Merge pull request #5760 from deads2k/5737

Merged by openshift-bot
openshift · Nov 7, 2015 · bee82d4 · bee82d4
2 parents a001f36 + 16d6c23
commit bee82d4
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 5 deletions.
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -187,16 +187,18 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
 
 	plug, plugStart := newControllerPlug(options, client)
 
+	authorizer := newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage)
+
 	config := &MasterConfig{
 		Options: options,
 
 		Authenticator:                 newAuthenticator(options, etcdHelper, serviceAccountTokenGetter, apiClientCAs, groupCache),
-		Authorizer:                    newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage),
+		Authorizer:                    authorizer,
 		AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
 
 		PolicyCache:               policyCache,
 		GroupCache:                groupCache,
-		ProjectAuthorizationCache: newProjectAuthorizationCache(privilegedLoopbackOpenShiftClient, privilegedLoopbackKubeClient, policyClient),
+		ProjectAuthorizationCache: newProjectAuthorizationCache(authorizer, privilegedLoopbackKubeClient, policyClient),
 
 		RequestContextMapper: requestContextMapper,
 
@@ -320,10 +322,9 @@ func newAuthenticator(config configapi.MasterConfig, etcdHelper storage.Interfac
 	return ret
 }
 
-func newProjectAuthorizationCache(openshiftClient *osclient.Client, kubeClient *kclient.Client,
-	policyClient policyclient.ReadOnlyPolicyClient) *projectauth.AuthorizationCache {
+func newProjectAuthorizationCache(authorizer authorizer.Authorizer, kubeClient *kclient.Client, policyClient policyclient.ReadOnlyPolicyClient) *projectauth.AuthorizationCache {
 	return projectauth.NewAuthorizationCache(
-		projectauth.NewReviewer(openshiftClient),
+		projectauth.NewAuthorizerReviewer(authorizer),
 		kubeClient.Namespaces(),
 		policyClient,
 	)

diff --git a/pkg/project/auth/reviewer.go b/pkg/project/auth/reviewer.go
@@ -1,7 +1,10 @@
 package auth
 
 import (
+	kapi "k8s.io/kubernetes/pkg/api"
+
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	"github.com/openshift/origin/pkg/authorization/authorizer"
 	"github.com/openshift/origin/pkg/client"
 )
 
@@ -11,6 +14,20 @@ type Review interface {
 	Groups() []string
 }
 
+type defaultReview struct {
+	users  []string
+	groups []string
+}
+
+func (r *defaultReview) Users() []string {
+	return r.users
+}
+
+// Groups returns the groups that can access a resource
+func (r *defaultReview) Groups() []string {
+	return r.groups
+}
+
 type review struct {
 	response *authorizationapi.ResourceAccessReviewResponse
 }
@@ -62,3 +79,31 @@ func (r *reviewer) Review(name string) (Review, error) {
 	}
 	return review, nil
 }
+
+type authorizerReviewer struct {
+	policyChecker authorizer.Authorizer
+}
+
+func NewAuthorizerReviewer(policyChecker authorizer.Authorizer) Reviewer {
+	return &authorizerReviewer{policyChecker: policyChecker}
+}
+
+func (r *authorizerReviewer) Review(namespaceName string) (Review, error) {
+	attributes := authorizer.DefaultAuthorizationAttributes{
+		Verb:         "get",
+		Resource:     "namespaces",
+		ResourceName: namespaceName,
+	}
+
+	ctx := kapi.WithNamespace(kapi.NewContext(), namespaceName)
+	users, groups, err := r.policyChecker.GetAllowedSubjects(ctx, attributes)
+	if err != nil {
+		return nil, err
+	}
+
+	review := &defaultReview{
+		users:  users.List(),
+		groups: groups.List(),
+	}
+	return review, nil
+}