GitList

Browse code

expose evaluation errors for RAR

deads2k authored on 2015/09/29 23:52:51
Showing 8 changed files

pkg/authorization/api/deep_copy_generated.go index aa1c91f..96dd1b2 100644
pkg/authorization/api/types.go index cad7d62..c0e423d 100644
pkg/authorization/api/v1/deep_copy_generated.go index 4b35620..75eabec 100644
pkg/authorization/api/v1/swagger_doc.go index 556ee25..f8e7fcf 100644
pkg/authorization/api/v1/types.go index a4c19c9..e451219 100644
pkg/authorization/registry/resourceaccessreview/rest.go index 620bcc3..4836234 100644
pkg/cmd/admin/policy/who_can.go index 5dea006..1f323b8 100644
test/integration/authorization_test.go index 1aab574..b82c48c 100644

pkg/authorization/api/deep_copy_generated.go

@@ -505,6 +505,7 @@ func DeepCopy_api_ResourceAccessReviewResponse(in ResourceAccessReviewResponse,
 	} else {
 		out.Groups = nil
 	}
+	out.EvaluationError = in.EvaluationError
 	return nil
 }
 

pkg/authorization/api/types.go

History View file @ 16333f7

@@ -174,6 +174,11 @@ type ResourceAccessReviewResponse struct {
                      	Users sets.String
                      	// Groups is the list of groups who can perform the action
                      	Groups sets.String
+                    +
                     +	// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
                     +	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.  This is
                     +	// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
                     +	EvaluationError string
+                     }
                      // ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the

pkg/authorization/api/v1/deep_copy_generated.go

History View file @ 16333f7

@@ -497,6 +497,7 @@ func DeepCopy_v1_ResourceAccessReviewResponse(in ResourceAccessReviewResponse, o
 	} else {
 		out.GroupsSlice = nil
 	}
+	out.EvaluationError = in.EvaluationError
 	return nil
 }
 

pkg/authorization/api/v1/swagger_doc.go

History View file @ 16333f7

@@ -239,10 +239,11 @@ func (ResourceAccessReview) SwaggerDoc() map[string]string {
+                     }
                      var map_ResourceAccessReviewResponse = map[string]string{
                     -	"":          "ResourceAccessReviewResponse describes who can perform the action",
                     -	"namespace": "Namespace is the namespace used for the access review",
                     -	"users":     "UsersSlice is the list of users who can perform the action",
                     -	"groups":    "GroupsSlice is the list of groups who can perform the action",
                     +	"":               "ResourceAccessReviewResponse describes who can perform the action",
                     +	"namespace":      "Namespace is the namespace used for the access review",
                     +	"users":          "UsersSlice is the list of users who can perform the action",
                     +	"groups":         "GroupsSlice is the list of groups who can perform the action",
                     +	"evalutionError": "EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned. It is entirely possible to get an error and be able to continue determine authorization status in spite of it.  This is most common when a bound role is missing, but enough roles are still present and bound to reason about the request.",
+                     }
                      func (ResourceAccessReviewResponse) SwaggerDoc() map[string]string {

pkg/authorization/api/v1/types.go

History View file @ 16333f7

@@ -155,6 +155,11 @@ type ResourceAccessReviewResponse struct {
                      	UsersSlice []string `json:"users"`
                      	// GroupsSlice is the list of groups who can perform the action
                      	GroupsSlice []string `json:"groups"`
+                    +
                     +	// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
                     +	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.  This is
                     +	// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
                     +	EvaluationError string `json:"evalutionError"`
+                     }
                      // ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the

pkg/authorization/registry/resourceaccessreview/rest.go

History View file @ 16333f7

@@ -51,13 +51,16 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err
                      	requestContext := kapi.WithNamespace(ctx, resourceAccessReview.Action.Namespace)
                      	attributes := authorizer.ToDefaultAuthorizationAttributes(resourceAccessReview.Action)
                     -	users, groups, _ := r.authorizer.GetAllowedSubjects(requestContext, attributes)
                     +	users, groups, err := r.authorizer.GetAllowedSubjects(requestContext, attributes)
                      	response := &authorizationapi.ResourceAccessReviewResponse{
                      		Namespace: resourceAccessReview.Action.Namespace,
                      		Users:     users,
                      		Groups:    groups,
+                     	}
                     +	if err != nil {
                     +		response.EvaluationError = err.Error()
                     +	}
                      	return response, nil
+                     }

pkg/cmd/admin/policy/who_can.go

History View file @ 16333f7

@@ -138,5 +138,9 @@ func (o *whoCanOptions) run() error {
 		fmt.Printf("Groups: %s\n\n", strings.Join(resourceAccessReviewResponse.Groups.List(), "\n        "))
 	}
 
+	if len(resourceAccessReviewResponse.EvaluationError) != 0 {
+		fmt.Printf("Error during evaluation, results may not be complete: %s\n", resourceAccessReviewResponse.EvaluationError)
+	}
+
 	return nil
 }

test/integration/authorization_test.go

History View file @ 16333f7

@@ -304,7 +304,10 @@ func (test resourceAccessReviewTest) run(t *testing.T) {
+                     			}
+                     		}
                     -		if actualResponse.Namespace != test.response.Namespace || !reflect.DeepEqual(actualResponse.Users.List(), test.response.Users.List()) || !reflect.DeepEqual(actualResponse.Groups.List(), test.response.Groups.List()) {
                     +		if actualResponse.Namespace != test.response.Namespace ||
                     +			!reflect.DeepEqual(actualResponse.Users.List(), test.response.Users.List()) ||
                     +			!reflect.DeepEqual(actualResponse.Groups.List(), test.response.Groups.List()) ||
                     +			actualResponse.EvaluationError != test.response.EvaluationError {
                      			failMessage = fmt.Sprintf("%s: %#v: expected %#v, got %#v", test.description, test.review, test.response, actualResponse)
                      			return false, nil
+                     		}
@@ -354,7 +357,10 @@ func (test localResourceAccessReviewTest) run(t *testing.T) {
+                     			}
+                     		}
                     -		if actualResponse.Namespace != test.response.Namespace || !reflect.DeepEqual(actualResponse.Users.List(), test.response.Users.List()) || !reflect.DeepEqual(actualResponse.Groups.List(), test.response.Groups.List()) {
                     +		if actualResponse.Namespace != test.response.Namespace ||
                     +			!reflect.DeepEqual(actualResponse.Users.List(), test.response.Users.List()) ||
                     +			!reflect.DeepEqual(actualResponse.Groups.List(), test.response.Groups.List()) ||
                     +			actualResponse.EvaluationError != test.response.EvaluationError {
                      			failMessage = fmt.Sprintf("%s: %#v: expected %#v, got %#v", test.description, test.review, test.response, actualResponse)
                      			return false, nil
+                     		}
@@ -495,9 +501,10 @@ func TestAuthorizationResourceAccessReview(t *testing.T) {
                      			clientInterface: clusterAdminClient.LocalResourceAccessReviews("mallet-project"),
                      			review:          localRequestWhoCanViewDeploymentConfigs,
                      			response: authorizationapi.ResourceAccessReviewResponse{
                     -				Users:     sets.NewString("edgar"),
                     -				Groups:    sets.NewString(),
                     -				Namespace: "mallet-project",
                     +				Users:           sets.NewString("edgar"),
                     +				Groups:          sets.NewString(),
                     +				Namespace:       "mallet-project",
                     +				EvaluationError: `role "admin" not found`,
                      			},
+                     		}
                      		test.response.Users.Insert(globalClusterReaderUsers.List()...)

...	...	@@ -505,6 +505,7 @@ func DeepCopy_api_ResourceAccessReviewResponse(in ResourceAccessReviewResponse,
505	505	} else {
506	506	out.Groups = nil
507	507	}
	508	+ out.EvaluationError = in.EvaluationError
508	509	return nil
509	510	}
510	511

...	...	@@ -138,5 +138,9 @@ func (o *whoCanOptions) run() error {
138	138	fmt.Printf("Groups: %s\n\n", strings.Join(resourceAccessReviewResponse.Groups.List(), "\n "))
139	139	}
140	140
	141	+ if len(resourceAccessReviewResponse.EvaluationError) != 0 {
	142	+ fmt.Printf("Error during evaluation, results may not be complete: %s\n", resourceAccessReviewResponse.EvaluationError)
	143	+ }
	144	+
141	145	return nil
142	146	}

...	...	@@ -497,6 +497,7 @@ func DeepCopy_v1_ResourceAccessReviewResponse(in ResourceAccessReviewResponse, o
497	497	} else {
498	498	out.GroupsSlice = nil
499	499	}
	500	+ out.EvaluationError = in.EvaluationError
500	501	return nil
501	502	}
502	503