forked from kubeflow/pipelines
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(backend): Refactor authz to perform SubjectAccessReview. Fixes k…
…ubeflow#3513 (kubeflow#4723) * [Backend] Return proper error codes for failures during auth * [Backend] Implement helpers to initialize a SubjectAccessReview client In preparation of SubjectAccessReview, we implement some helpers to create a new Kubernetes Authorization clientset and return the SubjectAccessReview client. We also define some fake clients to be used by future tests. * [Backend] Introduce RBAC-related constants In preparation of SubjectAccessReview, introduce RBAC groups, resources, and verbs. * [Backend] Extend managers with a SubjectAccessReviewClient * [Backend] Refactor the authorization mechanism for requests Authorization should be based on performing some action on a resource living in a namespace. This commit refactors the authorization utilities to reflect this and perform SubjectAccessReview. This commit also deletes some tests based on old authn/authz mechanism. A following commit will fix/extend the tests for the new mechanism * [Backend] Adjust endpoints to pass resource attributes for authz With KFAM authorization, we passed only the namespace attribute for authorization. With SubjectAccessReview, we need a richer list of attributes. Thus, we adjust endpoints to pass request details (resource attributes) necessary for authorizing the request. We only change the already authorized endpoints, not introducing any new checks. * [Backend] Adjust apiserver/server tests to SubjectAccessReview * [Backend] Purge KFAM Since we no longer use KFAM, we may as well purge it * [Backend] Update BUILD files Signed-off-by: Ilias Katsakioris <[email protected]> * [Manifests] Extend manifests for SubjectAccessReview * API Server: Allow creating SubjectAccessReviews * Add view/edit roles in a multi-user kustomization
- Loading branch information
Showing
31 changed files
with
890 additions
and
564 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| // Copyright 2020 Arrikto Inc. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // https://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package client | ||
|
|
||
| import ( | ||
| "time" | ||
|
|
||
| "github.com/cenkalti/backoff" | ||
| "github.com/golang/glog" | ||
| "github.com/pkg/errors" | ||
| authzv1 "k8s.io/api/authorization/v1" | ||
| "k8s.io/client-go/kubernetes" | ||
| "k8s.io/client-go/rest" | ||
| ) | ||
|
|
||
| type SubjectAccessReviewInterface interface { | ||
| Create(sar *authzv1.SubjectAccessReview) (result *authzv1.SubjectAccessReview, err error) | ||
| } | ||
|
|
||
| func createSubjectAccessReviewClient() (SubjectAccessReviewInterface, error) { | ||
| restConfig, err := rest.InClusterConfig() | ||
| if err != nil { | ||
| return nil, errors.Wrap(err, "Failed to initialize kubernetes client.") | ||
| } | ||
|
|
||
| clientSet, err := kubernetes.NewForConfig(restConfig) | ||
| if err != nil { | ||
| return nil, errors.Wrap(err, "Failed to initialize kubernetes client set.") | ||
| } | ||
| return clientSet.AuthorizationV1().SubjectAccessReviews(), nil | ||
| } | ||
|
|
||
| // CreateSubjectAccessReviewClientOrFatal creates a new SubjectAccessReview client. | ||
| func CreateSubjectAccessReviewClientOrFatal(initConnectionTimeout time.Duration) SubjectAccessReviewInterface { | ||
| var client SubjectAccessReviewInterface | ||
| var err error | ||
| var operation = func() error { | ||
| client, err = createSubjectAccessReviewClient() | ||
| return err | ||
| } | ||
| b := backoff.NewExponentialBackOff() | ||
| b.MaxElapsedTime = initConnectionTimeout | ||
| err = backoff.Retry(operation, b) | ||
|
|
||
| if err != nil { | ||
| glog.Fatalf("Failed to create SubjectAccessReview client. Error: %v", err) | ||
| } | ||
| return client | ||
| } |
63 changes: 63 additions & 0 deletions
63
backend/src/apiserver/client/subject_access_review_fake.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| // Copyright 2020 Arrikto Inc. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // https://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package client | ||
|
|
||
| import ( | ||
| "github.com/pkg/errors" | ||
| authzv1 "k8s.io/api/authorization/v1" | ||
| ) | ||
|
|
||
| type FakeSubjectAccessReviewClient struct { | ||
| } | ||
|
|
||
| func (FakeSubjectAccessReviewClient) Create(*authzv1.SubjectAccessReview) (*authzv1.SubjectAccessReview, error) { | ||
| return &authzv1.SubjectAccessReview{Status: authzv1.SubjectAccessReviewStatus{ | ||
| Allowed: true, | ||
| Denied: false, | ||
| Reason: "", | ||
| EvaluationError: "", | ||
| }}, nil | ||
| } | ||
|
|
||
| func NewFakeSubjectAccessReviewClient() FakeSubjectAccessReviewClient { | ||
| return FakeSubjectAccessReviewClient{} | ||
| } | ||
|
|
||
| type FakeSubjectAccessReviewClientUnauthorized struct { | ||
| } | ||
|
|
||
| func (FakeSubjectAccessReviewClientUnauthorized) Create(*authzv1.SubjectAccessReview) (*authzv1.SubjectAccessReview, error) { | ||
| return &authzv1.SubjectAccessReview{Status: authzv1.SubjectAccessReviewStatus{ | ||
| Allowed: false, | ||
| Denied: false, | ||
| Reason: "this is not allowed", | ||
| EvaluationError: "", | ||
| }}, nil | ||
| } | ||
|
|
||
| func NewFakeSubjectAccessReviewClientUnauthorized() FakeSubjectAccessReviewClientUnauthorized { | ||
| return FakeSubjectAccessReviewClientUnauthorized{} | ||
| } | ||
|
|
||
| type FakeSubjectAccessReviewClientError struct { | ||
| } | ||
|
|
||
| func (FakeSubjectAccessReviewClientError) Create(*authzv1.SubjectAccessReview) (*authzv1.SubjectAccessReview, error) { | ||
| return nil, errors.New("failed to create subject access review") | ||
| } | ||
|
|
||
| func NewFakeSubjectAccessReviewClientError() FakeSubjectAccessReviewClientError { | ||
| return FakeSubjectAccessReviewClientError{} | ||
| } |
Oops, something went wrong.