GITBOOK-273: No subject

cit965 · Feb 7, 2025 · 27c6850 · 27c6850
1 parent c06920c
commit 27c6850
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/.gitbook/assets/efb30b00f6495c2049ec7fc7e8d91aa (1).png b/.gitbook/assets/efb30b00f6495c2049ec7fc7e8d91aa (1).png
diff --git a/.gitbook/assets/efb30b00f6495c2049ec7fc7e8d91aa.png b/.gitbook/assets/efb30b00f6495c2049ec7fc7e8d91aa.png
diff --git a/k8s-yuan-ma-ren-cai-fu-hua-xun-lian-ying/di-wu-zhang-apimachinery/5.7-ren-zheng.md b/k8s-yuan-ma-ren-cai-fu-hua-xun-lian-ying/di-wu-zhang-apimachinery/5.7-ren-zheng.md
@@ -320,9 +320,17 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed
 
 
 
-AuthenticateRequest 是一个接口，具体实现 是 unionAuthRetuestHandler ：
+AuthenticateRequest 是一个接口，具体实现是 unionAuthRetuestHandler , union 是联合的意思，其结构体内包含一个 Handlers 数组，每一个Handler 又都实现了 AuthenticateRequest 接口，只要有一个 Hander 认证成功就返回ok：
 
 ```go
+// unionAuthRequestHandler authenticates requests using a chain of authenticator.Requests
+type unionAuthRequestHandler struct {
+	// Handlers is a chain of request authenticators to delegate to
+	Handlers []authenticator.Request
+	// FailOnError determines whether an error returns short-circuits the chain
+	FailOnError bool
+}
+
 // AuthenticateRequest authenticates the request using a chain of authenticator.Request objects.
 func (authHandler *unionAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
     var errlist []error
@@ -537,7 +545,7 @@ func (config Config) New(serverLifecycle context.Context) (authenticator.Request
 
 ### 插件实现
 
-认证插件要实现一个接口：
+之前介绍的几种身份认证策略，都必须要实现一个接口，我们来看下该接口的签名：
 
 ```go
 // Request attempts to extract authentication information from a request and
@@ -547,9 +555,12 @@ type Request interface {
 }
 ```
 
-我们来看下 baretoken 是如何实现的：
+<figure><img src="../../.gitbook/assets/efb30b00f6495c2049ec7fc7e8d91aa (1).png" alt=""><figcaption></figcaption></figure>
+
+我们已经看过了 unionAuthRequestHandler 的实现，我们再看下 baretoken 是如何实现的：
 
 ```go
+// staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
 func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
     auth := strings.TrimSpace(req.Header.Get("Authorization"))
     if auth == "" {
@@ -570,7 +581,7 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
        }
        return nil, false, nil
     }
-
+    // 从请求中读取 token，和服务器中存储的做对比，这里又调用了个 AuthenticateToken 接口
     resp, ok, err := a.auth.AuthenticateToken(req.Context(), token)
     // if we authenticated successfully, go ahead and remove the bearer token so that no one
     // is ever tempted to use it inside of the API server
@@ -585,4 +596,10 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
 
     return resp, ok, err
 }
+
+// Token checks a string value against a backing authentication store and
+// returns a Response or an error if the token could not be checked.
+type Token interface {
+	AuthenticateToken(ctx context.Context, token string) (*Response, bool, error)
+}
 ```