diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
index f2e45ba9fd84..c16ee3879716 100644
--- a/pkg/cmd/server/origin/master_config.go
+++ b/pkg/cmd/server/origin/master_config.go
@@ -187,16 +187,18 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
 	plug, plugStart := newControllerPlug(options, client)
+	authorizer := newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage)
+
 	config := &MasterConfig{
 		Options: options,
 		Authenticator: newAuthenticator(options, etcdHelper, serviceAccountTokenGetter, apiClientCAs, groupCache),
-		Authorizer: newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage),
+		Authorizer: authorizer,
 		AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
 		PolicyCache: policyCache,
 		GroupCache: groupCache,
-		ProjectAuthorizationCache: newProjectAuthorizationCache(privilegedLoopbackOpenShiftClient, privilegedLoopbackKubeClient, policyClient),
+		ProjectAuthorizationCache: newProjectAuthorizationCache(authorizer, privilegedLoopbackKubeClient, policyClient),
 		RequestContextMapper: requestContextMapper,
@@ -320,10 +322,9 @@ func newAuthenticator(config configapi.MasterConfig, etcdHelper storage.Interfac
 	return ret
 }
-func newProjectAuthorizationCache(openshiftClient *osclient.Client, kubeClient *kclient.Client,
-	policyClient policyclient.ReadOnlyPolicyClient) *projectauth.AuthorizationCache {
+func newProjectAuthorizationCache(authorizer authorizer.Authorizer, kubeClient *kclient.Client, policyClient policyclient.ReadOnlyPolicyClient) *projectauth.AuthorizationCache {
 	return projectauth.NewAuthorizationCache(
-		projectauth.NewReviewer(openshiftClient),
+		projectauth.NewAuthorizerReviewer(authorizer),
 		kubeClient.Namespaces(),
 		policyClient,
 	)
diff --git a/pkg/project/auth/reviewer.go b/pkg/project/auth/reviewer.go
index 999418b5b930..37ce5e4e8e01 100644
--- a/pkg/project/auth/reviewer.go
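Review bot: The new local `authorizer := newAuthorizer(...)` in BuildMasterConfig shadows the imported `authorizer` package for the remainder of that function, and the parameter `authorizer authorizer.Authorizer` in the second hunk's newProjectAuthorizationCache does the same inside its body; the package is evidently imported in this file since that signature names `authorizer.Authorizer`. Both compile today only because neither scope refers to the package after the declaration, so the next maintainer who adds, say, an `authorizer.DefaultAuthorizationAttributes{}` in either place gets a confusing "is not a type" error. Renaming the local and the parameter avoids this, e.g. `authz := newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage)` with `ProjectAuthorizationCache: newProjectAuthorizationCache(authz, privilegedLoopbackKubeClient, policyClient),` and `func newProjectAuthorizationCache(authz authorizer.Authorizer, kubeClient *kclient.Client, policyClient policyclient.ReadOnlyPolicyClient) *projectauth.AuthorizationCache {` with the body passing `authz`. BuildMasterConfig starts and ends outside the first hunk.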
+++ b/pkg/project/auth/reviewer.go
@@ -1,7 +1,10 @@
 package auth
 import (
+	kapi "k8s.io/kubernetes/pkg/api"
+
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	"github.com/openshift/origin/pkg/authorization/authorizer"
 	"github.com/openshift/origin/pkg/client"
 )
@@ -11,6 +14,20 @@ type Review interface {
 	Groups() []string
 }
+type defaultReview struct {
+	users []string
+	groups []string
+}
+
+func (r *defaultReview) Users() []string {
+	return r.users
+}
+
+// Groups returns the groups that can access a resource
+func (r *defaultReview) Groups() []string {
+	return r.groups
+}
+
 type review struct {
 	response *authorizationapi.ResourceAccessReviewResponse
 }
@@ -62,3 +79,31 @@ func (r *reviewer) Review(name string) (Review, error) {
 	}
 	return review, nil
 }
+
+type authorizerReviewer struct {
+	policyChecker authorizer.Authorizer
+}
+
+func NewAuthorizerReviewer(policyChecker authorizer.Authorizer) Reviewer {
+	return &authorizerReviewer{policyChecker: policyChecker}
+}
+
+func (r *authorizerReviewer) Review(namespaceName string) (Review, error) {
+	attributes := authorizer.DefaultAuthorizationAttributes{
+		Verb: "get",
+		Resource: "namespaces",
+		ResourceName: namespaceName,
+	}
+
+	ctx := kapi.WithNamespace(kapi.NewContext(), namespaceName)
+	users, groups, err := r.policyChecker.GetAllowedSubjects(ctx, attributes)
+	if err != nil {
+		return nil, err
+	}
+
+	review := &defaultReview{
+		users: users.List(),
+		groups: groups.List(),
+	}
+	return review, nil
+}
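Review bot: `Users()` on defaultReview has no doc comment while its sibling `Groups()` does, and neither comment says that the returned slice is the receiver's own backing storage, so a caller that sorts or appends to the result mutates the review it was handed. Suggest `// Users returns the users that can access a resource; the slice is not copied.` above Users and the same caveat on Groups, or return `append([]string(nil), r.users...)` if the cache's consumers need isolation (I cannot see them from this diff). A compile-time check `var _ Review = (*defaultReview)(nil)` next to the type would also pin the interface satisfaction that NewAuthorizerReviewer relies on; the Review interface's Users method is above the hunk.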
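Review bot: NewAuthorizerReviewer is exported without a doc comment, and the error from GetAllowedSubjects in Review is returned bare, so a consumer of the AuthorizationCache sees a policy-evaluation failure with no indication of which namespace was being reviewed. Suggest `// NewAuthorizerReviewer returns a Reviewer whose Review asks policyChecker which users and groups may "get" the named namespace.` above the constructor, and wrapping the error with the namespace, e.g. `return nil, fmt.Errorf("determining subjects allowed to get namespace %q: %v", namespaceName, err)` (needs a `fmt` import that this hunk does not add). Note also that the request context handed to GetAllowedSubjects carries only the namespace and no user; if that method's answer ever depends on the calling identity, the subjects computed here would be incomplete — its implementation is outside this diff, so treat that as something to confirm rather than a defect.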