filter the resource and fix some bugs for common users

Author: carmark

pkg/apiserver/handlers.go

@@ -535,7 +535,7 @@ func (r *APIRequestInfoResolver) GetAPIRequestInfo(req *http.Request) (APIReques
 		if len(currentParts) > 1 {
 			requestInfo.Tenant = currentParts[1]
 
-			// if there is another step after the namespace name and it is not a known namespace subresource
+			// if there is another step after the tenant name and it is not a known tenant subresource
 			// move currentParts to include it as a resource in its own right
 			if len(currentParts) > 2 {
 				currentParts = currentParts[2:]

pkg/apiserver/resthandler.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/rest"
 	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/auth/authorizer"
 	"k8s.io/kubernetes/pkg/fields"
 	"k8s.io/kubernetes/pkg/runtime"
 	"k8s.io/kubernetes/pkg/util"
@@ -280,9 +281,8 @@ func ListResource(r rest.Lister, rw rest.Watcher, scope RequestScope, forceWatch
 			return
 		}
 		//
-		url := req.Request.URL.String()
-		userinfo, _ := api.UserFrom(ctx)
-		if strings.Index(url, "https://") == 0 && userinfo.GetName() != api.UserAdmin {
+		userinfo, ok := api.UserFrom(ctx)
+		if ok && !authorizer.IsWhiteListedUser(userinfo.GetName()) {
 			tenant := api.TenantValue(ctx)
 			if err := filterListInTenant(result, tenant, scope.Kind, scope.Namer); err != nil {
 				errorJSON(err, scope.Codec, w)
@@ -848,7 +848,7 @@ func filterListInTenant(obj runtime.Object, tenant string, kind string, namer Sc
 				}
 			}
 		}
-	} else if kind == "Namespace" || kind == "Network" {
+	} else if kind == "Namespace" || kind == "Network" || kind == "Pod" || kind == "Serviceaccount" || kind == "Secret" {
 		for i := range items {
 			if name, err := namer.ObjectTenant(items[i]); err == nil {
 				if tenant == name {

pkg/auth/authorizer/helper.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+import (
+	"strings"
+
+	"k8s.io/kubernetes/pkg/api"
+)
+
+func IsWhiteListedUser(username string) bool {
+	if strings.HasPrefix(username, "system:serviceaccount:") {
+		return true
+	}
+	whiteList := map[string]bool{
+		api.UserAdmin:               true,
+		"kubelet":                   true,
+		"kube_proxy":                true,
+		"system:scheduler":          true,
+		"system:controller_manager": true,
+		"system:logging":            true,
+		"system:monitoring":         true,
+	}
+	return whiteList[username]
+}

pkg/auth/authorizer/keystone/keystone.go

@@ -18,7 +18,6 @@ package keystone
 
 import (
 	"errors"
-	"strings"
 
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/auth/authorizer"
@@ -97,24 +96,8 @@ func (ka *keystoneAuthorizer) Authorize(a authorizer.Attributes) (string, error)
 	var (
 		tenantName string
 		ns         *api.Namespace
+		err        error
 	)
-	if strings.HasPrefix(a.GetUserName(), "system:serviceaccount:") {
-		return "", nil
-	}
-	if isWhiteListedUser(a.GetUserName()) {
-		return "", nil
-	}
-
-	authConfig := &authConfig{
-		AuthUrl:  ka.authUrl,
-		Username: a.GetUserName(),
-		Password: a.GetPassword(),
-	}
-	osClient, err := newOpenstackClient(authConfig)
-	if err != nil {
-		glog.Errorf("%v", err)
-		return "", err
-	}
 	if a.GetNamespace() != "" {
 		ns, err = ka.kubeClient.Namespaces().Get(a.GetNamespace())
 		if err != nil {
@@ -130,6 +113,25 @@ func (ka *keystoneAuthorizer) Authorize(a authorizer.Attributes) (string, error)
 			tenantName = te.Name
 		}
 	}
+	if authorizer.IsWhiteListedUser(a.GetUserName()) {
+		return tenantName, nil
+	} else {
+		if !a.IsReadOnly() && a.GetResource() == "tenants" {
+			return "", errors.New("only admin can write tenant")
+		}
+	}
+
+	authConfig := &authConfig{
+		AuthUrl:  ka.authUrl,
+		Username: a.GetUserName(),
+		Password: a.GetPassword(),
+	}
+	osClient, err := newOpenstackClient(authConfig)
+	if err != nil {
+		glog.Errorf("%v", err)
+		return "", err
+	}
+
 	tenant, err := osClient.getTenant()
 	if err != nil {
 		glog.Errorf("%v", err)
@@ -141,19 +143,6 @@ func (ka *keystoneAuthorizer) Authorize(a authorizer.Attributes) (string, error)
 	return "", errors.New("Keystone authorization failed")
 }
 
-func isWhiteListedUser(username string) bool {
-	whiteList := map[string]bool{
-		api.UserAdmin:               true,
-		"kubelet":                   true,
-		"kube_proxy":                true,
-		"system:scheduler":          true,
-		"system:controller_manager": true,
-		"system:logging":            true,
-		"system:monitoring":         true,
-	}
-	return whiteList[username]
-}
-
 func (osClient *OpenstackClient) getTenant() (tenant *tenants.Tenant, err error) {
 	tenantList := make([]tenants.Tenant, 0)
 	opts := tenants.ListOpts{}

pkg/controller/serviceaccount/serviceaccounts_controller.go

@@ -211,6 +211,12 @@ func (e *ServiceAccountsController) createServiceAccount(name, namespace string)
 	serviceAccount := &api.ServiceAccount{}
 	serviceAccount.Name = name
 	serviceAccount.Namespace = namespace
+	ns, err := e.getNamespace(namespace)
+	if err != nil {
+		glog.Error(err)
+		return
+	}
+	serviceAccount.Tenant = ns.Tenant
 	if _, err := e.client.ServiceAccounts(namespace).Create(serviceAccount); err != nil {
 		glog.Error(err)
 	}

pkg/controller/serviceaccount/tokens_controller.go

@@ -305,6 +305,7 @@ func (e *TokensController) createSecret(serviceAccount *api.ServiceAccount) erro
 		ObjectMeta: api.ObjectMeta{
 			Name:      secret.Strategy.GenerateName(fmt.Sprintf("%s-token-", serviceAccount.Name)),
 			Namespace: serviceAccount.Namespace,
+			Tenant:    serviceAccount.Tenant,
 			Annotations: map[string]string{
 				api.ServiceAccountNameKey: serviceAccount.Name,
 				api.ServiceAccountUIDKey:  string(serviceAccount.UID),

pkg/kubectl/cmd/create.go

@@ -87,16 +87,18 @@ func RunCreate(f *cmdutil.Factory, cmd *cobra.Command, out io.Writer, options *C
 	if err != nil {
 		return err
 	}
+
 	cmdTenant, enforceTenant, err := f.DefaultTenant()
 	if err != nil {
 		return err
 	}
+	fmt.Printf("tenant input is %s\n", cmdTenant)
 	mapper, typer := f.Object()
 	r := resource.NewBuilder(mapper, typer, f.ClientMapperForCommand()).
 		Schema(schema).
 		ContinueOnError().
-		NamespaceParam(cmdNamespace).DefaultNamespace().
-		TenantParam(cmdTenant).DefaultTenant().
+		NamespaceParam(cmdNamespace).
+		TenantParam(cmdTenant).
 		FilenameParam(enforceTenant, enforceNamespace, options.Filenames...).
 		Flatten().
 		Do()

pkg/kubectl/cmd/get.go

@@ -134,7 +134,7 @@ func RunGet(f *cmdutil.Factory, out io.Writer, cmd *cobra.Command, args []string
 	isWatch, isWatchOnly := cmdutil.GetFlagBool(cmd, "watch"), cmdutil.GetFlagBool(cmd, "watch-only")
 	if isWatch || isWatchOnly {
 		r := resource.NewBuilder(mapper, typer, f.ClientMapperForCommand()).
-			NamespaceParam(cmdNamespace).DefaultNamespace().AllNamespaces(allNamespaces).
+			NamespaceParam(cmdNamespace).DefaultNamespace().AllNamespaces(true).
 			TenantParam(cmdTenant).DefaultTenant().
 			FilenameParam(enforceTenant, enforceNamespace, options.Filenames...).
 			SelectorParam(selector).
@@ -189,7 +189,7 @@ func RunGet(f *cmdutil.Factory, out io.Writer, cmd *cobra.Command, args []string
 	}
 
 	b := resource.NewBuilder(mapper, typer, f.ClientMapperForCommand()).
-		NamespaceParam(cmdNamespace).DefaultNamespace().AllNamespaces(allNamespaces).
+		NamespaceParam(cmdNamespace).DefaultNamespace().AllNamespaces(true).
 		FilenameParam(enforceTenant, enforceNamespace, options.Filenames...).
 		SelectorParam(selector).
 		ResourceTypeOrNameArgs(true, args...).

pkg/kubectl/resource/visitor.go

@@ -601,9 +601,6 @@ func RequireTenant(tenant string) VisitorFunc {
 		if err != nil {
 			return err
 		}
-		if !info.Namespaced() {
-			return nil
-		}
 		if len(info.Tenant) == 0 {
 			info.Tenant = tenant
 			UpdateObjectTenant(info, nil)

pkg/kubectl/resource_printer.go

@@ -1052,7 +1052,7 @@ func printNetworkList(list *api.NetworkList, w io.Writer, withNamespace bool, wi
 
 func printTenant(item *api.Tenant, w io.Writer, withNamespace bool, wide bool, showAll bool, columnLabels []string) error {
 	if withNamespace {
-		return fmt.Errorf("namespace is not namespaced")
+		return fmt.Errorf("tenant is not namespaced")
 	}
 
 	if _, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s", item.Name, labels.FormatLabels(item.Labels), item.Status.Phase, translateTimestamp(item.CreationTimestamp)); err != nil {