root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 80 Packages Projects Releases Wiki Activity

refactoring NamespaceAccessChecker usage and use CloudNamespaceFormatter in Cloud 

Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>
This commit is contained in:
Claudiu Dragalina-Paraipan 2024-09-03 10:55:45 +03:00
parent bb5ee88d4f
commit 62f165f6f9
2 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkg/services/authn/grpcutils/namespace_checker.go Normal file
View File

@ -0,0 +1,23 @@
package grpcutils
import (
authzlib "github.com/grafana/authlib/authz"
"github.com/grafana/authlib/claims"
"github.com/grafana/grafana/pkg/setting"
)
func NewNamespaceAccessChecker(cfg *setting.Cfg) authzlib.NamespaceAccessChecker {
if cfg.StackID != "" {
return authzlib.NewNamespaceAccessChecker(
claims.CloudNamespaceFormatter,
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
)
}
return authzlib.NewNamespaceAccessChecker(
claims.OrgNamespaceFormatter,
authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
)
}

10
pkg/services/grpcserver/service.go
View File

@ -7,7 +7,6 @@ import (
"time" "time"
authzlib "github.com/grafana/authlib/authz" authzlib "github.com/grafana/authlib/authz"
"github.com/grafana/authlib/claims"
"github.com/grafana/dskit/instrument" "github.com/grafana/dskit/instrument"
"github.com/grafana/dskit/middleware" "github.com/grafana/dskit/middleware"
"github.com/grafana/grafana-plugin-sdk-go/backend" "github.com/grafana/grafana-plugin-sdk-go/backend"
@ -20,6 +19,7 @@ import (
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing" "github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/registry" "github.com/grafana/grafana/pkg/registry"
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
"github.com/grafana/grafana/pkg/services/featuremgmt" "github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/grpcserver/interceptors" "github.com/grafana/grafana/pkg/services/grpcserver/interceptors"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
@ -73,13 +73,7 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
var opts []grpc.ServerOption var opts []grpc.ServerOption
// We don't need to support the CloudNamespaceFormatter here, because the grpcserver is only used on-prem. namespaceChecker := grpcutils.NewNamespaceAccessChecker(cfg)
// TODO(drclau): validate this assumption.
namespaceChecker := authzlib.NewNamespaceAccessChecker(
claims.OrgNamespaceFormatter,
authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
)
stackIdExtractor := authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey) stackIdExtractor := authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey)
// Default auth is admin token check, but this can be overridden by // Default auth is admin token check, but this can be overridden by