本文整理汇总了Golang中github.com/openshift/origin/pkg/user/api.Resource函数的典型用法代码示例。如果您正苦于以下问题:Golang Resource函数的具体用法?Golang Resource怎么用?Golang Resource使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了Resource函数的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: parseRequestedSubject
func parseRequestedSubject(requestedSubject string) (unversioned.GroupResource, string, string, error) {
subjects := authorizationapi.BuildSubjects([]string{requestedSubject}, nil,
// validates whether the usernames are regular users or system users
uservalidation.ValidateUserName,
// validates group names, but we never pass any groups
func(s string, b bool) (bool, string) { return true, "" })
if len(subjects) == 0 {
return unversioned.GroupResource{}, "", "", fmt.Errorf("subject must be in the form of a username, not %v", requestedSubject)
}
resource := unversioned.GroupResource{}
switch subjects[0].GetObjectKind().GroupVersionKind().GroupKind() {
case userapi.Kind(authorizationapi.UserKind):
resource = userapi.Resource(authorizationapi.UserResource)
case userapi.Kind(authorizationapi.SystemUserKind):
resource = userapi.Resource(authorizationapi.SystemUserResource)
case kapi.Kind(authorizationapi.ServiceAccountKind):
resource = kapi.Resource(authorizationapi.ServiceAccountResource)
default:
return unversioned.GroupResource{}, "", "", fmt.Errorf("unknown subject type: %v", subjects[0])
}
return resource, subjects[0].Namespace, subjects[0].Name, nil
}
示例2: NewREST
// NewREST returns a RESTStorage object that will work against groups
func NewREST(s storage.Interface) *REST {
store := &etcdgeneric.Etcd{
NewFunc: func() runtime.Object { return &api.Group{} },
NewListFunc: func() runtime.Object { return &api.GroupList{} },
KeyRootFunc: func(ctx kapi.Context) string {
return EtcdPrefix
},
KeyFunc: func(ctx kapi.Context, name string) (string, error) {
return util.NoNamespaceKeyFunc(ctx, EtcdPrefix, name)
},
ObjectNameFunc: func(obj runtime.Object) (string, error) {
return obj.(*api.Group).Name, nil
},
PredicateFunc: func(label labels.Selector, field fields.Selector) generic.Matcher {
return group.Matcher(label, field)
},
QualifiedResource: api.Resource("groups"),
CreateStrategy: group.Strategy,
UpdateStrategy: group.Strategy,
Storage: s,
}
return &REST{store}
}
示例3: NewREST
// NewREST returns a RESTStorage object that will work against users
func NewREST(optsGetter restoptions.Getter) (*REST, error) {
store := ®istry.Store{
NewFunc: func() runtime.Object { return &api.User{} },
NewListFunc: func() runtime.Object { return &api.UserList{} },
KeyRootFunc: func(ctx kapi.Context) string {
return EtcdPrefix
},
KeyFunc: func(ctx kapi.Context, name string) (string, error) {
return util.NoNamespaceKeyFunc(ctx, EtcdPrefix, name)
},
ObjectNameFunc: func(obj runtime.Object) (string, error) {
return obj.(*api.User).Name, nil
},
PredicateFunc: func(label labels.Selector, field fields.Selector) generic.Matcher {
return user.Matcher(label, field)
},
QualifiedResource: api.Resource("users"),
CreateStrategy: user.Strategy,
UpdateStrategy: user.Strategy,
}
if err := restoptions.ApplyOptions(optsGetter, store, EtcdPrefix); err != nil {
return nil, err
}
return &REST{*store}, nil
}
示例4: GetUser
func (r *UserRegistry) GetUser(ctx kapi.Context, name string) (*api.User, error) {
*r.Actions = append(*r.Actions, Action{"GetUser", name})
if user, ok := r.Get[name]; ok {
return user, nil
}
if err, ok := r.GetErr[name]; ok {
return nil, err
}
return nil, kerrs.NewNotFound(api.Resource("user"), name)
}
示例5: GetIdentity
func (r *IdentityRegistry) GetIdentity(ctx kapi.Context, name string) (*api.Identity, error) {
*r.Actions = append(*r.Actions, Action{"GetIdentity", name})
if identity, ok := r.Get[name]; ok {
return identity, nil
}
if err, ok := r.GetErr[name]; ok {
return nil, err
}
return nil, kerrs.NewNotFound(api.Resource("identity"), name)
}
示例6: getMapping
func (p *provisioningIdentityMapper) getMapping(ctx kapi.Context, identity *userapi.Identity) (kuser.Info, error) {
if len(identity.User.Name) == 0 {
return nil, kerrs.NewNotFound(userapi.Resource("useridentitymapping"), identity.Name)
}
u, err := p.user.GetUser(ctx, identity.User.Name)
if err != nil {
return nil, err
}
if u.UID != identity.User.UID {
glog.Errorf("identity.user.uid (%s) and user.uid (%s) do not match for identity %s", identity.User.UID, u.UID, identity.Name)
return nil, kerrs.NewNotFound(userapi.Resource("useridentitymapping"), identity.Name)
}
if !sets.NewString(u.Identities...).Has(identity.Name) {
glog.Errorf("user.identities (%#v) does not include identity (%s)", u, identity.Name)
return nil, kerrs.NewNotFound(userapi.Resource("useridentitymapping"), identity.Name)
}
return &kuser.DefaultInfo{
Name: u.Name,
UID: string(u.UID),
Groups: u.Groups,
}, nil
}
示例7: getRelatedObjects
// getRelatedObjects returns the identity, user, and mapping for the named identity
// a nil mappingErr means all objects were retrieved without errors, and correctly reference each other
func (s *REST) getRelatedObjects(ctx kapi.Context, name string) (
identity *api.Identity, identityErr error,
user *api.User, userErr error,
mapping *api.UserIdentityMapping, mappingErr error,
) {
// Initialize errors to NotFound
identityErr = kerrs.NewNotFound(api.Resource("identity"), name)
userErr = kerrs.NewNotFound(api.Resource("user"), "")
mappingErr = kerrs.NewNotFound(api.Resource("useridentitymapping"), name)
// Get identity
identity, identityErr = s.identityRegistry.GetIdentity(ctx, name)
if identityErr != nil {
return
}
if !hasUserMapping(identity) {
return
}
// Get user
user, userErr = s.userRegistry.GetUser(ctx, identity.User.Name)
if userErr != nil {
return
}
// Ensure relational integrity
if !identityReferencesUser(identity, user) {
return
}
if !userReferencesIdentity(user, identity) {
return
}
mapping, mappingErr = mappingFor(user, identity)
return
}
示例8: NewREST
// NewREST returns a RESTStorage object that will work against groups
func NewREST(optsGetter restoptions.Getter) (*REST, error) {
store := ®istry.Store{
NewFunc: func() runtime.Object { return &api.Group{} },
NewListFunc: func() runtime.Object { return &api.GroupList{} },
ObjectNameFunc: func(obj runtime.Object) (string, error) {
return obj.(*api.Group).Name, nil
},
PredicateFunc: func(label labels.Selector, field fields.Selector) storage.SelectionPredicate {
return group.Matcher(label, field)
},
QualifiedResource: api.Resource("groups"),
CreateStrategy: group.Strategy,
UpdateStrategy: group.Strategy,
}
if err := restoptions.ApplyOptions(optsGetter, store, false, storage.NoTriggerPublisher); err != nil {
return nil, err
}
return &REST{store}, nil
}
示例9: Get
// Get retrieves the item from etcd.
func (r *REST) Get(ctx kapi.Context, name string) (runtime.Object, error) {
// "~" means the currently authenticated user
if name == "~" {
user, ok := kapi.UserFrom(ctx)
if !ok || user.GetName() == "" {
return nil, kerrs.NewForbidden(api.Resource("user"), "~", errors.New("requests to ~ must be authenticated"))
}
name = user.GetName()
// remove the known virtual groups from the list if they are present
contextGroups := sets.NewString(user.GetGroups()...)
contextGroups.Delete(bootstrappolicy.UnauthenticatedGroup, bootstrappolicy.AuthenticatedGroup)
if ok, _ := validation.ValidateUserName(name, false); !ok {
// The user the authentication layer has identified cannot possibly be a persisted user
// Return an API representation of the virtual user
return &api.User{ObjectMeta: kapi.ObjectMeta{Name: name}, Groups: contextGroups.List()}, nil
}
obj, err := r.Store.Get(ctx, name)
if err == nil {
return obj, nil
}
if !kerrs.IsNotFound(err) {
return nil, err
}
return &api.User{ObjectMeta: kapi.ObjectMeta{Name: name}, Groups: contextGroups.List()}, nil
}
if ok, details := validation.ValidateUserName(name, false); !ok {
return nil, field.Invalid(field.NewPath("metadata", "name"), name, details)
}
return r.Store.Get(ctx, name)
}
示例10: createOrUpdate
func (s *REST) createOrUpdate(ctx kapi.Context, obj runtime.Object, forceCreate bool) (runtime.Object, bool, error) {
mapping := obj.(*api.UserIdentityMapping)
identity, identityErr, oldUser, oldUserErr, oldMapping, oldMappingErr := s.getRelatedObjects(ctx, mapping.Name)
// Ensure we didn't get any errors other than NotFound errors
if !(oldMappingErr == nil || kerrs.IsNotFound(oldMappingErr)) {
return nil, false, oldMappingErr
}
if !(identityErr == nil || kerrs.IsNotFound(identityErr)) {
return nil, false, identityErr
}
if !(oldUserErr == nil || kerrs.IsNotFound(oldUserErr)) {
return nil, false, oldUserErr
}
// If we expect to be creating, fail if the mapping already existed
if forceCreate && oldMappingErr == nil {
return nil, false, kerrs.NewAlreadyExists(api.Resource("useridentitymapping"), oldMapping.Name)
}
// Allow update to create if missing
creating := forceCreate || kerrs.IsNotFound(oldMappingErr)
if creating {
// Pre-create checks with no access to oldMapping
if err := rest.BeforeCreate(Strategy, ctx, mapping); err != nil {
return nil, false, err
}
// Ensure resource version is not specified
if len(mapping.ResourceVersion) > 0 {
return nil, false, kerrs.NewNotFound(api.Resource("useridentitymapping"), mapping.Name)
}
} else {
// Pre-update checks with access to oldMapping
if err := rest.BeforeUpdate(Strategy, ctx, mapping, oldMapping); err != nil {
return nil, false, err
}
// Ensure resource versions match
if len(mapping.ResourceVersion) > 0 && mapping.ResourceVersion != oldMapping.ResourceVersion {
return nil, false, kerrs.NewConflict(api.Resource("useridentitymapping"), mapping.Name, fmt.Errorf("the resource was updated to %s", oldMapping.ResourceVersion))
}
// If we're "updating" to the user we're already pointing to, we're already done
if mapping.User.Name == oldMapping.User.Name {
return oldMapping, false, nil
}
}
// Validate identity
if kerrs.IsNotFound(identityErr) {
errs := field.ErrorList{field.Invalid(field.NewPath("identity", "name"), mapping.Identity.Name, "referenced identity does not exist")}
return nil, false, kerrs.NewInvalid(api.Kind("UserIdentityMapping"), mapping.Name, errs)
}
// Get new user
newUser, err := s.userRegistry.GetUser(ctx, mapping.User.Name)
if kerrs.IsNotFound(err) {
errs := field.ErrorList{field.Invalid(field.NewPath("user", "name"), mapping.User.Name, "referenced user does not exist")}
return nil, false, kerrs.NewInvalid(api.Kind("UserIdentityMapping"), mapping.Name, errs)
}
if err != nil {
return nil, false, err
}
// Update the new user to point at the identity. If this fails, Update is re-entrant
if addIdentityToUser(identity, newUser) {
if _, err := s.userRegistry.UpdateUser(ctx, newUser); err != nil {
return nil, false, err
}
}
// Update the identity to point at the new user. If this fails. Update is re-entrant
if setIdentityUser(identity, newUser) {
if updatedIdentity, err := s.identityRegistry.UpdateIdentity(ctx, identity); err != nil {
return nil, false, err
} else {
identity = updatedIdentity
}
}
// At this point, the mapping for the identity has been updated to the new user
// Everything past this point is cleanup
// Update the old user to no longer point at the identity.
// If this fails, log the error, but continue, because Update is no longer re-entrant
if oldUser != nil && removeIdentityFromUser(identity, oldUser) {
if _, err := s.userRegistry.UpdateUser(ctx, oldUser); err != nil {
utilruntime.HandleError(fmt.Errorf("error removing identity reference %s from user %s: %v", identity.Name, oldUser.Name, err))
}
}
updatedMapping, err := mappingFor(newUser, identity)
return updatedMapping, creating, err
}
示例11: TestUserInitialization
func TestUserInitialization(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterConfig, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
optsGetter := originrest.StorageOptions(*masterConfig)
userStorage, err := useretcd.NewREST(optsGetter)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage, err := identityetcd.NewREST(optsGetter)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
identityRegistry := identityregistry.NewRegistry(identityStorage)
lookup, err := identitymapper.NewIdentityUserMapper(identityRegistry, userRegistry, identitymapper.MappingMethodLookup)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
generate, err := identitymapper.NewIdentityUserMapper(identityRegistry, userRegistry, identitymapper.MappingMethodGenerate)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
add, err := identitymapper.NewIdentityUserMapper(identityRegistry, userRegistry, identitymapper.MappingMethodAdd)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
claim, err := identitymapper.NewIdentityUserMapper(identityRegistry, userRegistry, identitymapper.MappingMethodClaim)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
testcases := map[string]struct {
Identity authapi.UserIdentityInfo
Mapper authapi.UserIdentityMapper
CreateIdentity *api.Identity
CreateUser *api.User
CreateMapping *api.UserIdentityMapping
UpdateUser *api.User
ExpectedErr error
ExpectedUserName string
ExpectedFullName string
ExpectedIdentities []string
}{
"lookup missing identity": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: lookup,
ExpectedErr: identitymapper.NewLookupError(makeIdentityInfo("idp", "bob", nil), kerrs.NewNotFound(api.Resource("useridentitymapping"), "idp:bob")),
},
"lookup existing identity": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: lookup,
CreateUser: makeUser("mappeduser"),
CreateIdentity: makeIdentity("idp", "bob"),
CreateMapping: makeMapping("mappeduser", "idp:bob"),
ExpectedUserName: "mappeduser",
ExpectedIdentities: []string{"idp:bob"},
},
"generate missing identity and user": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: generate,
ExpectedUserName: "bob",
ExpectedIdentities: []string{"idp:bob"},
},
"generate missing identity and user with preferred username and display name": {
Identity: makeIdentityInfo("idp", "bob", map[string]string{authapi.IdentityDisplayNameKey: "Bob, Sr.", authapi.IdentityPreferredUsernameKey: "admin"}),
Mapper: generate,
ExpectedUserName: "admin",
ExpectedFullName: "Bob, Sr.",
ExpectedIdentities: []string{"idp:bob"},
},
"generate missing identity for existing user": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: generate,
CreateUser: makeUser("bob", "idp:bob"),
ExpectedUserName: "bob",
ExpectedIdentities: []string{"idp:bob"},
},
"generate missing identity with conflicting user": {
//.........这里部分代码省略.........
示例12: impersonationFilter
func (c *MasterConfig) impersonationFilter(handler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
requestedSubject := req.Header.Get(authenticationapi.ImpersonateUserHeader)
if len(requestedSubject) == 0 {
handler.ServeHTTP(w, req)
return
}
resource, namespace, name, err := parseRequestedSubject(requestedSubject)
if err != nil {
forbidden(err.Error(), nil, w, req)
return
}
ctx, exists := c.RequestContextMapper.Get(req)
if !exists {
forbidden("context not found", nil, w, req)
return
}
actingAsAttributes := &authorizer.DefaultAuthorizationAttributes{
Verb: "impersonate",
APIGroup: resource.Group,
Resource: resource.Resource,
ResourceName: name,
}
authCheckCtx := kapi.WithNamespace(ctx, namespace)
allowed, reason, err := c.Authorizer.Authorize(authCheckCtx, actingAsAttributes)
if err != nil {
forbidden(err.Error(), actingAsAttributes, w, req)
return
}
if !allowed {
forbidden(reason, actingAsAttributes, w, req)
return
}
var extra map[string][]string
if requestScopes, ok := req.Header[authenticationapi.ImpersonateUserScopeHeader]; ok {
extra = map[string][]string{authorizationapi.ScopesKey: requestScopes}
}
switch resource {
case kapi.Resource(authorizationapi.ServiceAccountResource):
newUser := &user.DefaultInfo{
Name: serviceaccount.MakeUsername(namespace, name),
Groups: serviceaccount.MakeGroupNames(namespace, name),
Extra: extra,
}
newUser.Groups = append(newUser.Groups, bootstrappolicy.AuthenticatedGroup)
c.RequestContextMapper.Update(req, kapi.WithUser(ctx, newUser))
case userapi.Resource(authorizationapi.UserResource):
newUser := &user.DefaultInfo{
Name: name,
Extra: extra,
}
groups, err := c.GroupCache.GroupsFor(name)
if err == nil {
for _, group := range groups {
newUser.Groups = append(newUser.Groups, group.Name)
}
}
newUser.Groups = append(newUser.Groups, bootstrappolicy.AuthenticatedGroup, bootstrappolicy.AuthenticatedOAuthGroup)
c.RequestContextMapper.Update(req, kapi.WithUser(ctx, newUser))
case userapi.Resource(authorizationapi.SystemUserResource):
newUser := &user.DefaultInfo{
Name: name,
Extra: extra,
}
if name == bootstrappolicy.UnauthenticatedUsername {
newUser.Groups = append(newUser.Groups, bootstrappolicy.UnauthenticatedGroup)
} else {
newUser.Groups = append(newUser.Groups, bootstrappolicy.AuthenticatedGroup)
}
c.RequestContextMapper.Update(req, kapi.WithUser(ctx, newUser))
default:
forbidden(fmt.Sprintf("%v is an unhandled resource for acting-as", resource), nil, w, req)
return
}
newCtx, _ := c.RequestContextMapper.Get(req)
oldUser, _ := kapi.UserFrom(ctx)
newUser, _ := kapi.UserFrom(newCtx)
httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
handler.ServeHTTP(w, req)
})
}
示例13: TestProvision
func TestProvision(t *testing.T) {
testcases := map[string]struct {
ProviderName string
ProviderUserName string
ExistingIdentity *userapi.Identity
ExistingUser *userapi.User
NewIdentityGetterResponses []interface{}
ExpectedActions []test.Action
ExpectedError bool
ExpectedUserName string
}{
"no identity, create user succeeds": {
ProviderName: "idp",
ProviderUserName: "bob",
ExistingIdentity: nil,
ExistingUser: nil,
NewIdentityGetterResponses: []interface{}{
makeUser("bobUserUID", "bob", "idp:bob"),
},
ExpectedActions: []test.Action{
{"GetIdentity", "idp:bob"},
// ... new identity user getter creates user
{"CreateIdentity", makeIdentity("", "idp", "bob", "bobUserUID", "bob")},
},
ExpectedUserName: "bob",
},
"no identity, alreadyexists error retries": {
ProviderName: "idp",
ProviderUserName: "bob",
ExistingIdentity: nil,
ExistingUser: nil,
NewIdentityGetterResponses: []interface{}{
kerrs.NewAlreadyExists(userapi.Resource("User"), "bob"),
makeUser("bobUserUID", "bob", "idp:bob"),
},
ExpectedActions: []test.Action{
{"GetIdentity", "idp:bob"},
// ... new identity user getter returns error
{"GetIdentity", "idp:bob"},
// ... new identity user getter creates user
{"CreateIdentity", makeIdentity("", "idp", "bob", "bobUserUID", "bob")},
},
ExpectedUserName: "bob",
},
"no identity, conflict error retries": {
ProviderName: "idp",
ProviderUserName: "bob",
ExistingIdentity: nil,
ExistingUser: nil,
NewIdentityGetterResponses: []interface{}{
kerrs.NewConflict(userapi.Resource("User"), "bob", fmt.Errorf("conflict")),
makeUser("bobUserUID", "bob", "idp:bob"),
},
ExpectedActions: []test.Action{
{"GetIdentity", "idp:bob"},
// ... new identity user getter returns error
{"GetIdentity", "idp:bob"},
// ... new identity user getter creates user
{"CreateIdentity", makeIdentity("", "idp", "bob", "bobUserUID", "bob")},
},
ExpectedUserName: "bob",
},
"no identity, only retries 3 times": {
ProviderName: "idp",
ProviderUserName: "bob",
ExistingIdentity: nil,
ExistingUser: nil,
NewIdentityGetterResponses: []interface{}{
kerrs.NewConflict(userapi.Resource("User"), "bob", fmt.Errorf("conflict")),
kerrs.NewConflict(userapi.Resource("User"), "bob", fmt.Errorf("conflict")),
kerrs.NewConflict(userapi.Resource("User"), "bob", fmt.Errorf("conflict")),
kerrs.NewConflict(userapi.Resource("User"), "bob", fmt.Errorf("conflict")),
},
ExpectedActions: []test.Action{
// original attempt
{"GetIdentity", "idp:bob"},
// ... new identity user getter returns error
// retry #1
{"GetIdentity", "idp:bob"},
// ... new identity user getter returns error
// retry #2
{"GetIdentity", "idp:bob"},
// ... new identity user getter returns error
// retry #3
{"GetIdentity", "idp:bob"},
// ... new identity user getter returns error
},
ExpectedError: true,
},
"no identity, unknown error does not retry": {
//.........这里部分代码省略.........