Add check idp administrator for platform portal info

TomatoAres · Jan 17, 2020 · fda9bc3 · fda9bc3
1 parent ddd6081
commit fda9bc3
Show file tree

Hide file tree

Showing 25 changed files with 397 additions and 245 deletions.
diff --git a/api/auth/types.go b/api/auth/types.go
@@ -793,7 +793,7 @@ type IdentityProviderSpec struct {
  Type string
 
  // The admins means the users is super admin for the idp.
- Admins []string
+ Administrators []string
  // Config holds all the configuration information specific to the connector type. Since there
  // no generic struct we can use for this purpose, it is stored as a json string.
  Config string

diff --git a/api/auth/v1/conversion.go b/api/auth/v1/conversion.go
@@ -201,6 +201,7 @@ func AddFieldLabelConversionsForUser(scheme *runtime.Scheme) error {
  func(label, value string) (string, string, error) {
  switch label {
  case "keyword",
+ "limit",
  "spec.tenantID":
  return label, value, nil
  default:
@@ -217,6 +218,7 @@ func AddFieldLabelConversionsForGroup(scheme *runtime.Scheme) error {
  func(label, value string) (string, string, error) {
  switch label {
  case "keyword",
+ "limit",
  "spec.tenantID":
  return label, value, nil
  default:

diff --git a/api/auth/v1/generated.pb.go b/api/auth/v1/generated.pb.go
diff --git a/api/auth/v1/generated.proto b/api/auth/v1/generated.proto
diff --git a/api/auth/v1/types.go b/api/auth/v1/types.go
@@ -847,8 +847,8 @@ type IdentityProviderSpec struct {
  Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
  // The type of the connector. E.g. 'oidc' or 'ldap'
  Type string `json:"type" protobuf:"bytes,2,opt,name=type"`
- // The admins means the users is super admin for the idp.
- Admins []string `json:"admin" protobuf:"bytes,3,opt,name=admins"`
+ // The administrators means the users is super admin for the idp.
+ Administrators []string `json:"administrators" protobuf:"bytes,3,opt,name=administrators"`
  // Config holds all the configuration information specific to the connector type. Since there
  // no generic struct we can use for this purpose, it is stored as a json string.
  Config string `json:"config" protobuf:"bytes,4,opt,name=config"`

diff --git a/api/auth/v1/types_swagger_doc_generated.go b/api/auth/v1/types_swagger_doc_generated.go
diff --git a/api/auth/v1/zz_generated.conversion.go b/api/auth/v1/zz_generated.conversion.go
diff --git a/api/auth/v1/zz_generated.deepcopy.go b/api/auth/v1/zz_generated.deepcopy.go
diff --git a/api/auth/zz_generated.deepcopy.go b/api/auth/zz_generated.deepcopy.go
diff --git a/api/openapi/zz_generated.openapi.go b/api/openapi/zz_generated.openapi.go
diff --git a/cmd/tke-auth-api/app/config/config.go b/cmd/tke-auth-api/app/config/config.go
@@ -19,17 +19,19 @@
 package config
 
 import (
+ "encoding/json"
  "fmt"
+ "io/ioutil"
+ "path/filepath"
  "regexp"
  "strings"
  "time"
- dexutil "tkestack.io/tke/pkg/auth/util/dex"
- "tkestack.io/tke/pkg/util/log/dex"
 
  "github.com/casbin/casbin/v2"
  casbinlog "github.com/casbin/casbin/v2/log"
  "github.com/casbin/casbin/v2/model"
  casbinutil "github.com/casbin/casbin/v2/util"
+ dexldap "github.com/dexidp/dex/connector/ldap"
  dexserver "github.com/dexidp/dex/server"
  dexstorage "github.com/dexidp/dex/storage"
  "github.com/dexidp/dex/storage/etcd"
@@ -60,10 +62,13 @@ import (
  "tkestack.io/tke/pkg/auth/apiserver"
  "tkestack.io/tke/pkg/auth/authentication/authenticator"
  "tkestack.io/tke/pkg/auth/authentication/oidc/identityprovider"
+ "tkestack.io/tke/pkg/auth/authentication/oidc/identityprovider/ldap"
  "tkestack.io/tke/pkg/auth/authentication/oidc/identityprovider/local"
  "tkestack.io/tke/pkg/auth/authorization/aggregation"
+ dexutil "tkestack.io/tke/pkg/auth/util/dex"
  casbinlogger "tkestack.io/tke/pkg/auth/util/logger"
  "tkestack.io/tke/pkg/util/log"
+ "tkestack.io/tke/pkg/util/log/dex"
 )
 
 const (
@@ -163,9 +168,25 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  return nil, err
  }
 
- err = setupDefaultConnectorConfig(authClient, versionedInformers, dexConfig.Storage, opts.Auth)
- if err != nil {
- return nil, err
+ // create dex local identity provider for tke connector.
+ dexserver.ConnectorsConfig[local.ConnectorType] = func() dexserver.ConnectorConfig {
+ return new(local.DefaultIdentityProvider)
+ }
+ local.SetupRestClient(authClient)
+ log.Info("init tenant type", log.String("type", opts.Auth.InitTenantType))
+ switch opts.Auth.InitTenantType {
+ case local.ConnectorType:
+ err = setupDefaultConnector(versionedInformers, opts.Auth)
+ if err != nil {
+ return nil, err
+ }
+ case ldap.ConnectorType:
+ err = setupLdapConnector(opts.Auth)
+ if err != nil {
+ return nil, err
+ }
+ default:
+ log.Warn("Unknown init tenant type", log.String("type", opts.Auth.InitTenantType))
  }
 
  err = setupDefaultClient(dexConfig.Storage, opts.Auth)
@@ -305,13 +326,7 @@ func setupCasbinEnforcer(authorizationOptions *options.AuthorizationOptions) (*c
  return enforcer, nil
 }
 
-func setupDefaultConnectorConfig(authClient authinternalclient.AuthInterface, versionInformers versionedinformers.SharedInformerFactory, store dexstorage.Storage, auth *options.AuthOptions) error {
- // create dex local identity provider for tke connector.
- dexserver.ConnectorsConfig[local.ConnectorType] = func() dexserver.ConnectorConfig {
- return new(local.DefaultIdentityProvider)
- }
- local.SetupRestClient(authClient)
-
+func setupDefaultConnector(versionInformers versionedinformers.SharedInformerFactory, auth *options.AuthOptions) error {
  if _, ok := identityprovider.IdentityProvidersStore[auth.InitTenantID]; !ok {
  defaultIDP := local.NewDefaultIdentityProvider(auth.InitTenantID, versionInformers)
  identityprovider.IdentityProvidersStore[auth.InitTenantID] = defaultIDP
@@ -320,6 +335,33 @@ func setupDefaultConnectorConfig(authClient authinternalclient.AuthInterface, ve
  return nil
 }
 
+func setupLdapConnector(auth *options.AuthOptions) error {
+ log.Info("setup ldap connector", log.Any("auth", auth))
+ const errFmt = "failed to load Ldap config file %s, error %v"
+ // compute absolute path based on current working dir
+ ldapConfigFile, err := filepath.Abs(auth.LdapConfigFile)
+ if err != nil {
+ return fmt.Errorf(errFmt, ldapConfigFile, err)
+ }
+
+ bytes, err := ioutil.ReadFile(ldapConfigFile)
+ var ldapConfig dexldap.Config
+ if err := json.Unmarshal(bytes, &ldapConfig); err != nil {
+ return fmt.Errorf(errFmt, ldapConfigFile, err)
+ }
+
+ idp, err := ldap.NewLDAPIdentityProvider(ldapConfig, auth.InitTenantID)
+ if err != nil {
+ return err
+ }
+
+ if _, ok := identityprovider.IdentityProvidersStore[auth.InitTenantID]; !ok {
+ identityprovider.IdentityProvidersStore[auth.InitTenantID] = idp
+ }
+
+ return nil
+}
+
 func setupDefaultClient(store dexstorage.Storage, auth *options.AuthOptions) error {
  clis, err := store.ListClients()
  if err != nil {

diff --git a/cmd/tke-auth-api/app/options/auth.go b/cmd/tke-auth-api/app/options/auth.go
@@ -22,14 +22,19 @@ import (
  "fmt"
  "time"
 
+ "tkestack.io/tke/pkg/auth/authentication/oidc/identityprovider/ldap"
+ "tkestack.io/tke/pkg/auth/authentication/oidc/identityprovider/local"
+
  "github.com/spf13/pflag"
  "github.com/spf13/viper"
 )
 
 const (
  flagAuthAssetsPath = "assets-path"
  flagAuthIDTokenTimeout = "id-token-timeout"
+ flagAuthInitTenantType = "init-tenant-type"
  flagAuthInitTenantID = "init-tenant-id"
+ flagAuthLDAPConfigFile = "auth.ldap-config-file"
  flagAuthTenantAdmin = "tenant-admin"
  flagAuthTenantAdminSecret = "tenant-admin-secret"
  flagAuthInitClientID = "init-client-id"
@@ -40,7 +45,9 @@ const (
 const (
  configAuthAssetsPath = "auth.assets_path"
  configAuthIDTokenTimeout = "auth.id_token_timeout"
+ configAuthInitTenantType = "auth.init_tenant_type"
  configAuthInitTenantID = "auth.init_tenant_id"
+ configAuthLDAPConfigFile = "auth.ldap_config_file"
  configAuthTenantAdmin = "auth.tenant_admin"
  configAuthTenantAdminSecret = "auth.tenant_admin_secret"
  configAuthInitClientID = "auth.init_client_id"
@@ -52,7 +59,9 @@ const (
 type AuthOptions struct {
  AssetsPath string
  IDTokenTimeout time.Duration
+ InitTenantType string
  InitTenantID string
+ LdapConfigFile string
  TenantAdmin string
  TenantAdminSecret string
  InitClientID string
@@ -64,6 +73,7 @@ type AuthOptions struct {
 func NewAuthOptions() *AuthOptions {
  return &AuthOptions{
  IDTokenTimeout: 24 * time.Hour,
+ InitTenantType: local.ConnectorType,
  InitTenantID: "default",
  InitClientID: "default",
  }
@@ -76,13 +86,21 @@ func (o *AuthOptions) AddFlags(fs *pflag.FlagSet) {
  _ = viper.BindPFlag(configAuthAssetsPath, fs.Lookup(flagAuthAssetsPath))
 
  fs.Duration(flagAuthIDTokenTimeout, o.IDTokenTimeout,
- "An optional field indicating the valid duration of the IDToken the OIDC generated. If blank, default value is 24h")
+ "An optional field indicating the valid duration of the IDToken the OIDC generated. If blank, default value is 24h.")
  _ = viper.BindPFlag(configAuthIDTokenTimeout, fs.Lookup(flagAuthIDTokenTimeout))
 
+ fs.String(flagAuthInitTenantType, o.InitTenantType,
+ "Default tenant type for auth first started, supported tke,ldap.(default tke).")
+ _ = viper.BindPFlag(configAuthInitTenantType, fs.Lookup(flagAuthInitTenantType))
+
  fs.String(flagAuthInitTenantID, o.InitTenantID,
  "Default tenant id will be created when started.")
  _ = viper.BindPFlag(configAuthInitTenantID, fs.Lookup(flagAuthInitTenantID))
 
+ fs.String(flagAuthLDAPConfigFile, o.LdapConfigFile,
+ "Config file path for ldap ldap, must specify if init-tenant-type is ldap.")
+ _ = viper.BindPFlag(configAuthLDAPConfigFile, fs.Lookup(flagAuthLDAPConfigFile))
+
  fs.String(flagAuthTenantAdmin, o.TenantAdmin,
  "Default tenant admin name will be created when started.")
  _ = viper.BindPFlag(configAuthTenantAdmin, fs.Lookup(flagAuthTenantAdmin))
@@ -117,6 +135,12 @@ func (o *AuthOptions) ApplyFlags() []error {
 
  o.IDTokenTimeout = viper.GetDuration(configAuthIDTokenTimeout)
 
+ o.InitTenantType = viper.GetString(configAuthInitTenantType)
+ o.LdapConfigFile = viper.GetString(configAuthLDAPConfigFile)
+ if o.InitTenantType == ldap.ConnectorType && o.LdapConfigFile == "" {
+ errs = append(errs, fmt.Errorf("--%s must be specified for ldap type tenant", flagAuthLDAPConfigFile))
+ }
+
  o.InitTenantID = viper.GetString(configAuthInitTenantID)
  if len(o.InitTenantID) == 0 {
  errs = append(errs, fmt.Errorf("--%s must be specified", flagAuthInitTenantID))

diff --git a/cmd/tke-business-api/app/config/config.go b/cmd/tke-business-api/app/config/config.go
@@ -27,6 +27,7 @@ import (
  "k8s.io/client-go/rest"
  "tkestack.io/tke/api/business"
  versionedclientset "tkestack.io/tke/api/client/clientset/versioned"
+ authversionedclient "tkestack.io/tke/api/client/clientset/versioned/typed/auth/v1"
  platformversionedclient "tkestack.io/tke/api/client/clientset/versioned/typed/platform/v1"
  registryversionedclient "tkestack.io/tke/api/client/clientset/versioned/typed/registry/v1"
  versionedinformers "tkestack.io/tke/api/client/informers/externalversions"
@@ -55,6 +56,7 @@ type Config struct {
  StorageFactory *serverstorage.DefaultStorageFactory
  PlatformClient platformversionedclient.PlatformV1Interface
  RegistryClient registryversionedclient.RegistryV1Interface
+ AuthClient authversionedclient.AuthV1Interface
  PrivilegedUsername string
  FeatureOptions *options.FeatureOptions
 }
@@ -134,6 +136,19 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  FeatureOptions: opts.FeatureOptions,
  }
 
+ // client config for auth apiserver
+ authAPIServerClientConfig, ok, err := controllerconfig.BuildClientConfig(opts.AuthAPIClient)
+ if err != nil {
+ return nil, err
+ }
+ if ok && authAPIServerClientConfig != nil {
+ authClient, err := versionedclientset.NewForConfig(rest.AddUserAgent(authAPIServerClientConfig, "tke-business-api"))
+ if err != nil {
+ return nil, err
+ }
+ cfg.AuthClient = authClient.AuthV1()
+ }
+
  // client config for registry apiserver
  registryAPIServerClientConfig, ok, err := controllerconfig.BuildClientConfig(opts.RegistryAPIClient)
  if err != nil {

diff --git a/cmd/tke-business-api/app/options/options.go b/cmd/tke-business-api/app/options/options.go
@@ -39,6 +39,7 @@ type Options struct {
  Authorization *apiserveroptions.AuthorizationOptions
  PlatformAPIClient *controlleroptions.APIServerClientOptions
  RegistryAPIClient *controlleroptions.APIServerClientOptions
+ AuthAPIClient *controlleroptions.APIServerClientOptions
  FeatureOptions *FeatureOptions
 }
 
@@ -54,6 +55,7 @@ func NewOptions(serverName string) *Options {
  Authorization: apiserveroptions.NewAuthorizationOptions(),
  PlatformAPIClient: controlleroptions.NewAPIServerClientOptions("platform", true),
  RegistryAPIClient: controlleroptions.NewAPIServerClientOptions("registry", false),
+ AuthAPIClient: controlleroptions.NewAPIServerClientOptions("auth", false),
  FeatureOptions: NewFeatureOptions(),
  }
 }
@@ -69,6 +71,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
  o.Authorization.AddFlags(fs)
  o.PlatformAPIClient.AddFlags(fs)
  o.RegistryAPIClient.AddFlags(fs)
+ o.AuthAPIClient.AddFlags(fs)
  o.FeatureOptions.AddFlags(fs)
 }
 
@@ -86,6 +89,7 @@ func (o *Options) ApplyFlags() []error {
  errs = append(errs, o.Authorization.ApplyFlags()...)
  errs = append(errs, o.PlatformAPIClient.ApplyFlags()...)
  errs = append(errs, o.RegistryAPIClient.ApplyFlags()...)
+ errs = append(errs, o.AuthAPIClient.ApplyFlags()...)
  errs = append(errs, o.FeatureOptions.ApplyFlags()...)
 
  return errs

diff --git a/cmd/tke-business-api/app/server.go b/cmd/tke-business-api/app/server.go
@@ -57,6 +57,7 @@ func createAPIServerConfig(cfg *config.Config) *apiserver.Config {
  APIResourceConfigSource: cfg.StorageFactory.APIResourceConfigSource,
  PlatformClient: cfg.PlatformClient,
  RegistryClient: cfg.RegistryClient,
+ AuthClient: cfg.AuthClient,
  PrivilegedUsername: cfg.PrivilegedUsername,
  FeatureOptions: cfg.FeatureOptions,
  },