Move authz subjectAccessReview to auth/api directory

TomatoAres · Dec 25, 2019 · 3538f8e · 3538f8e
1 parent 51335d4
commit 3538f8e
Show file tree

Hide file tree

Showing 30 changed files with 4,161 additions and 1,347 deletions.
diff --git a/api/auth/register.go b/api/auth/register.go
@@ -78,6 +78,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
  &Role{},
  &RoleList{},
  &PolicyBinding{},
+ &SubjectAccessReview{},
  &Group{},
  &GroupList{},
 

diff --git a/api/auth/types.go b/api/auth/types.go
@@ -538,6 +538,121 @@ type GroupStatus struct {
  Subjects []Subject
 }
 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SubjectAccessReview checks whether or not a user or group can perform an action. Not filling in a
+// spec.namespace means "in all namespaces".
+type SubjectAccessReview struct {
+ metav1.TypeMeta
+ metav1.ObjectMeta
+
+ // Spec holds information about the request being evaluated
+ Spec SubjectAccessReviewSpec
+
+ // Status is filled in by the server and indicates whether the request is allowed or not
+ Status SubjectAccessReviewStatus
+}
+
+// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes
+// and NonResourceAttributes must be set
+type SubjectAccessReviewSpec struct {
+ // ResourceAttributes describes information for a resource access request
+ ResourceAttributes *ResourceAttributes
+
+ // ResourceAttributesList describes information for multi resource access request.
+ ResourceAttributesList []*ResourceAttributes
+
+ // NonResourceAttributes describes information for a non-resource access request
+ NonResourceAttributes *NonResourceAttributes
+
+ // User is the user you're testing for.
+ // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
+ User string
+ // Groups is the groups you're testing for.
+ Groups []string
+ // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
+ // it needs a reflection here.
+ Extra map[string]ExtraValue
+ // UID information about the requesting user.
+ UID string
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+type ExtraValue []string
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+type ResourceAttributes struct {
+ // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
+ // "" (empty) is defaulted for LocalSubjectAccessReviews
+ // "" (empty) is empty for cluster-scoped resources
+ // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+ Namespace string
+ // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
+ Verb string
+ // Group is the API Group of the Resource. "*" means all.
+ Group string
+ // Version is the API Version of the Resource. "*" means all.
+ Version string
+ // Resource is one of the existing resource types. "*" means all.
+ Resource string
+ // Subresource is one of the existing resource types. "" means none.
+ Subresource string
+ // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+ Name string
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+type NonResourceAttributes struct {
+ // Path is the URL path of the request
+ Path string
+ // Verb is the standard HTTP verb
+ Verb string
+}
+
+// SubjectAccessReviewStatus represents the current state of a SubjectAccessReview.
+type SubjectAccessReviewStatus struct {
+ // Allowed is required. True if the action would be allowed, false otherwise.
+ Allowed bool
+ // Denied is optional. True if the action would be denied, otherwise
+ // false. If both allowed is false and denied is false, then the
+ // authorizer has no opinion on whether to authorize the action. Denied
+ // may not be true if Allowed is true.
+ Denied bool
+ // Reason is optional. It indicates why a request was allowed or denied.
+ Reason string
+ // EvaluationError is an indication that some error occurred during the authorization check.
+ // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+ // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+ EvaluationError string
+
+ // AllowedList is the allowed response for batch authorization request.
+ AllowedList []*AllowedStatus
+}
+
+// AllowedStatus includes the resource access request and response.
+//+k8s:openapi-gen=true
+type AllowedStatus struct {
+ // Resource is the resource of request
+ Resource string
+ // Verb is the verb of request
+ Verb string
+
+ // Allowed is required. True if the action would be allowed, false otherwise.
+ Allowed bool
+ // Denied is optional. True if the action would be denied, otherwise
+ // false. If both allowed is false and denied is false, then the
+ // authorizer has no opinion on whether to authorize the action. Denied
+ // may not be true if Allowed is true.
+ Denied bool
+ // Reason is optional. It indicates why a request was allowed or denied.
+ Reason string
+ // EvaluationError is an indication that some error occurred during the authorization check.
+ // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+ // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+ EvaluationError string
+}
+
 // +genclient
 // +genclient:nonNamespaced
 // +genclient:skipVerbs=deleteCollection