Merge pull request #23 from ibuildthecloud/master
Fix issues when creating clusterrolebindings to namespaces objects
ibuildthecloud authored Aug 4, 2021
2 parents f588bce + eba8358 commit b2d9409
Showing 3 changed files with 27 additions and 6 deletions.
25 changes: 20 additions & 5 deletions pkg/accesscontrol/access_set.go
Expand Up @@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
verbs = append(verbs, "get")
}

for _, verb := range verbs {
for _, access := range a[verb] {
for _, access := range a[verb] {
resources := result[access.Namespace]
if access.ResourceName == All {
resources.All = true
} else {
if resources.Names == nil {
resources.Names = sets.String{}
}
resources.Names.Insert(access.ResourceName)
}
result[access.Namespace] = resources
}

if verb == "list" {
// look for objects referenced by get
for _, access := range a["get"] {
resources := result[access.Namespace]
if access.ResourceName == All {
resources.All = true
} else {
continue
} else if len(access.ResourceName) > 0 {
if resources.Names == nil {
resources.Names = sets.String{}
}
resources.Names.Insert(access.ResourceName)
result[access.Namespace] = resources
}
result[access.Namespace] = resources
}
}

return result
}
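Review bot: The `list` branch now skips a wildcard `get` grant and an empty ResourceName without saying why, and in authorization code that intent should be written down next to the loop, for example `// a wildcard or empty "get" never widens "list"; only explicitly named objects are merged in`. The `else if` that follows `continue` can then become a single guard, `if access.ResourceName == All || access.ResourceName == "" { continue }`. The `verbs = append(verbs, "get")` line at the top of the section no longer appears to have a reader in the visible lines, so the slice looks like leftover code; Granted starts above the hunk, so this cannot be confirmed from here. A table-driven test covering get-by-name, get-all and list grants in the same and in different namespaces would pin the new behaviour.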

2 changes: 1 addition & 1 deletion pkg/stores/partition/store.go
Expand Up @@ -101,7 +101,7 @@ func (s *Store) List(apiOp *types.APIRequest, schema *types.APISchema) (types.AP

result.Revision = lister.Revision()
result.Continue = lister.Continue()
return result, nil
return result, lister.Err()
}

func (s *Store) Create(apiOp *types.APIRequest, schema *types.APISchema, data types.APIObject) (types.APIObject, error) {
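Review bot: The new `return result, lister.Err()` hands back a populated `result` together with a possibly non-nil error, so a caller that reads the list before checking the error can treat a partial listing as complete. Either return the zero value on failure, `if err := lister.Err(); err != nil { return types.APIObjectList{}, err }` (assuming List returns that type as ByNames does; the signature is truncated in the hunk header), or say in the doc comment that the list is partial whenever the error is non-nil. The body of List begins outside the hunk, so it is not visible whether Err() is read only after the lister has been fully drained.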
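--- a/pkg/stores/proxy/proxy_store.go
+++ b/pkg/stores/proxy/proxy_store.go
@@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
 }
 
 func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
+if apiOp.Namespace == "*" {
+// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
+// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
+return types.APIObjectList{}, nil
+}
+
 adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
 if err != nil {
 return types.APIObjectList{}, err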
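Review bot: The early return for `apiOp.Namespace == "*"` answers with an empty list and a nil error, so a get-by-name grant made through a clusterrolebinding yields no results and nothing tells the operator why. Failing closed is the right default here, but the contract belongs on the function itself, e.g. `// ByNames returns the named objects in apiOp.Namespace; a "*" namespace yields an empty list, never a cluster-wide listing.` The bare `"*"` is compared as a literal while access_set.go in this commit tests against the `All` constant; if both denote the same wildcard, using one name for it would keep the two checks from drifting apart. ByNames continues past the end of the hunk.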
