AuthN: Make clientTokenRotation work when Grafana is accessible on a sub url (#69385)

Fix clientTokenRotation for auth-proxy
2024-11-26 02:40:26 -06:00 · 2023-06-01 17:06:00 +02:00 · 2023-06-01 17:06:00 +02:00 · 28bb960e42
commit 28bb960e42
parent 56c27a1f0d
5 changed files with 11 additions and 6 deletions
--- a/devenv/docker/blocks/auth/nginx_proxy_mac/docker-compose.yaml
+++ b/devenv/docker/blocks/auth/nginx_proxy_mac/docker-compose.yaml
@ -1,11 +1,13 @@
-# This will proxy all requests for http://localhost:10080/grafana/ to
+# This will proxy all requests for http://localhost:8090/grafana/ to
 # http://localhost:3000 (Grafana running locally)
 #
 # Please note that you'll need to change the root_url in the Grafana configuration:
-# root_url = %(protocol)s://%(domain)s:10080/grafana/
+# root_url = %(protocol)s://%(domain)s:8090/grafana/

  nginxproxy:
    build: docker/blocks/auth/nginx_proxy_mac
+    volumes:
+      - "./docker/blocks/auth/nginx_proxy_mac/nginx_login_only.conf:/etc/nginx/nginx.conf"
    ports:
-      - "10080:10080"
+      - "8090:8090"

--- a/devenv/docker/blocks/auth/nginx_proxy_mac/nginx.conf
+++ b/devenv/docker/blocks/auth/nginx_proxy_mac/nginx.conf
@ -10,7 +10,7 @@ http {
  proxy_set_header   X-Forwarded-Host $server_name;

  server {
-    listen 10080;
+    listen 8090;

    location /grafana/ {
      ################################################################
--- a/devenv/docker/blocks/auth/nginx_proxy_mac/nginx_login_only.conf
+++ b/devenv/docker/blocks/auth/nginx_proxy_mac/nginx_login_only.conf
@ -10,7 +10,7 @@ http {
  proxy_set_header   X-Forwarded-Host $server_name;

  server {
-    listen 10080;
+    listen 8090;

    location /grafana/ {
      ################################################################
@ -28,6 +28,8 @@ http {
      # header_property = username
      ################################################################

+      proxy_set_header   Host $host:$server_port;
+
      location /grafana/login {
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/htpasswd;
--- a/pkg/services/authn/clients/grafana.go
+++ b/pkg/services/authn/clients/grafana.go
@ -39,6 +39,7 @@ func (c *Grafana) AuthenticateProxy(ctx context.Context, r *authn.Request, usern
 			SyncTeams:       true,
 			FetchSyncedUser: true,
 			SyncOrgRoles:    true,
+			SyncPermissions: true,
 			AllowSignUp:     c.cfg.AuthProxyAutoSignUp,
 		},
 	}
--- a/public/app/core/services/context_srv.ts
+++ b/public/app/core/services/context_srv.ts
@ -245,7 +245,7 @@ export class ContextSrv {

  private rotateToken() {
    // We directly use fetch here to bypass the request queue from backendSvc
-    return fetch('/api/user/auth-tokens/rotate', { method: 'POST' })
+    return fetch(config.appSubUrl + '/api/user/auth-tokens/rotate', { method: 'POST' })
      .then((res) => {
        if (res.status === 200) {
          this.scheduleTokenRotationJob();