Allow non admin users to manage BSL (#6589)

* allow other than admins to manage cbsl * add impersonated client * refactor code * improve errors * review comments --------- Co-authored-by: moelsayed <m.elsayed@gmail.com>
kubermatic · Mar 14, 2024 · f3bb210 · f3bb210
1 parent a1e2135
commit f3bb210
Show file tree

Hide file tree

Showing 10 changed files with 197 additions and 142 deletions.
diff --git a/modules/api/cmd/kubermatic-api/main.go b/modules/api/cmd/kubermatic-api/main.go
@@ -410,7 +410,7 @@ func createInitProviders(ctx context.Context, options serverRunOptions, masterCf
 
 	featureGatesProvider := kubernetesprovider.NewFeatureGatesProvider(options.featureGates)
 
-	backupStorageProvider := backupStorageProviderFactory(client)
+	backupStorageProvider := backupStorageProviderFactory(defaultImpersonationClient.CreateImpersonatedClient, client)
 
 	return providers{
 		sshKey:                                         sshKeyProvider,

diff --git a/modules/api/cmd/kubermatic-api/wrappers_ce.go b/modules/api/cmd/kubermatic-api/wrappers_ce.go
@@ -48,6 +48,6 @@ func groupProjectBindingFactory(_ kubernetes.ImpersonationClient, _ ctrlruntimec
 	return nil
 }
 
-func backupStorageProviderFactory(_ ctrlruntimeclient.Client) provider.BackupStorageProvider {
+func backupStorageProviderFactory(_ kubernetes.ImpersonationClient, _ ctrlruntimeclient.Client) provider.BackupStorageProvider {
 	return nil
 }
diff --git a/modules/api/cmd/kubermatic-api/wrappers_ee.go b/modules/api/cmd/kubermatic-api/wrappers_ee.go
@@ -49,6 +49,6 @@ func groupProjectBindingFactory(createMasterImpersonatedClient kubernetes.Impers
 	return eeapi.GroupProjectBindingProviderFactory(createMasterImpersonatedClient, privilegedClient)
 }
 
-func backupStorageProviderFactory(privilegedClient ctrlruntimeclient.Client) provider.BackupStorageProvider {
-	return eeapi.BackupStorageProviderFactory(privilegedClient)
+func backupStorageProviderFactory(createMasterImpersonatedClient kubernetes.ImpersonationClient, privilegedClient ctrlruntimeclient.Client) provider.BackupStorageProvider {
+	return eeapi.BackupStorageProviderFactory(createMasterImpersonatedClient, privilegedClient)
 }
diff --git a/modules/api/pkg/ee/clusterbackup/storage-location/handler.go b/modules/api/pkg/ee/clusterbackup/storage-location/handler.go
@@ -96,16 +96,23 @@ const (
 	displayNameLabelKey = "csbl-display-name"
 )
 
-func ListCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) ([]*apiv2.ClusterBackupStorageLocation, error) {
+func ListCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) ([]*apiv2.ClusterBackupStorageLocation, error) {
 	req, ok := request.(listCbslReq)
 	if !ok {
 		return nil, utilerrors.NewBadRequest("invalid request")
 	}
+
+	user, err := userInfoGetter(ctx, req.ProjectID)
+
+	if err != nil {
+		return nil, err
+	}
+
 	labelSet := map[string]string{
 		kubermaticv1.ProjectIDLabelKey: req.ProjectID,
 	}
 
-	cbslList, err := provider.ListUnsecured(ctx, labelSet)
+	cbslList, err := provider.ListUnsecured(ctx, user, labelSet)
 	if err != nil {
 		return nil, err
 	}
@@ -122,20 +129,31 @@ func ListCBSL(ctx context.Context, request interface{}, provider provider.Backup
 	return resp, nil
 }
 
-func GetCSBL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) {
+func GetCSBL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) {
 	req, ok := request.(getCbslReq)
 	if !ok {
 		return nil, utilerrors.NewBadRequest("invalid request")
 	}
+
+	user, err := userInfoGetter(ctx, req.ProjectID)
+
+	if err != nil {
+		return nil, err
+	}
+
 	labelSet := map[string]string{
 		kubermaticv1.ProjectIDLabelKey: req.ProjectID,
 	}
 
-	cbsl, err := provider.GetUnsecured(ctx, req.ClusterBackupStorageLocationName, labelSet)
+	cbsl, err := provider.GetUnsecured(ctx, user, req.ClusterBackupStorageLocationName, labelSet)
 	if err != nil {
 		return nil, err
 	}
 
+	if cbsl == nil {
+		return nil, nil
+	}
+
 	return &apiv2.ClusterBackupStorageLocation{
 		Name:        cbsl.Name,
 		DisplayName: cbsl.Labels[displayNameLabelKey],
@@ -144,18 +162,25 @@ func GetCSBL(ctx context.Context, request interface{}, provider provider.BackupS
 	}, nil
 }
 
-func CreateCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) {
+func CreateCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) {
 	req, ok := request.(createCbslReq)
 	if !ok {
 		return nil, utilerrors.NewBadRequest("invalid request")
 	}
+
+	user, err := userInfoGetter(ctx, req.ProjectID)
+
+	if err != nil {
+		return nil, err
+	}
+
 	cbslName := req.Body.Name
 	cbslSpec := req.Body.CBSLSpec.DeepCopy()
 	creds := req.Body.Credentials
 	cbsl := &kubermaticv1.ClusterBackupStorageLocation{
 		Spec: *cbslSpec,
 	}
-	created, err := provider.CreateUnsecured(ctx, cbslName, req.ProjectID, cbsl, creds)
+	created, err := provider.Create(ctx, user, cbslName, req.ProjectID, cbsl, creds)
 	if err != nil {
 		return nil, err
 	}
@@ -168,31 +193,47 @@ func CreateCBSL(ctx context.Context, request interface{}, provider provider.Back
 	}, nil
 }
 
-func DeleteCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) error {
+func DeleteCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) error {
 	req, ok := request.(deleteCbslReq)
 	if !ok {
 		return utilerrors.NewBadRequest("invalid request")
 	}
 
-	err := provider.DeleteUnsecured(ctx, req.ClusterBackupStorageLocationName)
+	user, err := userInfoGetter(ctx, req.ProjectID)
+
+	if err != nil {
+		return err
+	}
+
+	err = provider.Delete(ctx, user, req.ClusterBackupStorageLocationName)
 	if err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func PatchCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) {
+func PatchCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) {
 	req, ok := request.(patchCbslReq)
 	if !ok {
 		return nil, utilerrors.NewBadRequest("invalid request")
 	}
 
+	user, err := userInfoGetter(ctx, req.ProjectID)
+
+	if err != nil {
+		return nil, err
+	}
+
 	cbslSpec := req.Body.CBSLSpec.DeepCopy()
 	cbsl := &kubermaticv1.ClusterBackupStorageLocation{
 		Spec: *cbslSpec,
 	}
-	patched, err := provider.PatchUnsecured(ctx, req.ClusterBackupStorageLocationName, cbsl, req.Body.Credentials)
+	patched, err := provider.Patch(ctx, user, req.ClusterBackupStorageLocationName, cbsl, req.Body.Credentials)
+	if err != nil {
+		return nil, err
+	}
+
 	if err != nil {
 		return nil, err
 	}