mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-10-18 21:29:50 +00:00
07b05616a0
Bumps [k8s.io/kubernetes](https://github.com/kubernetes/kubernetes) from 1.26.2 to 1.27.2. - [Release notes](https://github.com/kubernetes/kubernetes/releases) - [Commits](https://github.com/kubernetes/kubernetes/compare/v1.26.2...v1.27.2) --- updated-dependencies: - dependency-name: k8s.io/kubernetes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
96 lines
3.2 KiB
Go
96 lines
3.2 KiB
Go
/*
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package authorizerfactory
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
|
)
|
|
|
|
// alwaysAllowAuthorizer is an implementation of authorizer.Attributes
|
|
// which always says yes to an authorization request.
|
|
// It is useful in tests and when using kubernetes in an open manner.
|
|
type alwaysAllowAuthorizer struct{}
|
|
|
|
func (alwaysAllowAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
|
return authorizer.DecisionAllow, "", nil
|
|
}
|
|
|
|
func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
|
|
return []authorizer.ResourceRuleInfo{
|
|
&authorizer.DefaultResourceRuleInfo{
|
|
Verbs: []string{"*"},
|
|
APIGroups: []string{"*"},
|
|
Resources: []string{"*"},
|
|
},
|
|
}, []authorizer.NonResourceRuleInfo{
|
|
&authorizer.DefaultNonResourceRuleInfo{
|
|
Verbs: []string{"*"},
|
|
NonResourceURLs: []string{"*"},
|
|
},
|
|
}, false, nil
|
|
}
|
|
|
|
func NewAlwaysAllowAuthorizer() *alwaysAllowAuthorizer {
|
|
return new(alwaysAllowAuthorizer)
|
|
}
|
|
|
|
// alwaysDenyAuthorizer is an implementation of authorizer.Attributes
|
|
// which always says no to an authorization request.
|
|
// It is useful in unit tests to force an operation to be forbidden.
|
|
type alwaysDenyAuthorizer struct{}
|
|
|
|
func (alwaysDenyAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (decision authorizer.Decision, reason string, err error) {
|
|
return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil
|
|
}
|
|
|
|
func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
|
|
return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil
|
|
}
|
|
|
|
func NewAlwaysDenyAuthorizer() *alwaysDenyAuthorizer {
|
|
return new(alwaysDenyAuthorizer)
|
|
}
|
|
|
|
type privilegedGroupAuthorizer struct {
|
|
groups []string
|
|
}
|
|
|
|
func (r *privilegedGroupAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
|
|
if attr.GetUser() == nil {
|
|
return authorizer.DecisionNoOpinion, "Error", errors.New("no user on request.")
|
|
}
|
|
for _, attr_group := range attr.GetUser().GetGroups() {
|
|
for _, priv_group := range r.groups {
|
|
if priv_group == attr_group {
|
|
return authorizer.DecisionAllow, "", nil
|
|
}
|
|
}
|
|
}
|
|
return authorizer.DecisionNoOpinion, "", nil
|
|
}
|
|
|
|
// NewPrivilegedGroups is for use in loopback scenarios
|
|
func NewPrivilegedGroups(groups ...string) *privilegedGroupAuthorizer {
|
|
return &privilegedGroupAuthorizer{
|
|
groups: groups,
|
|
}
|
|
}
|