Consider supporting groups instead of single users only and create their tests #351
base: sig-auth-acceptance
This is an open source project, remove any references to trackers that are not in this repo. If they contain additional context, move it to the GitHub issue you are fixing.
good job
} | ||
|
||
if isAllowed(saConfig.User.Name, userName) && | ||
if (saConfig.User.Name == "" || isAllowed(saConfig.User.Name, userName)) && |
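Review bot: the `saConfig.User.Name == "" ||` clause in the second `if` line makes an unset user name match every `userName`, which is a fail-open default for an authorization check. Whether `isAllowed` already returns true for an empty configured value is not visible in these lines: if it does, the clause is redundant and can be dropped; if it does not, this widens who is authorized and needs a comment stating that an empty user means any user, plus a test for that case.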
I think the previous solution was sufficient. If there is no config (empty string) for `user` or any other `resourceAttribute`, it defaults to true.
The unit tests show those permutations of user / no user, group / no group, allowed.
if len(configGroups) == 0 { | ||
return true | ||
} | ||
configGroupSet := make(map[string]struct{}) |
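Review bot: `if len(configGroups) == 0 { return true }` passes the group check for every request when no groups are configured, so a config entry that loses its group list silently becomes permissive. State that intent in a comment above the early return and cover the empty-groups case with a test. The `make(map[string]struct{})` on the last line can also take `len(configGroups)` as a capacity hint.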
A set is a great solution for this. You are always on the safe side that it scales up.
But the `configGroupSet` slice will never change, and we are initializing it on every request at least once.
We would need to move it out and initialize the `configGroupSet` in the constructor `NewStaticAuthorizer`.
The issue is that the config given to the user to configure it is a slice of strings. This should stay as is, but for working with it we need to turn this into a Set of strings. So you would need to create a struct `StaticAuthorizationOptions` that contains a slice of strings and can be used by the user, and you need to modify the existing `StaticAuthorizationConfig` to have a Set of strings.
If you create a Set and you don't use the k8s utility package and you do it by hand, it is also good to create `struct{}{}` as a global variable with a name like `noop` and reference it; that way you don't initialize it for every entry.
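A sketch of the layout suggested in the comment above, added here as an illustration and not taken from the PR or the project: the type and constructor names come from the comment, while the field names, the `Authorize` signature and the rule that any one matching group suffices are assumptions.

```go
package main

import "fmt"

// noop is the one shared empty value stored for every set entry.
var noop = struct{}{}

// StaticAuthorizationOptions is the user-facing form: groups stay a slice.
type StaticAuthorizationOptions struct {
	Groups []string
}

// StaticAuthorizationConfig is the internal form: groups held as a set.
type StaticAuthorizationConfig struct {
	Groups map[string]struct{}
}

type staticAuthorizer struct{ configs []StaticAuthorizationConfig }

// NewStaticAuthorizer builds every group set once, not on each request.
func NewStaticAuthorizer(opts []StaticAuthorizationOptions) *staticAuthorizer {
	a := &staticAuthorizer{}
	for _, o := range opts {
		set := make(map[string]struct{}, len(o.Groups))
		for _, g := range o.Groups {
			set[g] = noop
		}
		a.configs = append(a.configs, StaticAuthorizationConfig{Groups: set})
	}
	return a
}

// Authorize: no configured groups means no restriction (as in the diff's early return);
// otherwise one request group must be in the set (assumed rule).
func (a *staticAuthorizer) Authorize(groups []string) bool {
	for _, c := range a.configs {
		if len(c.Groups) == 0 {
			return true
		}
		for _, g := range groups {
			if _, ok := c.Groups[g]; ok {
				return true
			}
		}
	}
	return false
}

func main() { // constructed sample input
	fmt.Println(NewStaticAuthorizer([]StaticAuthorizationOptions{{Groups: []string{"ops"}}}).Authorize([]string{"ops"}))
}
```

Each request now costs one map lookup per request group, and the only allocation happens in the constructor.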
this PR to cover issue: 333