本文整理汇总了Golang中github.com/openshift/origin/pkg/authorization/api.Kind函数的典型用法代码示例。如果您正苦于以下问题:Golang Kind函数的具体用法?Golang Kind怎么用?Golang Kind使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了Kind函数的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: describerMap
func describerMap(c *client.Client, kclient kclient.Interface, host string) map[unversioned.GroupKind]kctl.Describer {
m := map[unversioned.GroupKind]kctl.Describer{
buildapi.Kind("Build"): &BuildDescriber{c, kclient},
buildapi.Kind("BuildConfig"): &BuildConfigDescriber{c, host},
deployapi.Kind("DeploymentConfig"): &DeploymentConfigDescriber{c, kclient, nil},
authorizationapi.Kind("Identity"): &IdentityDescriber{c},
imageapi.Kind("Image"): &ImageDescriber{c},
imageapi.Kind("ImageStream"): &ImageStreamDescriber{c},
imageapi.Kind("ImageStreamTag"): &ImageStreamTagDescriber{c},
imageapi.Kind("ImageStreamImage"): &ImageStreamImageDescriber{c},
routeapi.Kind("Route"): &RouteDescriber{c, kclient},
projectapi.Kind("Project"): &ProjectDescriber{c, kclient},
templateapi.Kind("Template"): &TemplateDescriber{c, meta.NewAccessor(), kapi.Scheme, nil},
authorizationapi.Kind("Policy"): &PolicyDescriber{c},
authorizationapi.Kind("PolicyBinding"): &PolicyBindingDescriber{c},
authorizationapi.Kind("RoleBinding"): &RoleBindingDescriber{c},
authorizationapi.Kind("Role"): &RoleDescriber{c},
authorizationapi.Kind("ClusterPolicy"): &ClusterPolicyDescriber{c},
authorizationapi.Kind("ClusterPolicyBinding"): &ClusterPolicyBindingDescriber{c},
authorizationapi.Kind("ClusterRoleBinding"): &ClusterRoleBindingDescriber{c},
authorizationapi.Kind("ClusterRole"): &ClusterRoleDescriber{c},
oauthapi.Kind("OAuthAccessToken"): &OAuthAccessTokenDescriber{c},
userapi.Kind("User"): &UserDescriber{c},
userapi.Kind("Group"): &GroupDescriber{c.Groups()},
userapi.Kind("UserIdentityMapping"): &UserIdentityMappingDescriber{c},
quotaapi.Kind("ClusterResourceQuota"): &ClusterQuotaDescriber{c},
quotaapi.Kind("AppliedClusterResourceQuota"): &AppliedClusterQuotaDescriber{c},
}
return m
}
示例2: Create
// Create transforms a LocalSAR into an ClusterSAR that is requesting a namespace. That collapses the code paths.
// LocalSubjectAccessReview exists to allow clean expression of policy.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
localSAR, ok := obj.(*authorizationapi.LocalSubjectAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a localSubjectAccessReview: %#v", obj))
}
if errs := authorizationvalidation.ValidateLocalSubjectAccessReview(localSAR); len(errs) > 0 {
return nil, kapierrors.NewInvalid(authorizationapi.Kind(localSAR.Kind), "", errs)
}
if namespace := kapi.NamespaceValue(ctx); len(namespace) == 0 {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("namespace is required on this type: %v", namespace))
} else if (len(localSAR.Action.Namespace) > 0) && (namespace != localSAR.Action.Namespace) {
return nil, field.Invalid(field.NewPath("namespace"), localSAR.Action.Namespace, fmt.Sprintf("namespace must be: %v", namespace))
}
// transform this into a SubjectAccessReview
clusterSAR := &authorizationapi.SubjectAccessReview{
Action: localSAR.Action,
User: localSAR.User,
Groups: localSAR.Groups,
Scopes: localSAR.Scopes,
}
clusterSAR.Action.Namespace = kapi.NamespaceValue(ctx)
return r.clusterSARRegistry.CreateSubjectAccessReview(kapi.WithNamespace(ctx, ""), clusterSAR)
}
示例3: Create
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
resourceAccessReview, ok := obj.(*authorizationapi.ResourceAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a resourceAccessReview: %#v", obj))
}
if errs := authorizationvalidation.ValidateResourceAccessReview(resourceAccessReview); len(errs) > 0 {
return nil, kapierrors.NewInvalid(authorizationapi.Kind(resourceAccessReview.Kind), "", errs)
}
// if a namespace is present on the request, then the namespace on the on the RAR is overwritten.
// This is to support backwards compatibility. To have gotten here in this state, it means that
// the authorizer decided that a user could run an RAR against this namespace
if namespace := kapi.NamespaceValue(ctx); len(namespace) > 0 {
resourceAccessReview.Action.Namespace = namespace
} else if err := r.isAllowed(ctx, resourceAccessReview); err != nil {
// this check is mutually exclusive to the condition above. localSAR and localRAR both clear the namespace before delegating their calls
// We only need to check if the RAR is allowed **again** if the authorizer didn't already approve the request for a legacy call.
return nil, err
}
requestContext := kapi.WithNamespace(ctx, resourceAccessReview.Action.Namespace)
attributes := authorizer.ToDefaultAuthorizationAttributes(resourceAccessReview.Action)
users, groups, err := r.authorizer.GetAllowedSubjects(requestContext, attributes)
response := &authorizationapi.ResourceAccessReviewResponse{
Namespace: resourceAccessReview.Action.Namespace,
Users: users,
Groups: groups,
}
if err != nil {
response.EvaluationError = err.Error()
}
return response, nil
}
示例4: Create
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if errs := authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview); len(errs) > 0 {
return nil, kapierrors.NewInvalid(authorizationapi.Kind(subjectAccessReview.Kind), "", errs)
}
// if a namespace is present on the request, then the namespace on the on the SAR is overwritten.
// This is to support backwards compatibility. To have gotten here in this state, it means that
// the authorizer decided that a user could run an SAR against this namespace
if namespace := kapi.NamespaceValue(ctx); len(namespace) > 0 {
subjectAccessReview.Action.Namespace = namespace
} else if err := r.isAllowed(ctx, subjectAccessReview); err != nil {
// this check is mutually exclusive to the condition above. localSAR and localRAR both clear the namespace before delegating their calls
// We only need to check if the SAR is allowed **again** if the authorizer didn't already approve the request for a legacy call.
return nil, err
}
var userToCheck user.Info
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kapierrors.NewBadRequest("user missing from context")
}
userToCheck = ctxUser
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
}
}
requestContext := kapi.WithNamespace(kapi.WithUser(ctx, userToCheck), subjectAccessReview.Action.Namespace)
attributes := authorizer.ToDefaultAuthorizationAttributes(subjectAccessReview.Action)
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: subjectAccessReview.Action.Namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}
示例5: List
func (c *readOnlyClusterPolicyCache) List(options *kapi.ListOptions) (*authorizationapi.ClusterPolicyList, error) {
clusterPolicyList := &authorizationapi.ClusterPolicyList{}
returnedList := c.indexer.List()
matcher := clusterpolicyregistry.Matcher(api.ListOptionsToSelectors(options))
for i := range returnedList {
clusterPolicy, castOK := returnedList[i].(*authorizationapi.ClusterPolicy)
if !castOK {
return clusterPolicyList, errors.NewInvalid(authorizationapi.Kind("ClusterPolicy"), "clusterPolicy", kfield.ErrorList{})
}
if matches, err := matcher.Matches(clusterPolicy); err == nil && matches {
clusterPolicyList.Items = append(clusterPolicyList.Items, *clusterPolicy)
}
}
return clusterPolicyList, nil
}
示例6: List
func (c *readOnlyPolicyCache) List(options *kapi.ListOptions, namespace string) (*authorizationapi.PolicyList, error) {
var returnedList []interface{}
if namespace == kapi.NamespaceAll {
returnedList = c.indexer.List()
} else {
items, err := c.indexer.Index("namespace", &authorizationapi.Policy{ObjectMeta: kapi.ObjectMeta{Namespace: namespace}})
returnedList = items
if err != nil {
return &authorizationapi.PolicyList{}, errors.NewInvalid(authorizationapi.Kind("PolicyList"), "policyList", kfield.ErrorList{kfield.Invalid(kfield.NewPath("policyList"), nil, err.Error())})
}
}
policyList := &authorizationapi.PolicyList{}
matcher := policyregistry.Matcher(oapi.ListOptionsToSelectors(options))
for i := range returnedList {
policy, castOK := returnedList[i].(*authorizationapi.Policy)
if !castOK {
return policyList, errors.NewInvalid(authorizationapi.Kind("PolicyList"), "policyList", kfield.ErrorList{})
}
if matches, err := matcher.Matches(policy); err == nil && matches {
policyList.Items = append(policyList.Items, *policy)
}
}
return policyList, nil
}
示例7: Get
func (c *readOnlyClusterPolicyCache) Get(name string) (*authorizationapi.ClusterPolicy, error) {
keyObj := &authorizationapi.ClusterPolicy{ObjectMeta: kapi.ObjectMeta{Name: name}}
key, _ := c.keyFunc(keyObj)
item, exists, getErr := c.indexer.GetByKey(key)
if getErr != nil {
return &authorizationapi.ClusterPolicy{}, getErr
}
if !exists {
existsErr := errors.NewNotFound(authorizationapi.Resource("clusterpolicy"), name)
return &authorizationapi.ClusterPolicy{}, existsErr
}
clusterPolicy, castOK := item.(*authorizationapi.ClusterPolicy)
if !castOK {
castErr := errors.NewInvalid(authorizationapi.Kind("ClusterPolicy"), name, kfield.ErrorList{})
return &authorizationapi.ClusterPolicy{}, castErr
}
return clusterPolicy, nil
}
示例8: Get
func (c *readOnlyPolicyBindingCache) Get(name, namespace string) (*authorizationapi.PolicyBinding, error) {
keyObj := &authorizationapi.PolicyBinding{ObjectMeta: kapi.ObjectMeta{Namespace: namespace, Name: name}}
key, _ := c.keyFunc(keyObj)
item, exists, getErr := c.indexer.GetByKey(key)
if getErr != nil {
return &authorizationapi.PolicyBinding{}, getErr
}
if !exists {
existsErr := errors.NewNotFound(authorizationapi.Resource("policybinding"), name)
return &authorizationapi.PolicyBinding{}, existsErr
}
policyBinding, castOK := item.(*authorizationapi.PolicyBinding)
if !castOK {
castErr := errors.NewInvalid(authorizationapi.Kind("PolicyBinding"), name, kfield.ErrorList{})
return &authorizationapi.PolicyBinding{}, castErr
}
return policyBinding, nil
}
示例9: NewFactory
// NewFactory creates an object that holds common methods across all OpenShift commands
func NewFactory(clientConfig kclientcmd.ClientConfig) *Factory {
var restMapper meta.MultiRESTMapper
seenGroups := sets.String{}
for _, gv := range registered.EnabledVersions() {
if seenGroups.Has(gv.Group) {
continue
}
seenGroups.Insert(gv.Group)
groupMeta, err := registered.Group(gv.Group)
if err != nil {
continue
}
restMapper = meta.MultiRESTMapper(append(restMapper, groupMeta.RESTMapper))
}
mapper := ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: restMapper}}
clients := &clientCache{
clients: make(map[string]*client.Client),
configs: make(map[string]*kclient.Config),
loader: clientConfig,
}
w := &Factory{
Factory: cmdutil.NewFactory(clientConfig),
OpenShiftClientConfig: clientConfig,
clients: clients,
}
w.Object = func() (meta.RESTMapper, runtime.ObjectTyper) {
// Output using whatever version was negotiated in the client cache. The
// version we decode with may not be the same as what the server requires.
if cfg, err := clients.ClientConfigForVersion(nil); err == nil {
cmdApiVersion := unversioned.GroupVersion{}
if cfg.GroupVersion != nil {
cmdApiVersion = *cfg.GroupVersion
}
return kubectl.OutputVersionMapper{RESTMapper: mapper, OutputVersions: []unversioned.GroupVersion{cmdApiVersion}}, api.Scheme
}
return mapper, api.Scheme
}
kClientForMapping := w.Factory.ClientForMapping
w.ClientForMapping = func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
if latest.OriginKind(mapping.GroupVersionKind) {
mappingVersion := mapping.GroupVersionKind.GroupVersion()
client, err := clients.ClientForVersion(&mappingVersion)
if err != nil {
return nil, err
}
return client.RESTClient, nil
}
return kClientForMapping(mapping)
}
// Save original Describer function
kDescriberFunc := w.Factory.Describer
w.Describer = func(mapping *meta.RESTMapping) (kubectl.Describer, error) {
if latest.OriginKind(mapping.GroupVersionKind) {
oClient, kClient, err := w.Clients()
if err != nil {
return nil, fmt.Errorf("unable to create client %s: %v", mapping.GroupVersionKind.Kind, err)
}
mappingVersion := mapping.GroupVersionKind.GroupVersion()
cfg, err := clients.ClientConfigForVersion(&mappingVersion)
if err != nil {
return nil, fmt.Errorf("unable to load a client %s: %v", mapping.GroupVersionKind.Kind, err)
}
describer, ok := describe.DescriberFor(mapping.GroupVersionKind.GroupKind(), oClient, kClient, cfg.Host)
if !ok {
return nil, fmt.Errorf("no description has been implemented for %q", mapping.GroupVersionKind.Kind)
}
return describer, nil
}
return kDescriberFunc(mapping)
}
kScalerFunc := w.Factory.Scaler
w.Scaler = func(mapping *meta.RESTMapping) (kubectl.Scaler, error) {
oc, kc, err := w.Clients()
if err != nil {
return nil, err
}
if mapping.GroupVersionKind.GroupKind() == deployapi.Kind("DeploymentConfig") {
return deployscaler.NewDeploymentConfigScaler(oc, kc), nil
}
return kScalerFunc(mapping)
}
kReaperFunc := w.Factory.Reaper
w.Reaper = func(mapping *meta.RESTMapping) (kubectl.Reaper, error) {
oc, kc, err := w.Clients()
if err != nil {
return nil, err
}
switch mapping.GroupVersionKind.GroupKind() {
case deployapi.Kind("DeploymentConfig"):
//.........这里部分代码省略.........
示例10: NewFactory
// NewFactory creates an object that holds common methods across all OpenShift commands
func NewFactory(clientConfig kclientcmd.ClientConfig) *Factory {
restMapper := registered.RESTMapper()
clients := &clientCache{
clients: make(map[string]*client.Client),
configs: make(map[string]*restclient.Config),
loader: clientConfig,
}
w := &Factory{
Factory: cmdutil.NewFactory(clientConfig),
OpenShiftClientConfig: clientConfig,
clients: clients,
ImageResolutionOptions: &imageResolutionOptions{},
}
w.Object = func(bool) (meta.RESTMapper, runtime.ObjectTyper) {
defaultMapper := ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: restMapper}}
defaultTyper := api.Scheme
// Output using whatever version was negotiated in the client cache. The
// version we decode with may not be the same as what the server requires.
cfg, err := clients.ClientConfigForVersion(nil)
if err != nil {
return defaultMapper, defaultTyper
}
cmdApiVersion := unversioned.GroupVersion{}
if cfg.GroupVersion != nil {
cmdApiVersion = *cfg.GroupVersion
}
// at this point we've negotiated and can get the client
oclient, err := clients.ClientForVersion(nil)
if err != nil {
return defaultMapper, defaultTyper
}
cacheDir := computeDiscoverCacheDir(filepath.Join(homedir.HomeDir(), ".kube"), cfg.Host)
cachedDiscoverClient := NewCachedDiscoveryClient(client.NewDiscoveryClient(oclient.RESTClient), cacheDir, time.Duration(10*time.Minute))
// if we can't find the server version or its too old to have Kind information in the discovery doc, skip the discovery RESTMapper
// and use our hardcoded levels
mapper := registered.RESTMapper()
if serverVersion, err := cachedDiscoverClient.ServerVersion(); err == nil && useDiscoveryRESTMapper(serverVersion.GitVersion) {
mapper = restmapper.NewDiscoveryRESTMapper(cachedDiscoverClient)
}
mapper = NewShortcutExpander(cachedDiscoverClient, kubectl.ShortcutExpander{RESTMapper: mapper})
return kubectl.OutputVersionMapper{RESTMapper: mapper, OutputVersions: []unversioned.GroupVersion{cmdApiVersion}}, api.Scheme
}
w.UnstructuredObject = func() (meta.RESTMapper, runtime.ObjectTyper, error) {
// load a discovery client from the default config
cfg, err := clients.ClientConfigForVersion(nil)
if err != nil {
return nil, nil, err
}
dc, err := discovery.NewDiscoveryClientForConfig(cfg)
if err != nil {
return nil, nil, err
}
cacheDir := computeDiscoverCacheDir(filepath.Join(homedir.HomeDir(), ".kube"), cfg.Host)
cachedDiscoverClient := NewCachedDiscoveryClient(client.NewDiscoveryClient(dc.RESTClient), cacheDir, time.Duration(10*time.Minute))
// enumerate all group resources
groupResources, err := discovery.GetAPIGroupResources(cachedDiscoverClient)
if err != nil {
return nil, nil, err
}
// Register unknown APIs as third party for now to make
// validation happy. TODO perhaps make a dynamic schema
// validator to avoid this.
for _, group := range groupResources {
for _, version := range group.Group.Versions {
gv := unversioned.GroupVersion{Group: group.Group.Name, Version: version.Version}
if !registered.IsRegisteredVersion(gv) {
registered.AddThirdPartyAPIGroupVersions(gv)
}
}
}
// construct unstructured mapper and typer
mapper := discovery.NewRESTMapper(groupResources, meta.InterfacesForUnstructured)
typer := discovery.NewUnstructuredObjectTyper(groupResources)
return NewShortcutExpander(cachedDiscoverClient, kubectl.ShortcutExpander{RESTMapper: mapper}), typer, nil
}
kClientForMapping := w.Factory.ClientForMapping
w.ClientForMapping = func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
if latest.OriginKind(mapping.GroupVersionKind) {
mappingVersion := mapping.GroupVersionKind.GroupVersion()
client, err := clients.ClientForVersion(&mappingVersion)
if err != nil {
return nil, err
}
return client.RESTClient, nil
}
return kClientForMapping(mapping)
//.........这里部分代码省略.........
示例11: TestAdmission
func TestAdmission(t *testing.T) {
var (
userAlice = userapi.User{
ObjectMeta: kapi.ObjectMeta{
Name: "Alice",
Labels: map[string]string{"foo": "bar"},
},
}
userAliceRef = kapi.ObjectReference{
Kind: authorizationapi.UserKind,
Name: "Alice",
}
userBob = userapi.User{
ObjectMeta: kapi.ObjectMeta{Name: "Bob"},
Groups: []string{"group"},
}
userBobRef = kapi.ObjectReference{
Kind: authorizationapi.UserKind,
Name: "Bob",
}
group = userapi.Group{
ObjectMeta: kapi.ObjectMeta{
Name: "group",
Labels: map[string]string{"baz": "quux"},
},
Users: []string{userBobRef.Name},
}
groupRef = kapi.ObjectReference{
Kind: authorizationapi.GroupKind,
Name: "group",
}
serviceaccount = kapi.ServiceAccount{
ObjectMeta: kapi.ObjectMeta{
Namespace: "namespace",
Name: "serviceaccount",
Labels: map[string]string{"xyzzy": "thud"},
},
}
serviceaccountRef = kapi.ObjectReference{
Kind: authorizationapi.ServiceAccountKind,
Namespace: "namespace",
Name: "serviceaccount",
}
systemuserRef = kapi.ObjectReference{
Kind: authorizationapi.SystemUserKind,
Name: "system user",
}
systemgroupRef = kapi.ObjectReference{
Kind: authorizationapi.SystemGroupKind,
Name: "system group",
}
)
testCases := []struct {
name string
expectedErr string
object runtime.Object
oldObject runtime.Object
kind unversioned.GroupVersionKind
resource unversioned.GroupVersionResource
namespace string
subresource string
objects []runtime.Object
}{
{
name: "ignore (allow) if subresource is nonempty",
object: &authorizationapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{
Namespace: "namespace",
Name: "rolebinding",
},
Subjects: []kapi.ObjectReference{userAliceRef},
},
oldObject: &authorizationapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{
Namespace: "namespace",
Name: "rolebinding",
},
Subjects: []kapi.ObjectReference{},
},
kind: authorizationapi.Kind("RoleBinding").WithVersion("version"),
resource: authorizationapi.Resource("rolebindings").WithVersion("version"),
namespace: "namespace",
subresource: "subresource",
objects: []runtime.Object{
&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{
Name: "namespace",
},
},
},
},
{
name: "ignore (allow) cluster-scoped rolebinding",
object: &authorizationapi.RoleBinding{
//.........这里部分代码省略.........
示例12: NewFactory
// NewFactory creates an object that holds common methods across all OpenShift commands
func NewFactory(clientConfig kclientcmd.ClientConfig) *Factory {
restMapper := registered.RESTMapper()
clients := &clientCache{
clients: make(map[string]*client.Client),
configs: make(map[string]*restclient.Config),
loader: clientConfig,
}
w := &Factory{
Factory: cmdutil.NewFactory(clientConfig),
OpenShiftClientConfig: clientConfig,
clients: clients,
}
w.Object = func(bool) (meta.RESTMapper, runtime.ObjectTyper) {
defaultMapper := ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: restMapper}}
defaultTyper := api.Scheme
// Output using whatever version was negotiated in the client cache. The
// version we decode with may not be the same as what the server requires.
cfg, err := clients.ClientConfigForVersion(nil)
if err != nil {
return defaultMapper, defaultTyper
}
cmdApiVersion := unversioned.GroupVersion{}
if cfg.GroupVersion != nil {
cmdApiVersion = *cfg.GroupVersion
}
// at this point we've negotiated and can get the client
oclient, err := clients.ClientForVersion(nil)
if err != nil {
return defaultMapper, defaultTyper
}
cacheDir := computeDiscoverCacheDir(filepath.Join(homedir.HomeDir(), ".kube"), cfg.Host)
cachedDiscoverClient := NewCachedDiscoveryClient(client.NewDiscoveryClient(oclient.RESTClient), cacheDir, time.Duration(10*time.Minute))
mapper := restmapper.NewDiscoveryRESTMapper(cachedDiscoverClient)
mapper = NewShortcutExpander(cachedDiscoverClient, kubectl.ShortcutExpander{RESTMapper: mapper})
return kubectl.OutputVersionMapper{RESTMapper: mapper, OutputVersions: []unversioned.GroupVersion{cmdApiVersion}}, api.Scheme
}
kClientForMapping := w.Factory.ClientForMapping
w.ClientForMapping = func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
if latest.OriginKind(mapping.GroupVersionKind) {
mappingVersion := mapping.GroupVersionKind.GroupVersion()
client, err := clients.ClientForVersion(&mappingVersion)
if err != nil {
return nil, err
}
return client.RESTClient, nil
}
return kClientForMapping(mapping)
}
// Save original Describer function
kDescriberFunc := w.Factory.Describer
w.Describer = func(mapping *meta.RESTMapping) (kubectl.Describer, error) {
if latest.OriginKind(mapping.GroupVersionKind) {
oClient, kClient, err := w.Clients()
if err != nil {
return nil, fmt.Errorf("unable to create client %s: %v", mapping.GroupVersionKind.Kind, err)
}
mappingVersion := mapping.GroupVersionKind.GroupVersion()
cfg, err := clients.ClientConfigForVersion(&mappingVersion)
if err != nil {
return nil, fmt.Errorf("unable to load a client %s: %v", mapping.GroupVersionKind.Kind, err)
}
describer, ok := describe.DescriberFor(mapping.GroupVersionKind.GroupKind(), oClient, kClient, cfg.Host)
if !ok {
return nil, fmt.Errorf("no description has been implemented for %q", mapping.GroupVersionKind.Kind)
}
return describer, nil
}
return kDescriberFunc(mapping)
}
kScalerFunc := w.Factory.Scaler
w.Scaler = func(mapping *meta.RESTMapping) (kubectl.Scaler, error) {
oc, kc, err := w.Clients()
if err != nil {
return nil, err
}
if mapping.GroupVersionKind.GroupKind() == deployapi.Kind("DeploymentConfig") {
return deployscaler.NewDeploymentConfigScaler(oc, kc), nil
}
return kScalerFunc(mapping)
}
kReaperFunc := w.Factory.Reaper
w.Reaper = func(mapping *meta.RESTMapping) (kubectl.Reaper, error) {
oc, kc, err := w.Clients()
if err != nil {
return nil, err
//.........这里部分代码省略.........
示例13: Create
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if errs := authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview); len(errs) > 0 {
return nil, kapierrors.NewInvalid(authorizationapi.Kind(subjectAccessReview.Kind), "", errs)
}
// if a namespace is present on the request, then the namespace on the on the SAR is overwritten.
// This is to support backwards compatibility. To have gotten here in this state, it means that
// the authorizer decided that a user could run an SAR against this namespace
if namespace := kapi.NamespaceValue(ctx); len(namespace) > 0 {
subjectAccessReview.Action.Namespace = namespace
} else if err := r.isAllowed(ctx, subjectAccessReview); err != nil {
// this check is mutually exclusive to the condition above. localSAR and localRAR both clear the namespace before delegating their calls
// We only need to check if the SAR is allowed **again** if the authorizer didn't already approve the request for a legacy call.
return nil, err
}
var userToCheck *user.DefaultInfo
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kapierrors.NewBadRequest("user missing from context")
}
// make a copy, we don't want to risk changing the original
newExtra := map[string][]string{}
for k, v := range ctxUser.GetExtra() {
if v == nil {
newExtra[k] = nil
continue
}
newSlice := make([]string, len(v), len(v))
copy(newSlice, v)
newExtra[k] = newSlice
}
userToCheck = &user.DefaultInfo{
Name: ctxUser.GetName(),
Groups: ctxUser.GetGroups(),
UID: ctxUser.GetUID(),
Extra: newExtra,
}
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
Extra: map[string][]string{},
}
}
switch {
case subjectAccessReview.Scopes == nil:
// leave the scopes alone. on a self-sar, this means "use incoming request", on regular-sar it means, "use no scope restrictions"
case len(subjectAccessReview.Scopes) == 0:
// this always means "use no scope restrictions", so delete them
delete(userToCheck.Extra, authorizationapi.ScopesKey)
case len(subjectAccessReview.Scopes) > 0:
// this always means, "use these scope restrictions", so force the value
userToCheck.Extra[authorizationapi.ScopesKey] = subjectAccessReview.Scopes
}
requestContext := kapi.WithNamespace(kapi.WithUser(ctx, userToCheck), subjectAccessReview.Action.Namespace)
attributes := authorizer.ToDefaultAuthorizationAttributes(subjectAccessReview.Action)
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: subjectAccessReview.Action.Namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}