add other user rules review

Author: deads2k

api/swagger-spec/oapi-v1.json

@@ -18944,6 +18944,104 @@
      }
     ]
    },
+   {
+    "path": "/oapi/v1/namespaces/{namespace}/subjectrulesreviews",
+    "description": "OpenShift REST API, version v1",
+    "operations": [
+     {
+      "type": "v1.SubjectRulesReview",
+      "method": "POST",
+      "summary": "create a SubjectRulesReview",
+      "nickname": "createNamespacedSubjectRulesReview",
+      "parameters": [
+       {
+        "type": "string",
+        "paramType": "query",
+        "name": "pretty",
+        "description": "If 'true', then the output is pretty printed.",
+        "required": false,
+        "allowMultiple": false
+       },
+       {
+        "type": "v1.SubjectRulesReview",
+        "paramType": "body",
+        "name": "body",
+        "description": "",
+        "required": true,
+        "allowMultiple": false
+       },
+       {
+        "type": "string",
+        "paramType": "path",
+        "name": "namespace",
+        "description": "object name and auth scope, such as for teams and projects",
+        "required": true,
+        "allowMultiple": false
+       }
+      ],
+      "responseMessages": [
+       {
+        "code": 200,
+        "message": "OK",
+        "responseModel": "v1.SubjectRulesReview"
+       }
+      ],
+      "produces": [
+       "application/json",
+       "application/yaml",
+       "application/vnd.kubernetes.protobuf"
+      ],
+      "consumes": [
+       "*/*"
+      ]
+     }
+    ]
+   },
+   {
+    "path": "/oapi/v1/subjectrulesreviews",
+    "description": "OpenShift REST API, version v1",
+    "operations": [
+     {
+      "type": "v1.SubjectRulesReview",
+      "method": "POST",
+      "summary": "create a SubjectRulesReview",
+      "nickname": "createNamespacedSubjectRulesReview",
+      "parameters": [
+       {
+        "type": "string",
+        "paramType": "query",
+        "name": "pretty",
+        "description": "If 'true', then the output is pretty printed.",
+        "required": false,
+        "allowMultiple": false
+       },
+       {
+        "type": "v1.SubjectRulesReview",
+        "paramType": "body",
+        "name": "body",
+        "description": "",
+        "required": true,
+        "allowMultiple": false
+       }
+      ],
+      "responseMessages": [
+       {
+        "code": 200,
+        "message": "OK",
+        "responseModel": "v1.SubjectRulesReview"
+       }
+      ],
+      "produces": [
+       "application/json",
+       "application/yaml",
+       "application/vnd.kubernetes.protobuf"
+      ],
+      "consumes": [
+       "*/*"
+      ]
+     }
+    ]
+   },
    {
     "path": "/oapi/v1/namespaces/{namespace}/templates",
     "description": "OpenShift REST API, version v1",
@@ -26937,6 +27035,60 @@
      }
     }
    },
+   "v1.SubjectRulesReview": {
+    "id": "v1.SubjectRulesReview",
+    "description": "SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace",
+    "required": [
+     "spec"
+    ],
+    "properties": {
+     "kind": {
+      "type": "string",
+      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/release-1.4/docs/devel/api-conventions.md#types-kinds"
+     },
+     "apiVersion": {
+      "type": "string",
+      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: http://releases.k8s.io/release-1.4/docs/devel/api-conventions.md#resources"
+     },
+     "spec": {
+      "$ref": "v1.SubjectRulesReviewSpec",
+      "description": "Spec adds information about how to conduct the check"
+     },
+     "status": {
+      "$ref": "v1.SubjectRulesReviewStatus",
+      "description": "Status is completed by the server to tell which permissions you have"
+     }
+    }
+   },
+   "v1.SubjectRulesReviewSpec": {
+    "id": "v1.SubjectRulesReviewSpec",
+    "description": "SubjectRulesReviewSpec adds information about how to conduct the check",
+    "required": [
+     "user",
+     "groups",
+     "scopes"
+    ],
+    "properties": {
+     "user": {
+      "type": "string",
+      "description": "User is optional.  At least one of User and Groups must be specified."
+     },
+     "groups": {
+      "type": "array",
+      "items": {
+       "type": "string"
+      },
+      "description": "Groups is optional.  Groups is the list of groups to which the User belongs.  At least one of User and Groups must be specified."
+     },
+     "scopes": {
+      "type": "array",
+      "items": {
+       "type": "string"
+      },
+      "description": "Scopes to use for the evaluation.  Empty means \"use the unscoped (full) permissions of the user/groups\"."
+     }
+    }
+   },
    "v1.TemplateList": {
     "id": "v1.TemplateList",
     "description": "TemplateList is a list of Template objects.",

pkg/authorization/api/register.go

@@ -39,6 +39,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&RoleList{},
 
 		&SelfSubjectRulesReview{},
+		&SubjectRulesReview{},
 		&ResourceAccessReview{},
 		&SubjectAccessReview{},
 		&LocalResourceAccessReview{},

pkg/authorization/api/types.go

@@ -159,6 +159,27 @@ type SelfSubjectRulesReviewSpec struct {
 	Scopes []string
 }
 
+// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace
+type SubjectRulesReview struct {
+	unversioned.TypeMeta
+
+	// Spec adds information about how to conduct the check
+	Spec SubjectRulesReviewSpec
+
+	// Status is completed by the server to tell which permissions you have
+	Status SubjectRulesReviewStatus
+}
+
+// SubjectRulesReviewSpec adds information about how to conduct the check
+type SubjectRulesReviewSpec struct {
+	// User is optional.  At least one of User and Groups must be specified.
+	User string
+	// Groups is optional.  Groups is the list of groups to which the User belongs.  At least one of User and Groups must be specified.
+	Groups []string
+	// Scopes to use for the evaluation.  Empty means "use the unscoped (full) permissions of the user/groups".
+	Scopes []string
+}
+
 // SubjectRulesReviewStatus is contains the result of a rules check
 type SubjectRulesReviewStatus struct {
 	// Rules is the list of rules (no particular sort) that are allowed for the subject