add openshift image role

pkg/authorization/authorizer/bootstrap_policy_test.go

@@ -8,6 +8,8 @@ import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+
+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 )
 
 func TestViewerGetAllowedKindInMallet(t *testing.T) {
@@ -416,3 +418,42 @@ func newMalletBindings() []authorizationapi.PolicyBinding {
 		},
 	}
 }
+
+func GetBootstrapPolicy(masterNamespace string) *authorizationapi.Policy {
+	policy := &authorizationapi.Policy{
+		ObjectMeta: kapi.ObjectMeta{
+			Name:              authorizationapi.PolicyName,
+			Namespace:         masterNamespace,
+			CreationTimestamp: util.Now(),
+			UID:               util.NewUUID(),
+		},
+		LastModified: util.Now(),
+		Roles:        make(map[string]authorizationapi.Role),
+	}
+
+	for _, role := range bootstrappolicy.GetBootstrapMasterRoles(masterNamespace) {
+		policy.Roles[role.Name] = role
+	}
+
+	return policy
+}
+
+func GetBootstrapPolicyBinding(masterNamespace string) *authorizationapi.PolicyBinding {
+	policyBinding := &authorizationapi.PolicyBinding{
+		ObjectMeta: kapi.ObjectMeta{
+			Name:              masterNamespace,
+			Namespace:         masterNamespace,
+			CreationTimestamp: util.Now(),
+			UID:               util.NewUUID(),
+		},
+		LastModified: util.Now(),
+		PolicyRef:    kapi.ObjectReference{Namespace: masterNamespace},
+		RoleBindings: make(map[string]authorizationapi.RoleBinding),
+	}
+
+	for _, roleBinding := range bootstrappolicy.GetBootstrapMasterRoleBindings(masterNamespace) {
+		policyBinding.RoleBindings[roleBinding.Name] = roleBinding
+	}
+
+	return policyBinding
+}

pkg/authorization/registry/rolebinding/registry.go

@@ -13,10 +13,10 @@ type Registry interface {
 	ListRoleBindings(ctx kapi.Context, labels, fields klabels.Selector) (*authorizationapi.RoleBindingList, error)
 	// GetRoleBinding retrieves a specific policyRoleBinding.
 	GetRoleBinding(ctx kapi.Context, id string) (*authorizationapi.RoleBinding, error)
-	// CreateRoleBinding creates a new policyRoleBinding.
-	CreateRoleBinding(ctx kapi.Context, policyRoleBinding *authorizationapi.RoleBinding) error
-	// UpdateRoleBinding updates a policyRoleBinding.
-	UpdateRoleBinding(ctx kapi.Context, policyRoleBinding *authorizationapi.RoleBinding) error
+	// CreateRoleBinding creates a new policyRoleBinding.  Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
+	CreateRoleBinding(ctx kapi.Context, policyRoleBinding *authorizationapi.RoleBinding, allowEscalation bool) error
+	// UpdateRoleBinding updates a policyRoleBinding.  Skipping the escalation check should only be done during bootstrapping procedures where no users are currently bound.
+	UpdateRoleBinding(ctx kapi.Context, policyRoleBinding *authorizationapi.RoleBinding, allowEscalation bool) error
 	// DeleteRoleBinding deletes a policyRoleBinding.
 	DeleteRoleBinding(ctx kapi.Context, id string) error
 }

pkg/authorization/registry/rolebinding/rest.go

@@ -72,7 +72,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err
 		return nil, kerrors.NewInvalid("roleBinding", roleBinding.Name, errs)
 	}
 
-	err := r.registry.CreateRoleBinding(ctx, roleBinding)
+	err := r.registry.CreateRoleBinding(ctx, roleBinding, false)
 	if err != nil {
 		return nil, err
 	}
@@ -93,7 +93,7 @@ func (r *REST) Update(ctx kapi.Context, obj runtime.Object) (runtime.Object, boo
 		return nil, false, kerrors.NewInvalid("roleBinding", roleBinding.Name, errs)
 	}
 
-	err := r.registry.UpdateRoleBinding(ctx, roleBinding)
+	err := r.registry.UpdateRoleBinding(ctx, roleBinding, false)
 	if err != nil {
 		return nil, false, err
 	}

pkg/authorization/registry/rolebinding/virtual_registry.go

@@ -83,12 +83,14 @@ func (m *VirtualRegistry) DeleteRoleBinding(ctx kapi.Context, name string) error
 	return m.bindingRegistry.UpdatePolicyBinding(ctx, owningPolicyBinding)
 }
 
-func (m *VirtualRegistry) CreateRoleBinding(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
+func (m *VirtualRegistry) CreateRoleBinding(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding, allowEscalation bool) error {
 	if err := m.validateReferentialIntegrity(ctx, roleBinding); err != nil {
 		return err
 	}
-	if err := m.confirmNoEscalaton(ctx, roleBinding); err != nil {
-		return err
+	if !allowEscalation {
+		if err := m.confirmNoEscalation(ctx, roleBinding); err != nil {
+			return err
+		}
 	}
 
 	policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace)
@@ -110,12 +112,14 @@ func (m *VirtualRegistry) CreateRoleBinding(ctx kapi.Context, roleBinding *autho
 	return nil
 }
 
-func (m *VirtualRegistry) UpdateRoleBinding(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
+func (m *VirtualRegistry) UpdateRoleBinding(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding, allowEscalation bool) error {
 	if err := m.validateReferentialIntegrity(ctx, roleBinding); err != nil {
 		return err
 	}
-	if err := m.confirmNoEscalaton(ctx, roleBinding); err != nil {
-		return err
+	if !allowEscalation {
+		if err := m.confirmNoEscalation(ctx, roleBinding); err != nil {
+			return err
+		}
 	}
 
 	existingRoleBinding, err := m.GetRoleBinding(ctx, roleBinding.Name)
@@ -175,7 +179,7 @@ func (m *VirtualRegistry) getReferencedRole(roleRef kapi.ObjectReference) (*auth
 	return &role, nil
 }
 
-func (m *VirtualRegistry) confirmNoEscalaton(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
+func (m *VirtualRegistry) confirmNoEscalation(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
 	modifyingRole, err := m.getReferencedRole(roleBinding.RoleRef)
 	if err != nil {
 		return err