Zanzana: add flag for running zanzana server insecurely (#107130)

* add flag for running zanzana server insecurely * Only allow insecure connections in dev environment Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> --------- Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2025-06-25 17:47:53 -05:00 · 2025-06-25 17:47:53 -05:00 · 41a4841e57
parent 79fe8a9902
commit 41a4841e57
2 changed files with 33 additions and 9 deletions
--- a/pkg/services/authz/zanzana.go
+++ b/pkg/services/authz/zanzana.go
@ -177,19 +177,32 @@ func (z *Zanzana) start(ctx context.Context) error {
 		return fmt.Errorf("failed to start zanzana: %w", err)
 	}

-	authenticator := authnlib.NewAccessTokenAuthenticator(
-		authnlib.NewAccessTokenVerifier(
-			authnlib.VerifierConfig{AllowedAudiences: []string{AuthzServiceAudience}},
-			authnlib.NewKeyRetriever(authnlib.KeyRetrieverConfig{
-				SigningKeysURL: z.cfg.ZanzanaServer.SigningKeysURL,
-			}),
-		),
-	)
+	var authenticatorInterceptor interceptors.Authenticator
+	if z.cfg.ZanzanaServer.AllowInsecure && z.cfg.Env == setting.Dev {
+		z.logger.Info("Allowing insecure connections to OpenFGA HTTP server")
+		authenticatorInterceptor = noopAuthenticator{}
+	} else {
+		z.logger.Info("Requiring secure connections to OpenFGA HTTP server")
+		authenticator := authnlib.NewAccessTokenAuthenticator(
+			authnlib.NewAccessTokenVerifier(
+				authnlib.VerifierConfig{AllowedAudiences: []string{AuthzServiceAudience}},
+				authnlib.NewKeyRetriever(authnlib.KeyRetrieverConfig{
+					SigningKeysURL: z.cfg.ZanzanaServer.SigningKeysURL,
+				}),
+			),
+		)
+		authenticatorInterceptor = interceptors.AuthenticatorFunc(
+			grpcutils.NewAuthenticatorInterceptor(
+				authenticator,
+				tracer,
+			),
+		)
+	}

 	z.handle, err = grpcserver.ProvideService(
 		z.cfg,
 		z.features,
-		interceptors.AuthenticatorFunc(grpcutils.NewAuthenticatorInterceptor(authenticator, tracer)),
+		authenticatorInterceptor,
 		tracer,
 		prometheus.DefaultRegisterer,
 	)
@ -238,3 +251,11 @@ func (z *Zanzana) stopping(err error) error {
 	}
 	return nil
 }
+
+// TODO this impl might be more broadly useful in authlib
+type noopAuthenticator struct {
+}
+
+func (n noopAuthenticator) Authenticate(ctx context.Context) (context.Context, error) {
+	return ctx, nil
+}
--- a/pkg/setting/settings_zanzana.go
+++ b/pkg/setting/settings_zanzana.go
@ -46,6 +46,8 @@ type ZanzanaServerSettings struct {
 	UseStreamedListObjects bool
 	// URL for fetching signing keys.
 	SigningKeysURL string
+	// Allow insecure connections to the server for development purposes.
+	AllowInsecure bool
 }

 func (cfg *Cfg) readZanzanaSettings() {
@ -77,6 +79,7 @@ func (cfg *Cfg) readZanzanaSettings() {
 	zs.ListObjectsMaxResults = uint32(serverSec.Key("list_objects_max_results").MustUint(1000))
 	zs.UseStreamedListObjects = serverSec.Key("use_streamed_list_objects").MustBool(false)
 	zs.SigningKeysURL = serverSec.Key("signing_keys_url").MustString("")
+	zs.AllowInsecure = serverSec.Key("allow_insecure").MustBool(false)

 	cfg.ZanzanaServer = zs
 }