Files
portainer/api/http/proxy/factory/kubernetes/token.go
T
Yi Chen 2247d8c3a2 (feat)k8s/RBAC: Provide Portainer RBAC functionality for Kubernetes endpoints (#35)
* + endpoint and namespace level authorizations
+ user namespace authorization API
+ k8s client setup service account with k8s roles and policies by portainer role
* User authorization changes refresh token cache
* rbac authorizes k8s requests
* CE to EE migrator to include new authorizations

* code clean up
* comments

* * merge in the RestrictDefaultNamespace changes

* - remove unnecessary check for default namespace

* + updates namespace access policies when generating token

* * updates namespace access policies when querying the user namespace endpoint

* + k8s rule in rbac.go for endpoint access test
+ missing k8s cluster rules for different roles

* feat(rbac): update kube rbac

* feat(rbac): use the authorization directive

* feat(rbac): Update namespace access policies when user/team is deleted

* refactor(app): use new angular-multi-select capabilities

* feat(rbac): fix authorizations

* feat(rbac): fix userAccessPolicies update bug

* feat(rbac): add W applications authorizations

* feat(rbac): add application details W authorizations

* feat(rbac): add configurations W autohorizations

* feat(rbac): add configuration details W authorizations

* feat(rbac): add volumes W authorizations

* feat(rbac): add volume details W authorizations

* feat(rbac): add componentstatus to portainer-view role and add cluster/node authorizations

* fix(rbac): disable application note for non authorized user

* fix(rbac): add endpoints list and components status to portainer-basic

* fix(rbac): allow user to access default namespace when restrict default namespace isn't activated

* fix(rbac): remove default namespace from useraccesspolicies when restrict default namespace isn't activated

* fix(rbac): change some things

* fix(rbac): allow standard user to access container console

* - removed unused parameter

* fix(rbac): fix team authorizations

Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
Co-authored-by: xAt0mZ <baron_l@epitech.eu>
2020-11-03 22:08:09 +13:00

127 lines
3.2 KiB
Go

package kubernetes
import (
"io/ioutil"
"sync"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/internal/authorization"
)
const defaultServiceAccountTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
type tokenManager struct {
tokenCache *tokenCache
kubecli portainer.KubeClient
dataStore portainer.DataStore
mutex sync.Mutex
adminToken string
authService *authorization.Service
}
// NewTokenManager returns a pointer to a new instance of tokenManager.
// If the useLocalAdminToken parameter is set to true, it will search for the local admin service account
// and associate it to the manager.
func NewTokenManager(
kubecli portainer.KubeClient,
dataStore portainer.DataStore,
cache *tokenCache,
setLocalAdminToken bool,
authService *authorization.Service,
) (*tokenManager, error) {
tokenManager := &tokenManager{
tokenCache: cache,
kubecli: kubecli,
dataStore: dataStore,
mutex: sync.Mutex{},
adminToken: "",
authService: authService,
}
if setLocalAdminToken {
token, err := ioutil.ReadFile(defaultServiceAccountTokenFile)
if err != nil {
return nil, err
}
tokenManager.adminToken = string(token)
}
return tokenManager, nil
}
func (manager *tokenManager) getAdminServiceAccountToken() string {
return manager.adminToken
}
// setup a user's service account if not exist, then retrieve its token
func (manager *tokenManager) getUserServiceAccountToken(
userID int, endpointID int,
) (string, error) {
manager.mutex.Lock()
defer manager.mutex.Unlock()
token, ok := manager.tokenCache.getToken(userID)
if !ok {
user, err := manager.dataStore.User().User(portainer.UserID(userID))
if err != nil || user == nil {
return "", err
}
endpointRole, err := manager.authService.GetUserEndpointRole(userID, endpointID)
if err != nil || endpointRole == nil {
return "", err
}
endpoint, err := manager.dataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
if err != nil {
return "", err
}
namespaces, err := manager.kubecli.GetNamespaces()
if err != nil {
return "", err
}
accessPolicies, err := manager.kubecli.GetNamespaceAccessPolicies()
if err != nil {
return "", err
}
// update the namespace access policies based on user's role, also in configmap.
accessPolicies, hasChange, err := manager.authService.UpdateUserNamespaceAccessPolicies(
userID, endpoint, accessPolicies,
)
if hasChange {
err = manager.kubecli.UpdateNamespaceAccessPolicies(accessPolicies)
if err != nil {
return "", err
}
}
namespaceRoles, err := manager.authService.GetUserNamespaceRoles(
userID, endpointID, accessPolicies, namespaces, endpointRole.Authorizations,
endpoint.Kubernetes.Configuration,
)
if err != nil {
return "", err
}
err = manager.kubecli.SetupUserServiceAccount(
*user, endpointRole.ID, namespaces, namespaceRoles,
)
if err != nil {
return "", err
}
serviceAccountToken, err := manager.kubecli.GetServiceAccountBearerToken(userID)
if err != nil {
return "", err
}
manager.tokenCache.addToken(userID, serviceAccountToken)
token = serviceAccountToken
}
return token, nil
}