Merge pull request #38121 from deads2k/auth-09-remove-rbac-super

Automatic merge from submit-queue (batch tested with PRs 38111, 38121)

remove rbac super user

Cleaning up cruft and duplicated capabilities as we transition from RBAC alpha to beta.  In 1.5, we added a secured loopback connection based on the `system:masters` group name.  `system:masters` have full power in the API, so the RBAC super user is superfluous.

The flag will stay in place so that the process can still launch, but it will be disconnected.

@kubernetes/sig-auth
Kubernetes Submit Queue
2016-12-05 14:14:41 -08:00
committed by GitHub
15 changed files with 35 additions and 82 deletions


@@ -33,16 +33,10 @@ type RequestToRuleMapper interface {
}
type RBACAuthorizer struct {
superUser string
authorizationRuleResolver RequestToRuleMapper
}
func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (bool, string, error) {
if r.superUser != "" && requestAttributes.GetUser() != nil && requestAttributes.GetUser().GetName() == r.superUser {
return true, "", nil
}
rules, ruleResolutionError := r.authorizationRuleResolver.RulesFor(requestAttributes.GetUser(), requestAttributes.GetNamespace())
if RulesAllow(requestAttributes, rules...) {
return true, "", nil
@@ -51,9 +45,8 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return false, "", ruleResolutionError
}
func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister, superUser string) *RBACAuthorizer {
func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer {
authorizer := &RBACAuthorizer{
superUser: superUser,
authorizationRuleResolver: validation.NewDefaultRuleResolver(
roles, roleBindings, clusterRoles, clusterRoleBindings,
),
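Review bot: `New` and `RBACAuthorizer` are exported but still carry no doc comment, and this commit changes their contract (the super user parameter and field are gone), so this is the place to state what the authorizer now decides on. Suggested: `// New returns an authorizer that grants a request only when the RBAC rules resolved for its user allow it; there is no built-in super user bypass.` above `New`, and `// RBACAuthorizer authorizes requests from resolved RBAC rules only.` above the struct. So far as the hunk shows, Authorize now reaches `RulesFor` for every request, including one with a nil user, which matches the old non-super-user path; the new side between the two hunks is not visible here. Since the description says the flag stays but is disconnected, emitting a deprecation warning when it is set (in the flag-handling file, not shown) would make it obvious to operators that the configured name no longer receives unrestricted access.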


@@ -122,8 +122,6 @@ func TestAuthorizer(t *testing.T) {
clusterRoles []*rbac.ClusterRole
clusterRoleBindings []*rbac.ClusterRoleBinding
superUser string
shouldPass []authorizer.Attributes
shouldFail []authorizer.Attributes
}{
@@ -222,7 +220,7 @@ func TestAuthorizer(t *testing.T) {
}
for i, tt := range tests {
ruleResolver, _ := validation.NewTestRuleResolver(tt.roles, tt.roleBindings, tt.clusterRoles, tt.clusterRoleBindings)
a := RBACAuthorizer{tt.superUser, ruleResolver}
a := RBACAuthorizer{ruleResolver}
for _, attr := range tt.shouldPass {
if authorized, _, _ := a.Authorize(attr); !authorized {
t.Errorf("case %d: incorrectly restricted %s", i, attr)