salt/auth: Add groups support for bearer auth

Currently we have no permissions when using bearer token auth, add a groups function to authenticate bearer auth using the same approach as the basic auth for the moment Also update test accordingly
scality · Nov 22, 2019 · 1d4b15a · 1d4b15a
1 parent c5ef29b
commit 1d4b15a
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/salt/_auth/kubernetes_rbac.py b/salt/_auth/kubernetes_rbac.py
@@ -114,14 +114,54 @@ def _groups_basic(kubeconfig, username, token):
     'groups': _groups_basic,
 }
 
+
 @_log_exceptions
 def _auth_bearer(kubeconfig, username, token):
     return _check_k8s_creds(kubeconfig, 'Bearer {}'.format(token))
 
+
+@_log_exceptions
+def _groups_bearer(kubeconfig, username, token):
+    kubeconfig.api_key = {
+        'authorization': token,
+    }
+    kubeconfig.api_key_prefix = {
+        'authorization': 'Bearer',
+    }
+    kubeconfig.username = username
+    kubeconfig.password = None
+    kubeconfig.cert_file = None
+    kubeconfig.key_file = None
+
+    client = kubernetes.client.ApiClient(configuration=kubeconfig)
+
+    authz_api = kubernetes.client.AuthorizationV1Api(api_client=client)
+
+    groups = set()
+
+    result = authz_api.create_self_subject_access_review(
+        body=kubernetes.client.V1SelfSubjectAccessReview(
+            spec=kubernetes.client.V1SelfSubjectAccessReviewSpec(
+                resource_attributes=kubernetes.client.V1ResourceAttributes(
+                    resource='nodes',
+                    verb='*',
+                ),
+            ),
+        ),
+    )
+
+    if result.status.allowed:
+        groups.add('node-admins')
+
+    return list(groups)
+
+
 AUTH_HANDLERS['bearer'] = {
     'auth': _auth_bearer,
+    'groups': _groups_bearer
 }
 
+
 @_log_exceptions
 def _load_kubeconfig(opts):
     config = {

diff --git a/tests/post/features/salt_api.feature b/tests/post/features/salt_api.feature
@@ -12,7 +12,10 @@ Feature: SaltAPI
     Scenario: Login to SaltAPI using a ServiceAccount
         Given the Kubernetes API is available
         When we login to SaltAPI with the ServiceAccount 'storage-operator'
-        Then we can invoke '["disk.dump", "state.sls"]' on '*'
+        Then we can ping all minions
+        And we can invoke '[".*"]' on '*'
+        And we have '@wheel' perms
+        And we have '@runner' perms
         And we have '@jobs' perms
 
     Scenario: Login to SaltAPI using an incorrect password