1/* 2Copyright 2014 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17package authorizer 18 19import ( 20 "context" 21 "net/http" 22 23 "k8s.io/apiserver/pkg/authentication/user" 24) 25 26// Attributes is an interface used by an Authorizer to get information about a request 27// that is used to make an authorization decision. 28type Attributes interface { 29 // GetUser returns the user.Info object to authorize 30 GetUser() user.Info 31 32 // GetVerb returns the kube verb associated with API requests (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy), 33 // or the lowercased HTTP verb associated with non-API requests (this includes get, put, post, patch, and delete) 34 GetVerb() string 35 36 // When IsReadOnly() == true, the request has no side effects, other than 37 // caching, logging, and other incidentals. 38 IsReadOnly() bool 39 40 // The namespace of the object, if a request is for a REST object. 41 GetNamespace() string 42 43 // The kind of object, if a request is for a REST object. 44 GetResource() string 45 46 // GetSubresource returns the subresource being requested, if present 47 GetSubresource() string 48 49 // GetName returns the name of the object as parsed off the request. This will not be present for all request types, but 50 // will be present for: get, update, delete 51 GetName() string 52 53 // The group of the resource, if a request is for a REST object. 54 GetAPIGroup() string 55 56 // GetAPIVersion returns the version of the group requested, if a request is for a REST object. 57 GetAPIVersion() string 58 59 // IsResourceRequest returns true for requests to API resources, like /api/v1/nodes, 60 // and false for non-resource endpoints like /api, /healthz 61 IsResourceRequest() bool 62 63 // GetPath returns the path of the request 64 GetPath() string 65} 66 67// Authorizer makes an authorization decision based on information gained by making 68// zero or more calls to methods of the Attributes interface. It returns nil when an action is 69// authorized, otherwise it returns an error. 70type Authorizer interface { 71 Authorize(ctx context.Context, a Attributes) (authorized Decision, reason string, err error) 72} 73 74type AuthorizerFunc func(a Attributes) (Decision, string, error) 75 76func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision, string, error) { 77 return f(a) 78} 79 80// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace. 81type RuleResolver interface { 82 // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors. 83 RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error) 84} 85 86// RequestAttributesGetter provides a function that extracts Attributes from an http.Request 87type RequestAttributesGetter interface { 88 GetRequestAttributes(user.Info, *http.Request) Attributes 89} 90 91// AttributesRecord implements Attributes interface. 92type AttributesRecord struct { 93 User user.Info 94 Verb string 95 Namespace string 96 APIGroup string 97 APIVersion string 98 Resource string 99 Subresource string 100 Name string 101 ResourceRequest bool 102 Path string 103} 104 105func (a AttributesRecord) GetUser() user.Info { 106 return a.User 107} 108 109func (a AttributesRecord) GetVerb() string { 110 return a.Verb 111} 112 113func (a AttributesRecord) IsReadOnly() bool { 114 return a.Verb == "get" || a.Verb == "list" || a.Verb == "watch" 115} 116 117func (a AttributesRecord) GetNamespace() string { 118 return a.Namespace 119} 120 121func (a AttributesRecord) GetResource() string { 122 return a.Resource 123} 124 125func (a AttributesRecord) GetSubresource() string { 126 return a.Subresource 127} 128 129func (a AttributesRecord) GetName() string { 130 return a.Name 131} 132 133func (a AttributesRecord) GetAPIGroup() string { 134 return a.APIGroup 135} 136 137func (a AttributesRecord) GetAPIVersion() string { 138 return a.APIVersion 139} 140 141func (a AttributesRecord) IsResourceRequest() bool { 142 return a.ResourceRequest 143} 144 145func (a AttributesRecord) GetPath() string { 146 return a.Path 147} 148 149type Decision int 150 151const ( 152 // DecisionDeny means that an authorizer decided to deny the action. 153 DecisionDeny Decision = iota 154 // DecisionAllow means that an authorizer decided to allow the action. 155 DecisionAllow 156 // DecisionNoOpionion means that an authorizer has no opinion on whether 157 // to allow or deny an action. 158 DecisionNoOpinion 159) 160