github.com/kubewharf/katalyst-core@v0.5.3/pkg/util/credential/authorization/authorizations.go (about) 1 /* 2 Copyright 2022 The Katalyst Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package authorization 18 19 import ( 20 "context" 21 "fmt" 22 23 "github.com/kubewharf/katalyst-core/pkg/config/agent/dynamic" 24 "github.com/kubewharf/katalyst-core/pkg/config/generic" 25 "github.com/kubewharf/katalyst-core/pkg/util/credential" 26 ) 27 28 type PermissionType string 29 30 type AccessControlType string 31 32 type AuthRule map[string][]PermissionType 33 34 const ( 35 // PermissionTypeHttpEndpoint represents all http resources 36 PermissionTypeHttpEndpoint = "http_endpoint" 37 // PermissionTypeEvictionPlugin represents the permission to register eviction plugin. 38 PermissionTypeEvictionPlugin = "eviction_plugin" 39 // PermissionTypeAll represents all permissions. 40 PermissionTypeAll = "*" 41 ) 42 43 const ( 44 AccessControlTypeInsecure = "insecure" 45 AccessControlTypeStatic = "static" 46 AccessControlTypeDynamicConf = "dynamic_conf" 47 ) 48 49 const ( 50 ErrorMsgInvalidSubject = "there is no record associated to subject %v" 51 ErrorMsgNoPermission = "subject %v has no permission to resource %v" 52 ) 53 54 // AccessControl verifies whether the subject the AuthInfo holds has the permission on the target resource. 55 type AccessControl interface { 56 // Verify verifies whether the subject passed in has the permission on the target resource. 57 Verify(authInfo credential.AuthInfo, targetResource PermissionType) error 58 // Run starts the AccessControl component 59 Run(ctx context.Context) 60 } 61 62 func verify(authInfo credential.AuthInfo, targetResource PermissionType, rules AuthRule) error { 63 resources, ok := rules[authInfo.SubjectName()] 64 if !ok { 65 return fmt.Errorf(ErrorMsgInvalidSubject, authInfo.SubjectName()) 66 } 67 68 for _, resource := range resources { 69 if resource == targetResource || resource == PermissionTypeAll { 70 return nil 71 } 72 } 73 74 return fmt.Errorf(ErrorMsgNoPermission, authInfo.SubjectName(), targetResource) 75 } 76 77 type NewAccessControlFunc func(authConfig *generic.AuthConfiguration, dynamicConfig *dynamic.DynamicAgentConfiguration) (AccessControl, error) 78 79 var accessControlInitializer = make(map[AccessControlType]NewAccessControlFunc) 80 81 func RegisterAccessControlInitializer(authType AccessControlType, initializer NewAccessControlFunc) { 82 accessControlInitializer[authType] = initializer 83 } 84 85 func GetAccessControlInitializer() map[AccessControlType]NewAccessControlFunc { 86 return accessControlInitializer 87 } 88 89 func init() { 90 RegisterAccessControlInitializer(AccessControlTypeInsecure, NewInsecureAccessControl) 91 RegisterAccessControlInitializer(AccessControlTypeDynamicConf, NewDynamicConfAccessControl) 92 RegisterAccessControlInitializer(AccessControlTypeStatic, NewStaticAccessControl) 93 } 94 95 func GetAccessControl(genericConf *generic.GenericConfiguration, dynamicConfig *dynamic.DynamicAgentConfiguration) (AccessControl, error) { 96 accessControlInitializer, ok := GetAccessControlInitializer()[AccessControlType(genericConf.AuthConfiguration.AccessControlType)] 97 if ok { 98 ac, err := accessControlInitializer(genericConf.AuthConfiguration, dynamicConfig) 99 if err != nil { 100 return nil, fmt.Errorf("initialize access control failed,type: %v, err: %v", genericConf.AccessControlType, err) 101 } 102 103 return ac, nil 104 } else { 105 return nil, fmt.Errorf("unsupported access control type: %v", genericConf.AuthConfiguration.AccessControlType) 106 } 107 } 108 109 func DefaultAccessControl() AccessControl { 110 return &insecureAccessControl{} 111 }