IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

K8s: Namespace parsing updates (default + stack-id) (#76310)

Browse Source 
Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com>
This commit is contained in:
Ryan McKinley
2023-10-12 11:34:50 -07:00
committed by GitHub
parent be7fe761a3
commit 2a527aa33b
13 changed files with 328 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
pkg/services/grafana-apiserver/auth/authorizer/stack/stack_id.go Normal file
View File

@@ -0,0 +1,56 @@
package stack
import (
"context"
"fmt"
"k8s.io/apiserver/pkg/authorization/authorizer"
"github.com/grafana/grafana/pkg/infra/appcontext"
"github.com/grafana/grafana/pkg/infra/log"
grafanarequest "github.com/grafana/grafana/pkg/services/grafana-apiserver/endpoints/request"
"github.com/grafana/grafana/pkg/setting"
)
var _ authorizer.Authorizer = &StackIDAuthorizer{}
type StackIDAuthorizer struct {
log log.Logger
stackID string
}
func ProvideStackIDAuthorizer(cfg *setting.Cfg) *StackIDAuthorizer {
return &StackIDAuthorizer{
log: log.New("grafana-apiserver.authorizer.stackid"),
stackID: cfg.StackID, // this lets a single tenant grafana validate stack id (rather than orgs)
}
}
func (auth StackIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
signedInUser, err := appcontext.User(ctx)
if err != nil {
return authorizer.DecisionDeny, fmt.Sprintf("error getting signed in user: %v", err), nil
}
info, err := grafanarequest.ParseNamespace(a.GetNamespace())
if err != nil {
return authorizer.DecisionDeny, fmt.Sprintf("error reading namespace: %v", err), nil
}
// No opinion when the namespace is arbitrary
if info.OrgID == -1 {
return authorizer.DecisionNoOpinion, "", nil
}
if info.StackID != auth.stackID {
return authorizer.DecisionDeny, "wrong stack id is selected", nil
}
if info.OrgID != 1 {
return authorizer.DecisionDeny, "cloud instance requires org 1", nil
}
if signedInUser.OrgID != 1 {
return authorizer.DecisionDeny, "user must be in org 1", nil
}
return authorizer.DecisionAllow, "", nil
}

7
pkg/services/grafana-apiserver/auth/authorizer/stack/wireset.go Normal file
View File

@@ -0,0 +1,7 @@
package stack
import "github.com/google/wire"
var WireSet = wire.NewSet(
ProvideStackIDAuthorizer,
)