introducing mode
config for gRPC auth server & client side
This commit is contained in:
parent
914ca237e2
commit
3acada9d47
@ -1,35 +1,66 @@
|
||||
package grpcutils
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
type Mode string
|
||||
|
||||
func (s Mode) IsValid() bool {
|
||||
switch s {
|
||||
case ModeOnPrem, ModeCloud:
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
const (
|
||||
ModeOnPrem Mode = "on-prem"
|
||||
ModeCloud Mode = "cloud"
|
||||
)
|
||||
|
||||
type GrpcClientConfig struct {
|
||||
Token string
|
||||
TokenExchangeURL string
|
||||
TokenNamespace string
|
||||
Mode Mode
|
||||
}
|
||||
|
||||
func ReadGrpcClientConfig(cfg *setting.Cfg) *GrpcClientConfig {
|
||||
func ReadGrpcClientConfig(cfg *setting.Cfg) (*GrpcClientConfig, error) {
|
||||
section := cfg.SectionWithEnvOverrides("grpc_client_authentication")
|
||||
|
||||
mode := Mode(section.Key("mode").MustString(string(ModeOnPrem)))
|
||||
if !mode.IsValid() {
|
||||
return nil, fmt.Errorf("grpc_client_authentication: invalid mode %q", mode)
|
||||
}
|
||||
|
||||
return &GrpcClientConfig{
|
||||
Token: section.Key("token").MustString(""),
|
||||
TokenExchangeURL: section.Key("token_exchange_url").MustString(""),
|
||||
TokenNamespace: section.Key("token_namespace").MustString("stack-" + cfg.StackID),
|
||||
}
|
||||
Mode: mode,
|
||||
}, nil
|
||||
}
|
||||
|
||||
type GrpcServerConfig struct {
|
||||
SigningKeysURL string
|
||||
AllowedAudiences []string
|
||||
Mode Mode
|
||||
}
|
||||
|
||||
func ReadGprcServerConfig(cfg *setting.Cfg) *GrpcServerConfig {
|
||||
func ReadGprcServerConfig(cfg *setting.Cfg) (*GrpcServerConfig, error) {
|
||||
section := cfg.SectionWithEnvOverrides("grpc_server_authentication")
|
||||
|
||||
mode := Mode(section.Key("mode").MustString(string(ModeOnPrem)))
|
||||
if !mode.IsValid() {
|
||||
return nil, fmt.Errorf("grpc_server_authentication: invalid mode %q", mode)
|
||||
}
|
||||
|
||||
return &GrpcServerConfig{
|
||||
SigningKeysURL: section.Key("signing_keys_url").MustString(""),
|
||||
AllowedAudiences: section.Key("allowed_audiences").Strings(","),
|
||||
}
|
||||
Mode: mode,
|
||||
}, nil
|
||||
}
|
||||
|
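Review bot: The new exported identifiers `Mode`, `Mode.IsValid`, `ModeOnPrem` and `ModeCloud` carry no doc comments, and this commit is the place to state what the mode actually switches, since the authenticator hunk later in the commit disables access-token auth under on-prem; something like `// Mode selects the gRPC authentication behaviour: ModeOnPrem disables access-token auth on the server, ModeCloud leaves it enabled.` on the type, plus one-liners on the constants. The two invalid-mode errors would be more actionable if they named the accepted values, e.g. `return nil, fmt.Errorf("grpc_client_authentication: invalid mode %q (expected %q or %q)", mode, ModeOnPrem, ModeCloud)`, and the same for the server variant. `ReadGprcServerConfig` keeps the transposed `Gprc` spelling even though the commit already touches its signature and call sites, so renaming it to `ReadGrpcServerConfig` would be cheap now.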
@ -10,7 +10,10 @@ import (
|
||||
)
|
||||
|
||||
func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error) {
|
||||
authCfg := ReadGprcServerConfig(cfg)
|
||||
authCfg, err := ReadGprcServerConfig(cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
grpcAuthCfg := authnlib.GrpcAuthenticatorConfig{
|
||||
KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
|
||||
SigningKeysURL: authCfg.SigningKeysURL,
|
||||
@ -31,7 +34,7 @@ func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error)
|
||||
authnlib.WithIDTokenAuthOption(true),
|
||||
authnlib.WithKeyRetrieverOption(keyRetriever),
|
||||
}
|
||||
if cfg.StackID == "" {
|
||||
if authCfg.Mode == ModeOnPrem {
|
||||
grpcOpts = append(grpcOpts,
|
||||
// Access token are not yet available on-prem
|
||||
authnlib.WithDisableAccessTokenAuthOption(),
|
||||
|
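Review bot: The on-prem branch now turns off access-token verification whenever `authCfg.Mode == ModeOnPrem`, and `ReadGprcServerConfig` defaults the mode to on-prem when `[grpc_server_authentication] mode` is absent, so a cloud deployment that omits the new key silently runs the gRPC server with access-token auth disabled; the replaced `cfg.StackID == ""` check tied that decision to the deployment itself rather than to an optional setting. Consider keeping StackID as the fallback, for example defaulting the mode to `ModeCloud` when `cfg.StackID != ""`, or rejecting the combination here with `if cfg.StackID != "" && authCfg.Mode == ModeOnPrem { return nil, fmt.Errorf("grpc_server_authentication: mode on-prem is not allowed when stack_id is set") }`, so the weaker configuration has to be chosen explicitly. The option comment reads better as `// Access tokens are not yet available on-prem`. NewGrpcAuthenticator's body continues outside the hunk.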
@ -13,6 +13,7 @@ import (
|
||||
infraDB "github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||
"github.com/grafana/grafana/pkg/services/apiserver/options"
|
||||
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/storage/unified/resource"
|
||||
@ -92,7 +93,12 @@ func ProvideUnifiedStorageClient(
|
||||
}
|
||||
|
||||
func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (resource.ResourceClient, error) {
|
||||
if cfg.StackID != "" {
|
||||
clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if clientConfig.Mode == grpcutils.ModeCloud {
|
||||
return resource.NewCloudResourceClient(conn, cfg)
|
||||
}
|
||||
return resource.NewGRPCResourceClient(conn)
|
||||
|
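Review bot: The new `clientConfig.Mode == grpcutils.ModeCloud` check sits inside the retained `if cfg.StackID != ""` guard, so the client still keys cloud behaviour off StackID while the server side in this commit keys it off the mode alone; as far as these hunks show, a process with `mode = cloud` but no StackID would fall through to the plain gRPC client. Either drop the StackID guard or document why both must hold, e.g. `// Cloud client requires both a stack ID and mode=cloud; otherwise fall back to the plain gRPC client.` `grpcutils.ReadGrpcClientConfig(cfg)` is also parsed a second time inside `resource.NewCloudResourceClient` (last hunk), so the section is read and validated twice on the cloud path; passing `clientConfig` through would avoid the duplicate read. newResourceClient's body continues outside the hunk.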
@ -95,7 +95,11 @@ func NewGRPCResourceClient(conn *grpc.ClientConn) (ResourceClient, error) {
|
||||
|
||||
func NewCloudResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (ResourceClient, error) {
|
||||
// scenario: remote cloud
|
||||
grpcClientConfig := clientCfgMapping(grpcutils.ReadGrpcClientConfig(cfg))
|
||||
clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
grpcClientConfig := clientCfgMapping(clientConfig)
|
||||
|
||||
opts := []authnlib.GrpcClientInterceptorOption{
|
||||
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
||||
|
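Review bot: `NewCloudResourceClient` reads and validates the client section itself but never checks that `clientConfig.Mode` is `ModeCloud`, relying on the caller's check in newResourceClient; as an exported constructor it can be called directly with an on-prem configuration and will still build a cloud client from it. Either return an error here, `if clientConfig.Mode != grpcutils.ModeCloud { return nil, fmt.Errorf("cloud resource client requires mode %q, got %q", grpcutils.ModeCloud, clientConfig.Mode) }` (importing fmt if the file does not already), or take a `*grpcutils.GrpcClientConfig` parameter so the config is parsed once by the caller. The function's body continues outside the hunk.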