Proxy {Cluster}Role{Binding}s to Native Kube RBAC

Store them as native RBAC Objects via Kubernetes.
Also:
- Provides backwards compatible Openshift API.
- Kills Policy Sync Controller
- Removes init of PolicyRegistry
- Move helpers closer to their users
- Remove TestRBACController
- Remove tests that check only PolicyBindings related stuff
- hack around TestAuthorizationResolution

Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Monis Khan <[email protected]>

pkg/auth/client/impersonate.go

@@ -3,8 +3,11 @@ package client
 import (
 	"net/http"
 
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/authentication/user"
 	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/util/flowcontrol"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
 	authenticationapi "github.com/openshift/origin/pkg/auth/api"
@@ -59,3 +62,57 @@ func NewImpersonatingKubernetesClientset(user user.Info, config restclient.Confi
 	impersonatingConfig := NewImpersonatingConfig(user, config)
 	return kclientset.NewForConfig(&impersonatingConfig)
 }
+
+func NewImpersonatingKubernetesClientsetFromRESTClient(user user.Info, client restclient.Interface) kclientset.Interface {
+	return kclientset.New(NewImpersonatingRESTClient(user, client))
+}
+
+// impersonatingRESTClient sets impersonating user, groups, and scopes headers per request
+type impersonatingRESTClient struct {
+	user     user.Info
+	delegate restclient.Interface
+}
+
+func NewImpersonatingRESTClient(user user.Info, client restclient.Interface) restclient.Interface {
+	return &impersonatingRESTClient{user: user, delegate: client}
+}
+
+// Verb does the impersonation per request by setting the proper headers
+func (c impersonatingRESTClient) impersonate(req *restclient.Request) *restclient.Request {
+	req.SetHeader(authenticationapi.ImpersonateUserHeader, c.user.GetName())
+	req.SetHeader(authenticationapi.ImpersonateGroupHeader, c.user.GetGroups()...)
+	req.SetHeader(authenticationapi.ImpersonateUserScopeHeader, c.user.GetExtra()[authorizationapi.ScopesKey]...)
+	return req
+}
+
+func (c impersonatingRESTClient) Verb(verb string) *restclient.Request {
+	return c.impersonate(c.delegate.Verb(verb))
+}
+
+func (c impersonatingRESTClient) Post() *restclient.Request {
+	return c.impersonate(c.delegate.Post())
+}
+
+func (c impersonatingRESTClient) Put() *restclient.Request {
+	return c.impersonate(c.delegate.Put())
+}
+
+func (c impersonatingRESTClient) Patch(pt types.PatchType) *restclient.Request {
+	return c.impersonate(c.delegate.Patch(pt))
+}
+
+func (c impersonatingRESTClient) Get() *restclient.Request {
+	return c.impersonate(c.delegate.Get())
+}
+
+func (c impersonatingRESTClient) Delete() *restclient.Request {
+	return c.impersonate(c.delegate.Delete())
+}
+
+func (c impersonatingRESTClient) APIVersion() schema.GroupVersion {
+	return c.delegate.APIVersion()
+}
+
+func (c impersonatingRESTClient) GetRateLimiter() flowcontrol.RateLimiter {
+	return c.delegate.GetRateLimiter()
+}

pkg/auth/client/impersonate_rbac.go

@@ -0,0 +1,17 @@
+package client
+
+import (
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	apirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/client-go/rest"
+	rbacinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
+)
+
+func NewImpersonatingRBACFromContext(ctx apirequest.Context, restclient rest.Interface) (rbacinternalversion.RbacInterface, error) {
+	user, ok := request.UserFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("user missing from context")
+	}
+	return rbacinternalversion.New(NewImpersonatingRESTClient(user, restclient)), nil
+}