diff --git a/pkg/services/grpcserver/service.go b/pkg/services/grpcserver/service.go
index 67bf962385d..d555532d94d 100644
--- a/pkg/services/grpcserver/service.go
+++ b/pkg/services/grpcserver/service.go
@@ -6,11 +6,14 @@ import (
 "net"
 "time"
 
+ authnlib "github.com/grafana/authlib/authn"
+ authzlib "github.com/grafana/authlib/authz"
 "github.com/grafana/dskit/instrument"
 "github.com/grafana/dskit/middleware"
 "github.com/grafana/grafana-plugin-sdk-go/backend"
 grpcAuth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
 "github.com/prometheus/client_golang/prometheus"
+ "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials"
@@ -75,7 +78,12 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 if cfg.StackID != "" {
 namespaceFmt = authnlib.CloudNamespaceFormatter
 }
- namespaceChecker := authzlib.NewNamespaceAccessChecker(namespaceFmt)
+ namespaceChecker := authzlib.NewNamespaceAccessChecker(
+ namespaceFmt,
+ // TODO(drclau): are the following opts required/correct for on-prem?
+ authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
+ authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
+ )
 stackIdExtractor := authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey)
 
 // Default auth is admin token check, but this can be overridden by
diff --git a/pkg/storage/unified/resource/client_wrapper.go b/pkg/storage/unified/resource/client_wrapper.go
index a3d02a0beeb..a8d7db55b1d 100644
--- a/pkg/storage/unified/resource/client_wrapper.go
+++ b/pkg/storage/unified/resource/client_wrapper.go
@@ -24,7 +24,6 @@ func NewLocalResourceStoreClient(server ResourceStoreServer) ResourceStoreClient
 channel := &inprocgrpc.Channel{}
 auth := &grpcUtils.InProcAuthenticator{}
-
 channel.RegisterService(
 grpchan.InterceptServer(
 &ResourceStore_ServiceDesc,
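Review bot: `authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption()` is passed unconditionally in the second hunk, so whatever check it disables for access tokens (by its name, the namespace match) is off for cloud deployments with `cfg.StackID != ""` as well as on-prem, while the TODO directly above admits the options have not been confirmed even for on-prem. The lines just above already branch on `cfg.StackID` to choose `namespaceFmt`; the same branch could decide whether the disable option is applied, so the cloud path keeps its namespace check until the TODO is resolved. If authzlib exports the option type, collect the options in a slice and append the disable option only when `cfg.StackID == ""`; otherwise one `NewNamespaceAccessChecker` call per branch keeps the intent explicit. Resolving or at least rewording the TODO into a statement of what is known (e.g. `// Access-token namespace checking is disabled for on-prem because …`) would also help the next reader. `ProvideService` starts and ends outside the hunk.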
diff --git a/pkg/storage/unified/sql/service.go b/pkg/storage/unified/sql/service.go
index 7719d0b509e..30ae51df144 100644
--- a/pkg/storage/unified/sql/service.go
+++ b/pkg/storage/unified/sql/service.go
@@ -2,6 +2,8 @@ package sql
 
 import (
 "context"
+ "crypto/tls"
+ "net/http"
 
 authnlib "github.com/grafana/authlib/authn"
 "github.com/grafana/dskit/services"
@@ -72,11 +74,17 @@ func ProvideService(
 KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
 SigningKeysURL: authCfg.SigningKeysURL,
 },
- VerifierConfig: authnlib.VerifierConfig{
- AllowedAudiences: authCfg.AllowedAudiences,
- },
+ // TODO(drclau): for ID tokens audience is the tenant
+ // VerifierConfig: authnlib.VerifierConfig{
+ // AllowedAudiences: authCfg.AllowedAudiences,
+ // },
 }
 
+ // TODO(drclau): only allow insecure connections when app_mode = development
+ tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+ client := &http.Client{Transport: tr}
+ keyRetriever := authnlib.NewKeyRetriever(grpcAuthCfg.KeyRetrieverConfig, authnlib.WithHTTPClientKeyRetrieverOpt(client))
+
 grpcOpts := []authnlib.GrpcAuthenticatorOption{}
 switch authCfg.Mode {
 case grpcutils.ModeInProc:
@@ -86,6 +94,7 @@ func ProvideService(
 grpcOpts = append(grpcOpts,
 authnlib.WithDisableAccessTokenAuthOption(),
 authnlib.WithIDTokenAuthOption(true),
+ authnlib.WithKeyRetrieverOption(keyRetriever),
 )
 case grpcutils.ModeCloud:
 grpcOpts = append(grpcOpts, authnlib.WithIDTokenAuthOption(true))
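Review bot: `InsecureSkipVerify: true` on the key-retriever transport in the second hunk is unconditional, so the signing keys fetched from `authCfg.SigningKeysURL` are accepted from whoever answers on that host, in every mode where `keyRetriever` is wired in (the `WithKeyRetrieverOption` line in the third hunk); a substituted key set would let tokens it signed pass verification. The TODO already names the condition (app_mode = development), so the gate should land with this change rather than be deferred, with `http.DefaultTransport` everywhere else. In the same hunk, commenting out `VerifierConfig.AllowedAudiences` drops audience validation for every token the verifier sees, not only the ID-token case the TODO is about; if the ID-token audience is the tenant, that wants a resolved audience configuration rather than no check. The setting carrying app_mode is not visible in this hunk, so `devMode` below is a placeholder for that lookup; `ProvideService` starts and ends outside the hunk.
```go
// TODO(drclau): only allow insecure connections when app_mode = development
var tr http.RoundTripper = http.DefaultTransport
if devMode { // placeholder: the app_mode = development check named in the TODO
	// Certificate verification is skipped only for local development.
	tr = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
}
client := &http.Client{Transport: tr}
keyRetriever := authnlib.NewKeyRetriever(grpcAuthCfg.KeyRetrieverConfig, authnlib.WithHTTPClientKeyRetrieverOpt(client))
// … unchanged: grpcOpts switch on authCfg.Mode …
```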