Add localidentity controller to sync rules for user

api/auth/types.go

@@ -47,8 +47,18 @@ type LocalIdentityList struct {
  Items []LocalIdentity
 }
 
+// FinalizerName is the name identifying a finalizer during object lifecycle.
+type FinalizerName string
+
+const (
+ // LocalIdentityFinalize is an internal finalizer values to LocalIdentity.
+ LocalIdentityFinalize FinalizerName = "localidentity"
+)
+
 // LocalIdentitySpec is a description of an identity.
 type LocalIdentitySpec struct {
+ Finalizers []FinalizerName
+
  Username string
  DisplayName string
  Email string
@@ -60,10 +70,19 @@ type LocalIdentitySpec struct {
  Extra map[string]string
 }
 
+// LocalIdentityPhase defines the phase of LocalIdentity construct.
+type LocalIdentityPhase string
+
+const (
+ // LocalIdentityDeleting means the localidentity is undergoing graceful termination.
+ LocalIdentityDeleting LocalIdentityPhase = "Deleting"
+)
+
 // LocalIdentityStatus is a description of an identity status.
 type LocalIdentityStatus struct {
  Locked bool
 
+ Phase LocalIdentityPhase
  // The last time the local identity was updated.
  // +optional
  LastUpdateTime metav1.Time
@@ -182,21 +201,18 @@ type APISigningKeyList struct {
  Items []APISigningKey
 }
 
-// ProjectPhase defines the phase of project constructor.
+// ProjectPhase defines the phase of policy constructor.
 type PolicyPhase string
 
 const (
  // PolicyActive indicates the policy is active.
  PolicyActive PolicyPhase = "Active"
- // ProjectTerminating means the project is undergoing graceful termination.
+ // PolicyTerminating means the policy is undergoing graceful termination.
  PolicyTerminating PolicyPhase = "Terminating"
 )
 
-// FinalizerName is the name identifying a finalizer during project lifecycle.
-type FinalizerName string
-
 const (
- // ProjectFinalize is an internal finalizer values to Project.
+ // PolicyFinalize is an internal finalizer values to Policy.
  PolicyFinalize FinalizerName = "policy"
 )
 
@@ -241,6 +257,7 @@ type PolicySpec struct {
  Finalizers []FinalizerName
 
  TenantID string
+ Category string
  DisplayName string
  // Creator
  Username string

api/auth/v1/conversion.go

@@ -84,6 +84,7 @@ func AddFieldLabelConversionsForPolicy(scheme *runtime.Scheme) error {
  switch label {
  case "spec.tenantID",
  "spec.username",
+ "spec.category",
  "metadata.name":
  return label, value, nil
  default:

api/auth/v1/types.go

@@ -53,8 +53,15 @@ type LocalIdentityList struct {
  Items []LocalIdentity `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
 
+const (
+ // LocalIdentityFinalize is an internal finalizer values to LocalIdentity.
+ LocalIdentityFinalize FinalizerName = "localidentity"
+)
+
 // LocalIdentitySpec is a description of an identity.
 type LocalIdentitySpec struct {
+ Finalizers []FinalizerName `json:"finalizers,omitempty"`
+
  Username string `json:"username" protobuf:"bytes,7,opt,name=name"`
  DisplayName string `json:"displayName" protobuf:"bytes,8,opt,name=displayName"`
  Email string `json:"email" protobuf:"bytes,9,opt,name=email"`
@@ -69,8 +76,18 @@ type LocalIdentitySpec struct {
  Extra map[string]string `json:"extra,omitempty" protobuf:"bytes,3,rep,name=extra"`
 }
 
+// LocalIdentityPhase defines the phase of LocalIdentity construct.
+type LocalIdentityPhase string
+
+const (
+ // LocalIdentityDeleting means the localidentity is undergoing graceful termination.
+ LocalIdentityDeleting LocalIdentityPhase = "Deleting"
+)
+
 // LocalIdentityStatus is a description of an identity status.
 type LocalIdentityStatus struct {
+ Phase LocalIdentityPhase `json:"phase,omitempty"`
+
  // +optional
  Locked bool `json:"locked,omitempty" protobuf:"varint,1,opt,name=locked"`
 
@@ -267,11 +284,13 @@ type PolicySpec struct {
  Finalizers []FinalizerName `json:"finalizers,omitempty" protobuf:"bytes,8,rep,name=finalizers,casttype=FinalizerName"`
 
  TenantID string `json:"tenantID" protobuf:"bytes,1,opt,name=tenantID"`
+ Category string `json:"category" protobuf:"bytes,9,opt,name=category"`
  DisplayName string `json:"displayName" protobuf:"bytes,7,opt,name=displayName"`
  Username string `json:"username" protobuf:"bytes,2,opt,name=username"`
  // +optional
- Description string `json:"description" protobuf:"bytes,3,opt,name=description"`
- Statement Statement `json:"statement" protobuf:"bytes,5,rep,name=statement"`
+ Description string `json:"description" protobuf:"bytes,3,opt,name=description"`
+
+ Statement Statement `json:"statement" protobuf:"bytes,5,rep,name=statement"`
  // +optional
  Conditions []byte `json:"conditions,omitempty" protobuf:"bytes,6,rep,name=conditions"`
 }

cmd/tke-auth-controller/app/auth.go

@@ -21,6 +21,7 @@ package app
 import (
  "net/http"
  "time"
+ "tkestack.io/tke/pkg/auth/controller/localidentity"
 
  "k8s.io/apimachinery/pkg/runtime/schema"
  v1 "tkestack.io/tke/api/auth/v1"
@@ -30,6 +31,9 @@ import (
 const (
  policySyncPeriod = 5 * time.Minute
  concurrentPolicySyncs = 10
+
+ localIdentitySyncPeriod = 5 * time.Minute
+ concurrentLocalIdentitySyncs = 10
 )
 
 func startPolicyController(ctx ControllerContext) (http.Handler, bool, error) {
@@ -41,6 +45,7 @@ func startPolicyController(ctx ControllerContext) (http.Handler, bool, error) {
  ctx.ClientBuilder.ClientOrDie("policy-controller"),
  ctx.InformerFactory.Auth().V1().Policies(),
  ctx.InformerFactory.Auth().V1().Rules(),
+ ctx.Enforcer,
  policySyncPeriod,
  v1.PolicyFinalize,
  )
@@ -49,3 +54,22 @@ func startPolicyController(ctx ControllerContext) (http.Handler, bool, error) {
 
  return nil, true, nil
 }
+
+func startLocalIdentityController(ctx ControllerContext) (http.Handler, bool, error) {
+ if !ctx.AvailableResources[schema.GroupVersionResource{Group: v1.GroupName, Version: v1.Version, Resource: "policies"}] {
+ return nil, false, nil
+ }
+
+ ctrl := localidentity.NewController(
+ ctx.ClientBuilder.ClientOrDie("localidentity-controller"),
+ ctx.InformerFactory.Auth().V1().LocalIdentities(),
+ ctx.InformerFactory.Auth().V1().Rules(),
+ ctx.Enforcer,
+ localIdentitySyncPeriod,
+ v1.LocalIdentityFinalize,
+ )
+
+ go ctrl.Run(concurrentLocalIdentitySyncs, ctx.Stop)
+
+ return nil, true, nil
+}

cmd/tke-auth-controller/app/config/config.go

@@ -29,7 +29,6 @@ import (
  "tkestack.io/tke/cmd/tke-auth-controller/app/options"
  controllerconfig "tkestack.io/tke/pkg/controller/config"
  controlleroptions "tkestack.io/tke/pkg/controller/options"
- "tkestack.io/tke/pkg/util/log"
 )
 
 // Config is the running configuration structure of the TKE controller manager.
@@ -44,7 +43,7 @@ type Config struct {
  LeaderElectionClient *versionedclientset.Clientset
  // the rest config for the auth apiserver
  AuthAPIServerClientConfig *restclient.Config
- Component  controlleroptions.ComponentConfiguration
+ Component controlleroptions.ComponentConfiguration
 }
 
 // CreateConfigFromOptions creates a running configuration instance based
@@ -61,15 +60,13 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
 
  // shallow copy, do not modify the apiServerClientConfig.Timeout.
  config := *authAPIServerClientConfig
- log.Info("sasaas", log.String("xxx", config.Host))
  config.Timeout = opts.Component.LeaderElection.RenewDeadline
  leaderElectionClient := versionedclientset.NewForConfigOrDie(restclient.AddUserAgent(&config, "leader-election"))
 
-
  controllerManagerConfig := &Config{
- ServerName:  serverName,
- LeaderElectionClient:  leaderElectionClient,
- AuthAPIServerClientConfig:  authAPIServerClientConfig,
+ ServerName: serverName,
+ LeaderElectionClient: leaderElectionClient,
+ AuthAPIServerClientConfig: authAPIServerClientConfig,
  Authorization: apiserver.AuthorizationInfo{
  Authorizer: authorizerfactory.NewAlwaysAllowAuthorizer(),
  },

cmd/tke-auth-controller/app/context.go

@@ -20,17 +20,21 @@ package app
 
 import (
  "fmt"
+ "github.com/casbin/casbin/v2"
+ "github.com/casbin/casbin/v2/model"
  "k8s.io/apimachinery/pkg/runtime/schema"
  "k8s.io/apimachinery/pkg/util/wait"
  cacheddiscovery "k8s.io/client-go/discovery/cached"
  "k8s.io/client-go/rest"
  "k8s.io/client-go/restmapper"
  "net/http"
  "time"
+ "tkestack.io/tke/api/auth"
  versionedclientset "tkestack.io/tke/api/client/clientset/versioned"
  "tkestack.io/tke/api/client/clientset/versioned/typed/auth/v1"
  versionedinformers "tkestack.io/tke/api/client/informers/externalversions"
  "tkestack.io/tke/cmd/tke-auth-controller/app/config"
+ adapter2 "tkestack.io/tke/pkg/auth/util/adapter"
  "tkestack.io/tke/pkg/controller"
  "tkestack.io/tke/pkg/controller/util"
 )
@@ -56,6 +60,9 @@ type ControllerContext struct {
  // AvailableResources is a map listing currently available resources
  AvailableResources map[schema.GroupVersionResource]bool
 
+ // Enforcer is a casbin enforcer to operate policy.
+ Enforcer *casbin.SyncedEnforcer
+
  // Stop is the stop channel
  Stop <-chan struct{}
 
@@ -108,11 +115,24 @@ func CreateControllerContext(cfg *config.Config, rootClientBuilder controller.Cl
  return ControllerContext{}, err
  }
 
+ adpt := adapter2.NewAdapter(client.AuthV1().Rules(), sharedInformers.Auth().V1().Rules().Lister())
+ m, err := model.NewModelFromString(auth.DefaultRuleModel)
+ if err != nil {
+ return ControllerContext{}, fmt.Errorf("failed to new casbin model: %v", err)
+ }
+ e, err := casbin.NewSyncedEnforcer(m, adpt)
+ if err != nil {
+ return ControllerContext{}, fmt.Errorf("failed to new casbin enforcer: %v", err)
+ }
+
+ e.StartAutoLoadPolicy(1 * time.Second)
+
  ctx := ControllerContext{
  ClientBuilder: rootClientBuilder,
  InformerFactory: sharedInformers,
  RESTMapper: restMapper,
  AvailableResources: availableResources,
+ Enforcer: e,
  Stop: stop,
  InformersStarted: make(chan struct{}),
  ResyncPeriod: controller.ResyncPeriod(&cfg.Component),

cmd/tke-auth-controller/app/controller.go

@@ -49,6 +49,7 @@ func NewControllerInitializers() map[string]InitFunc {
  controllers := map[string]InitFunc{}
 
  controllers["policy"] = startPolicyController
+ controllers["localidentity"] = startLocalIdentityController
  return controllers
 }