Add role support

tkestack · Dec 25, 2019 · 51335d4 · 51335d4
1 parent eecb082
commit 51335d4
Show file tree

Hide file tree

Showing 57 changed files with 5,393 additions and 513 deletions.
diff --git a/api/auth/register.go b/api/auth/register.go
@@ -75,6 +75,9 @@ func addKnownTypes(scheme *runtime.Scheme) error {
  &Rule{},
  &RuleList{},
  &Binding{},
+ &Role{},
+ &RoleList{},
+ &PolicyBinding{},
  &Group{},
  &GroupList{},
 

diff --git a/api/auth/types.go b/api/auth/types.go
@@ -57,8 +57,11 @@ const (
  // PolicyFinalize is an internal finalizer values to Policy.
  PolicyFinalize FinalizerName = "policy"
 
- // PolicyFinalize is an internal finalizer values to Policy.
+ // PolicyFinalize is an internal finalizer values to Group.
  GroupFinalize FinalizerName = "group"
+
+ // RoleFinalize is an internal finalizer values to Role.
+ RoleFinalize FinalizerName = "role"
 )
 
 // LocalIdentitySpec is a description of an identity.
@@ -412,6 +415,76 @@ type Subject struct {
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
+// Role is a collection with multiple policies.
+type Role struct {
+ metav1.TypeMeta
+ metav1.ObjectMeta
+
+ // Spec defines the desired identities of role document in this set.
+ Spec RoleSpec
+
+ // +optional
+ Status RoleStatus
+}
+
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleList is the whole list of policy.
+type RoleList struct {
+ metav1.TypeMeta
+ metav1.ListMeta
+ // List of rules.
+ Items []Role
+}
+
+// RolePhase defines the phase of role constructor.
+type RolePhase string
+
+const (
+ RoleActive RolePhase = "Active"
+ // RoleTerminating means the role is undergoing graceful termination.
+ RoleTerminating RolePhase = "Terminating"
+)
+
+// RoleSpec is a description of role.
+type RoleSpec struct {
+ Finalizers []FinalizerName
+
+ DisplayName string
+ TenantID string
+
+ //Creator
+ Username string
+ Description string
+
+ Policies []string
+}
+
+// RoleStatus represents information about the status of a role.
+type RoleStatus struct {
+ // +optional
+ Phase RolePhase
+
+ // Subjects represents the members of the group.
+ Subjects []Subject
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PolicyBinding references the request to bind or unbind policies to the role.
+type PolicyBinding struct {
+ metav1.TypeMeta
+
+ // Policies holds the policies will bind or unbind to the role.
+ // +optional
+ Policies []string
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
 // Group represents a group of users.
 type Group struct {
  metav1.TypeMeta

diff --git a/api/auth/v1/conversion.go b/api/auth/v1/conversion.go
@@ -32,6 +32,7 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
  AddFieldLabelConversionsForRule,
  AddFieldLabelConversionsForCategory,
  AddFieldLabelConversionsForGroup,
+ AddFieldLabelConversionsForRole,
  }
  for _, f := range funcs {
  if err := f(scheme); err != nil {
@@ -155,3 +156,21 @@ func AddFieldLabelConversionsForGroup(scheme *runtime.Scheme) error {
  }
  })
 }
+
+// AddFieldLabelConversionsForRole adds a conversion function to convert
+// field selectors of Role from the given version to internal version
+// representation.
+func AddFieldLabelConversionsForRole(scheme *runtime.Scheme) error {
+ return scheme.AddFieldLabelConversionFunc(SchemeGroupVersion.WithKind("Role"),
+ func(label, value string) (string, string, error) {
+ switch label {
+ case "spec.displayName",
+ "spec.tenantID",
+ "spec.username",
+ "metadata.name":
+ return label, value, nil
+ default:
+ return "", "", fmt.Errorf("field label not supported: %s", label)
+ }
+ })
+}