Allow --no-rbac flag that allows users to not pass rbac config (#9972)

* Allow --no-rbac flag that allows users to not pass rbac config

Signed-off-by: notfelineit <notfelineit@gmail.com>

* Address PR comments

Signed-off-by: notfelineit <notfelineit@gmail.com>

* Update go/cmd/vtadmin/main.go

Co-authored-by: Andrew Mason <andrew@planetscale.com>

* Remove [rbac] prefix in error messaging

Signed-off-by: notfelineit <notfelineit@gmail.com>

Co-authored-by: Andrew Mason <andrew@planetscale.com>
Frances Thai 2022-03-25 11:59:01 -07:00 коммит произвёл GitHub
Родитель d0fd6b0e39
Коммит c82d09aebf
3 изменённых файлов: 53 добавлений и 2 удалений


@ -43,6 +43,8 @@ var (
defaultClusterConfig cluster.Config defaultClusterConfig cluster.Config
rbacConfigPath string rbacConfigPath string
enableRBAC bool
disableRBAC bool
traceCloser io.Closer = &noopCloser{} traceCloser io.Closer = &noopCloser{}
@ -101,13 +103,19 @@ func run(cmd *cobra.Command, args []string) {
} }
var rbacConfig *rbac.Config var rbacConfig *rbac.Config
if rbacConfigPath != "" { if disableRBAC {
rbacConfig = rbac.DefaultConfig()
} else if enableRBAC && rbacConfigPath != "" {
cfg, err := rbac.LoadConfig(rbacConfigPath) cfg, err := rbac.LoadConfig(rbacConfigPath)
if err != nil { if err != nil {
fatal(err) fatal(err)
} }
rbacConfig = cfg rbacConfig = cfg
} else if enableRBAC && rbacConfigPath == "" {
fatal("must pass --rbac-config path when enabling rbac")
} else {
fatal("must explicitly enable or disable RBAC by passing --no-rbac or --rbac")
} }
for i, cfg := range configs { for i, cfg := range configs {
@ -162,7 +170,9 @@ func main() {
rootCmd.Flags().BoolVar(&httpOpts.EnableDynamicClusters, "http-enable-dynamic-clusters", false, "whether to enable dynamic clusters that are set by request header cookies") rootCmd.Flags().BoolVar(&httpOpts.EnableDynamicClusters, "http-enable-dynamic-clusters", false, "whether to enable dynamic clusters that are set by request header cookies")
// rbac flags // rbac flags
rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "rbac.yaml", "") rootCmd.Flags().StringVar(&rbacConfigPath, "rbac-config", "", "path to an RBAC config file. must be set if passing --rbac")
rootCmd.Flags().BoolVar(&enableRBAC, "rbac", false, "whether to enable RBAC. must be set if not passing --rbac")
rootCmd.Flags().BoolVar(&disableRBAC, "no-rbac", false, "whether to disable RBAC. must be set if not passing --no-rbac")
// glog flags, no better way to do this // glog flags, no better way to do this
rootCmd.Flags().AddGoFlag(flag.Lookup("v")) rootCmd.Flags().AddGoFlag(flag.Lookup("v"))
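Review bot: Passing both --rbac and --no-rbac is accepted silently, because the `if disableRBAC` branch in run is evaluated first and wins regardless of --rbac or --rbac-config, so a contradictory command line ends up with the allow-all default config instead of an error. A guard ahead of the chain, `if enableRBAC && disableRBAC {` / `fatal("--rbac and --no-rbac are mutually exclusive")` / `}`, would give operators the same explicit-choice failure the final else branch already enforces. The help strings of the two new flags are also swapped: `--rbac` says "must be set if not passing --rbac" and `--no-rbac` says "must be set if not passing --no-rbac", where each should name the other flag. run begins and ends outside this hunk.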


@ -225,6 +225,7 @@ func (api *API) ServeHTTP(w http.ResponseWriter, r *http.Request) {
api.Handler().ServeHTTP(w, r) api.Handler().ServeHTTP(w, r)
return return
} }
dynamicAPI := &API{ dynamicAPI := &API{
clusters: api.clusters, clusters: api.clusters,
clusterMap: api.clusterMap, clusterMap: api.clusterMap,


@ -163,3 +163,43 @@ func (c *Config) GetAuthenticator() Authenticator {
func (c *Config) GetAuthorizer() *Authorizer { func (c *Config) GetAuthorizer() *Authorizer {
return c.authorizer return c.authorizer
} }
// DefaultConfig returns a default config that allows all actions on all resources
// It is mainly used in the case where users explicitly pass --no-rbac flag.
func DefaultConfig() *Config {
log.Info("[rbac]: using default rbac configuration")
actions := []string{string(GetAction), string(CreateAction), string(DeleteAction), string(PutAction), string(PingAction)}
subjects := []string{"*"}
clusters := []string{"*"}
cfg := map[string][]*Rule{
"*": {
{
clusters: sets.NewString(clusters...),
actions: sets.NewString(actions...),
subjects: sets.NewString(subjects...),
},
},
}
return &Config{
Rules: []*struct {
Resource string
Actions []string
Subjects []string
Clusters []string
}{
{
Resource: "*",
Actions: actions,
Subjects: subjects,
Clusters: clusters,
},
},
cfg: cfg,
authorizer: &Authorizer{
policies: cfg,
},
authenticator: nil,
}
}
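Review bot: DefaultConfig enumerates the permitted actions by hand (GetAction, CreateAction, DeleteAction, PutAction, PingAction), so any Action constant added to this package later is silently left out and a --no-rbac deployment would deny it, which contradicts the doc comment's "allows all actions". Either derive the list from a single package-level slice of all actions that new constants are added to, or at least mark the coupling with `// keep in sync with the Action constants defined in this package` on the actions line. The doc comment should also state what the config actually carries: one rule granting the listed actions to every subject ("*") on every cluster ("*"), with a nil authenticator, used when vtadmin starts with --no-rbac; the current wording lacks a period and does not mention the missing authenticator.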