IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

AuthZ: Introduce cloud mode (#96922)

Browse Source 
* AuthZ: Introduce cloud mode

* Update readme
This commit is contained in:
Gabriel MABILLE 2024-11-22 16:19:53 +01:00 committed by GitHub
parent c6848d4b68
commit 3c876f0208
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 14 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/services/authz/README.md
View File

@ -18,7 +18,7 @@ To configure the authorization server and client, use the "authorization" sectio
The `remote_address` setting, specifies the address where the authorization server is located (ex: `server.example.org:10000`). The `remote_address` setting, specifies the address where the authorization server is located (ex: `server.example.org:10000`).
The `mode` setting can be set to either `grpc` or `inproc`. When set to `grpc`, the client will connect to the specified address. When set to `inproc` the client will use inprocgrpc (relying on go channels) to wrap a local instantiation of the server. The `mode` setting can be set to either `cloud`, `grpc` or `inproc`. When set to `cloud` (or `grpc`), the client will connect to the specified address. When set to `inproc` the client will use inprocgrpc (relying on go channels) to wrap a local instantiation of the server.
The `listen` setting determines whether the authorization server should listen for incoming requests. When set to `true`, the authorization service will be registered to the Grafana GRPC server. The `listen` setting determines whether the authorization server should listen for incoming requests. When set to `true`, the authorization service will be registered to the Grafana GRPC server.
@ -60,7 +60,7 @@ stack_id = 11
[authorization] [authorization]
remote_address = "server.example.org:10000" remote_address = "server.example.org:10000"
mode = "grpc" mode = "cloud"
listen = false listen = false
[grpc_client_authentication] [grpc_client_authentication]

20
pkg/services/authz/client.go
View File

@ -58,16 +58,14 @@ func ProvideAuthZClient(
return nil, err return nil, err
} }
case ModeGRPC: case ModeGRPC:
if cfg.StackID == "" { client, err = newGrpcLegacyClient(authCfg)
client, err = newGrpcLegacyClient(authCfg) if err != nil {
if err != nil { return nil, err
return nil, err }
} case ModeCloud:
} else { client, err = newCloudLegacyClient(authCfg)
client, err = newCloudLegacyClient(authCfg) if err != nil {
if err != nil { return nil, err
return nil, err
}
} }
} }
@ -88,7 +86,7 @@ func ProvideStandaloneAuthZClient(
return nil, err return nil, err
} }
if cfg.StackID == "" { if authCfg.mode == ModeGRPC {
return newGrpcLegacyClient(authCfg) return newGrpcLegacyClient(authCfg)
} }
return newCloudLegacyClient(authCfg) return newCloudLegacyClient(authCfg)

5
pkg/services/authz/config.go
View File

@ -10,13 +10,14 @@ type Mode string
func (s Mode) IsValid() bool { func (s Mode) IsValid() bool {
switch s { switch s {
case ModeGRPC, ModeInProc: case ModeGRPC, ModeInProc, ModeCloud:
return true return true
} }
return false return false
} }
const ( const (
ModeCloud Mode = "cloud"
ModeGRPC Mode = "grpc" ModeGRPC Mode = "grpc"
ModeInProc Mode = "inproc" ModeInProc Mode = "inproc"
) )
@ -47,7 +48,7 @@ func ReadCfg(cfg *setting.Cfg) (*Cfg, error) {
tokenNamespace := grpcClientAuthSection.Key("token_namespace").MustString("stacks-" + cfg.StackID) tokenNamespace := grpcClientAuthSection.Key("token_namespace").MustString("stacks-" + cfg.StackID)
// When running in cloud mode, the token and tokenExchangeURL are required. // When running in cloud mode, the token and tokenExchangeURL are required.
if mode == ModeGRPC && cfg.StackID != "" { if mode == ModeCloud {
if token == "" || tokenExchangeURL == "" { if token == "" || tokenExchangeURL == "" {
return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl") return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl")
} }