Add auth-controller to sync policy

api/auth/register.go

@@ -72,6 +72,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
  &PolicyList{},
  &Rule{},
  &RuleList{},
+ &Binding{},
 
  &ConfigMap{},
  &ConfigMapList{})

api/auth/types.go

@@ -263,11 +263,31 @@ type Statement struct {
 type PolicyStatus struct {
  // +optional
  Phase PolicyPhase
+
  // +optional
- // Rules represents rules that have been saved into the storage.
- Rules []string
+ // Subjects represents the objects the policy applies to.
+ Subjects []Subject
 }
 
+const (
+ DefaultRuleModel = `
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+m = g(r.sub, p.sub) && keyMatchCustom(r.obj, p.obj) && keyMatchCustom(r.act, p.act)
+`
+)
+
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -303,6 +323,23 @@ type RuleSpec struct {
  V6 string `json:"v6"`
 }
 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Binding references the objects a policy applies to, but does not contain it.
+type Binding struct {
+ metav1.TypeMeta
+
+ // Subjects holds references to the objects the policy applies to.
+ // +optional
+ Subjects []Subject
+}
+
+// Subject references a user can specify by id or name.
+type Subject struct {
+ ID string
+ Name string
+}
+
 // +genclient
 // +genclient:nonNamespaced
 // +genclient:skipVerbs=deleteCollection

api/auth/v1/conversion.go

@@ -28,6 +28,8 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
  funcs := []func(scheme *runtime.Scheme) error{
  AddFieldLabelConversionsForLocalIdentify,
  AddFieldLabelConversionsForAPIKey,
+ AddFieldLabelConversionsForPolicy,
+ AddFieldLabelConversionsForRule,
  }
  for _, f := range funcs {
  if err := f(scheme); err != nil {
@@ -112,4 +114,3 @@ func AddFieldLabelConversionsForRule(scheme *runtime.Scheme) error {
  }
  })
 }
-

api/auth/v1/register.go

@@ -60,6 +60,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
  &PolicyList{},
  &Rule{},
  &RuleList{},
+ &Binding{},
 
  &ConfigMap{},
  &ConfigMapList{},

api/auth/v1/types.go

@@ -292,10 +292,29 @@ type PolicyStatus struct {
  // +optional
  Phase PolicyPhase `json:"phase" protobuf:"bytes,1,opt,name=phase,casttype=PolicyPhase"`
  // +optional
- // Rules represents rules that have been saved into the storage.
- Rules []string `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+ // Subjects represents the objects the policy applies to.
+ Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
 }
 
+const (
+ DefaultRuleModel = `
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+m = g(r.sub, p.sub) && keyMatchCustom(r.obj, p.obj) && keyMatchCustom(r.act, p.act)
+`
+)
+
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -333,6 +352,23 @@ type RuleSpec struct {
  V6 string `json:"v6" protobuf:"bytes,8,opt,name=v6"`
 }
 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Binding references the objects a policy applies to, but does not contain it.
+type Binding struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // Subjects holds references to the objects the policy applies to.
+ // +optional
+ Subjects []Subject `json:"subject" protobuf:"bytes,1,rep,name=subject"`
+}
+
+// Subject references a user can specify by id or name.
+type Subject struct {
+ ID string `json:"id" protobuf:"bytes,1,opt,name=id"`
+ Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
+}
+
 // +genclient
 // +genclient:nonNamespaced
 // +genclient:skipVerbs=deleteCollection