// EvaluationError can appear in combination with Rules. It indicates an error occurred during
|
|
// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
|
|
// ResourceRules and/or NonResourceRules may be incomplete.
|
|
// +optional
|
|
EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"`
|
|
}
|
|
|
|
// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
|
|
// may contain duplicates, and possibly be incomplete.
|
|
type ResourceRule struct {
|
|
// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
|
|
Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
|
|
|
|
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
|
|
// the enumerated resources in any API group will be allowed. "*" means all.
|
|
// +optional
|
|
APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
|
|
// Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
|
|
// "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
|
|
// +optional
|
|
Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
|
|
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
|
|
// +optional
|
|
ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
|
|
}
|
|
|
|
// NonResourceRule holds information that describes a rule for the non-resource
|
|
type NonResourceRule struct {
|
|
// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
|
|
Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
|
|
|
|
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
|
|
// final step in the path. "*" means all.
|
|
// +optional
|
|
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
|
|
}
|