2247d8c3a2
* + endpoint and namespace level authorizations + user namespace authorization API + k8s client setup service account with k8s roles and policies by portainer role * User authorization changes refresh token cache * rbac authorizes k8s requests * CE to EE migrator to include new authorizations * code clean up * comments * * merge in the RestrictDefaultNamespace changes * - remove unnecessary check for default namespace * + updates namespace access policies when generating token * * updates namespace access policies when querying the user namespace endpoint * + k8s rule in rbac.go for endpoint access test + missing k8s cluster rules for different roles * feat(rbac): update kube rbac * feat(rbac): use the authorization directive * feat(rbac): Update namespace access policies when user/team is deleted * refactor(app): use new angular-multi-select capabilities * feat(rbac): fix authorizations * feat(rbac): fix userAccessPolicies update bug * feat(rbac): add W applications authorizations * feat(rbac): add application details W authorizations * feat(rbac): add configurations W autohorizations * feat(rbac): add configuration details W authorizations * feat(rbac): add volumes W authorizations * feat(rbac): add volume details W authorizations * feat(rbac): add componentstatus to portainer-view role and add cluster/node authorizations * fix(rbac): disable application note for non authorized user * fix(rbac): add endpoints list and components status to portainer-basic * fix(rbac): allow user to access default namespace when restrict default namespace isn't activated * fix(rbac): remove default namespace from useraccesspolicies when restrict default namespace isn't activated * fix(rbac): change some things * fix(rbac): allow standard user to access container console * - removed unused parameter * fix(rbac): fix team authorizations Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com> Co-authored-by: xAt0mZ <baron_l@epitech.eu>
127 lines
3.2 KiB
Go
127 lines
3.2 KiB
Go
package kubernetes
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"sync"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/internal/authorization"
|
|
)
|
|
|
|
const defaultServiceAccountTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
|
|
type tokenManager struct {
|
|
tokenCache *tokenCache
|
|
kubecli portainer.KubeClient
|
|
dataStore portainer.DataStore
|
|
mutex sync.Mutex
|
|
adminToken string
|
|
authService *authorization.Service
|
|
}
|
|
|
|
// NewTokenManager returns a pointer to a new instance of tokenManager.
|
|
// If the useLocalAdminToken parameter is set to true, it will search for the local admin service account
|
|
// and associate it to the manager.
|
|
func NewTokenManager(
|
|
kubecli portainer.KubeClient,
|
|
dataStore portainer.DataStore,
|
|
cache *tokenCache,
|
|
setLocalAdminToken bool,
|
|
authService *authorization.Service,
|
|
) (*tokenManager, error) {
|
|
tokenManager := &tokenManager{
|
|
tokenCache: cache,
|
|
kubecli: kubecli,
|
|
dataStore: dataStore,
|
|
mutex: sync.Mutex{},
|
|
adminToken: "",
|
|
authService: authService,
|
|
}
|
|
|
|
if setLocalAdminToken {
|
|
token, err := ioutil.ReadFile(defaultServiceAccountTokenFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tokenManager.adminToken = string(token)
|
|
}
|
|
|
|
return tokenManager, nil
|
|
}
|
|
|
|
func (manager *tokenManager) getAdminServiceAccountToken() string {
|
|
return manager.adminToken
|
|
}
|
|
|
|
// setup a user's service account if not exist, then retrieve its token
|
|
func (manager *tokenManager) getUserServiceAccountToken(
|
|
userID int, endpointID int,
|
|
) (string, error) {
|
|
manager.mutex.Lock()
|
|
defer manager.mutex.Unlock()
|
|
|
|
token, ok := manager.tokenCache.getToken(userID)
|
|
if !ok {
|
|
user, err := manager.dataStore.User().User(portainer.UserID(userID))
|
|
if err != nil || user == nil {
|
|
return "", err
|
|
}
|
|
|
|
endpointRole, err := manager.authService.GetUserEndpointRole(userID, endpointID)
|
|
if err != nil || endpointRole == nil {
|
|
return "", err
|
|
}
|
|
|
|
endpoint, err := manager.dataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
namespaces, err := manager.kubecli.GetNamespaces()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
accessPolicies, err := manager.kubecli.GetNamespaceAccessPolicies()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
// update the namespace access policies based on user's role, also in configmap.
|
|
accessPolicies, hasChange, err := manager.authService.UpdateUserNamespaceAccessPolicies(
|
|
userID, endpoint, accessPolicies,
|
|
)
|
|
if hasChange {
|
|
err = manager.kubecli.UpdateNamespaceAccessPolicies(accessPolicies)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
namespaceRoles, err := manager.authService.GetUserNamespaceRoles(
|
|
userID, endpointID, accessPolicies, namespaces, endpointRole.Authorizations,
|
|
endpoint.Kubernetes.Configuration,
|
|
)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
err = manager.kubecli.SetupUserServiceAccount(
|
|
*user, endpointRole.ID, namespaces, namespaceRoles,
|
|
)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
serviceAccountToken, err := manager.kubecli.GetServiceAccountBearerToken(userID)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
manager.tokenCache.addToken(userID, serviceAccountToken)
|
|
token = serviceAccountToken
|
|
}
|
|
|
|
return token, nil
|
|
}
|