create policy cache

deads2k · deads2k · commit d01bfa413564 · 2015-02-23T10:09:37.000-05:00
diff --git a/pkg/authorization/cache/policy_cache.go b/pkg/authorization/cache/policy_cache.go
@@ -0,0 +1,132 @@
+package cache
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/watch"
+
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	policyregistry "github.com/openshift/origin/pkg/authorization/registry/policy"
+	bindingregistry "github.com/openshift/origin/pkg/authorization/registry/policybinding"
+)
+
+// PolicyCache maintains a cache of PolicyRules
+type PolicyCache struct {
+	policyBindingIndexer cache.Indexer
+	policyIndexer        cache.Indexer
+
+	bindingRegistry bindingregistry.Registry
+	policyRegistry  policyregistry.Registry
+
+	keyFunc cache.KeyFunc
+}
+
+// TODO: Eliminate listWatch when this merges upstream: https://github.com/GoogleCloudPlatform/kubernetes/pull/4453
+type listFunc func() (runtime.Object, error)
+type watchFunc func(resourceVersion string) (watch.Interface, error)
+type listWatch struct {
+	listFunc  listFunc
+	watchFunc watchFunc
+}
+
+func (lw *listWatch) List() (runtime.Object, error) {
+	return lw.listFunc()
+}
+
+func (lw *listWatch) Watch(resourceVersion string) (watch.Interface, error) {
+	return lw.watchFunc(resourceVersion)
+}
+
+// NewPolicyCache creates a new PolicyCache.  You cannot use a normal client, because you don't want policy guarding the policy from the authorizer
+func NewPolicyCache(bindingRegistry bindingregistry.Registry, policyRegistry policyregistry.Registry) *PolicyCache {
+	result := &PolicyCache{
+		policyIndexer:        cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{"namespace": cache.MetaNamespaceIndexFunc}),
+		policyBindingIndexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{"namespace": cache.MetaNamespaceIndexFunc}),
+
+		keyFunc: cache.MetaNamespaceKeyFunc,
+
+		bindingRegistry: bindingRegistry,
+		policyRegistry:  policyRegistry,
+	}
+	return result
+}
+
+// Run begins watching and synchronizing the cache
+func (c *PolicyCache) Run(period time.Duration) {
+	ctx := kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll)
+
+	policyBindingReflector := cache.NewReflector(
+		&listWatch{
+			listFunc: func() (runtime.Object, error) {
+				return c.bindingRegistry.ListPolicyBindings(ctx, labels.Everything(), labels.Everything())
+			},
+			watchFunc: func(resourceVersion string) (watch.Interface, error) {
+				return c.bindingRegistry.WatchPolicyBindings(ctx, labels.Everything(), labels.Everything(), resourceVersion)
+			},
+		},
+		&authorizationapi.PolicyBinding{},
+		c.policyBindingIndexer,
+	)
+	policyBindingReflector.Run()
+
+	policyReflector := cache.NewReflector(
+		&listWatch{
+			listFunc: func() (runtime.Object, error) {
+				return c.policyRegistry.ListPolicies(ctx, labels.Everything(), labels.Everything())
+			},
+			watchFunc: func(resourceVersion string) (watch.Interface, error) {
+				return c.policyRegistry.WatchPolicies(ctx, labels.Everything(), labels.Everything(), resourceVersion)
+			},
+		},
+		&authorizationapi.Policy{},
+		c.policyIndexer,
+	)
+	policyReflector.Run()
+}
+
+// GetPolicy retrieves a specific policy.  It conforms to rulevalidation.PolicyGetter.
+func (c *PolicyCache) GetPolicy(ctx kapi.Context, name string) (*authorizationapi.Policy, error) {
+	namespace, exists := kapi.NamespaceFrom(ctx)
+	if !exists {
+		return nil, errors.New("no namespace found")
+	}
+
+	keyObj := &authorizationapi.Policy{ObjectMeta: kapi.ObjectMeta{Namespace: namespace, Name: name}}
+	key, _ := c.keyFunc(keyObj)
+
+	policy, exists, err := c.policyIndexer.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, fmt.Errorf("%v not found", key)
+	}
+
+	return policy.(*authorizationapi.Policy), nil
+}
+
+// ListPolicyBindings obtains list of policyBindings that match a selector.  It conforms to rulevalidation.BindingLister
+func (c *PolicyCache) ListPolicyBindings(ctx kapi.Context, labels, fields labels.Selector) (*authorizationapi.PolicyBindingList, error) {
+	namespace, exists := kapi.NamespaceFrom(ctx)
+	if !exists {
+		return nil, errors.New("no namespace found")
+	}
+
+	bindings, err := c.policyBindingIndexer.Index("namespace", &authorizationapi.PolicyBinding{ObjectMeta: kapi.ObjectMeta{Namespace: namespace}})
+	if err != nil {
+		return nil, err
+	}
+
+	ret := &authorizationapi.PolicyBindingList{}
+	for i := range bindings {
+		ret.Items = append(ret.Items, *bindings[i].(*authorizationapi.PolicyBinding))
+	}
+
+	return ret, nil
+}
diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -75,6 +75,7 @@ import (
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
+	policycache "github.com/openshift/origin/pkg/authorization/cache"
 	authorizationetcd "github.com/openshift/origin/pkg/authorization/registry/etcd"
 	policyregistry "github.com/openshift/origin/pkg/authorization/registry/policy"
 	policybindingregistry "github.com/openshift/origin/pkg/authorization/registry/policybinding"
@@ -115,6 +116,7 @@ type MasterConfig struct {
 	AuthorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder
 	MasterAuthorizationNamespace  string
 
+	PolicyCache               *policycache.PolicyCache
 	ProjectAuthorizationCache *projectauth.AuthorizationCache
 
 	// Map requests to contexts
@@ -559,6 +561,11 @@ func (c *MasterConfig) RunProjectAuthorizationCache() {
 	c.ProjectAuthorizationCache.Run(period)
 }
 
+// RunPolicyCache starts the policy cache
+func (c *MasterConfig) RunPolicyCache() {
+	c.PolicyCache.Run(10 * time.Second)
+}
+
 // RunAssetServer starts the asset server for the OpenShift UI.
 func (c *MasterConfig) RunAssetServer() {
 	// TODO use	version.Get().GitCommit as an etag cache header
diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go
@@ -38,6 +38,7 @@ import (
 	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
+	policycache "github.com/openshift/origin/pkg/authorization/cache"
 	authorizationetcd "github.com/openshift/origin/pkg/authorization/registry/etcd"
 	"github.com/openshift/origin/pkg/authorization/rulevalidation"
 	projectauth "github.com/openshift/origin/pkg/project/auth"
@@ -367,11 +368,9 @@ func start(cfg *config, args []string) error {
 
 			EtcdHelper: etcdHelper,
 
-			AdmissionControl:              admit.NewAlwaysAdmit(),
-			Authorizer:                    newAuthorizer(etcdHelper, masterAuthorizationNamespace),
-			AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
-			MasterAuthorizationNamespace:  masterAuthorizationNamespace,
-			RequestContextMapper:          requestContextMapper,
+			AdmissionControl:             admit.NewAlwaysAdmit(),
+			MasterAuthorizationNamespace: masterAuthorizationNamespace,
+			RequestContextMapper:         requestContextMapper,
 
 			ImageFor: imageResolverFn,
 		}
@@ -502,6 +501,13 @@ func start(cfg *config, args []string) error {
 
 		osmaster.BuildClients()
 
+		authorizationEtcd := authorizationetcd.New(etcdHelper)
+		osmaster.PolicyCache = policycache.NewPolicyCache(authorizationEtcd, authorizationEtcd)
+		osmaster.Authorizer = newAuthorizer(osmaster.PolicyCache, masterAuthorizationNamespace)
+		osmaster.AuthorizationAttributeBuilder = newAuthorizationAttributeBuilder(requestContextMapper)
+		// the policy cache must start before you attempt to start any other components
+		osmaster.RunPolicyCache()
+
 		osmaster.ProjectAuthorizationCache = projectauth.NewAuthorizationCache(
 			projectauth.NewReviewer(osmaster.PolicyClient()),
 			osmaster.KubeClient().Namespaces(),
@@ -653,9 +659,8 @@ func start(cfg *config, args []string) error {
 	return nil
 }
 
-func newAuthorizer(etcdHelper tools.EtcdHelper, masterAuthorizationNamespace string) authorizer.Authorizer {
-	authorizationEtcd := authorizationetcd.New(etcdHelper)
-	authorizer := authorizer.NewAuthorizer(masterAuthorizationNamespace, rulevalidation.NewDefaultRuleResolver(authorizationEtcd, authorizationEtcd))
+func newAuthorizer(policyCache *policycache.PolicyCache, masterAuthorizationNamespace string) authorizer.Authorizer {
+	authorizer := authorizer.NewAuthorizer(masterAuthorizationNamespace, rulevalidation.NewDefaultRuleResolver(policyCache, policyCache))
 	return authorizer
 }
 
