modify policy to correctly identify resource versus kind

2015-01-29 14:14:54 -05:00
parent 1c9216a45e
commit 8a2fe9bd2b
7 changed files with 45 additions and 45 deletions
--- a/pkg/auth/authorizer/abac/abac.go
+++ b/pkg/auth/authorizer/abac/abac.go
@@ -52,7 +52,7 @@ type policy struct {

 	// TODO: make this a proper REST object with its own registry.
 	Readonly  bool   `json:"readonly,omitempty"`
-	Kind      string `json:"kind,omitempty"`
+	Resource  string `json:"resource,omitempty"`
 	Namespace string `json:"namespace,omitempty"`

 	// TODO: "expires" string in RFC3339 format.
@@ -100,7 +100,7 @@ func NewFromFile(path string) (policyList, error) {
 func (p policy) matches(a authorizer.Attributes) bool {
 	if p.subjectMatches(a) {
 		if p.Readonly == false || (p.Readonly == a.IsReadOnly()) {
-			if p.Kind == "" || (p.Kind == a.GetKind()) {
+			if p.Resource == "" || (p.Resource == a.GetResource()) {
 				if p.Namespace == "" || (p.Namespace == a.GetNamespace()) {
 					return true
 				}
--- a/pkg/auth/authorizer/abac/abac_test.go
+++ b/pkg/auth/authorizer/abac/abac_test.go
@@ -76,49 +76,49 @@ func NotTestAuthorize(t *testing.T) {
 	testCases := []struct {
 		User        user.DefaultInfo
 		RO          bool
-		Kind        string
+		Resource    string
 		NS          string
 		ExpectAllow bool
 	}{
 		// Scheduler can read pods
-		{User: uScheduler, RO: true, Kind: "pods", NS: "ns1", ExpectAllow: true},
-		{User: uScheduler, RO: true, Kind: "pods", NS: "", ExpectAllow: true},
+		{User: uScheduler, RO: true, Resource: "pods", NS: "ns1", ExpectAllow: true},
+		{User: uScheduler, RO: true, Resource: "pods", NS: "", ExpectAllow: true},
 		// Scheduler cannot write pods
-		{User: uScheduler, RO: false, Kind: "pods", NS: "ns1", ExpectAllow: false},
-		{User: uScheduler, RO: false, Kind: "pods", NS: "", ExpectAllow: false},
+		{User: uScheduler, RO: false, Resource: "pods", NS: "ns1", ExpectAllow: false},
+		{User: uScheduler, RO: false, Resource: "pods", NS: "", ExpectAllow: false},
 		// Scheduler can write bindings
-		{User: uScheduler, RO: true, Kind: "bindings", NS: "ns1", ExpectAllow: true},
-		{User: uScheduler, RO: true, Kind: "bindings", NS: "", ExpectAllow: true},
+		{User: uScheduler, RO: true, Resource: "bindings", NS: "ns1", ExpectAllow: true},
+		{User: uScheduler, RO: true, Resource: "bindings", NS: "", ExpectAllow: true},

 		// Alice can read and write anything in the right namespace.
-		{User: uAlice, RO: true, Kind: "pods", NS: "projectCaribou", ExpectAllow: true},
-		{User: uAlice, RO: true, Kind: "widgets", NS: "projectCaribou", ExpectAllow: true},
-		{User: uAlice, RO: true, Kind: "", NS: "projectCaribou", ExpectAllow: true},
-		{User: uAlice, RO: false, Kind: "pods", NS: "projectCaribou", ExpectAllow: true},
-		{User: uAlice, RO: false, Kind: "widgets", NS: "projectCaribou", ExpectAllow: true},
-		{User: uAlice, RO: false, Kind: "", NS: "projectCaribou", ExpectAllow: true},
+		{User: uAlice, RO: true, Resource: "pods", NS: "projectCaribou", ExpectAllow: true},
+		{User: uAlice, RO: true, Resource: "widgets", NS: "projectCaribou", ExpectAllow: true},
+		{User: uAlice, RO: true, Resource: "", NS: "projectCaribou", ExpectAllow: true},
+		{User: uAlice, RO: false, Resource: "pods", NS: "projectCaribou", ExpectAllow: true},
+		{User: uAlice, RO: false, Resource: "widgets", NS: "projectCaribou", ExpectAllow: true},
+		{User: uAlice, RO: false, Resource: "", NS: "projectCaribou", ExpectAllow: true},
 		// .. but not the wrong namespace.
-		{User: uAlice, RO: true, Kind: "pods", NS: "ns1", ExpectAllow: false},
-		{User: uAlice, RO: true, Kind: "widgets", NS: "ns1", ExpectAllow: false},
-		{User: uAlice, RO: true, Kind: "", NS: "ns1", ExpectAllow: false},
+		{User: uAlice, RO: true, Resource: "pods", NS: "ns1", ExpectAllow: false},
+		{User: uAlice, RO: true, Resource: "widgets", NS: "ns1", ExpectAllow: false},
+		{User: uAlice, RO: true, Resource: "", NS: "ns1", ExpectAllow: false},

 		// Chuck can read events, since anyone can.
-		{User: uChuck, RO: true, Kind: "events", NS: "ns1", ExpectAllow: true},
-		{User: uChuck, RO: true, Kind: "events", NS: "", ExpectAllow: true},
+		{User: uChuck, RO: true, Resource: "events", NS: "ns1", ExpectAllow: true},
+		{User: uChuck, RO: true, Resource: "events", NS: "", ExpectAllow: true},
 		// Chuck can't do other things.
-		{User: uChuck, RO: false, Kind: "events", NS: "ns1", ExpectAllow: false},
-		{User: uChuck, RO: true, Kind: "pods", NS: "ns1", ExpectAllow: false},
-		{User: uChuck, RO: true, Kind: "floop", NS: "ns1", ExpectAllow: false},
+		{User: uChuck, RO: false, Resource: "events", NS: "ns1", ExpectAllow: false},
+		{User: uChuck, RO: true, Resource: "pods", NS: "ns1", ExpectAllow: false},
+		{User: uChuck, RO: true, Resource: "floop", NS: "ns1", ExpectAllow: false},
 		// Chunk can't access things with no kind or namespace
 		// TODO: find a way to give someone access to miscelaneous endpoints, such as
 		// /healthz, /version, etc.
-		{User: uChuck, RO: true, Kind: "", NS: "", ExpectAllow: false},
+		{User: uChuck, RO: true, Resource: "", NS: "", ExpectAllow: false},
 	}
 	for _, tc := range testCases {
 		attr := authorizer.AttributesRecord{
 			User:      &tc.User,
 			ReadOnly:  tc.RO,
-			Kind:      tc.Kind,
+			Resource:  tc.Resource,
 			Namespace: tc.NS,
 		}
 		t.Logf("tc: %v -> attr %v", tc, attr)
--- a/pkg/auth/authorizer/abac/example_policy_file.jsonl
+++ b/pkg/auth/authorizer/abac/example_policy_file.jsonl
@@ -1,9 +1,9 @@
 {"user":"admin"}
-{"user":"scheduler", "readonly": true, "kind": "pods"}
-{"user":"scheduler", "kind": "bindings"}
-{"user":"kubelet",  "readonly": true, "kind": "pods"}
-{"user":"kubelet",  "readonly": true, "kind": "services"}
-{"user":"kubelet",  "readonly": true, "kind": "endpoints"}
-{"user":"kubelet", "kind": "events"}
+{"user":"scheduler", "readonly": true, "resource": "pods"}
+{"user":"scheduler", "resource": "bindings"}
+{"user":"kubelet",  "readonly": true, "resource": "pods"}
+{"user":"kubelet",  "readonly": true, "resource": "services"}
+{"user":"kubelet",  "readonly": true, "resource": "endpoints"}
+{"user":"kubelet", "resource": "events"}
 {"user":"alice", "ns": "projectCaribou"}
 {"user":"bob", "readonly": true, "ns": "projectCaribou"}
--- a/pkg/auth/authorizer/interfaces.go
+++ b/pkg/auth/authorizer/interfaces.go
@@ -40,7 +40,7 @@ type Attributes interface {
 	GetNamespace() string

 	// The kind of object, if a request is for a REST object.
-	GetKind() string
+	GetResource() string
 }

 // Authorizer makes an authorization decision based on information gained by making
@@ -55,7 +55,7 @@ type AttributesRecord struct {
 	User      user.Info
 	ReadOnly  bool
 	Namespace string
-	Kind      string
+	Resource  string
 }

 func (a AttributesRecord) GetUserName() string {
@@ -74,6 +74,6 @@ func (a AttributesRecord) GetNamespace() string {
 	return a.Namespace
 }

-func (a AttributesRecord) GetKind() string {
-	return a.Kind
+func (a AttributesRecord) GetResource() string {
+	return a.Resource
 }