Create roles/rolebindings for global dns entries/providers

mrajashree · Alena Prokharchyk · commit 57433009a50b · 2019-02-19T13:42:44.000-08:00
diff --git a/pkg/controllers/management/globaldns/globaldns_handler.go b/pkg/controllers/management/globaldns/globaldns_handler.go
@@ -66,6 +66,10 @@ func (n *GDController) sync(key string, obj *v3.GlobalDNS) (runtime.Object, erro
 		return nil, fmt.Errorf("GlobalDNS %v has no creatorId annotation", metaAccessor.GetName())
 	}
 
+	if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSResource, obj.Name,
+		obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {
+		return nil, err
+	}
 	//check if status.endpoints is set, if yes create a dummy ingress if not already present
 	//if ingress exists, update endpoints if different
 
@@ -98,10 +102,6 @@ func (n *GDController) sync(key string, obj *v3.GlobalDNS) (runtime.Object, erro
 		return nil, fmt.Errorf("GlobalDNSController: Error updating ingress for the GlobalDNS %v", err)
 	}
 
-	if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSResource, obj.Name,
-		obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {
-		return nil, err
-	}
 	return nil, nil
 }
 
diff --git a/pkg/controllers/management/globaldns/globaldns_provider.go b/pkg/controllers/management/globaldns/globaldns_provider.go
@@ -69,7 +69,12 @@ func (n *ProviderLauncher) sync(key string, obj *v3.GlobalDNSProvider) (runtime.
 	}
 	creatorID, ok := metaAccessor.GetAnnotations()[globalnamespacerbac.CreatorIDAnn]
 	if !ok {
-		return nil, fmt.Errorf("GlobalDNS %v has no creatorId annotation", metaAccessor.GetName())
+		return nil, fmt.Errorf("GlobalDNS provider %v has no creatorId annotation", metaAccessor.GetName())
+	}
+
+	if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSProviderResource, obj.Name,
+		obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {
+		return nil, err
 	}
 	//check if provider already running for this GlobalDNSProvider.
 	if n.isProviderAlreadyRunning(obj) {
@@ -106,10 +111,6 @@ func (n *ProviderLauncher) sync(key string, obj *v3.GlobalDNSProvider) (runtime.
 		return n.handleAlidnsProvider(obj)
 	}
 
-	if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSProviderResource, obj.Name,
-		obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {
-		return nil, err
-	}
 	return nil, nil
 }
 
diff --git a/pkg/controllers/management/globalnamespacerbac/rbac_common.go b/pkg/controllers/management/globalnamespacerbac/rbac_common.go
@@ -60,7 +60,11 @@ func CreateRoleAndRoleBinding(resource string, name string, UID types.UID, membe
 		case readOnlyAccess:
 			readOnlyAccessSubjects = append(readOnlyAccessSubjects, s)
 		default:
-			readOnlyAccessSubjects = append(readOnlyAccessSubjects, s)
+			if resource == GlobalDNSProviderResource || resource == GlobalDNSResource {
+				ownerAccessSubjects = append(ownerAccessSubjects, s)
+			} else {
+				readOnlyAccessSubjects = append(readOnlyAccessSubjects, s)
+			}
 		}
 	}
 
diff --git a/tests/core/test_globaldns.py b/tests/core/test_globaldns.py
@@ -1,6 +1,8 @@
 from .common import random_str
 from rancher import ApiError
 import pytest
+import time
+import kubernetes
 
 
 def test_dns_fqdn_unique(admin_mc):
@@ -42,12 +44,125 @@ def test_dns_provider_deletion(admin_mc):
                                              'rootDomain': "example.com"})
 
     fqdn = random_str() + ".example.com"
+    provider_id = "cattle-global-data:"+provider_name
     globaldns_entry = \
-        client.create_global_dns(fqdn=fqdn, providerId=provider_name)
+        client.create_global_dns(fqdn=fqdn, providerId=provider_id)
 
     with pytest.raises(ApiError) as e:
         client.delete(globaldns_provider)
         assert e.value.error.status == 403
 
     client.delete(globaldns_entry)
     client.delete(globaldns_provider)
+
+
+def test_share_globaldns_provider_entry(admin_mc, user_factory,
+                                        remove_resource):
+    client = admin_mc.client
+    provider_name = random_str()
+    access = random_str()
+    secret = random_str()
+    # Add regular user as member to gdns provider
+    user_member = user_factory()
+    remove_resource(user_member)
+    user_client = user_member.client
+    members = [{"userPrincipalId": "local://" + user_member.user.id,
+                "accessType": "owner"}]
+    globaldns_provider = \
+        client.create_global_dns_provider(
+            name=provider_name,
+            route53ProviderConfig={
+                'accessKey': access,
+                'secretKey': secret,
+                'rootDomain': "example.com"},
+            members=members)
+
+    remove_resource(globaldns_provider)
+    fqdn = random_str() + ".example.com"
+    globaldns_entry = \
+        client.create_global_dns(fqdn=fqdn, providerId=provider_name,
+                                 members=members)
+    remove_resource(globaldns_entry)
+    # Make sure creator can access both, provider and entry
+    gdns_provider_id = "cattle-global-data:" + provider_name
+    gdns_provider = client.by_id_global_dns_provider(gdns_provider_id)
+    assert gdns_provider is not None
+
+    gdns_entry_id = "cattle-global-data:" + globaldns_entry.name
+    gdns = client.by_id_global_dns(gdns_entry_id)
+    assert gdns is not None
+    # user should be able to list this gdns provider
+    api_instance = kubernetes.client.RbacAuthorizationV1Api(
+        admin_mc.k8s_client)
+    provider_rb_name = provider_name + "-gp-a"
+    wait_to_ensure_user_in_rb_subject(api_instance, provider_rb_name,
+                                      user_member.user.id)
+    gdns_provider = user_client.by_id_global_dns_provider(gdns_provider_id)
+    assert gdns_provider is not None
+
+    # user should be able to list this gdns entry
+    entry_rb_name = globaldns_entry.name + "-g-a"
+    wait_to_ensure_user_in_rb_subject(api_instance, entry_rb_name,
+                                      user_member.user.id)
+    gdns = user_client.by_id_global_dns(gdns_entry_id)
+    assert gdns is not None
+
+
+def test_user_access_global_dns(admin_mc, user_factory, remove_resource):
+    user1 = user_factory()
+    remove_resource(user1)
+    user_client = user1.client
+    provider_name = random_str()
+    access = random_str()
+    secret = random_str()
+    globaldns_provider = \
+        user_client.create_global_dns_provider(
+            name=provider_name,
+            route53ProviderConfig={
+                'accessKey': access,
+                'secretKey': secret,
+                'rootDomain': "example.com"})
+
+    remove_resource(globaldns_provider)
+    fqdn = random_str() + ".example.com"
+    globaldns_entry = \
+        user_client.create_global_dns(fqdn=fqdn, providerId=provider_name)
+
+    remove_resource(globaldns_entry)
+    # Make sure creator can access both, provider and entry
+    api_instance = kubernetes.client.RbacAuthorizationV1Api(
+        admin_mc.k8s_client)
+    provider_rb_name = provider_name + "-gp-a"
+    wait_to_ensure_user_in_rb_subject(api_instance, provider_rb_name,
+                                      user1.user.id)
+
+    gdns_provider_id = "cattle-global-data:" + provider_name
+    gdns_provider = user_client.by_id_global_dns_provider(gdns_provider_id)
+    assert gdns_provider is not None
+
+    entry_rb_name = globaldns_entry.name + "-g-a"
+    wait_to_ensure_user_in_rb_subject(api_instance, entry_rb_name,
+                                      user1.user.id)
+    gdns_entry_id = "cattle-global-data:" + globaldns_entry.name
+    gdns = user_client.by_id_global_dns(gdns_entry_id)
+    assert gdns is not None
+
+
+def wait_to_ensure_user_in_rb_subject(api, name,
+                                      userId, timeout=60):
+    found = False
+    interval = 0.5
+    start = time.time()
+    while not found:
+        time.sleep(interval)
+        interval *= 2
+        try:
+            rb = api.read_namespaced_role_binding(name, "cattle-global-data")
+            for i in range(0, len(rb.subjects)):
+                if rb.subjects[i].name == userId:
+                    found = True
+        except kubernetes.client.rest.ApiException:
+            found = False
+        if time.time() - start > timeout:
+            raise AssertionError(
+                "Timed out waiting for user to get added to rb")
diff --git a/vendor.conf b/vendor.conf
@@ -42,7 +42,7 @@ github.com/rancher/rdns-server                bf662911db6acce4d6a85d2878653f6841
 github.com/rancher/norman                     362802224f64fd09a56be0d275f6ec1d7ecf2164
 github.com/rancher/kontainer-engine           e4935301f7229ea869ca00aed54d67a20cc0ca17
 github.com/rancher/rke                        f8b6131dd2b30f06b55a3a0888dbadb16ce27101
-github.com/rancher/types                      dc275ce6bede7bd83f4085cb4706d283b8f07be6
+github.com/rancher/types                      d0b7740d2089fdf9befdec93ccc9211e67e49a03
 
 gopkg.in/ldap.v2                              v2.5.0
 gopkg.in/asn1-ber.v1                          v1.1

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,10 @@ func (n GDController) sync(key string, obj v3.GlobalDNS) (runtime.Object, erro`
`66`	`66`	`return nil, fmt.Errorf("GlobalDNS %v has no creatorId annotation", metaAccessor.GetName())`
`67`	`67`	`}`
`68`	`68`
	`69`	`+ if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSResource, obj.Name,`
	`70`	`+ obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {`
	`71`	`+ return nil, err`
	`72`	`+ }`
`69`	`73`	`//check if status.endpoints is set, if yes create a dummy ingress if not already present`
`70`	`74`	`//if ingress exists, update endpoints if different`
`71`	`75`
`@@ -98,10 +102,6 @@ func (n GDController) sync(key string, obj v3.GlobalDNS) (runtime.Object, erro`
`98`	`102`	`return nil, fmt.Errorf("GlobalDNSController: Error updating ingress for the GlobalDNS %v", err)`
`99`	`103`	`}`
`100`	`104`
`101`		`- if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSResource, obj.Name,`
`102`		`- obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {`
`103`		`- return nil, err`
`104`		`- }`
`105`	`105`	`return nil, nil`
`106`	`106`	`}`
`107`	`107`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,12 @@ func (n ProviderLauncher) sync(key string, obj v3.GlobalDNSProvider) (runtime.`
`69`	`69`	`}`
`70`	`70`	`creatorID, ok := metaAccessor.GetAnnotations()[globalnamespacerbac.CreatorIDAnn]`
`71`	`71`	`if !ok {`
`72`		`- return nil, fmt.Errorf("GlobalDNS %v has no creatorId annotation", metaAccessor.GetName())`
	`72`	`+ return nil, fmt.Errorf("GlobalDNS provider %v has no creatorId annotation", metaAccessor.GetName())`
	`73`	`+ }`
	`74`	`+`
	`75`	`+ if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSProviderResource, obj.Name,`
	`76`	`+ obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {`
	`77`	`+ return nil, err`
`73`	`78`	`}`
`74`	`79`	`//check if provider already running for this GlobalDNSProvider.`
`75`	`80`	`if n.isProviderAlreadyRunning(obj) {`
`@@ -106,10 +111,6 @@ func (n ProviderLauncher) sync(key string, obj v3.GlobalDNSProvider) (runtime.`
`106`	`111`	`return n.handleAlidnsProvider(obj)`
`107`	`112`	`}`
`108`	`113`
`109`		`- if err := globalnamespacerbac.CreateRoleAndRoleBinding(globalnamespacerbac.GlobalDNSProviderResource, obj.Name,`
`110`		`- obj.UID, obj.Spec.Members, creatorID, n.managementContext); err != nil {`
`111`		`- return nil, err`
`112`		`- }`
`113`	`114`	`return nil, nil`
`114`	`115`	`}`
`115`	`116`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,11 @@ func CreateRoleAndRoleBinding(resource string, name string, UID types.UID, membe`
`60`	`60`	`case readOnlyAccess:`
`61`	`61`	`readOnlyAccessSubjects = append(readOnlyAccessSubjects, s)`
`62`	`62`	`default:`
`63`		`- readOnlyAccessSubjects = append(readOnlyAccessSubjects, s)`
	`63`	`+ if resource == GlobalDNSProviderResource \|\| resource == GlobalDNSResource {`
	`64`	`+ ownerAccessSubjects = append(ownerAccessSubjects, s)`
	`65`	`+ } else {`
	`66`	`+ readOnlyAccessSubjects = append(readOnlyAccessSubjects, s)`
	`67`	`+ }`
`64`	`68`	`}`
`65`	`69`	`}`
`66`	`70`