Merge pull request #14896 from enj/enj/i/live_policy/1463630

Use live lookups to resolve uncached role refs

Author: smarterclayton

pkg/authorization/registry/clusterpolicy/registry.go

@@ -121,23 +121,23 @@ func (s *simulatedStorage) DeletePolicy(ctx apirequest.Context, name string) err
 }
 
 type ReadOnlyClusterPolicy struct {
-	Registry
+	Registry Registry
 }
 
 func (s ReadOnlyClusterPolicy) List(options metav1.ListOptions) (*authorizationapi.ClusterPolicyList, error) {
 	optint := metainternal.ListOptions{}
 	if err := metainternal.Convert_v1_ListOptions_To_internalversion_ListOptions(&options, &optint, nil); err != nil {
 		return nil, err
 	}
-	return s.ListClusterPolicies(apirequest.WithNamespace(apirequest.NewContext(), ""), &optint)
+	return s.Registry.ListClusterPolicies(apirequest.WithNamespace(apirequest.NewContext(), ""), &optint)
 }
 
 func (s ReadOnlyClusterPolicy) Get(name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicy, error) {
-	return s.GetClusterPolicy(apirequest.WithNamespace(apirequest.NewContext(), ""), name, options)
+	return s.Registry.GetClusterPolicy(apirequest.WithNamespace(apirequest.NewContext(), ""), name, options)
 }
 
 type ReadOnlyClusterPolicyClientShim struct {
-	ReadOnlyClusterPolicy
+	ReadOnlyClusterPolicy ReadOnlyClusterPolicy
 }
 
 func (r *ReadOnlyClusterPolicyClientShim) List(label labels.Selector) ([]*authorizationapi.ClusterPolicy, error) {

pkg/authorization/registry/clusterpolicybinding/registry.go

@@ -121,23 +121,23 @@ func (s *simulatedStorage) DeletePolicyBinding(ctx apirequest.Context, name stri
 }
 
 type ReadOnlyClusterPolicyBinding struct {
-	Registry
+	Registry Registry
 }
 
 func (s ReadOnlyClusterPolicyBinding) List(options metav1.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error) {
 	optint := metainternal.ListOptions{}
 	if err := metainternal.Convert_v1_ListOptions_To_internalversion_ListOptions(&options, &optint, nil); err != nil {
 		return nil, err
 	}
-	return s.ListClusterPolicyBindings(apirequest.WithNamespace(apirequest.NewContext(), ""), &optint)
+	return s.Registry.ListClusterPolicyBindings(apirequest.WithNamespace(apirequest.NewContext(), ""), &optint)
 }
 
 func (s ReadOnlyClusterPolicyBinding) Get(name string, options *metav1.GetOptions) (*authorizationapi.ClusterPolicyBinding, error) {
-	return s.GetClusterPolicyBinding(apirequest.WithNamespace(apirequest.NewContext(), ""), name, options)
+	return s.Registry.GetClusterPolicyBinding(apirequest.WithNamespace(apirequest.NewContext(), ""), name, options)
 }
 
 type ReadOnlyClusterPolicyBindingClientShim struct {
-	ReadOnlyClusterPolicyBinding
+	ReadOnlyClusterPolicyBinding ReadOnlyClusterPolicyBinding
 }
 
 func (r *ReadOnlyClusterPolicyBindingClientShim) List(label labels.Selector) ([]*authorizationapi.ClusterPolicyBinding, error) {

pkg/authorization/registry/clusterrole/proxy/proxy.go

@@ -9,7 +9,7 @@ import (
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy"
-	clusterpolicybindingregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicybinding"
+	"github.com/openshift/origin/pkg/authorization/registry/clusterrole"
 	roleregistry "github.com/openshift/origin/pkg/authorization/registry/role"
 	rolestorage "github.com/openshift/origin/pkg/authorization/registry/role/policybased"
 	"github.com/openshift/origin/pkg/authorization/rulevalidation"
@@ -19,30 +19,18 @@ type ClusterRoleStorage struct {
 	roleStorage rolestorage.VirtualStorage
 }
 
-func NewClusterRoleStorage(clusterPolicyRegistry clusterpolicyregistry.Registry, clusterBindingRegistry clusterpolicybindingregistry.Registry, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) *ClusterRoleStorage {
-	simulatedPolicyRegistry := clusterpolicyregistry.NewSimulatedRegistry(clusterPolicyRegistry)
-
-	ruleResolver := rulevalidation.NewDefaultRuleResolver(
-		nil,
-		nil,
-		&clusterpolicyregistry.ReadOnlyClusterPolicyClientShim{
-			ReadOnlyClusterPolicy: clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
-		},
-		&clusterpolicybindingregistry.ReadOnlyClusterPolicyBindingClientShim{
-			ReadOnlyClusterPolicyBinding: clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterBindingRegistry},
-		},
-	)
-
+func NewClusterRoleStorage(clusterPolicyRegistry clusterpolicyregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) clusterrole.Storage {
 	return &ClusterRoleStorage{
 		roleStorage: rolestorage.VirtualStorage{
-			PolicyStorage: simulatedPolicyRegistry,
+			PolicyStorage: clusterpolicyregistry.NewSimulatedRegistry(clusterPolicyRegistry),
 
-			RuleResolver:       ruleResolver,
+			RuleResolver:       liveRuleResolver,
 			CachedRuleResolver: cachedRuleResolver,
 
 			CreateStrategy: roleregistry.ClusterStrategy,
 			UpdateStrategy: roleregistry.ClusterStrategy,
-			Resource:       authorizationapi.Resource("clusterrole")},
+			Resource:       authorizationapi.Resource("clusterrole"),
+		},
 	}
 }
 

pkg/authorization/registry/clusterrole/registry.go

@@ -1,29 +1,12 @@
 package clusterrole
 
 import (
-	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
-	kapi "k8s.io/kubernetes/pkg/api"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 )
 
-// Registry is an interface for things that know how to store ClusterRoles.
-type Registry interface {
-	// ListClusterRoles obtains list of policyClusterRoles that match a selector.
-	ListClusterRoles(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterRoleList, error)
-	// GetClusterRole retrieves a specific policyClusterRole.
-	GetClusterRole(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.ClusterRole, error)
-	// CreateClusterRole creates a new policyClusterRole.
-	CreateClusterRole(ctx apirequest.Context, policyClusterRole *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, error)
-	// UpdateClusterRole updates a policyClusterRole.
-	UpdateClusterRole(ctx apirequest.Context, policyClusterRole *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, bool, error)
-	// DeleteClusterRole deletes a policyClusterRole.
-	DeleteClusterRole(ctx apirequest.Context, id string) error
-}
-
 // Storage is an interface for a standard REST Storage backend
 type Storage interface {
 	rest.Getter
@@ -32,57 +15,7 @@ type Storage interface {
 	rest.GracefulDeleter
 
 	// CreateRoleWithEscalation creates a new policyRole.  Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
-	CreateRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.Role) (*authorizationapi.Role, error)
+	CreateClusterRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, error)
 	// UpdateRoleWithEscalation updates a policyRole.  Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
-	UpdateRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.Role) (*authorizationapi.Role, bool, error)
-}
-
-// storage puts strong typing around storage calls
-type storage struct {
-	Storage
-}
-
-// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
-// types will panic.
-func NewRegistry(s Storage) Registry {
-	return &storage{s}
-}
-
-func (s *storage) ListClusterRoles(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.ClusterRoleList, error) {
-	obj, err := s.List(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-
-	return obj.(*authorizationapi.ClusterRoleList), nil
-}
-
-func (s *storage) CreateClusterRole(ctx apirequest.Context, node *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, error) {
-	obj, err := s.Create(ctx, node)
-	if err != nil {
-		return nil, err
-	}
-
-	return obj.(*authorizationapi.ClusterRole), err
-}
-
-func (s *storage) UpdateClusterRole(ctx apirequest.Context, node *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, bool, error) {
-	obj, created, err := s.Update(ctx, node.Name, rest.DefaultUpdatedObjectInfo(node, kapi.Scheme))
-	if err != nil {
-		return nil, created, err
-	}
-	return obj.(*authorizationapi.ClusterRole), created, err
-}
-
-func (s *storage) GetClusterRole(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.ClusterRole, error) {
-	obj, err := s.Get(ctx, name, options)
-	if err != nil {
-		return nil, err
-	}
-	return obj.(*authorizationapi.ClusterRole), nil
-}
-
-func (s *storage) DeleteClusterRole(ctx apirequest.Context, name string) error {
-	_, _, err := s.Delete(ctx, name, nil)
-	return err
+	UpdateClusterRoleWithEscalation(ctx apirequest.Context, policyRole *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, bool, error)
 }

pkg/authorization/registry/clusterrolebinding/proxy/proxy.go

@@ -8,8 +8,8 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy"
 	clusterpolicybindingregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicybinding"
+	"github.com/openshift/origin/pkg/authorization/registry/clusterrolebinding"
 	rolebindingregistry "github.com/openshift/origin/pkg/authorization/registry/rolebinding"
 	rolebindingstorage "github.com/openshift/origin/pkg/authorization/registry/rolebinding/policybased"
 	"github.com/openshift/origin/pkg/authorization/rulevalidation"
@@ -19,25 +19,12 @@ type ClusterRoleBindingStorage struct {
 	roleBindingStorage rolebindingstorage.VirtualStorage
 }
 
-func NewClusterRoleBindingStorage(clusterPolicyRegistry clusterpolicyregistry.Registry, clusterPolicyBindingRegistry clusterpolicybindingregistry.Registry, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) *ClusterRoleBindingStorage {
-	simulatedPolicyBindingRegistry := clusterpolicybindingregistry.NewSimulatedRegistry(clusterPolicyBindingRegistry)
-
-	ruleResolver := rulevalidation.NewDefaultRuleResolver(
-		nil,
-		nil,
-		&clusterpolicyregistry.ReadOnlyClusterPolicyClientShim{
-			ReadOnlyClusterPolicy: clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
-		},
-		&clusterpolicybindingregistry.ReadOnlyClusterPolicyBindingClientShim{
-			ReadOnlyClusterPolicyBinding: clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterPolicyBindingRegistry},
-		},
-	)
-
+func NewClusterRoleBindingStorage(clusterBindingRegistry clusterpolicybindingregistry.Registry, liveRuleResolver, cachedRuleResolver rulevalidation.AuthorizationRuleResolver) clusterrolebinding.Storage {
 	return &ClusterRoleBindingStorage{
-		rolebindingstorage.VirtualStorage{
-			BindingRegistry: simulatedPolicyBindingRegistry,
+		roleBindingStorage: rolebindingstorage.VirtualStorage{
+			BindingRegistry: clusterpolicybindingregistry.NewSimulatedRegistry(clusterBindingRegistry),
 
-			RuleResolver:       ruleResolver,
+			RuleResolver:       liveRuleResolver,
 			CachedRuleResolver: cachedRuleResolver,
 
 			CreateStrategy: rolebindingregistry.ClusterStrategy,

pkg/authorization/registry/clusterrolebinding/registry.go

@@ -1,29 +1,12 @@
 package clusterrolebinding
 
 import (
-	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
-	kapi "k8s.io/kubernetes/pkg/api"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 )
 
-// Registry is an interface for things that know how to store RoleBindings.
-type Registry interface {
-	// ListRoleBindings obtains list of policyRoleBindings that match a selector.
-	ListRoleBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.RoleBindingList, error)
-	// GetRoleBinding retrieves a specific policyRoleBinding.
-	GetRoleBinding(ctx apirequest.Context, id string, options *metav1.GetOptions) (*authorizationapi.RoleBinding, error)
-	// CreateRoleBinding creates a new policyRoleBinding.
-	CreateRoleBinding(ctx apirequest.Context, policyRoleBinding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, error)
-	// UpdateRoleBinding updates a policyRoleBinding.
-	UpdateRoleBinding(ctx apirequest.Context, policyRoleBinding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, bool, error)
-	// DeleteRoleBinding deletes a policyRoleBinding.
-	DeleteRoleBinding(ctx apirequest.Context, id string) error
-}
-
 // Storage is an interface for a standard REST Storage backend
 type Storage interface {
 	rest.Getter
@@ -32,56 +15,7 @@ type Storage interface {
 	rest.GracefulDeleter
 
 	// CreateRoleBinding creates a new policyRoleBinding.  Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
-	CreateRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, error)
+	CreateClusterRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, error)
 	// UpdateRoleBinding updates a policyRoleBinding.  Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
-	UpdateRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, bool, error)
-}
-
-// storage puts strong typing around storage calls
-type storage struct {
-	Storage
-}
-
-// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
-// types will panic.
-func NewRegistry(s Storage) Registry {
-	return &storage{s}
-}
-
-func (s *storage) ListRoleBindings(ctx apirequest.Context, options *metainternal.ListOptions) (*authorizationapi.RoleBindingList, error) {
-	obj, err := s.List(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-
-	return obj.(*authorizationapi.RoleBindingList), nil
-}
-
-func (s *storage) CreateRoleBinding(ctx apirequest.Context, binding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, error) {
-	obj, err := s.Create(ctx, binding)
-	if err != nil {
-		return nil, err
-	}
-	return obj.(*authorizationapi.RoleBinding), err
-}
-
-func (s *storage) UpdateRoleBinding(ctx apirequest.Context, binding *authorizationapi.RoleBinding) (*authorizationapi.RoleBinding, bool, error) {
-	obj, created, err := s.Update(ctx, binding.Name, rest.DefaultUpdatedObjectInfo(binding, kapi.Scheme))
-	if err != nil {
-		return nil, created, err
-	}
-	return obj.(*authorizationapi.RoleBinding), created, err
-}
-
-func (s *storage) GetRoleBinding(ctx apirequest.Context, name string, options *metav1.GetOptions) (*authorizationapi.RoleBinding, error) {
-	obj, err := s.Get(ctx, name, options)
-	if err != nil {
-		return nil, err
-	}
-	return obj.(*authorizationapi.RoleBinding), nil
-}
-
-func (s *storage) DeleteRoleBinding(ctx apirequest.Context, name string) error {
-	_, _, err := s.Delete(ctx, name, nil)
-	return err
+	UpdateClusterRoleBindingWithEscalation(ctx apirequest.Context, policyRoleBinding *authorizationapi.ClusterRoleBinding) (*authorizationapi.ClusterRoleBinding, bool, error)
 }

pkg/authorization/registry/policy/registry.go

@@ -3,12 +3,14 @@ package policy
 import (
 	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/watch"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	kapi "k8s.io/kubernetes/pkg/api"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
+	authorizationlister "github.com/openshift/origin/pkg/authorization/generated/listers/authorization/internalversion"
 )
 
 // Registry is an interface for things that know how to store Policies.
@@ -82,3 +84,36 @@ func (s *storage) DeletePolicy(ctx apirequest.Context, name string) error {
 	_, _, err := s.Delete(ctx, name, nil)
 	return err
 }
+
+type ReadOnlyPolicyListerNamespacer struct {
+	Registry Registry
+}
+
+func (s ReadOnlyPolicyListerNamespacer) Policies(namespace string) authorizationlister.PolicyNamespaceLister {
+	return readOnlyPolicyLister{registry: s.Registry, namespace: namespace}
+}
+
+func (s ReadOnlyPolicyListerNamespacer) List(label labels.Selector) ([]*authorizationapi.Policy, error) {
+	return s.Policies("").List(label)
+}
+
+type readOnlyPolicyLister struct {
+	registry  Registry
+	namespace string
+}
+
+func (s readOnlyPolicyLister) List(label labels.Selector) ([]*authorizationapi.Policy, error) {
+	list, err := s.registry.ListPolicies(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), &metainternal.ListOptions{LabelSelector: label})
+	if err != nil {
+		return nil, err
+	}
+	var items []*authorizationapi.Policy
+	for i := range list.Items {
+		items = append(items, &list.Items[i])
+	}
+	return items, nil
+}
+
+func (s readOnlyPolicyLister) Get(name string) (*authorizationapi.Policy, error) {
+	return s.registry.GetPolicy(apirequest.WithNamespace(apirequest.NewContext(), s.namespace), name, &metav1.GetOptions{})
+}