本文整理汇总了Golang中github.com/openshift/origin/pkg/authorization/api.NormalizeResources函数的典型用法代码示例。如果您正苦于以下问题:Golang NormalizeResources函数的具体用法?Golang NormalizeResources怎么用?Golang NormalizeResources使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了NormalizeResources函数的9个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: GetBootstrapOpenshiftRoles
// GetBootstrapOpenshiftRoles returns the bootstrap roles created in the shared
// namespace named by openshiftNamespace.
//
// The only role built here is the shared-resource viewer. It grants the read
// verbs on templates and on image streams, tags and images, plus "get" on
// imagestreams/layers. Who actually receives these permissions is decided by
// the role bindings, which are not part of this function.
//
// Before returning, every rule's Resources set is passed through
// NormalizeResources so that the published roles do not carry resource-group
// names and can be reviewed exactly as written.
func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role {
	sharedViewRules := []authorizationapi.PolicyRule{
		authorizationapi.NewRule(read...).Groups(templateGroup).Resources("templates").RuleOrDie(),
		authorizationapi.NewRule(read...).Groups(imageGroup).Resources("imagestreams", "imagestreamtags", "imagestreamimages").RuleOrDie(),
		// "get" on the layers subresource is what allows pulling from the
		// openshift/* image streams.
		authorizationapi.NewRule("get").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
	}

	roles := []authorizationapi.Role{
		{
			ObjectMeta: kapi.ObjectMeta{
				Name:      OpenshiftSharedResourceViewRoleName,
				Namespace: openshiftNamespace,
			},
			Rules: sharedViewRules,
		},
	}

	// Resource groups are not exposed externally: they make the default roles
	// hard to learn from and hard to reason about when granting power to users.
	for i := range roles {
		for j := range roles[i].Rules {
			rule := &roles[i].Rules[j]
			rule.Resources = authorizationapi.NormalizeResources(rule.Resources)
		}
	}
	return roles
}
示例2: RuleMatches
// RuleMatches reports whether rule applies to the request described by a.
//
// A non-resource URL request matches only when nonResourceMatches and
// verbMatches both accept the rule. A resource request must pass the verb,
// API group, resource (after NormalizeResources) and resource-name checks, in
// that order.
//
// When every check passes and the rule carries AttributeRestrictions, the
// restriction decides the outcome. The only type understood here is
// *IsPersonalSubjectAccessReview, which defers to IsPersonalAccessReview. Any
// other restriction type returns (false, error), so an unrecognised
// restriction never widens access.
func (a DefaultAuthorizationAttributes) RuleMatches(rule authorizationapi.PolicyRule) (bool, error) {
	if a.IsNonResourceURL() {
		return a.nonResourceMatches(rule) && a.verbMatches(rule.Verbs), nil
	}

	if !a.verbMatches(rule.Verbs) || !a.apiGroupMatches(rule.APIGroups) {
		return false, nil
	}

	allowedResourceTypes := authorizationapi.NormalizeResources(rule.Resources)
	if !a.resourceMatches(allowedResourceTypes) || !a.nameMatches(rule.ResourceNames) {
		return false, nil
	}

	// The rule matches the request; any additional restriction still has to
	// agree before the match is reported.
	restriction := rule.AttributeRestrictions
	if restriction == nil {
		return true, nil
	}
	if _, personal := restriction.(*authorizationapi.IsPersonalSubjectAccessReview); personal {
		return IsPersonalAccessReview(a)
	}
	// Fail closed on a restriction this code does not know how to evaluate.
	return false, fmt.Errorf("unable to interpret: %#v", restriction)
}
示例3: oldGetBootstrapOpenshiftRoles
// oldGetBootstrapOpenshiftRoles builds the shared-resource viewer role with
// struct-literal rules rather than the rule builder.
//
// The first rule lists authorizationapi.ImageGroupName next to "templates";
// NOTE(review): this looks like a resource-group name that NormalizeResources
// replaces with concrete resources. Confirm against the api package.
// Every rule's Resources set is normalized before the roles are returned.
func oldGetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role {
	readSharedResources := authorizationapi.PolicyRule{
		Verbs:     sets.NewString("get", "list"),
		Resources: sets.NewString("templates", authorizationapi.ImageGroupName),
	}
	// "get" on the layers subresource is what allows pulling from the
	// openshift/* image streams.
	pullLayers := authorizationapi.PolicyRule{
		Verbs:     sets.NewString("get"),
		Resources: sets.NewString("imagestreams/layers"),
	}

	roles := []authorizationapi.Role{
		{
			ObjectMeta: kapi.ObjectMeta{
				Name:      bootstrappolicy.OpenshiftSharedResourceViewRoleName,
				Namespace: openshiftNamespace,
			},
			Rules: []authorizationapi.PolicyRule{readSharedResources, pullLayers},
		},
	}

	// Resource groups are not exposed externally: they make the default roles
	// hard to learn from and hard to reason about when granting power to users.
	for i := range roles {
		for j := range roles[i].Rules {
			rule := &roles[i].Rules[j]
			rule.Resources = authorizationapi.NormalizeResources(rule.Resources)
		}
	}
	return roles
}
示例4: TestAllOpenShiftResourceCoverage
// TestAllOpenShiftResourceCoverage verifies that the resources registered under
// OpenshiftAllGroupName in GroupsToResources include every key of the fake
// master's REST storage map, compared in lower case. It reports one error per
// storage key that the group does not contain.
func TestAllOpenShiftResourceCoverage(t *testing.T) {
	groupMembers := authorizationapi.GroupsToResources[authorizationapi.OpenshiftAllGroupName]
	allOpenshift := authorizationapi.NormalizeResources(sets.NewString(groupMembers...))

	storageMap := fakeMasterConfig().GetRestStorage()
	for key := range storageMap {
		resource := strings.ToLower(key)
		if !allOpenshift.Has(resource) {
			t.Errorf("authorizationapi.GroupsToResources[authorizationapi.OpenshiftAllGroupName] is missing %v. Check pkg/authorization/api/types.go.", resource)
		}
	}
}
示例5: ruleCovers
// ruleCovers reports whether ownerRule grants everything subrule asks for.
// ownerRule may list several verbs, resources and resource names; subrule is
// expected to hold at most one of each.
//
// All four dimensions must agree:
//   - API groups: the owner has APIGroupAll, or contains every subrule group,
//     or both rules list no groups at all.
//   - Verbs: the owner has VerbAll or contains every subrule verb.
//   - Resources: the owner has ResourceAll, or its normalized resource set
//     contains every subrule resource.
//   - Resource names: an owner with no names is unrestricted and covers any
//     subrule. An owner restricted to names covers only a subrule that names a
//     subset of them, so it never covers a subrule with no names.
func ruleCovers(ownerRule, subrule authorizationapi.PolicyRule) bool {
	ownerResources := authorizationapi.NormalizeResources(ownerRule.Resources)
	ownerGroups := sets.NewString(ownerRule.APIGroups...)

	var groupMatches bool
	switch {
	case ownerGroups.Has(authorizationapi.APIGroupAll):
		groupMatches = true
	case ownerGroups.HasAll(subrule.APIGroups...):
		groupMatches = true
	default:
		groupMatches = len(ownerRule.APIGroups) == 0 && len(subrule.APIGroups) == 0
	}

	verbMatches := ownerRule.Verbs.Has(authorizationapi.VerbAll)
	if !verbMatches {
		verbMatches = ownerRule.Verbs.HasAll(subrule.Verbs.List()...)
	}

	resourceMatches := ownerRule.Resources.Has(authorizationapi.ResourceAll)
	if !resourceMatches {
		resourceMatches = ownerResources.HasAll(subrule.Resources.List()...)
	}

	// An owner without names is unrestricted. A name-restricted owner can only
	// cover a subrule that is itself restricted to a subset of those names.
	ownerUnrestricted := len(ownerRule.ResourceNames) == 0
	resourceNameMatches := ownerUnrestricted
	if !ownerUnrestricted && len(subrule.ResourceNames) > 0 {
		resourceNameMatches = ownerRule.ResourceNames.HasAll(subrule.ResourceNames.List()...)
	}

	return verbMatches && resourceMatches && resourceNameMatches && groupMatches
}
示例6: breakdownRuleForGroup
// breakdownRuleForGroup splits rule into single-purpose subrules for one API
// group. Each subrule holds exactly one normalized resource and one verb. When
// rule restricts resource names, one subrule is emitted per name, so the name
// restriction is carried into every subrule rather than dropped.
//
// The result is always a non-nil slice. Its order follows set iteration order
// for resources and verbs, so it is not stable between calls.
func breakdownRuleForGroup(group string, rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule {
	// newSubrule builds fresh sets on every call so subrules never share state.
	newSubrule := func(resource, verb string) authorizationapi.PolicyRule {
		return authorizationapi.PolicyRule{
			APIGroups: []string{group},
			Resources: sets.NewString(resource),
			Verbs:     sets.NewString(verb),
		}
	}

	subrules := make([]authorizationapi.PolicyRule, 0)
	for resource := range authorizationapi.NormalizeResources(rule.Resources) {
		for verb := range rule.Verbs {
			if len(rule.ResourceNames) == 0 {
				subrules = append(subrules, newSubrule(resource, verb))
				continue
			}
			for _, resourceName := range rule.ResourceNames.List() {
				named := newSubrule(resource, verb)
				named.ResourceNames = sets.NewString(resourceName)
				subrules = append(subrules, named)
			}
		}
	}
	return subrules
}
示例7: GetBootstrapClusterRoles
//.........这里部分代码省略.........
{
ObjectMeta: kapi.ObjectMeta{
Name: DiscoveryRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.DiscoveryRule,
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: RegistryAdminRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule(readWrite...).Groups(kapiGroup).Resources("serviceaccounts", "secrets").RuleOrDie(),
authorizationapi.NewRule(readWrite...).Groups(imageGroup).Resources("imagestreamimages", "imagestreammappings", "imagestreams", "imagestreams/secrets", "imagestreamtags").RuleOrDie(),
authorizationapi.NewRule("create").Groups(imageGroup).Resources("imagestreamimports").RuleOrDie(),
authorizationapi.NewRule("get", "update").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
authorizationapi.NewRule(readWrite...).Groups(authzGroup).Resources("rolebindings", "roles").RuleOrDie(),
authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "subjectrulesreviews").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(authzGroup).Resources("policies", "policybindings").RuleOrDie(),
authorizationapi.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
authorizationapi.NewRule("get", "delete").Groups(projectGroup).Resources("projects").RuleOrDie(),
// backwards compatibility
authorizationapi.NewRule("create").Groups(authzGroup).Resources("resourceaccessreviews", "subjectaccessreviews").RuleOrDie(),
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: RegistryEditorRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule(readWrite...).Groups(kapiGroup).Resources("serviceaccounts", "secrets").RuleOrDie(),
authorizationapi.NewRule(readWrite...).Groups(imageGroup).Resources("imagestreamimages", "imagestreammappings", "imagestreams", "imagestreams/secrets", "imagestreamtags").RuleOrDie(),
authorizationapi.NewRule("create").Groups(imageGroup).Resources("imagestreamimports").RuleOrDie(),
authorizationapi.NewRule("get", "update").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
authorizationapi.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
authorizationapi.NewRule("get").Groups(projectGroup).Resources("projects").RuleOrDie(),
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: RegistryViewerRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule(read...).Groups(imageGroup).Resources("imagestreamimages", "imagestreammappings", "imagestreams", "imagestreamtags").RuleOrDie(),
authorizationapi.NewRule("get").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
authorizationapi.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
authorizationapi.NewRule("get").Groups(projectGroup).Resources("projects").RuleOrDie(),
},
},
}
saRoles := InfraSAs.AllRoles()
for _, saRole := range saRoles {
for _, existingRole := range roles {
if existingRole.Name == saRole.Name {
panic(fmt.Sprintf("clusterrole/%s is already registered", existingRole.Name))
}
}
}
// TODO roundtrip roles to pick up defaulting for API groups. Without this, the covers check in reconcile-cluster-roles will fail.
// we can remove this again once everything gets group qualified and we have unit tests enforcing that. other pulls are in
// progress to do that.
// we only want to roundtrip the sa roles now. We'll remove this once we convert the SA roles
versionedRoles := []authorizationapiv1.ClusterRole{}
for i := range saRoles {
newRole := &authorizationapiv1.ClusterRole{}
if err := kapi.Scheme.Convert(&saRoles[i], newRole, nil); err != nil {
panic(err)
}
versionedRoles = append(versionedRoles, *newRole)
}
roundtrippedRoles := []authorizationapi.ClusterRole{}
for i := range versionedRoles {
newRole := &authorizationapi.ClusterRole{}
if err := kapi.Scheme.Convert(&versionedRoles[i], newRole, nil); err != nil {
panic(err)
}
roundtrippedRoles = append(roundtrippedRoles, *newRole)
}
roles = append(roles, roundtrippedRoles...)
// we don't want to expose the resourcegroups externally because it makes it very difficult for customers to learn from
// our default roles and hard for them to reason about what power they are granting their users
for i := range roles {
for j := range roles[i].Rules {
roles[i].Rules[j].Resources = authorizationapi.NormalizeResources(roles[i].Rules[j].Resources)
}
}
return roles
}
示例8: GetBootstrapClusterRoles
//.........这里部分代码省略.........
// Needed for persistent volumes
Verbs: sets.NewString("get"),
Resources: sets.NewString("persistentvolumeclaims", "persistentvolumes"),
},
{
// TODO: restrict to namespaces of pods scheduled on bound node once supported
// TODO: change glusterfs to use DNS lookup so this isn't needed?
// Needed for glusterfs volumes
Verbs: sets.NewString("get"),
Resources: sets.NewString("endpoints"),
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: SDNReaderRoleName,
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("get", "list", "watch"),
Resources: sets.NewString("hostsubnets"),
},
{
Verbs: sets.NewString("get", "list", "watch"),
Resources: sets.NewString("netnamespaces"),
},
{
Verbs: sets.NewString("get", "list", "watch"),
Resources: sets.NewString("nodes"),
},
{
Verbs: sets.NewString("get"),
Resources: sets.NewString("clusternetworks"),
},
{
Verbs: sets.NewString("get", "list", "watch"),
Resources: sets.NewString("namespaces"),
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: SDNManagerRoleName,
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("get", "list", "watch", "create", "delete"),
Resources: sets.NewString("hostsubnets"),
},
{
Verbs: sets.NewString("get", "list", "watch", "create", "delete"),
Resources: sets.NewString("netnamespaces"),
},
{
Verbs: sets.NewString("get", "list", "watch"),
Resources: sets.NewString("nodes"),
},
{
Verbs: sets.NewString("get", "create"),
Resources: sets.NewString("clusternetworks"),
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: WebHooksRoleName,
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("get", "create"),
Resources: sets.NewString("buildconfigs/webhooks"),
},
},
},
}
saRoles := InfraSAs.AllRoles()
for _, saRole := range saRoles {
for _, existingRole := range roles {
if existingRole.Name == saRole.Name {
panic(fmt.Sprintf("clusterrole/%s is already registered", existingRole.Name))
}
}
}
roles = append(roles, saRoles...)
// we don't want to expose the resourcegroups externally because it makes it very difficult for customers to learn from
// our default roles and hard for them to reason about what power they are granting their users
for i := range roles {
for j := range roles[i].Rules {
roles[i].Rules[j].Resources = authorizationapi.NormalizeResources(roles[i].Rules[j].Resources)
}
}
return roles
}
示例9: oldGetBootstrapClusterRoles
//.........这里部分代码省略.........
APIGroups: []string{authorizationapi.GroupName},
Resources: sets.NewString("rolebindings", "roles"),
},
{
Verbs: sets.NewString("get", "list", "watch"),
APIGroups: []string{authorizationapi.GroupName},
Resources: sets.NewString("policies", "policybindings"),
},
{
Verbs: sets.NewString("get"),
APIGroups: []string{kapi.GroupName},
Resources: sets.NewString("namespaces"),
},
{
Verbs: sets.NewString("get", "delete"),
APIGroups: []string{projectapi.GroupName},
Resources: sets.NewString("projects"),
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: bootstrappolicy.RegistryEditorRoleName,
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"),
APIGroups: []string{imageapi.GroupName},
Resources: sets.NewString("imagestreamimages", "imagestreamimports", "imagestreammappings", "imagestreams", "imagestreams/secrets", "imagestreamtags"),
},
{
Verbs: sets.NewString("get", "update"),
APIGroups: []string{imageapi.GroupName},
Resources: sets.NewString("imagestreams/layers"),
},
{
Verbs: sets.NewString("get"),
APIGroups: []string{kapi.GroupName},
Resources: sets.NewString("namespaces"),
},
{
Verbs: sets.NewString("get"),
APIGroups: []string{projectapi.GroupName},
Resources: sets.NewString("projects"),
},
},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: bootstrappolicy.RegistryViewerRoleName,
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("get", "list", "watch"),
APIGroups: []string{imageapi.GroupName},
Resources: sets.NewString("imagestreamimages", "imagestreamimports", "imagestreammappings", "imagestreams", "imagestreamtags"),
},
{
Verbs: sets.NewString("get"),
APIGroups: []string{imageapi.GroupName},
Resources: sets.NewString("imagestreams/layers"),
},
{
Verbs: sets.NewString("get"),
APIGroups: []string{kapi.GroupName},
Resources: sets.NewString("namespaces"),
},
{
Verbs: sets.NewString("get"),
APIGroups: []string{projectapi.GroupName},
Resources: sets.NewString("projects"),
},
},
},
}
// we don't want to expose the resourcegroups externally because it makes it very difficult for customers to learn from
// our default roles and hard for them to reason about what power they are granting their users
for i := range roles {
for j := range roles[i].Rules {
roles[i].Rules[j].Resources = authorizationapi.NormalizeResources(roles[i].Rules[j].Resources)
}
}
versionedRoles := []authorizationapiv1.ClusterRole{}
for i := range roles {
newRole := &authorizationapiv1.ClusterRole{}
kapi.Scheme.Convert(&roles[i], newRole)
versionedRoles = append(versionedRoles, *newRole)
}
roundtrippedRoles := []authorizationapi.ClusterRole{}
for i := range versionedRoles {
newRole := &authorizationapi.ClusterRole{}
kapi.Scheme.Convert(&versionedRoles[i], newRole)
roundtrippedRoles = append(roundtrippedRoles, *newRole)
}
return roundtrippedRoles
}