本文汇总了 Golang 中 github.com/openshift/origin/pkg/authorization/api 包 NewRule 函数的典型用法，共 4 个代码示例（均取自 OpenShift Origin 源码）。NewRule 是 PolicyRule 的链式构造器：以动词列表起始，再通过 Groups/Resources/Names 限定 API 组、资源与资源名，最后调用 RuleOrDie 取得规则（按 Go 的 OrDie 惯例，构造失败时应当会 panic）。这些示例定义的都是授权策略，阅读时请留意每条规则实际授予的权限范围。
示例1: GetBootstrapOpenshiftRoles
// GetBootstrapOpenshiftRoles returns the default namespaced roles that are
// created in the shared openshift namespace at bootstrap time.
//
// openshiftNamespace is the namespace every returned role is scoped to. Each
// rule's resource list is run through NormalizeResources before the roles are
// returned, so the persisted roles list concrete resources rather than
// internal resource groups.
//
// Security note: the shared-resource-view role is read-only apart from the
// "get" on imagestreams/layers, which is what lets any holder pull from the
// openshift/* image streams; widen this role with care.
func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role {
	sharedViewRules := []authorizationapi.PolicyRule{
		// Read-only access to the shared templates.
		authorizationapi.NewRule(read...).Groups(templateGroup).Resources("templates").RuleOrDie(),
		// Read-only access to the shared image streams and their tag/image views.
		authorizationapi.NewRule(read...).Groups(imageGroup).Resources("imagestreams", "imagestreamtags", "imagestreamimages").RuleOrDie(),
		// Lets anyone bound to this role pull from openshift/* image streams.
		authorizationapi.NewRule("get").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
	}

	sharedView := authorizationapi.Role{
		ObjectMeta: kapi.ObjectMeta{
			Name:      OpenshiftSharedResourceViewRoleName,
			Namespace: openshiftNamespace,
		},
		Rules: sharedViewRules,
	}

	roles := []authorizationapi.Role{sharedView}

	// Resource groups are an internal convenience. Expanding them here keeps the
	// default roles explicit, so administrators can read exactly which resources
	// they grant and reason about the power they are handing out.
	for r := range roles {
		rules := roles[r].Rules
		for idx := range rules {
			rules[idx].Resources = authorizationapi.NormalizeResources(rules[idx].Resources)
		}
	}
	return roles
}
示例2: ResolveRules
// ResolveRules maps a user-scope name onto the PolicyRules that scope grants.
//
// Only scope is consulted; namespace and clusterPolicyGetter are accepted to
// satisfy the evaluator interface and are not used by this evaluator.
//
// An unrecognized scope is an error, so a mistyped or unknown scope fails
// closed instead of silently resolving to an empty (or overly broad) rule set.
func (userEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error) {
	var rules []authorizationapi.PolicyRule

	switch scope {
	case UserInfo:
		// "get" on a single user resource name, "~" (presumably the alias for the
		// requesting user - verify against the user API).
		rules = []authorizationapi.PolicyRule{
			{Verbs: sets.NewString("get"), APIGroups: []string{userapi.GroupName}, Resources: sets.NewString("users"), ResourceNames: sets.NewString("~")},
		}

	case UserAccessCheck:
		// Access-review "creates" are non-mutating queries. The attribute
		// restriction limits subject access reviews to personal ones, so the
		// scope cannot be used to probe other subjects' permissions.
		rules = []authorizationapi.PolicyRule{
			{Verbs: sets.NewString("create"), APIGroups: []string{authorizationapi.GroupName}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
			authorizationapi.NewRule("create").Groups(authorizationapi.GroupName).Resources("selfsubjectrulesreviews").RuleOrDie(),
		}

	case UserListScopedProjects:
		// Enumerate projects only; no access to their contents.
		rules = []authorizationapi.PolicyRule{
			{Verbs: sets.NewString("list", "watch"), APIGroups: []string{projectapi.GroupName}, Resources: sets.NewString("projects")},
		}

	case UserListAllProjects:
		// As above, plus "get" on namespaces.
		rules = []authorizationapi.PolicyRule{
			{Verbs: sets.NewString("list", "watch"), APIGroups: []string{projectapi.GroupName}, Resources: sets.NewString("projects")},
			{Verbs: sets.NewString("get"), APIGroups: []string{kapi.GroupName}, Resources: sets.NewString("namespaces")},
		}

	case UserFull:
		// Unrestricted: every verb on every resource in every API group, plus
		// every non-resource URL. This is the broadest scope defined here.
		rules = []authorizationapi.PolicyRule{
			{Verbs: sets.NewString("*"), APIGroups: []string{"*"}, Resources: sets.NewString("*")},
			{Verbs: sets.NewString("*"), NonResourceURLs: sets.NewString("*")},
		}

	default:
		return nil, fmt.Errorf("unrecognized scope: %v", scope)
	}

	return rules, nil
}
示例3: GetBootstrapClusterRoles
func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
// four resource can be a single line
// up to ten-ish resources per line otherwise
roles := []authorizationapi.ClusterRole{
{
ObjectMeta: kapi.ObjectMeta{
Name: ClusterAdminRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
{
Verbs: sets.NewString(authorizationapi.VerbAll),
NonResourceURLs: sets.NewString(authorizationapi.NonResourceAll),
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: SudoerRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule("impersonate").Groups(kapiGroup).Resources(authorizationapi.SystemUserResource).Names(SystemAdminUsername).RuleOrDie(),
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: ClusterReaderRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "egressnetworkpolicies", "endpoints", "events", "limitranges",
"namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
"persistentvolumes/status", "pods", "pods/binding", "pods/eviction", "pods/log", "pods/status", "podtemplates", "replicationcontrollers", "replicationcontrollers/scale",
"replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "securitycontextconstraints", "serviceaccounts", "services",
"services/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(appsGroup).Resources("petsets", "petsets/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(batchGroup).Resources("jobs", "jobs/status", "scheduledjobs", "scheduledjobs/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale",
"deployments/status", "horizontalpodautoscalers", "horizontalpodautoscalers/status", "ingresses", "ingresses/status", "jobs", "jobs/status",
"networkpolicies", "podsecuritypolicies", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers",
"replicationcontrollers/scale", "storageclasses", "thirdpartyresources").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(certificatesGroup).Resources("certificatesigningrequests", "certificatesigningrequests/approval", "certificatesigningrequests/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(authzGroup).Resources("clusterpolicies", "clusterpolicybindings", "clusterroles", "clusterrolebindings",
"policies", "policybindings", "roles", "rolebindings").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(buildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(deployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log",
"deploymentconfigs/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(imageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages",
"imagestreams/status").RuleOrDie(),
// pull images
authorizationapi.NewRule("get").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(oauthGroup).Resources("oauthclientauthorizations").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(projectGroup).Resources("projectrequests", "projects").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(quotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(routeGroup).Resources("routes", "routes/status").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(sdnGroup).Resources("clusternetworks", "hostsubnets", "netnamespaces").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(templateGroup).Resources("templates", "templateconfigs", "processedtemplates").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(userGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(),
// permissions to check access. These creates are non-mutating
authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews",
"selfsubjectrulesreviews", "subjectrulesreviews", "subjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),
// permissions to check PSP, these creates are non-mutating
authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(),
// Allow read access to node metrics
authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(),
// Allow read access to stats
// Node stats requests are submitted as POSTs. These creates are non-mutating
authorizationapi.NewRule("get", "create").Groups(kapiGroup).Resources(authorizationapi.NodeStatsResource).RuleOrDie(),
{
Verbs: sets.NewString("get"),
NonResourceURLs: sets.NewString(authorizationapi.NonResourceAll),
},
// backwards compatibility
authorizationapi.NewRule(read...).Groups(buildGroup).Resources("buildlogs").RuleOrDie(),
// ... remainder of GetBootstrapClusterRoles omitted on this page; the function continues past this point ...
示例4: TestOwnerRefRestriction
// TestOwnerRefRestriction is an integration check that the ownerReference
// admission restriction is wired into the master: a user who may create a
// service but cannot delete it must be refused when the service carries an
// ownerReference. The plugin's own logic has unit tests; this only proves the
// plugin is actually invoked on the request path.
func TestOwnerRefRestriction(t *testing.T) {
	testutil.RequireEtcd(t)
	defer testutil.DumpEtcdOnFailure(t)

	// Every setup step is fatal on error.
	mustSucceed := func(err error) {
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
	}

	_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
	mustSucceed(err)

	clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	mustSucceed(err)

	originClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	mustSucceed(err)

	// A cluster role granting "create" on services and nothing else - in
	// particular no "delete", which is what the restriction is about.
	createSvcRole := &authorizationapi.ClusterRole{
		ObjectMeta: kapi.ObjectMeta{
			Name: "create-svc",
		},
		Rules: []authorizationapi.PolicyRule{
			authorizationapi.NewRule("create").Groups(kapi.GroupName).Resources("services").RuleOrDie(),
		},
	}
	_, err = originClient.ClusterRoles().Create(createSvcRole)
	mustSucceed(err)

	_, err = testserver.CreateNewProject(originClient, *clientConfig, "foo", "admin-user")
	mustSucceed(err)

	_, creatorClient, _, err := testutil.GetClientForUser(*clientConfig, "creator")
	mustSucceed(err)

	// Bind the create-only role to user "creator" inside project "foo".
	binding := &authorizationapi.RoleBinding{
		ObjectMeta: kapi.ObjectMeta{
			Name: "create-svc",
		},
		RoleRef:  kapi.ObjectReference{Name: "create-svc"},
		Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "creator"}},
	}
	_, err = originClient.RoleBindings("foo").Create(binding)
	mustSucceed(err)

	// Block until the binding is observed to grant create on services. Without
	// this, a Forbidden below could be caused by the missing create permission
	// rather than by the ownerRef restriction we want to exercise.
	mustSucceed(testutil.WaitForPolicyUpdate(originClient, "foo", "create", kapi.Resource("services"), true))

	// An empty OwnerReference is enough to trigger the restriction.
	svc := &kapi.Service{
		ObjectMeta: kapi.ObjectMeta{
			Name:            "my-service",
			OwnerReferences: []kapi.OwnerReference{{}},
		},
	}
	_, err = creatorClient.Services("foo").Create(svc)
	if err == nil {
		t.Fatalf("missing err")
	}

	// The rejection must be the plugin's Forbidden, not some unrelated failure,
	// so check both the status reason and the plugin's message.
	wantMsg := "cannot set an ownerRef on a resource you can't delete"
	if !kapierrors.IsForbidden(err) || !strings.Contains(err.Error(), wantMsg) {
		t.Fatalf("expecting cannot set an ownerRef on a resource you can't delete, got %v", err)
	}
}