Proxy Cluster Roles to Native Kube RBAC Cluster Roles

OpenShift Bot · simo5 · commit 75d7d5a6d6f3 · 2017-07-03T12:22:07.000-04:00
Store ClusterRoles as native RBAC Objects via Kubernetes.
Provides backwards compatible API for the old policy based roles.
diff --git a/pkg/authorization/registry/clusterrole/proxy/proxy.go b/pkg/authorization/registry/clusterrole/proxy/proxy.go
@@ -1,124 +1,150 @@
-package proxy
+package rbac
 
 import (
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
 
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy"
-	"github.com/openshift/origin/pkg/authorization/registry/clusterrole"
-	roleregistry "github.com/openshift/origin/pkg/authorization/registry/role"
-	rolestorage "github.com/openshift/origin/pkg/authorization/registry/role/policybased"
-	"github.com/openshift/origin/pkg/authorization/rulevalidation"
+	authzapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 )
 
-type ClusterRoleStorage struct {
-	roleStorage rolestorage.VirtualStorage
+func rbacToClusterRole(in *rbac.ClusterRole) (authzapi.ClusterRole, error) {
+	var out authzapi.ClusterRole
+	err := authzapi.Convert_rbac_ClusterRole_To_authorization_ClusterRole(in, &out, nil)
+	return out, err
 }
 
-func NewClusterRoleStorage(clusterPolicyRegistry clusterpolicyregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) clusterrole.Storage {
-	return &ClusterRoleStorage{
-		roleStorage: rolestorage.VirtualStorage{
-			PolicyStorage: clusterpolicyregistry.NewSimulatedRegistry(clusterPolicyRegistry),
+func rbacFromClusterRole(in *authzapi.ClusterRole) (rbac.ClusterRole, error) {
+	var out rbac.ClusterRole
+	err := authzapi.Convert_authorization_ClusterRole_To_rbac_ClusterRole(in, &out, nil)
+	return out, err
+}
 
-			RuleResolver:       liveRuleResolver,
-			CachedRuleResolver: cachedRuleResolver,
+type ClusterRoleStorage struct {
+	client internalversion.ClusterRoleInterface
+}
 
-			CreateStrategy: roleregistry.ClusterStrategy,
-			UpdateStrategy: roleregistry.ClusterStrategy,
-			Resource:       authorizationapi.Resource("clusterrole"),
-		},
-	}
+func NewREST(client internalversion.ClusterRoleInterface) *ClusterRoleStorage {
+	return &ClusterRoleStorage{client}
 }
 
 func (s *ClusterRoleStorage) New() runtime.Object {
-	return &authorizationapi.ClusterRole{}
+	return &authzapi.ClusterRole{}
 }
 func (s *ClusterRoleStorage) NewList() runtime.Object {
-	return &authorizationapi.ClusterRoleList{}
+	return &authzapi.ClusterRoleList{}
 }
 
 func (s *ClusterRoleStorage) List(ctx apirequest.Context, options *metainternal.ListOptions) (runtime.Object, error) {
-	ret, err := s.roleStorage.List(ctx, options)
-	if ret == nil {
+	optv1 := metav1.ListOptions{}
+	if err := metainternal.Convert_internalversion_ListOptions_To_v1_ListOptions(options, &optv1, nil); err != nil {
 		return nil, err
 	}
-	return authorizationapi.ToClusterRoleList(ret.(*authorizationapi.RoleList)), err
+	roles, err := s.client.List(optv1)
+	if roles == nil {
+		return nil, err
+	}
+	ret := &authzapi.ClusterRoleList{}
+	for _, curr := range roles.Items {
+		role, err := rbacToClusterRole(&curr)
+		if err != nil {
+			return nil, err
+		}
+		ret.Items = append(ret.Items, role)
+	}
+	return ret, err
 }
 
 func (s *ClusterRoleStorage) Get(ctx apirequest.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
-	ret, err := s.roleStorage.Get(ctx, name, options)
-	if ret == nil {
+	ret, err := s.client.Get(name, *options)
+	if err != nil {
 		return nil, err
 	}
-
-	return authorizationapi.ToClusterRole(ret.(*authorizationapi.Role)), err
+	role, err := rbacToClusterRole(ret)
+	if err != nil {
+		return nil, err
+	}
+	return &role, err
 }
+
 func (s *ClusterRoleStorage) Delete(ctx apirequest.Context, name string, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
-	ret, immediate, err := s.roleStorage.Delete(ctx, name, options)
-	if ret == nil {
-		return nil, immediate, err
+	if err := s.client.Delete(name, options); err != nil {
+		return nil, false, err
 	}
 
-	return ret.(*metav1.Status), false, err
+	return &metav1.Status{Status: metav1.StatusSuccess}, true, nil
 }
 
 func (s *ClusterRoleStorage) Create(ctx apirequest.Context, obj runtime.Object) (runtime.Object, error) {
-	clusterObj := obj.(*authorizationapi.ClusterRole)
-	convertedObj := authorizationapi.ToRole(clusterObj)
+	clusterObj := obj.(*authzapi.ClusterRole)
+	convertedObj, err := rbacFromClusterRole(clusterObj)
 
-	ret, err := s.roleStorage.Create(ctx, convertedObj)
-	if ret == nil {
+	ret, err := s.client.Create(&convertedObj)
+	if err != nil {
 		return nil, err
 	}
-
-	return authorizationapi.ToClusterRole(ret.(*authorizationapi.Role)), err
-}
-
-type convertingObjectInfo struct {
-	rest.UpdatedObjectInfo
-}
-
-func (i convertingObjectInfo) UpdatedObject(ctx apirequest.Context, old runtime.Object) (runtime.Object, error) {
-	oldObj := old.(*authorizationapi.Role)
-	convertedOldObj := authorizationapi.ToClusterRole(oldObj)
-	obj, err := i.UpdatedObjectInfo.UpdatedObject(ctx, convertedOldObj)
+	role, err := rbacToClusterRole(ret)
 	if err != nil {
 		return nil, err
 	}
-	clusterObj := obj.(*authorizationapi.ClusterRole)
-	convertedObj := authorizationapi.ToRole(clusterObj)
-	return convertedObj, nil
+	return &role, err
 }
 
 func (s *ClusterRoleStorage) Update(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
-	ret, created, err := s.roleStorage.Update(ctx, name, convertingObjectInfo{objInfo})
-	if ret == nil {
-		return nil, created, err
+	old, err := s.client.Get(name, metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			err = apierrors.NewNotFound(rbac.Resource("clusterrole"), name)
+		}
+		return nil, false, err
 	}
 
-	return authorizationapi.ToClusterRole(ret.(*authorizationapi.Role)), created, err
-}
+	oldRole, err := rbacToClusterRole(old)
+	if err != nil {
+		return nil, false, err
+	}
 
-func (m *ClusterRoleStorage) CreateClusterRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, error) {
-	in := authorizationapi.ToRole(obj)
-	ret, err := m.roleStorage.CreateRoleWithEscalation(ctx, in)
-	return authorizationapi.ToClusterRole(ret), err
-}
+	obj, err := objInfo.UpdatedObject(ctx, &oldRole)
+	if err != nil {
+		return nil, false, err
+	}
+
+	updatedRole, err := rbacFromClusterRole(obj.(*authzapi.ClusterRole))
+	if err != nil {
+		return nil, false, err
+	}
 
-func (m *ClusterRoleStorage) UpdateClusterRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, bool, error) {
-	in := authorizationapi.ToRole(obj)
-	ret, created, err := m.roleStorage.UpdateRoleWithEscalation(ctx, in)
-	return authorizationapi.ToClusterRole(ret), created, err
+	ret, err := s.client.Update(&updatedRole)
+	if err != nil {
+		return nil, false, err
+	}
+
+	role, err := rbacToClusterRole(ret)
+	if err != nil {
+		return nil, false, err
+	}
+	return &role, false, err
 }
 
-func (m *ClusterRoleStorage) CreateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, error) {
-	return m.roleStorage.CreateRoleWithEscalation(ctx, obj)
+// FIXME: what's escalation exactly ?
+func (m *ClusterRoleStorage) CreateClusterRoleWithEscalation(ctx apirequest.Context, obj *authzapi.ClusterRole) (*authzapi.ClusterRole, error) {
+	ret, err := m.Create(ctx, obj)
+	if err != nil {
+		return nil, err
+	}
+	return ret.(*authzapi.ClusterRole), err
 }
 
-func (m *ClusterRoleStorage) UpdateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, bool, error) {
-	return m.roleStorage.UpdateRoleWithEscalation(ctx, obj)
+func (m *ClusterRoleStorage) UpdateClusterRoleWithEscalation(ctx apirequest.Context, obj *authzapi.ClusterRole) (*authzapi.ClusterRole, bool, error) {
+	ret, ignored, err := m.Update(ctx, obj.Name, rest.DefaultUpdatedObjectInfo(obj, api.Scheme))
+	if err != nil {
+		return nil, false, err
+	}
+	return ret.(*authzapi.ClusterRole), ignored, err
 }
diff --git a/pkg/authorization/util/util.go b/pkg/authorization/util/util.go
@@ -7,6 +7,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/kubernetes/pkg/apis/authorization"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
 
 	clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy"
@@ -83,7 +84,7 @@ func NewLiveRuleResolver(policyRegistry policyregistry.Registry, policyBindingRe
 	)
 }
 
-func GetAuthorizationStorage(optsGetter restoptions.Getter, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) (*AuthorizationStorage, error) {
+func GetAuthorizationStorage(optsGetter restoptions.Getter, kubeClient internalclientset.Interface, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) (*AuthorizationStorage, error) {
 	policyStorage, err := policyetcd.NewREST(optsGetter)
 	if err != nil {
 		return nil, err
@@ -112,7 +113,7 @@ func GetAuthorizationStorage(optsGetter restoptions.Getter, cachedRuleResolver r
 
 	roleStorage := rolestorage.NewVirtualStorage(policyRegistry, liveRuleResolver, cachedRuleResolver)
 	roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, liveRuleResolver, cachedRuleResolver)
-	clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, liveRuleResolver, cachedRuleResolver)
+	clusterRoleStorage := clusterrolestorage.NewREST(kubeClient.Rbac().ClusterRoles())
 	clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyBindingRegistry, liveRuleResolver, cachedRuleResolver)
 
 	return &AuthorizationStorage{
diff --git a/pkg/cmd/server/admin/overwrite_bootstrappolicy.go b/pkg/cmd/server/admin/overwrite_bootstrappolicy.go
@@ -21,6 +21,7 @@ import (
 	"github.com/openshift/origin/pkg/authorization/util"
 
 	"github.com/openshift/origin/pkg/cmd/cli/describe"
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	configapilatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
 	originrest "github.com/openshift/origin/pkg/cmd/server/origin/rest"
 	templateapi "github.com/openshift/origin/pkg/template/apis/template"
@@ -95,10 +96,11 @@ func (o OverwriteBootstrapPolicyOptions) OverwriteBootstrapPolicy() error {
 		return err
 	}
 
-	return OverwriteBootstrapPolicy(optsGetter, o.File, o.CreateBootstrapPolicyCommand, o.Force, o.Out)
+	return OverwriteBootstrapPolicy(optsGetter, o.File, o.MasterConfigFile, o.CreateBootstrapPolicyCommand, o.Force, o.Out)
 }
 
-func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
+func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, kubeConfigFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
+
 	if !change {
 		fmt.Fprintf(out, "Performing a dry run of policy overwrite:\n\n")
 	}
@@ -118,7 +120,12 @@ func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createB
 		return r.Err()
 	}
 
-	authStorage, err := util.GetAuthorizationStorage(optsGetter, nil)
+	kubeClient, _, err := configapi.GetInternalKubeClient(kubeConfigFile, nil)
+	if err != nil {
+		return err
+	}
+
+	authStorage, err := util.GetAuthorizationStorage(optsGetter, kubeClient, nil)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/cmd/server/origin/ensure.go b/pkg/cmd/server/origin/ensure.go
@@ -182,7 +182,11 @@ func (c *MasterConfig) ensureComponentAuthorizationRules() {
 	if _, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName, &metav1.GetOptions{}); kapierror.IsNotFound(err) {
 		glog.Infof("No cluster policy found.  Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
 
-		if err := admin.OverwriteBootstrapPolicy(c.RESTOptionsGetter, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
+		if err := admin.OverwriteBootstrapPolicy(c.RESTOptionsGetter,
+			c.Options.PolicyConfig.BootstrapPolicyFile,
+			c.Options.MasterClients.OpenShiftLoopbackKubeConfig,
+			admin.CreateBootstrapPolicyFileFullCommand,
+			true, ioutil.Discard); err != nil {
 			glog.Errorf("Error creating bootstrap policy: %v", err)
 		}
 
diff --git a/pkg/cmd/server/origin/storage.go b/pkg/cmd/server/origin/storage.go
@@ -204,7 +204,7 @@ func (c OpenshiftAPIConfig) GetRestStorage() (map[schema.GroupVersion]map[string
 	selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.RuleResolver, clusterPolicies)
 	subjectRulesReviewStorage := subjectrulesreview.NewREST(c.RuleResolver, clusterPolicies)
 
-	authStorage, err := util.GetAuthorizationStorage(c.GenericConfig.RESTOptionsGetter, c.RuleResolver)
+	authStorage, err := util.GetAuthorizationStorage(c.GenericConfig.RESTOptionsGetter, c.KubeClientInternal, c.RuleResolver)
 	if err != nil {
 		return nil, fmt.Errorf("error building authorization REST storage: %v", err)
 	}
diff --git a/test/integration/bootstrap_policy_test.go b/test/integration/bootstrap_policy_test.go
@@ -115,7 +115,11 @@ func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
 		t.Errorf("unexpected error: %v", err)
 	}
 
-	if err := admin.OverwriteBootstrapPolicy(optsGetter, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
+	if err := admin.OverwriteBootstrapPolicy(optsGetter,
+		masterConfig.PolicyConfig.BootstrapPolicyFile,
+		masterConfig.MasterClients.OpenShiftLoopbackKubeConfig,
+		admin.CreateBootstrapPolicyFileFullCommand,
+		true, ioutil.Discard); err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ func (c OpenshiftAPIConfig) GetRestStorage() (map[schema.GroupVersion]map[string`
`204`	`204`	`selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.RuleResolver, clusterPolicies)`
`205`	`205`	`subjectRulesReviewStorage := subjectrulesreview.NewREST(c.RuleResolver, clusterPolicies)`
`206`	`206`
`207`		`- authStorage, err := util.GetAuthorizationStorage(c.GenericConfig.RESTOptionsGetter, c.RuleResolver)`
	`207`	`+ authStorage, err := util.GetAuthorizationStorage(c.GenericConfig.RESTOptionsGetter, c.KubeClientInternal, c.RuleResolver)`
`208`	`208`	`if err != nil {`
`209`	`209`	`return nil, fmt.Errorf("error building authorization REST storage: %v", err)`
`210`	`210`	`}`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,11 @@ func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {`
`115`	`115`	`t.Errorf("unexpected error: %v", err)`
`116`	`116`	`}`
`117`	`117`
`118`		`- if err := admin.OverwriteBootstrapPolicy(optsGetter, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {`
	`118`	`+ if err := admin.OverwriteBootstrapPolicy(optsGetter,`
	`119`	`+ masterConfig.PolicyConfig.BootstrapPolicyFile,`
	`120`	`+ masterConfig.MasterClients.OpenShiftLoopbackKubeConfig,`
	`121`	`+ admin.CreateBootstrapPolicyFileFullCommand,`
	`122`	`+ true, ioutil.Discard); err != nil {`
`119`	`123`	`t.Errorf("unexpected error: %v", err)`
`120`	`124`	`}`
`121`	`125`