... | ... |
@@ -371,6 +371,7 @@ func NewFactory(clientConfig kclientcmd.ClientConfig) *Factory { |
371 | 371 |
client.GroupsInterface(oc), |
372 | 372 |
client.ClusterRoleBindingsInterface(oc), |
373 | 373 |
client.RoleBindingsNamespacer(oc), |
374 |
+ client.OAuthClientAuthorizationsInterface(oc), |
|
374 | 375 |
kclient.SecurityContextConstraintsInterface(kc), |
375 | 376 |
), nil |
376 | 377 |
case userapi.Kind("Group"): |
... | ... |
@@ -17,6 +17,7 @@ func NewUserReaper( |
17 | 17 |
groupClient client.GroupsInterface, |
18 | 18 |
clusterBindingClient client.ClusterRoleBindingsInterface, |
19 | 19 |
bindingClient client.RoleBindingsNamespacer, |
20 |
+ authorizationsClient client.OAuthClientAuthorizationsInterface, |
|
20 | 21 |
sccClient kclient.SecurityContextConstraintsInterface, |
21 | 22 |
) kubectl.Reaper { |
22 | 23 |
return &UserReaper{ |
... | ... |
@@ -24,6 +25,7 @@ func NewUserReaper( |
24 | 24 |
groupClient: groupClient, |
25 | 25 |
clusterBindingClient: clusterBindingClient, |
26 | 26 |
bindingClient: bindingClient, |
27 |
+ authorizationsClient: authorizationsClient, |
|
27 | 28 |
sccClient: sccClient, |
28 | 29 |
} |
29 | 30 |
} |
... | ... |
@@ -33,6 +35,7 @@ type UserReaper struct { |
33 | 33 |
groupClient client.GroupsInterface |
34 | 34 |
clusterBindingClient client.ClusterRoleBindingsInterface |
35 | 35 |
bindingClient client.RoleBindingsNamespacer |
36 |
+ authorizationsClient client.OAuthClientAuthorizationsInterface |
|
36 | 37 |
sccClient kclient.SecurityContextConstraintsInterface |
37 | 38 |
} |
38 | 39 |
|
... | ... |
@@ -91,6 +94,21 @@ func (r *UserReaper) Stop(namespace, name string, timeout time.Duration, gracePe |
91 | 91 |
} |
92 | 92 |
} |
93 | 93 |
|
94 |
+ // Remove the user's OAuthClientAuthorizations |
|
95 |
+ // Once https://github.com/kubernetes/kubernetes/pull/28112 is fixed, use a field selector |
|
96 |
+ // to filter on the userName, rather than fetching all authorizations and filtering client-side |
|
97 |
+ authorizations, err := r.authorizationsClient.OAuthClientAuthorizations().List(kapi.ListOptions{}) |
|
98 |
+ if err != nil { |
|
99 |
+ return err |
|
100 |
+ } |
|
101 |
+ for _, authorization := range authorizations.Items { |
|
102 |
+ if authorization.UserName == name { |
|
103 |
+ if err := r.authorizationsClient.OAuthClientAuthorizations().Delete(authorization.Name); err != nil && !kerrors.IsNotFound(err) { |
|
104 |
+ return err |
|
105 |
+ } |
|
106 |
+ } |
|
107 |
+ } |
|
108 |
+ |
|
94 | 109 |
// Intentionally leave identities that reference the user |
95 | 110 |
// The user does not "own" the identities |
96 | 111 |
// If the admin wants to remove the identities, that is a distinct operation |
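Review bot: The unfiltered `List` followed by the `authorization.UserName == name` loop is a one-time snapshot. Judging by the action order the new test case expects, it runs before the user itself is deleted, so a grant approved between the `List` and the user deletion would survive the reap. The early `return err` on a `List` failure also aborts `Stop` at this point, which presumably leaves the user in place after the earlier cleanup has already run. I would state both behaviours next to the existing TODO, e.g. `// Snapshot only: grants created after this List are not removed; a List error aborts before the user is deleted`. Nothing in this hunk touches access tokens already issued under these authorizations, so confirm they are revoked elsewhere. `Stop` starts and ends outside the hunk, so the ordering relative to the user delete should be checked against the full function.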
... | ... |
@@ -12,6 +12,7 @@ import ( |
12 | 12 |
|
13 | 13 |
authorizationapi "github.com/openshift/origin/pkg/authorization/api" |
14 | 14 |
"github.com/openshift/origin/pkg/client/testclient" |
15 |
+ oauthapi "github.com/openshift/origin/pkg/oauth/api" |
|
15 | 16 |
authenticationapi "github.com/openshift/origin/pkg/user/api" |
16 | 17 |
) |
17 | 18 |
|
... | ... |
@@ -173,6 +174,32 @@ func TestUserReaper(t *testing.T) { |
173 | 173 |
ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "users"}, Name: "bob"}, |
174 | 174 |
}, |
175 | 175 |
}, |
176 |
+ { |
|
177 |
+ name: "oauth client authorizations", |
|
178 |
+ user: "bob", |
|
179 |
+ objects: []runtime.Object{ |
|
180 |
+ &oauthapi.OAuthClientAuthorization{ |
|
181 |
+ ObjectMeta: kapi.ObjectMeta{Name: "other-user"}, |
|
182 |
+ UserName: "alice", |
|
183 |
+ UserUID: "123", |
|
184 |
+ }, |
|
185 |
+ &oauthapi.OAuthClientAuthorization{ |
|
186 |
+ ObjectMeta: kapi.ObjectMeta{Name: "bob-authorization-1"}, |
|
187 |
+ UserName: "bob", |
|
188 |
+ UserUID: "234", |
|
189 |
+ }, |
|
190 |
+ &oauthapi.OAuthClientAuthorization{ |
|
191 |
+ ObjectMeta: kapi.ObjectMeta{Name: "bob-authorization-2"}, |
|
192 |
+ UserName: "bob", |
|
193 |
+ UserUID: "345", |
|
194 |
+ }, |
|
195 |
+ }, |
|
196 |
+ expected: []interface{}{ |
|
197 |
+ ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "oauthclientauthorizations"}, Name: "bob-authorization-1"}, |
|
198 |
+ ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "oauthclientauthorizations"}, Name: "bob-authorization-2"}, |
|
199 |
+ ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "users"}, Name: "bob"}, |
|
200 |
+ }, |
|
201 |
+ }, |
|
176 | 202 |
} |
177 | 203 |
|
178 | 204 |
for _, test := range tests { |
... | ... |
@@ -190,7 +217,7 @@ func TestUserReaper(t *testing.T) { |
190 | 190 |
ktc.PrependReactor("update", "*", reactor) |
191 | 191 |
ktc.PrependReactor("delete", "*", reactor) |
192 | 192 |
|
193 |
- reaper := NewUserReaper(tc, tc, tc, tc, ktc) |
|
193 |
+ reaper := NewUserReaper(tc, tc, tc, tc, tc, ktc) |
|
194 | 194 |
err := reaper.Stop("", test.user, 0, nil) |
195 | 195 |
if err != nil { |
196 | 196 |
t.Errorf("%s: unexpected error: %v", test.name, err) |