introducing `mode` config for gRPC auth server & client side
parent
914ca237e2
commit
3acada9d47
|
@ -1,35 +1,66 @@
|
||||||
package grpcutils
|
package grpcutils
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type Mode string
|
||||||
|
|
||||||
|
func (s Mode) IsValid() bool {
|
||||||
|
switch s {
|
||||||
|
case ModeOnPrem, ModeCloud:
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
ModeOnPrem Mode = "on-prem"
|
||||||
|
ModeCloud Mode = "cloud"
|
||||||
|
)
|
||||||
|
|
||||||
type GrpcClientConfig struct {
|
type GrpcClientConfig struct {
|
||||||
Token string
|
Token string
|
||||||
TokenExchangeURL string
|
TokenExchangeURL string
|
||||||
TokenNamespace string
|
TokenNamespace string
|
||||||
|
Mode Mode
|
||||||
}
|
}
|
||||||
|
|
||||||
func ReadGrpcClientConfig(cfg *setting.Cfg) *GrpcClientConfig {
|
func ReadGrpcClientConfig(cfg *setting.Cfg) (*GrpcClientConfig, error) {
|
||||||
section := cfg.SectionWithEnvOverrides("grpc_client_authentication")
|
section := cfg.SectionWithEnvOverrides("grpc_client_authentication")
|
||||||
|
|
||||||
|
mode := Mode(section.Key("mode").MustString(string(ModeOnPrem)))
|
||||||
|
if !mode.IsValid() {
|
||||||
|
return nil, fmt.Errorf("grpc_client_authentication: invalid mode %q", mode)
|
||||||
|
}
|
||||||
|
|
||||||
return &GrpcClientConfig{
|
return &GrpcClientConfig{
|
||||||
Token: section.Key("token").MustString(""),
|
Token: section.Key("token").MustString(""),
|
||||||
TokenExchangeURL: section.Key("token_exchange_url").MustString(""),
|
TokenExchangeURL: section.Key("token_exchange_url").MustString(""),
|
||||||
TokenNamespace: section.Key("token_namespace").MustString("stack-" + cfg.StackID),
|
TokenNamespace: section.Key("token_namespace").MustString("stack-" + cfg.StackID),
|
||||||
}
|
Mode: mode,
|
||||||
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type GrpcServerConfig struct {
|
type GrpcServerConfig struct {
|
||||||
SigningKeysURL string
|
SigningKeysURL string
|
||||||
AllowedAudiences []string
|
AllowedAudiences []string
|
||||||
|
Mode Mode
|
||||||
}
|
}
|
||||||
|
|
||||||
func ReadGprcServerConfig(cfg *setting.Cfg) *GrpcServerConfig {
|
func ReadGprcServerConfig(cfg *setting.Cfg) (*GrpcServerConfig, error) {
|
||||||
section := cfg.SectionWithEnvOverrides("grpc_server_authentication")
|
section := cfg.SectionWithEnvOverrides("grpc_server_authentication")
|
||||||
|
|
||||||
|
mode := Mode(section.Key("mode").MustString(string(ModeOnPrem)))
|
||||||
|
if !mode.IsValid() {
|
||||||
|
return nil, fmt.Errorf("grpc_server_authentication: invalid mode %q", mode)
|
||||||
|
}
|
||||||
|
|
||||||
return &GrpcServerConfig{
|
return &GrpcServerConfig{
|
||||||
SigningKeysURL: section.Key("signing_keys_url").MustString(""),
|
SigningKeysURL: section.Key("signing_keys_url").MustString(""),
|
||||||
AllowedAudiences: section.Key("allowed_audiences").Strings(","),
|
AllowedAudiences: section.Key("allowed_audiences").Strings(","),
|
||||||
}
|
Mode: mode,
|
||||||
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
|
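Review bot: Both readers default `mode` to `on-prem` (`MustString(string(ModeOnPrem))`) regardless of `cfg.StackID`, whereas the branches this commit replaces elsewhere keyed on `StackID != ""`; a cloud stack whose config does not yet carry `mode` is therefore read as on-prem, and the server side then runs with access-token verification disabled. Deriving the default from `StackID` preserves the previous behaviour for existing deployments while still letting `mode` override it, and it is safer than a fixed fail-open default. It would also be worth having cloud mode fail closed when the settings it presumably depends on are empty (`token_exchange_url` on the client, `signing_keys_url` on the server) instead of passing an empty URL downstream — I cannot see the consumers from this hunk, so confirm which fields are mandatory before adding that check. The exported `Mode`, `IsValid` and the two constants also lack doc comments; e.g. `// Mode selects how gRPC calls are authenticated; ModeOnPrem disables access-token auth on the server, ModeCloud enables the cloud token flow.`
```go
// Default to cloud when a stack ID is configured so existing cloud stacks
// keep their previous behaviour until mode is set explicitly.
defaultMode := ModeOnPrem
if cfg.StackID != "" {
	defaultMode = ModeCloud
}
mode := Mode(section.Key("mode").MustString(string(defaultMode)))
if !mode.IsValid() {
	return nil, fmt.Errorf("grpc_client_authentication: invalid mode %q", mode)
}
// … unchanged: build and return GrpcClientConfig …
```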
@ -10,7 +10,10 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error) {
|
func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error) {
|
||||||
authCfg := ReadGprcServerConfig(cfg)
|
authCfg, err := ReadGprcServerConfig(cfg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
grpcAuthCfg := authnlib.GrpcAuthenticatorConfig{
|
grpcAuthCfg := authnlib.GrpcAuthenticatorConfig{
|
||||||
KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
|
KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
|
||||||
SigningKeysURL: authCfg.SigningKeysURL,
|
SigningKeysURL: authCfg.SigningKeysURL,
|
||||||
|
@ -31,7 +34,7 @@ func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error)
|
||||||
authnlib.WithIDTokenAuthOption(true),
|
authnlib.WithIDTokenAuthOption(true),
|
||||||
authnlib.WithKeyRetrieverOption(keyRetriever),
|
authnlib.WithKeyRetrieverOption(keyRetriever),
|
||||||
}
|
}
|
||||||
if cfg.StackID == "" {
|
if authCfg.Mode == ModeOnPrem {
|
||||||
grpcOpts = append(grpcOpts,
|
grpcOpts = append(grpcOpts,
|
||||||
// Access token are not yet available on-prem
|
// Access token are not yet available on-prem
|
||||||
authnlib.WithDisableAccessTokenAuthOption(),
|
authnlib.WithDisableAccessTokenAuthOption(),
|
||||||
|
|
|
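Review bot: The `if authCfg.Mode == ModeOnPrem` branch appends `WithDisableAccessTokenAuthOption()` purely from the config value, so an instance that sets `StackID` but omits `mode` (which defaults to on-prem in the reader) silently turns off access-token verification on the gRPC server — the old `cfg.StackID == ""` check did not have this failure mode. The combination should be rejected up front rather than treated as on-prem: `if authCfg.Mode == ModeOnPrem && cfg.StackID != "" { return nil, fmt.Errorf("grpc_server_authentication: mode %q is not valid when a stack id is configured", authCfg.Mode) }` (add `fmt` to the imports if this file does not already have it). While here, the comment reads better as `// Access tokens are not yet available on-prem, so only ID tokens are verified here`. `NewGrpcAuthenticator` continues past the end of this hunk.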
@ -13,6 +13,7 @@ import (
|
||||||
infraDB "github.com/grafana/grafana/pkg/infra/db"
|
infraDB "github.com/grafana/grafana/pkg/infra/db"
|
||||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||||
"github.com/grafana/grafana/pkg/services/apiserver/options"
|
"github.com/grafana/grafana/pkg/services/apiserver/options"
|
||||||
|
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
|
||||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
"github.com/grafana/grafana/pkg/storage/unified/resource"
|
"github.com/grafana/grafana/pkg/storage/unified/resource"
|
||||||
|
@ -92,7 +93,12 @@ func ProvideUnifiedStorageClient(
|
||||||
}
|
}
|
||||||
|
|
||||||
func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (resource.ResourceClient, error) {
|
func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (resource.ResourceClient, error) {
|
||||||
if cfg.StackID != "" {
|
clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if clientConfig.Mode == grpcutils.ModeCloud {
|
||||||
return resource.NewCloudResourceClient(conn, cfg)
|
return resource.NewCloudResourceClient(conn, cfg)
|
||||||
}
|
}
|
||||||
return resource.NewGRPCResourceClient(conn)
|
return resource.NewGRPCResourceClient(conn)
|
||||||
|
|
|
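Review bot: `newResourceClient` now parses and validates `grpc_client_authentication` only to branch on `clientConfig.Mode`, and then hands the raw `cfg` to `resource.NewCloudResourceClient`, which parses the same section again; the mode that selected the cloud client is never passed along, so the constructor cannot verify it was chosen for the right reason. Passing the already-parsed config (`return resource.NewCloudResourceClient(conn, clientConfig)`) would remove the duplicate read and the duplicated error path, though that widens this commit to a signature change — the alternative is a short `// re-read inside NewCloudResourceClient; keep the two in sync` note above the call. The closing brace of `newResourceClient` is outside this hunk.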
@ -95,7 +95,11 @@ func NewGRPCResourceClient(conn *grpc.ClientConn) (ResourceClient, error) {
|
||||||
|
|
||||||
func NewCloudResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (ResourceClient, error) {
|
func NewCloudResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (ResourceClient, error) {
|
||||||
// scenario: remote cloud
|
// scenario: remote cloud
|
||||||
grpcClientConfig := clientCfgMapping(grpcutils.ReadGrpcClientConfig(cfg))
|
clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
grpcClientConfig := clientCfgMapping(clientConfig)
|
||||||
|
|
||||||
opts := []authnlib.GrpcClientInterceptorOption{
|
opts := []authnlib.GrpcClientInterceptorOption{
|
||||||
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
||||||
|
|