Address sur's comments

kcp-dev · Mar 25, 2022 · 5034d72 · 5034d72
1 parent 7a4efb8
commit 5034d72
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/pkg/authorization/bootstrap/policy.go b/pkg/authorization/bootstrap/policy.go
@@ -22,9 +22,11 @@ import (
 	rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
 )
 
-const SystemKcpTopLevelClusterWorkspaceAccessGroup = "system:kcp:toplevel-clusterworkspace:access"
-const SystemKcpClusterWorkspaceAccessGroup = "system:kcp:clusterworkspace:access"
-const SystemKcpClusterWorkspaceAdminGroup = "system:kcp:clusterworkspace:admin"
+const (
+	SystemKcpTopLevelClusterWorkspaceAccessGroup = "system:kcp:toplevel-clusterworkspace:access"
+	SystemKcpClusterWorkspaceAccessGroup         = "system:kcp:clusterworkspace:access"
+	SystemKcpClusterWorkspaceAdminGroup          = "system:kcp:clusterworkspace:admin"
+)
 
 // ClusterRoleBindings return default rolebindings to the default roles
 func clusterRoleBindings() []rbacv1.ClusterRoleBinding {

diff --git a/pkg/authorization/toplevel_org_authorizer.go b/pkg/authorization/toplevel_org_authorizer.go
@@ -91,7 +91,7 @@ func (a *topLevelOrgAccessAuthorizer) Authorize(ctx context.Context, attr author
 	// everybody authenticated has access to the root workspace
 	if cluster.Name == v1alpha1.RootCluster {
 		if sets.NewString(attr.GetUser().GetGroups()...).Has("system:authenticated") {
-			return a.delegate.Authorize(ctx, attributesWithReplacedGrouops(attr, append(attr.GetUser().GetGroups(), bootstrap.SystemKcpTopLevelClusterWorkspaceAccessGroup)))
+			return a.delegate.Authorize(ctx, attributesWithReplacedGroups(attr, append(attr.GetUser().GetGroups(), bootstrap.SystemKcpTopLevelClusterWorkspaceAccessGroup)))
 		}
 		return authorizer.DecisionNoOpinion, fmt.Sprintf("%q workspace access not permitted", cluster.Name), err
 	}
@@ -170,10 +170,10 @@ func (a *topLevelOrgAccessAuthorizer) Authorize(ctx context.Context, attr author
 		return authorizer.DecisionNoOpinion, fmt.Sprintf("%q workspace access not permitted", cluster.Name), nil
 	}
 
-	return a.delegate.Authorize(ctx, attributesWithReplacedGrouops(attr, append(attr.GetUser().GetGroups(), extraGroups...)))
+	return a.delegate.Authorize(ctx, attributesWithReplacedGroups(attr, append(attr.GetUser().GetGroups(), extraGroups...)))
 }
 
-func attributesWithReplacedGrouops(attr authorizer.Attributes, groups []string) authorizer.Attributes {
+func attributesWithReplacedGroups(attr authorizer.Attributes, groups []string) authorizer.Attributes {
 	return authorizer.AttributesRecord{
 		User: &user.DefaultInfo{
 			Name:   attr.GetUser().GetName(),

diff --git a/pkg/authorization/workspace_content_authorizer.go b/pkg/authorization/workspace_content_authorizer.go
@@ -80,7 +80,7 @@ func (a *workspaceContentAuthorizer) Authorize(ctx context.Context, attr authori
 	// everybody authenticated has access to the root workspace
 	if cluster.Name == v1alpha1.RootCluster {
 		if sets.NewString(attr.GetUser().GetGroups()...).Has("system:authenticated") {
-			return a.delegate.Authorize(ctx, attributesWithReplacedGrouops(attr, append(attr.GetUser().GetGroups(), bootstrap.SystemKcpTopLevelClusterWorkspaceAccessGroup)))
+			return a.delegate.Authorize(ctx, attributesWithReplacedGroups(attr, append(attr.GetUser().GetGroups(), bootstrap.SystemKcpTopLevelClusterWorkspaceAccessGroup)))
 		}
 		return authorizer.DecisionNoOpinion, fmt.Sprintf("%q workspace access not permitted", cluster.Name), err
 	}
@@ -183,5 +183,5 @@ func (a *workspaceContentAuthorizer) Authorize(ctx context.Context, attr authori
 		return authorizer.DecisionNoOpinion, fmt.Sprintf("%q workspace access not permitted", cluster.Name), nil
 	}
 
-	return a.delegate.Authorize(ctx, attributesWithReplacedGrouops(attr, append(attr.GetUser().GetGroups(), extraGroups...)))
+	return a.delegate.Authorize(ctx, attributesWithReplacedGroups(attr, append(attr.GetUser().GetGroups(), extraGroups...)))
 }