allow using the legacy resource client via

pkg/services/authn/grpcutils/grpc_authenticator.go

@@ -90,6 +90,7 @@ func NewGrpcAuthenticatorWithFallback(cfg *setting.Cfg, reg prometheus.Registere
 }
 
 func (f *AuthenticatorWithFallback) Authenticate(ctx context.Context) (context.Context, error) {
+	origCtx := ctx
 	// Try to authenticate with the new authenticator first
 	ctx, err := f.authenticator.Authenticate(ctx)
 	if err == nil {
@@ -97,7 +98,7 @@ func (f *AuthenticatorWithFallback) Authenticate(ctx context.Context) (context.C
 		return ctx, nil
 	} else if f.fallbackEnabled {
 		// If the new authenticator failed and the fallback is enabled, try the legacy authenticator
-		ctx, err = f.legacyAuthenticator.Authenticate(ctx)
+		ctx, err = f.legacyAuthenticator.Authenticate(origCtx)
 		f.metrics.fallbackCounter.WithLabelValues(fmt.Sprintf("%t", err == nil)).Inc()
 	}
 	return ctx, err

pkg/services/grpcserver/service.go

@@ -71,14 +71,12 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 		}
 	}
 
-	var opts []grpc.ServerOption
-
 	namespaceAuthz := grpcutils.NewNamespaceAuthorizer(cfg)
 
 	// Default auth is admin token check, but this can be overridden by
 	// services which implement ServiceAuthFuncOverride interface.
 	// See https://github.com/grpc-ecosystem/go-grpc-middleware/blob/main/interceptors/auth/auth.go#L30.
-	opts = append(opts, []grpc.ServerOption{
+	opts := []grpc.ServerOption{
 		grpc.StatsHandler(otelgrpc.NewServerHandler()),
 		grpc.ChainUnaryInterceptor(
 			grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
@@ -92,7 +90,7 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 			authzlib.StreamAuthorizeInterceptor(namespaceAuthz),
 			middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
 		),
-	}...)
+	}
 
 	if s.cfg.GRPCServerTLSConfig != nil {
 		opts = append(opts, grpc.Creds(credentials.NewTLS(cfg.GRPCServerTLSConfig)))

pkg/storage/unified/client.go

@@ -77,7 +77,7 @@ func ProvideUnifiedStorageClient(
 		}
 
 		// Create a client instance
-		client, err := newResourceClient(conn, cfg)
+		client, err := newResourceClient(ctx, conn, cfg, features)
 		if err != nil {
 			return nil, err
 		}
@@ -93,7 +93,11 @@ func ProvideUnifiedStorageClient(
 	}
 }
 
-func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (resource.ResourceClient, error) {
+func newResourceClient(ctx context.Context, conn *grpc.ClientConn, cfg *setting.Cfg, features featuremgmt.FeatureToggles) (resource.ResourceClient, error) {
+	if features.IsEnabled(ctx, featuremgmt.FlagAppPlatformGrpcClientAuth) {
+		return resource.NewLegacyResourceClient(conn), nil
+	}
+
 	clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
 	if err != nil {
 		return nil, err

pkg/storage/unified/resource/client.go

@@ -21,6 +21,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/services/authn/grpcutils"
 	"github.com/grafana/grafana/pkg/setting"
+	grpcUtils "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"
 )
 
 // TODO(drclau): decide on the audience for the resource store
@@ -39,6 +40,15 @@ type resourceClient struct {
 	DiagnosticsClient
 }
 
+func NewLegacyResourceClient(channel *grpc.ClientConn) ResourceClient {
+	cc := grpchan.InterceptClientConn(channel, grpcUtils.UnaryClientInterceptor, grpcUtils.StreamClientInterceptor)
+	return &resourceClient{
+		ResourceStoreClient: NewResourceStoreClient(cc),
+		ResourceIndexClient: NewResourceIndexClient(cc),
+		DiagnosticsClient:   NewDiagnosticsClient(cc),
+	}
+}
+
 func NewLocalResourceClient(server ResourceServer) ResourceClient {
 	// scenario: local in-proc
 	channel := &inprocgrpc.Channel{}