Browse code
Fix args check for role and scc modify
Kenjiro Nakayama authored on 2016/01/28 18:25:36Showing 5 changed files
- docs/generated/oadm_by_example_content.adoc
- docs/generated/oc_by_example_content.adoc
- pkg/cmd/admin/policy/modify_roles.go
- pkg/cmd/admin/policy/modify_scc.go
- test/cmd/policy.sh
| ... | ... |
@@ -282,6 +282,38 @@ Make project network global |
| 282 | 282 |
==== |
| 283 | 283 |
|
| 284 | 284 |
|
| 285 |
+== oadm policy add-role-to-user |
|
| 286 |
+Add users or serviceaccounts to a role in the current project |
|
| 287 |
+ |
|
| 288 |
+==== |
|
| 289 |
+ |
|
| 290 |
+[options="nowrap"] |
|
| 291 |
+---- |
|
| 292 |
+ # Add the 'view' role to user1 in the current project |
|
| 293 |
+ $ oadm policy add-role-to-user view user1 |
|
| 294 |
+ |
|
| 295 |
+ # Add the 'edit' role to serviceaccount1 in the current project |
|
| 296 |
+ $ oadm policy add-role-to-user edit -z serviceaccount1 |
|
| 297 |
+---- |
|
| 298 |
+==== |
|
| 299 |
+ |
|
| 300 |
+ |
|
| 301 |
+== oadm policy add-scc-to-user |
|
| 302 |
+Add users or serviceaccount to a security context constraint |
|
| 303 |
+ |
|
| 304 |
+==== |
|
| 305 |
+ |
|
| 306 |
+[options="nowrap"] |
|
| 307 |
+---- |
|
| 308 |
+ # Add the 'restricted' security context contraint to user1 and user2 |
|
| 309 |
+ $ oadm policy add-scc-to-user restricted user1 user2 |
|
| 310 |
+ |
|
| 311 |
+ # Add the 'privileged' security context contraint to the service account serviceaccount1 in the current namespace |
|
| 312 |
+ $ oadm policy add-scc-to-user privileged -z serviceaccount1 |
|
| 313 |
+---- |
|
| 314 |
+==== |
|
| 315 |
+ |
|
| 316 |
+ |
|
| 285 | 317 |
== oadm policy reconcile-cluster-role-bindings |
| 286 | 318 |
Replace cluster role bindings to match the recommended bootstrap policy |
| 287 | 319 |
|
| ... | ... |
@@ -626,6 +626,22 @@ Update field(s) of a resource using strategic merge patch. |
| 626 | 626 |
==== |
| 627 | 627 |
|
| 628 | 628 |
|
| 629 |
+== oc policy add-role-to-user |
|
| 630 |
+Add users or serviceaccounts to a role in the current project |
|
| 631 |
+ |
|
| 632 |
+==== |
|
| 633 |
+ |
|
| 634 |
+[options="nowrap"] |
|
| 635 |
+---- |
|
| 636 |
+ # Add the 'view' role to user1 in the current project |
|
| 637 |
+ $ oc policy add-role-to-user view user1 |
|
| 638 |
+ |
|
| 639 |
+ # Add the 'edit' role to serviceaccount1 in the current project |
|
| 640 |
+ $ oc policy add-role-to-user edit -z serviceaccount1 |
|
| 641 |
+---- |
|
| 642 |
+==== |
|
| 643 |
+ |
|
| 644 |
+ |
|
| 629 | 645 |
== oc port-forward |
| 630 | 646 |
Forward one or more local ports to a pod. |
| 631 | 647 |
|
| ... | ... |
@@ -27,6 +27,14 @@ const ( |
| 27 | 27 |
RemoveClusterRoleFromUserRecommendedName = "remove-cluster-role-from-user" |
| 28 | 28 |
) |
| 29 | 29 |
|
| 30 |
+const ( |
|
| 31 |
+ addRoleToUserExample = ` # Add the 'view' role to user1 in the current project |
|
| 32 |
+ $ %[1]s view user1 |
|
| 33 |
+ |
|
| 34 |
+ # Add the 'edit' role to serviceaccount1 in the current project |
|
| 35 |
+ $ %[1]s edit -z serviceaccount1` |
|
| 36 |
+) |
|
| 37 |
+ |
|
| 30 | 38 |
type RoleModificationOptions struct {
|
| 31 | 39 |
RoleNamespace string |
| 32 | 40 |
RoleName string |
| ... | ... |
@@ -67,9 +75,10 @@ func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Wri |
| 67 | 67 |
saNames := []string{}
|
| 68 | 68 |
|
| 69 | 69 |
cmd := &cobra.Command{
|
| 70 |
- Use: name + " ROLE USER [USER ...]", |
|
| 71 |
- Short: "Add users to a role in the current project", |
|
| 72 |
- Long: `Add users to a role in the current project`, |
|
| 70 |
+ Use: name + " ROLE (USER | -z SERVICEACCOUNT) [USER ...]", |
|
| 71 |
+ Short: "Add users or serviceaccounts to a role in the current project", |
|
| 72 |
+ Long: `Add users or serviceaccounts to a role in the current project`, |
|
| 73 |
+ Example: fmt.Sprintf(addRoleToUserExample, fullName), |
|
| 73 | 74 |
Run: func(cmd *cobra.Command, args []string) {
|
| 74 | 75 |
if err := options.CompleteUserWithSA(f, args, saNames); err != nil {
|
| 75 | 76 |
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error())) |
| ... | ... |
@@ -226,8 +235,8 @@ func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory |
| 226 | 226 |
} |
| 227 | 227 |
|
| 228 | 228 |
func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, args []string, saNames []string) error {
|
| 229 |
- if (len(args) < 2) && (len(saNames) == 0) {
|
|
| 230 |
- return errors.New("you must specify at least two arguments: <role> <user> [user]...")
|
|
| 229 |
+ if len(args) < 1 {
|
|
| 230 |
+ return errors.New("you must specify a role")
|
|
| 231 | 231 |
} |
| 232 | 232 |
|
| 233 | 233 |
o.RoleName = args[0] |
| ... | ... |
@@ -235,6 +244,10 @@ func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, args |
| 235 | 235 |
o.Users = append(o.Users, args[1:]...) |
| 236 | 236 |
} |
| 237 | 237 |
|
| 238 |
+ if (len(o.Users) == 0) && (len(saNames) == 0) {
|
|
| 239 |
+ return errors.New("you must specify at least one user or service account")
|
|
| 240 |
+ } |
|
| 241 |
+ |
|
| 238 | 242 |
osClient, _, err := f.Clients() |
| 239 | 243 |
if err != nil {
|
| 240 | 244 |
return err |
| ... | ... |
@@ -2,6 +2,7 @@ package policy |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"errors" |
| 5 |
+ "fmt" |
|
| 5 | 6 |
"io" |
| 6 | 7 |
|
| 7 | 8 |
"github.com/spf13/cobra" |
| ... | ... |
@@ -22,6 +23,14 @@ const ( |
| 22 | 22 |
RemoveSCCFromUserRecommendedName = "remove-scc-from-user" |
| 23 | 23 |
) |
| 24 | 24 |
|
| 25 |
+const ( |
|
| 26 |
+ addSCCToUserExample = ` # Add the 'restricted' security context contraint to user1 and user2 |
|
| 27 |
+ $ %[1]s restricted user1 user2 |
|
| 28 |
+ |
|
| 29 |
+ # Add the 'privileged' security context contraint to the service account serviceaccount1 in the current namespace |
|
| 30 |
+ $ %[1]s privileged -z serviceaccount1` |
|
| 31 |
+) |
|
| 32 |
+ |
|
| 25 | 33 |
type SCCModificationOptions struct {
|
| 26 | 34 |
SCCName string |
| 27 | 35 |
SCCInterface kclient.SecurityContextConstraintsInterface |
| ... | ... |
@@ -56,9 +65,10 @@ func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writ |
| 56 | 56 |
saNames := []string{}
|
| 57 | 57 |
|
| 58 | 58 |
cmd := &cobra.Command{
|
| 59 |
- Use: name + " SCC USER [USER ...]", |
|
| 60 |
- Short: "Add users to a security context constraint", |
|
| 61 |
- Long: `Add users to a security context constraint`, |
|
| 59 |
+ Use: name + " SCC (USER | -z SERVICEACCOUNT) [USER ...]", |
|
| 60 |
+ Short: "Add users or serviceaccount to a security context constraint", |
|
| 61 |
+ Long: `Add users or serviceaccount to a security context constraint`, |
|
| 62 |
+ Example: fmt.Sprintf(addSCCToUserExample, fullName), |
|
| 62 | 63 |
Run: func(cmd *cobra.Command, args []string) {
|
| 63 | 64 |
if err := options.CompleteUsers(f, args, saNames); err != nil {
|
| 64 | 65 |
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error())) |
| ... | ... |
@@ -121,13 +131,17 @@ func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io |
| 121 | 121 |
} |
| 122 | 122 |
|
| 123 | 123 |
func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, args []string, saNames []string) error {
|
| 124 |
- if (len(args) < 2) && (len(saNames) == 0) {
|
|
| 125 |
- return errors.New("you must specify at least two arguments (<scc> <user> [user]...) or a service account (<scc> -z <service account name>) ")
|
|
| 124 |
+ if len(args) < 1 {
|
|
| 125 |
+ return errors.New("you must specify a scc")
|
|
| 126 | 126 |
} |
| 127 | 127 |
|
| 128 | 128 |
o.SCCName = args[0] |
| 129 | 129 |
o.Subjects = authorizationapi.BuildSubjects(args[1:], []string{}, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)
|
| 130 | 130 |
|
| 131 |
+ if (len(o.Subjects) == 0) && (len(saNames) == 0) {
|
|
| 132 |
+ return errors.New("you must specify at least one user or service account")
|
|
| 133 |
+ } |
|
| 134 |
+ |
|
| 131 | 135 |
var err error |
| 132 | 136 |
_, o.SCCInterface, err = f.Clients() |
| 133 | 137 |
if err != nil {
|
| ... | ... |
@@ -11,6 +11,10 @@ os::log::install_errexit |
| 11 | 11 |
|
| 12 | 12 |
# This test validates user level policy |
| 13 | 13 |
|
| 14 |
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user' 'you must specify a role' |
|
| 15 |
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user -z NamespaceWithoutRole' 'you must specify a role' |
|
| 16 |
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user view' 'you must specify at least one user or service account' |
|
| 17 |
+ |
|
| 14 | 18 |
os::cmd::expect_success 'oc policy add-role-to-group cluster-admin system:unauthenticated' |
| 15 | 19 |
os::cmd::expect_success 'oc policy add-role-to-user cluster-admin system:no-user' |
| 16 | 20 |
os::cmd::expect_success 'oc get rolebinding/cluster-admin --no-headers' |