Proxy Cluster Role Bindings to Native Kube RBAC

simo5 · simo5 · commit 7ebbf1a2563c · 2017-07-05T05:51:37.000-04:00
Store ClusterRoleBindings as native RBAC Objects via Kubernetes.
Provides backwards compatible API for the old Openshift rolebindings.
diff --git a/pkg/authorization/registry/clusterrolebinding/proxy/proxy.go b/pkg/authorization/registry/clusterrolebinding/proxy/proxy.go
@@ -1,116 +1,150 @@
 package proxy
 
 import (
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
 
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	clusterpolicybindingregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicybinding"
-	"github.com/openshift/origin/pkg/authorization/registry/clusterrolebinding"
-	rolebindingregistry "github.com/openshift/origin/pkg/authorization/registry/rolebinding"
-	rolebindingstorage "github.com/openshift/origin/pkg/authorization/registry/rolebinding/policybased"
-	"github.com/openshift/origin/pkg/authorization/rulevalidation"
+	authzapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 )
 
-type ClusterRoleBindingStorage struct {
-	roleBindingStorage rolebindingstorage.VirtualStorage
+func rbacToClusterRoleBinding(in *rbac.ClusterRoleBinding) (authzapi.ClusterRoleBinding, error) {
+	var out authzapi.ClusterRoleBinding
+	err := authzapi.Convert_rbac_ClusterRoleBinding_To_authorization_ClusterRoleBinding(in, &out, nil)
+	return out, err
 }
 
-func NewClusterRoleBindingStorage(clusterBindingRegistry clusterpolicybindingregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) clusterrolebinding.Storage {
-	return &ClusterRoleBindingStorage{
-		roleBindingStorage: rolebindingstorage.VirtualStorage{
-			BindingRegistry: clusterpolicybindingregistry.NewSimulatedRegistry(clusterBindingRegistry),
+func rbacFromClusterRoleBinding(in *authzapi.ClusterRoleBinding) (rbac.ClusterRoleBinding, error) {
+	var out rbac.ClusterRoleBinding
+	err := authzapi.Convert_authorization_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in, &out, nil)
+	return out, err
+}
 
-			RuleResolver:       liveRuleResolver,
-			CachedRuleResolver: cachedRuleResolver,
+type ClusterRoleBindingStorage struct {
+	client internalversion.ClusterRoleBindingInterface
+}
 
-			CreateStrategy: rolebindingregistry.ClusterStrategy,
-			UpdateStrategy: rolebindingregistry.ClusterStrategy,
-			Resource:       authorizationapi.Resource("clusterrolebinding"),
-		},
-	}
+func NewREST(client internalversion.ClusterRoleBindingInterface) *ClusterRoleBindingStorage {
+	return &ClusterRoleBindingStorage{client}
 }
 
 func (s *ClusterRoleBindingStorage) New() runtime.Object {
-	return &authorizationapi.ClusterRoleBinding{}
+	return &authzapi.ClusterRoleBinding{}
 }
 func (s *ClusterRoleBindingStorage) NewList() runtime.Object {
-	return &authorizationapi.ClusterRoleBindingList{}
+	return &authzapi.ClusterRoleBindingList{}
 }
 
 func (s *ClusterRoleBindingStorage) List(ctx apirequest.Context, options *metainternal.ListOptions) (runtime.Object, error) {
-	ret, err := s.roleBindingStorage.List(ctx, options)
-	if ret == nil {
+	optv1 := metav1.ListOptions{}
+	if err := metainternal.Convert_internalversion_ListOptions_To_v1_ListOptions(options, &optv1, nil); err != nil {
 		return nil, err
 	}
-	return authorizationapi.ToClusterRoleBindingList(ret.(*authorizationapi.RoleBindingList)), err
+	roles, err := s.client.List(optv1)
+	if roles == nil {
+		return nil, err
+	}
+	ret := &authzapi.ClusterRoleBindingList{}
+	for _, curr := range roles.Items {
+		role, err := rbacToClusterRoleBinding(&curr)
+		if err != nil {
+			return nil, err
+		}
+		ret.Items = append(ret.Items, role)
+	}
+	return ret, err
 }
 
 func (s *ClusterRoleBindingStorage) Get(ctx apirequest.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
-	ret, err := s.roleBindingStorage.Get(ctx, name, options)
-	if ret == nil {
+	ret, err := s.client.Get(name, *options)
+	if err != nil {
 		return nil, err
 	}
-
-	return authorizationapi.ToClusterRoleBinding(ret.(*authorizationapi.RoleBinding)), err
+	role, err := rbacToClusterRoleBinding(ret)
+	if err != nil {
+		return nil, err
+	}
+	return &role, err
 }
+
 func (s *ClusterRoleBindingStorage) Delete(ctx apirequest.Context, name string, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
-	ret, immediate, err := s.roleBindingStorage.Delete(ctx, name, options)
-	if ret == nil {
-		return nil, immediate, err
+	if err := s.client.Delete(name, options); err != nil {
+		return nil, false, err
 	}
 
-	return ret.(*metav1.Status), false, err
+	return &metav1.Status{Status: metav1.StatusSuccess}, true, nil
 }
 
 func (s *ClusterRoleBindingStorage) Create(ctx apirequest.Context, obj runtime.Object) (runtime.Object, error) {
-	clusterObj := obj.(*authorizationapi.ClusterRoleBinding)
-	convertedObj := authorizationapi.ToRoleBinding(clusterObj)
+	clusterObj := obj.(*authzapi.ClusterRoleBinding)
+	convertedObj, err := rbacFromClusterRoleBinding(clusterObj)
 
-	ret, err := s.roleBindingStorage.Create(ctx, convertedObj)
-	if ret == nil {
+	ret, err := s.client.Create(&convertedObj)
+	if err != nil {
 		return nil, err
 	}
-
-	return authorizationapi.ToClusterRoleBinding(ret.(*authorizationapi.RoleBinding)), err
-}
-
-type convertingObjectInfo struct {
-	rest.UpdatedObjectInfo
-}
-
-func (i convertingObjectInfo) UpdatedObject(ctx apirequest.Context, old runtime.Object) (runtime.Object, error) {
-	oldObj := old.(*authorizationapi.RoleBinding)
-	convertedOldObj := authorizationapi.ToClusterRoleBinding(oldObj)
-	obj, err := i.UpdatedObjectInfo.UpdatedObject(ctx, convertedOldObj)
+	role, err := rbacToClusterRoleBinding(ret)
 	if err != nil {
 		return nil, err
 	}
-	clusterObj := obj.(*authorizationapi.ClusterRoleBinding)
-	convertedObj := authorizationapi.ToRoleBinding(clusterObj)
-	return convertedObj, nil
+	return &role, err
 }
 
 func (s *ClusterRoleBindingStorage) Update(ctx apirequest.Context, name string, objInfo rest.UpdatedObjectInfo) (runtime.Object, bool, error) {
-	ret, created, err := s.roleBindingStorage.Update(ctx, name, convertingObjectInfo{objInfo})
-	if ret == nil {
-		return nil, created, err
+	old, err := s.client.Get(name, metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			err = apierrors.NewNotFound(rbac.Resource("clusterrolebinding"), name)
+		}
+		return nil, false, err
+	}
+
+	oldRoleBinding, err := rbacToClusterRoleBinding(old)
+	if err != nil {
+		return nil, false, err
+	}
+
+	obj, err := objInfo.UpdatedObject(ctx, &oldRoleBinding)
+	if err != nil {
+		return nil, false, err
+	}
+
+	updatedRoleBinding, err := rbacFromClusterRoleBinding(obj.(*authzapi.ClusterRoleBinding))
+	if err != nil {
+		return nil, false, err
 	}
 
-	return authorizationapi.ToClusterRoleBinding(ret.(*authorizationapi.RoleBinding)), created, err
+	ret, err := s.client.Update(&updatedRoleBinding)
+	if err != nil {
+		return nil, false, err
+	}
+
+	role, err := rbacToClusterRoleBinding(ret)
+	if err != nil {
+		return nil, false, err
+	}
+	return &role, false, err
 }
 
-func (m *ClusterRoleBindingStorage) CreateClusterRoleBindingWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, error) {
-	in := authorizationapi.ToRoleBinding(obj)
-	ret, err := m.roleBindingStorage.CreateRoleBindingWithEscalation(ctx, in)
-	return authorizationapi.ToClusterRoleBinding(ret), err
+// FIXME: what's escalation exactly ?
+func (m *ClusterRoleBindingStorage) CreateClusterRoleBindingWithEscalation(ctx apirequest.Context, obj *authzapi.ClusterRoleBinding) (*authzapi.ClusterRoleBinding, error) {
+	ret, err := m.Create(ctx, obj)
+	if err != nil {
+		return nil, err
+	}
+	return ret.(*authzapi.ClusterRoleBinding), err
 }
 
-func (m *ClusterRoleBindingStorage) UpdateClusterRoleBindingWithEscalation(ctx apirequest.Context, obj *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, bool, error) {
-	in := authorizationapi.ToRoleBinding(obj)
-	ret, created, err := m.roleBindingStorage.UpdateRoleBindingWithEscalation(ctx, in)
-	return authorizationapi.ToClusterRoleBinding(ret), created, err
+func (m *ClusterRoleBindingStorage) UpdateClusterRoleBindingWithEscalation(ctx apirequest.Context, obj *authzapi.ClusterRoleBinding) (*authzapi.ClusterRoleBinding, bool, error) {
+	ret, ignored, err := m.Update(ctx, obj.Name, rest.DefaultUpdatedObjectInfo(obj, api.Scheme))
+	if err != nil {
+		return nil, false, err
+	}
+	return ret.(*authzapi.ClusterRoleBinding), ignored, err
 }
diff --git a/pkg/authorization/util/util.go b/pkg/authorization/util/util.go
@@ -114,7 +114,7 @@ func GetAuthorizationStorage(optsGetter restoptions.Getter, kubeClient internalc
 	roleStorage := rolestorage.NewVirtualStorage(policyRegistry, liveRuleResolver, cachedRuleResolver)
 	roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, liveRuleResolver, cachedRuleResolver)
 	clusterRoleStorage := clusterrolestorage.NewREST(kubeClient.Rbac().ClusterRoles())
-	clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyBindingRegistry, liveRuleResolver, cachedRuleResolver)
+	clusterRoleBindingStorage := clusterrolebindingstorage.NewREST(kubeClient.Rbac().ClusterRoleBindings())
 
 	return &AuthorizationStorage{
 		Policy:               policyStorage,
