separate out bootstrap policy

pkg/cmd/openshift/openshift.go

@@ -18,7 +18,7 @@ import (
 	"github.com/openshift/origin/pkg/cmd/infra/builder"
 	"github.com/openshift/origin/pkg/cmd/infra/deployer"
 	"github.com/openshift/origin/pkg/cmd/infra/router"
-	"github.com/openshift/origin/pkg/cmd/server/certs"
+	"github.com/openshift/origin/pkg/cmd/server/admin"
 	"github.com/openshift/origin/pkg/cmd/server/start"
 	"github.com/openshift/origin/pkg/cmd/templates"
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
@@ -81,7 +81,7 @@ func NewCommandOpenShift() *cobra.Command {
 
 	startAllInOne, _ := start.NewCommandStartAllInOne()
 	root.AddCommand(startAllInOne)
-	root.AddCommand(certs.NewCommandAdmin())
+	root.AddCommand(admin.NewCommandAdmin())
 	root.AddCommand(cli.NewCommandCLI("cli", "openshift cli"))
 	root.AddCommand(cli.NewCmdKubectl("kube"))
 	root.AddCommand(newExperimentalCommand("openshift", "ex"))

pkg/cmd/server/certs/create_allcerts.go → pkg/cmd/server/admin/create_allcerts.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/admin/create_bootstrappolicy_file.go

@@ -0,0 +1,111 @@
+package admin
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/golang/glog"
+	"github.com/spf13/cobra"
+
+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubectl"
+
+	"github.com/openshift/origin/pkg/api/latest"
+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+	"github.com/openshift/origin/pkg/template/api"
+)
+
+const (
+	DefaultPolicyFile                    = "openshift.local.policy/policy.json"
+	CreateBootstrapPolicyFileCommand     = "create-bootstrap-policy-file"
+	CreateBootstrapPolicyFileFullCommand = "openshift admin " + CreateBootstrapPolicyFileCommand
+)
+
+type CreateBootstrapPolicyFileOptions struct {
+	File string
+
+	MasterAuthorizationNamespace      string
+	OpenShiftSharedResourcesNamespace string
+}
+
+func NewCommandCreateBootstrapPolicyFile() *cobra.Command {
+	options := &CreateBootstrapPolicyFileOptions{}
+
+	cmd := &cobra.Command{
+		Use:   CreateBootstrapPolicyFileCommand,
+		Short: "Create bootstrap policy for OpenShift.",
+		Run: func(c *cobra.Command, args []string) {
+			if err := options.Validate(args); err != nil {
+				fmt.Println(err.Error())
+				c.Help()
+				return
+			}
+
+			if err := options.CreateBootstrapPolicyFile(); err != nil {
+				glog.Fatal(err)
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVar(&options.File, "filename", DefaultPolicyFile, "The policy template file that will be written with roles and bindings.")
+
+	flags.StringVar(&options.MasterAuthorizationNamespace, "master-namespace", "master", "Global authorization namespace.")
+	flags.StringVar(&options.OpenShiftSharedResourcesNamespace, "openshift-namespace", "openshift", "Namespace for shared openshift resources.")
+
+	return cmd
+}
+
+func (o CreateBootstrapPolicyFileOptions) Validate(args []string) error {
+	if len(args) != 0 {
+		return errors.New("no arguments are supported")
+	}
+	if len(o.File) == 0 {
+		return errors.New("filename must be provided")
+	}
+	if len(o.MasterAuthorizationNamespace) == 0 {
+		return errors.New("master-namespace must be provided")
+	}
+	if len(o.OpenShiftSharedResourcesNamespace) == 0 {
+		return errors.New("openshift-namespace must be provided")
+	}
+
+	return nil
+}
+
+func (o CreateBootstrapPolicyFileOptions) CreateBootstrapPolicyFile() error {
+	if err := os.MkdirAll(path.Dir(o.File), os.FileMode(0755)); err != nil {
+		return err
+	}
+
+	policyTemplate := &api.Template{}
+
+	roles := bootstrappolicy.GetBootstrapRoles(o.MasterAuthorizationNamespace, o.OpenShiftSharedResourcesNamespace)
+	for i := range roles {
+		policyTemplate.Objects = append(policyTemplate.Objects, &roles[i])
+	}
+
+	roleBindings := bootstrappolicy.GetBootstrapRoleBindings(o.MasterAuthorizationNamespace, o.OpenShiftSharedResourcesNamespace)
+	for i := range roleBindings {
+		policyTemplate.Objects = append(policyTemplate.Objects, &roleBindings[i])
+	}
+
+	versionedPolicyTemplate, err := kapi.Scheme.ConvertToVersion(policyTemplate, latest.Version)
+	if err != nil {
+		return err
+	}
+
+	buffer := &bytes.Buffer{}
+	(&kubectl.JSONPrinter{}).PrintObj(versionedPolicyTemplate, buffer)
+
+	if err := ioutil.WriteFile(o.File, buffer.Bytes(), 0644); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/cmd/server/certs/create_clientcert.go → pkg/cmd/server/admin/create_clientcert.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/certs/create_comands.go → pkg/cmd/server/admin/create_comands.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"github.com/spf13/cobra"
@@ -13,6 +13,8 @@ func NewCommandAdmin() *cobra.Command {
 		},
 	}
 
+	cmd.AddCommand(NewCommandOverwriteBootstrapPolicy())
+	cmd.AddCommand(NewCommandCreateBootstrapPolicyFile())
 	cmd.AddCommand(NewCommandCreateKubeConfig())
 	cmd.AddCommand(NewCommandCreateAllCerts())
 	cmd.AddCommand(NewCommandCreateClientCert())

pkg/cmd/server/certs/create_kubeconfig.go → pkg/cmd/server/admin/create_kubeconfig.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/certs/create_nodeclientcerts.go → pkg/cmd/server/admin/create_nodeclientcerts.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/certs/create_servercert.go → pkg/cmd/server/admin/create_servercert.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/certs/create_signercert.go → pkg/cmd/server/admin/create_signercert.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/certs/default_certs.go → pkg/cmd/server/admin/default_certs.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"fmt"

pkg/cmd/server/admin/overwrite_bootstrappolicy.go

@@ -0,0 +1,141 @@
+package admin
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/golang/glog"
+	"github.com/spf13/cobra"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubectl"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubectl/resource"
+	utilerrors "github.com/GoogleCloudPlatform/kubernetes/pkg/util/errors"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
+	"github.com/openshift/origin/pkg/api/latest"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	authorizationetcd "github.com/openshift/origin/pkg/authorization/registry/etcd"
+	roleregistry "github.com/openshift/origin/pkg/authorization/registry/role"
+	rolebindingregistry "github.com/openshift/origin/pkg/authorization/registry/rolebinding"
+	configapilatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
+	configvalidation "github.com/openshift/origin/pkg/cmd/server/api/validation"
+	"github.com/openshift/origin/pkg/cmd/server/etcd"
+	cmdclientcmd "github.com/openshift/origin/pkg/cmd/util/clientcmd"
+	templateapi "github.com/openshift/origin/pkg/template/api"
+)
+
+type OverwriteBootstrapPolicyOptions struct {
+	File             string
+	MasterConfigFile string
+}
+
+func NewCommandOverwriteBootstrapPolicy() *cobra.Command {
+	options := &OverwriteBootstrapPolicyOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "overwrite-policy",
+		Short: "Overwrite policy for OpenShift.  DANGER: THIS BYPASSES ALL ACCESS CONTROL CHECKS AND WRITES DIRECTLY TO ETCD!",
+		Run: func(c *cobra.Command, args []string) {
+			if err := options.Validate(args); err != nil {
+				fmt.Println(err.Error())
+				c.Help()
+				return
+			}
+
+			if err := options.OverwriteBootstrapPolicy(); err != nil {
+				glog.Fatal(err)
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVar(&options.File, "filename", "", "The policy template file containing roles and bindings.  One can be created with '"+CreateBootstrapPolicyFileFullCommand+"'.")
+	flags.StringVar(&options.MasterConfigFile, "master-config", "master.yaml", "Location of the master configuration file to run from in order to connect to etcd and directly modify the policy.")
+
+	return cmd
+}
+
+func (o OverwriteBootstrapPolicyOptions) Validate(args []string) error {
+	if len(args) != 0 {
+		return errors.New("no arguments are supported")
+	}
+	if len(o.File) == 0 {
+		return errors.New("filename must be provided")
+	}
+	if len(o.MasterConfigFile) == 0 {
+		return errors.New("master-config must be provided")
+	}
+
+	return nil
+}
+
+func (o OverwriteBootstrapPolicyOptions) OverwriteBootstrapPolicy() error {
+	masterConfig, err := configapilatest.ReadAndResolveMasterConfig(o.MasterConfigFile)
+	if err != nil {
+		return err
+	}
+	if err := configvalidation.ValidateNamespace(masterConfig.PolicyConfig.MasterAuthorizationNamespace, "masterAuthorizationNamespace"); len(err) > 0 {
+		return utilerrors.NewAggregate(err)
+	}
+
+	etcdHelper, err := etcd.NewOpenShiftEtcdHelper(masterConfig.EtcdClientInfo.URL)
+	if err != nil {
+		return err
+	}
+
+	return OverwriteBootstrapPolicy(etcdHelper, masterConfig.PolicyConfig.MasterAuthorizationNamespace, o.File)
+}
+
+func OverwriteBootstrapPolicy(etcdHelper tools.EtcdHelper, masterNamespace, policyFile string) error {
+	mapper := cmdclientcmd.ShortcutExpander{kubectl.ShortcutExpander{latest.RESTMapper}}
+	typer := api.Scheme
+	clientMapper := resource.ClientMapperFunc(func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
+		return nil, nil
+	})
+
+	r := resource.NewBuilder(mapper, typer, clientMapper).
+		FilenameParam(policyFile).
+		Flatten().
+		Do()
+
+	if r.Err() != nil {
+		return r.Err()
+	}
+
+	registry := authorizationetcd.New(etcdHelper)
+	roleRegistry := roleregistry.NewVirtualRegistry(registry)
+	roleBindingRegistry := rolebindingregistry.NewVirtualRegistry(registry, registry, masterNamespace)
+
+	return r.Visit(func(info *resource.Info) error {
+		template, ok := info.Object.(*templateapi.Template)
+		if !ok {
+			return errors.New("policy must be contained in a template.  One can be created with '" + CreateBootstrapPolicyFileFullCommand + "'.")
+		}
+
+		for _, item := range template.Objects {
+			switch castObject := item.(type) {
+			case *authorizationapi.Role:
+				ctx := api.WithNamespace(api.NewContext(), castObject.Namespace)
+				roleRegistry.DeleteRole(ctx, castObject.Name)
+				if err := roleRegistry.CreateRole(ctx, castObject); err != nil {
+					return err
+				}
+
+			case *authorizationapi.RoleBinding:
+				ctx := api.WithNamespace(api.NewContext(), castObject.Namespace)
+				roleBindingRegistry.DeleteRoleBinding(ctx, castObject.Name)
+				if err := roleBindingRegistry.CreateRoleBinding(ctx, castObject, true); err != nil {
+					return err
+				}
+
+			default:
+				return errors.New("only roles and rolebindings may be created in this mode")
+			}
+		}
+
+		return nil
+	})
+}

pkg/cmd/server/certs/signer_cert_args.go → pkg/cmd/server/admin/signer_cert_args.go

@@ -1,4 +1,4 @@
-package certs
+package admin
 
 import (
 	"errors"

pkg/cmd/server/api/latest/helpers.go

@@ -0,0 +1,32 @@
+package latest
+
+import (
+	"io/ioutil"
+	"path"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+)
+
+func ReadMasterConfig(filename string) (*configapi.MasterConfig, error) {
+	data, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	config := &configapi.MasterConfig{}
+
+	if err := Codec.DecodeInto(data, config); err != nil {
+		return nil, err
+	}
+	return config, nil
+}
+
+func ReadAndResolveMasterConfig(filename string) (*configapi.MasterConfig, error) {
+	masterConfig, err := ReadMasterConfig(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	configapi.ResolveMasterConfigPaths(masterConfig, path.Dir(filename))
+	return masterConfig, nil
+}

pkg/cmd/server/api/types.go

@@ -64,6 +64,13 @@ type MasterConfig struct {
 
 	ImageConfig ImageConfig
 
+	PolicyConfig PolicyConfig
+}
+
+type PolicyConfig struct {
+	// BootstrapPolicyFile points to a template that contains roles and rolebindings that will be created if no policy object exists in the master namespace
+	BootstrapPolicyFile string
+
 	// MasterAuthorizationNamespace is the global namespace for Policy
 	MasterAuthorizationNamespace string
 	// OpenShiftSharedResourcesNamespace is the namespace where shared OpenShift resources live (like shared templates)

pkg/cmd/server/api/v1/types.go

@@ -64,6 +64,13 @@ type MasterConfig struct {
 
 	ImageConfig ImageConfig `json:"imageConfig"`
 
+	PolicyConfig PolicyConfig
+}
+
+type PolicyConfig struct {
+	// BootstrapPolicyFile points to a template that contains roles and rolebindings that will be created if no policy object exists in the master namespace
+	BootstrapPolicyFile string `json:"bootstrapPolicyFile"`
+
 	// MasterAuthorizationNamespace is the global namespace for Policy
 	MasterAuthorizationNamespace string `json:"masterAuthorizationNamespace"`
 	// OpenShiftSharedResourcesNamespace is the namespace where shared OpenShift resources live (like shared templates)