Consider supporting groups instead of single users only and create their tests #351

Open
wants to merge 1 commit into
base: sig-auth-acceptance

Conversation

ShazaAldawamneh

This PR is to cover issue 333.

@ShazaAldawamneh ShazaAldawamneh marked this pull request as ready for review January 7, 2025 14:21
@ShazaAldawamneh
Author

@stlaz @ibihim can I have your review on this PR, please?

@stlaz
Copy link
Collaborator

stlaz commented Jan 9, 2025

This is an open source project, remove any references to trackers that are not in this repo. If they contain additional context, move it to the GitHub issue you are fixing.

@ShazaAldawamneh ShazaAldawamneh changed the title CNTRLPLANE-63: Consider supporting groups instead of single users only and create their tests Consider supporting groups instead of single users only and create their tests Jan 9, 2025
@ibihim ibihim left a comment

good job

…heir tests]

added comment

Refactor group storage structure in status.go to use sets

Optimize group lookup by precomputing GroupSet in NewStaticAuthorizer for O(1) checks.

Update pkg/authorization/static/static.go

Co-authored-by: Krzysztof Ostrowski <krzysztof.ostrowski@posteo.de>

Update pkg/authorization/static/static.go

Co-authored-by: Krzysztof Ostrowski <krzysztof.ostrowski@posteo.de>

imported set
Groups []string `json:"groups,omitempty"`
Name string `json:"name,omitempty"`
Groups []string `json:"groups,omitempty"`
GroupSet set.Set[string]
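Review bot: `GroupSet set.Set[string]` sits next to the json-tagged `Name` and `Groups` fields but carries no tag of its own, and encoding/json does not skip an exported untagged field, so GroupSet becomes part of the wire format: a config file could supply it directly instead of having it derived from Groups. Either tag it `json:"-"` or, as asked below, keep the precomputed set in a separate internal type built from the serialized config.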

Can we split the external, serialized config, and its internal representation?
Make it so that only one of username/group can be specified.

@@ -48,8 +50,12 @@ type staticAuthorizer struct {

// NewStaticAuthorizer creates an authorizer for static SubjectAccessReviews
func NewStaticAuthorizer(config []StaticAuthorizationConfig) (*staticAuthorizer, error) {
for _, c := range config {
if c.ResourceRequest != (c.Path == "") {
for c := range config {
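Review bot: `for c := range config` binds `c` to the slice index, not the element, so the `c.ResourceRequest` / `c.Path` checks seen in the old context line need to become `config[c].ResourceRequest` and `config[c].Path`. If the intent of the single-variable form is to write the precomputed set back into the entry, `&config[c]` does that; `&c` from the previous `for _, c := range config` would only point at a per-iteration copy.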

Since we need some internal representation of the config anyway, it might be easier to implement this part as a unionauthorizer.New([]staticAuthorizer{...}) (union authorizer constructor) where each staticAuthorizer in the above mentioned slice represents each element from []StaticAuthorizationConfig here.

That way func (saConfig StaticAuthorizationConfig) Matches(a authorizer.Attributes) bool
changes into
func (sa staticAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error).
Each return true changes into authorizer.DecisionAllow and each return false into authorizer.DecisionNoOpinion.

The constructor might then look something like this:

func NewStaticAuthorizer(config []StaticAuthorizationConfig) (authorizer.Authorizer, error) {
   var authorizers []staticAuthorizer
   for _, c := range config {
       authz, err := newStaticAuthorizers(&c)
       if err != nil {
           return nil, err
       }
       authorizers = append(authorizers, authz)
   }
   return unionauthorizer.New(authorizers...)
}

WDYT?

cc @ibihim
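A sketch of the split discussed in this thread, added here as an example rather than code from the PR or the project: the serialized StaticAuthorizationConfig carries only name/groups, the internal staticAuthorizer holds the precomputed set, and each entry answers DecisionAllow or DecisionNoOpinion so a union authorizer can fall through to the next entry. Decision and Attributes are local stand-ins for the k8s.io/apiserver authorizer types (an assumption), and the exactly-one-of-name-or-groups rule is the check requested above.

```go
package main

import (
	"context"
	"fmt"
)

// Local stand-ins for authorizer.Decision and authorizer.Attributes (assumption: k8s.io/apiserver types in the project).
type Decision int

const DecisionNoOpinion, DecisionAllow Decision = 0, 1

type Attributes struct{ User string; Groups []string }

// Serialized form: exactly one of Name or Groups is set; no derived fields here.
type StaticAuthorizationConfig struct {
	Name   string   `json:"name,omitempty"`
	Groups []string `json:"groups,omitempty"`
}

// Internal form: one config entry with its groups precomputed into a set.
type staticAuthorizer struct {
	name     string
	groupSet map[string]struct{}
}

func newStaticAuthorizer(c StaticAuthorizationConfig) (staticAuthorizer, error) {
	if (c.Name == "") == (len(c.Groups) == 0) {
		return staticAuthorizer{}, fmt.Errorf("set exactly one of name or groups")
	}
	sa := staticAuthorizer{name: c.Name, groupSet: make(map[string]struct{}, len(c.Groups))}
	for _, g := range c.Groups {
		sa.groupSet[g] = struct{}{}
	}
	return sa, nil
}

// Allow on a user or any-group match, NoOpinion otherwise so a union can fall through.
func (sa staticAuthorizer) Authorize(_ context.Context, a Attributes) (Decision, string, error) {
	if sa.name != "" && a.User == sa.name {
		return DecisionAllow, "user " + sa.name, nil
	}
	for _, g := range a.Groups {
		if _, ok := sa.groupSet[g]; ok {
			return DecisionAllow, "group " + g, nil
		}
	}
	return DecisionNoOpinion, "", nil
}
```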

return true
}
for _, group := range requestGroups {
if _, exists := saConfig.User.GroupSet[group]; exists {
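Review bot: the loop returns true on the first request group found in `GroupSet`, so any one listed group is enough (any-of semantics), and because it sits after the `return true` of the user check above, an entry that carries both a name and groups allows on either one. State both points in the field's doc comment, or restrict an entry to one of name/groups as requested earlier in this review.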

use the set.Has() method
