Update DS Proxy to use RBAC action (#87517)

iam-team: Update DS Proxy to use RBAC action
2025-02-25 18:55:37 -06:00 · 2024-05-21 08:05:16 -05:00 · 2024-05-21 08:05:16 -05:00 · 0072e4a92d
commit 0072e4a92d
parent 410e3b17e9
8 changed files with 56 additions and 7 deletions
--- a/packages/grafana-data/src/types/featureToggles.gen.ts
+++ b/packages/grafana-data/src/types/featureToggles.gen.ts
@ -189,4 +189,5 @@ export interface FeatureToggles {
  newDashboardSharingComponent?: boolean;
  notificationBanner?: boolean;
  dashboardRestore?: boolean;
+  datasourceProxyDisableRBAC?: boolean;
 }
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -19,6 +19,7 @@ import (
 	glog "github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@ -304,8 +305,14 @@ func (proxy *DataSourceProxy) validateRequest() error {
 			continue
 		}

-		if route.ReqRole.IsValid() {
-			if !proxy.ctx.HasUserRole(route.ReqRole) {
+		if proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagDatasourceProxyDisableRBAC) {
+			// TODO(aarongodin): following logic can be removed with FlagDatasourceProxyDisableRBAC as it is covered by
+			// proxy.hasAccessToRoute(..)
+			if route.ReqRole.IsValid() && !proxy.ctx.HasUserRole(route.ReqRole) {
+				return errors.New("plugin proxy route access denied")
+			}
+		} else {
+			if !proxy.hasAccessToRoute(route) {
 				return errors.New("plugin proxy route access denied")
 			}
 		}
@ -330,6 +337,26 @@ func (proxy *DataSourceProxy) validateRequest() error {
 	return nil
 }

+func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
+	ctxLogger := logger.FromContext(proxy.ctx.Req.Context())
+	useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
+	if useRBAC {
+		routeEval := accesscontrol.EvalPermission(route.ReqAction)
+		ok := routeEval.Evaluate(proxy.ctx.GetPermissions())
+		if !ok {
+			ctxLogger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path, "action", route.ReqAction, "path", route.Path, "method", route.Method)
+		}
+		return ok
+	}
+	if route.ReqRole.IsValid() {
+		if hasUserRole := proxy.ctx.HasUserRole(route.ReqRole); !hasUserRole {
+			ctxLogger.Debug("plugin route is covered by org role, user doesn't have access", "route", proxy.ctx.Req.URL.Path, "role", route.ReqRole, "path", route.Path, "method", route.Method)
+			return false
+		}
+	}
+	return true
+}
+
 func (proxy *DataSourceProxy) logRequest() {
 	if !proxy.cfg.DataProxyLogging {
 		return
--- a/pkg/api/pluginproxy/pluginproxy.go
+++ b/pkg/api/pluginproxy/pluginproxy.go
@ -122,7 +122,7 @@ func (proxy *PluginProxy) HandleRequest() {
 }

 func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
-	useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.RequiresRBACAction()
+	useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
 	if useRBAC {
 		hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(ac.EvalPermission(route.ReqAction))
 		if !hasAccess {
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@ -207,10 +207,6 @@ type Route struct {
 	Body         json.RawMessage `json:"body"`
 }

-func (r *Route) RequiresRBACAction() bool {
-	return r.ReqAction != ""
-}
-
 // Header describes an HTTP header that is forwarded with
 // the proxied request for a plugin route
 type Header struct {
--- a/pkg/services/featuremgmt/registry.go
+++ b/pkg/services/featuremgmt/registry.go
@ -1275,6 +1275,13 @@ var (
 			HideFromDocs:      true,
 			HideFromAdminPage: true,
 		},
+		{
+			Name:         "datasourceProxyDisableRBAC",
+			Description:  "Disables applying a plugin route's ReqAction field to authorization",
+			Stage:        FeatureStageGeneralAvailability,
+			Owner:        identityAccessTeam,
+			HideFromDocs: true,
+		},
 	}
 )

--- a/pkg/services/featuremgmt/toggles_gen.csv
+++ b/pkg/services/featuremgmt/toggles_gen.csv
@ -170,3 +170,4 @@ logsExploreTableDefaultVisualization,experimental,@grafana/observability-logs,fa
 newDashboardSharingComponent,experimental,@grafana/sharing-squad,false,false,true
 notificationBanner,experimental,@grafana/grafana-frontend-platform,false,false,false
 dashboardRestore,experimental,@grafana/grafana-frontend-platform,false,false,false
+datasourceProxyDisableRBAC,GA,@grafana/identity-access-team,false,false,false
--- a/pkg/services/featuremgmt/toggles_gen.go
+++ b/pkg/services/featuremgmt/toggles_gen.go
@ -690,4 +690,8 @@ const (
 	// FlagDashboardRestore
 	// Enables deleted dashboard restore feature
 	FlagDashboardRestore = "dashboardRestore"
+
+	// FlagDatasourceProxyDisableRBAC
+	// Disables applying a plugin route&#39;s ReqAction field to authorization
+	FlagDatasourceProxyDisableRBAC = "datasourceProxyDisableRBAC"
 )
--- a/pkg/services/featuremgmt/toggles_gen.json
+++ b/pkg/services/featuremgmt/toggles_gen.json
@ -2222,6 +2222,19 @@
        "hideFromAdminPage": true,
        "hideFromDocs": true
      }
+    },
+    {
+      "metadata": {
+        "name": "datasourceProxyDisableRBAC",
+        "resourceVersion": "1715889033198",
+        "creationTimestamp": "2024-05-16T19:50:33Z"
+      },
+      "spec": {
+        "description": "Disables applying a plugin route's ReqAction field to authorization",
+        "stage": "GA",
+        "codeowner": "@grafana/identity-access-team",
+        "hideFromDocs": true
+      }
    }
  ]
 }