diff --git a/pkg/services/authn/grpcutils/grpc_authenticator.go b/pkg/services/authn/grpcutils/grpc_authenticator.go
index 7ac2a716961..f5719008a9f 100644
--- a/pkg/services/authn/grpcutils/grpc_authenticator.go
+++ b/pkg/services/authn/grpcutils/grpc_authenticator.go
@@ -90,6 +90,7 @@ func NewGrpcAuthenticatorWithFallback(cfg *setting.Cfg, reg prometheus.Registere
 }

 func (f *AuthenticatorWithFallback) Authenticate(ctx context.Context) (context.Context, error) {
+ origCtx := ctx
 // Try to authenticate with the new authenticator first
 ctx, err := f.authenticator.Authenticate(ctx)
 if err == nil {
@@ -97,7 +98,7 @@ func (f *AuthenticatorWithFallback) Authenticate(ctx context.Context) (context.C
 return ctx, nil
 } else if f.fallbackEnabled {
 // If the new authenticator failed and the fallback is enabled, try the legacy authenticator
- ctx, err = f.legacyAuthenticator.Authenticate(ctx)
+ ctx, err = f.legacyAuthenticator.Authenticate(origCtx)
 f.metrics.fallbackCounter.WithLabelValues(fmt.Sprintf("%t", err == nil)).Inc()
 }
 return ctx, err
diff --git a/pkg/services/grpcserver/service.go b/pkg/services/grpcserver/service.go
index 26bbc3faf23..55f321bb3cc 100644
--- a/pkg/services/grpcserver/service.go
+++ b/pkg/services/grpcserver/service.go
@@ -71,14 +71,12 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 }
 }

- var opts []grpc.ServerOption
-
 namespaceAuthz := grpcutils.NewNamespaceAuthorizer(cfg)

 // Default auth is admin token check, but this can be overridden by
 // services which implement ServiceAuthFuncOverride interface.
 // See https://github.com/grpc-ecosystem/go-grpc-middleware/blob/main/interceptors/auth/auth.go#L30.
- opts = append(opts, []grpc.ServerOption{
+ opts := []grpc.ServerOption{
 grpc.StatsHandler(otelgrpc.NewServerHandler()),
 grpc.ChainUnaryInterceptor(
 grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
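Review bot: In grpc_authenticator.go, the new `origCtx := ctx` at the top of Authenticate has no comment saying why the caller's context is saved, so a later cleanup could remove it as redundant and reintroduce the bug. I would add `// Keep the caller's context: the fallback must not run on whatever ctx a failed primary Authenticate returned.` above it. What the primary authenticator returns on failure is not visible in this hunk, so the wording should be checked against that implementation. A regression test asserting that the legacy authenticator receives the original context would pin the behaviour.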
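Review bot: In the fallback branch of Authenticate, `ctx, err = f.legacyAuthenticator.Authenticate(origCtx)` overwrites the primary authenticator's error. When both authenticators fail, the caller sees only the legacy failure and the reason the new path rejected the request is lost. The counter on the next line records only the fallback outcome. I would keep the first error with `primaryErr := err` before the call and attach it to a log line or span whenever the fallback is taken, so that a downgrade to the legacy authenticator can be investigated.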
@@ -92,7 +90,7 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 authzlib.StreamAuthorizeInterceptor(namespaceAuthz),
 middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
 ),
- }...)
+ }

 if s.cfg.GRPCServerTLSConfig != nil {
 opts = append(opts, grpc.Creds(credentials.NewTLS(cfg.GRPCServerTLSConfig)))
diff --git a/pkg/storage/unified/client.go b/pkg/storage/unified/client.go
index 07709113562..cd505148608 100644
--- a/pkg/storage/unified/client.go
+++ b/pkg/storage/unified/client.go
@@ -77,7 +77,7 @@ func ProvideUnifiedStorageClient(
 }

 // Create a client instance
- client, err := newResourceClient(conn, cfg)
+ client, err := newResourceClient(ctx, conn, cfg, features)
 if err != nil {
 return nil, err
 }
@@ -93,7 +93,11 @@ func ProvideUnifiedStorageClient(
 }
 }

-func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (resource.ResourceClient, error) {
+func newResourceClient(ctx context.Context, conn *grpc.ClientConn, cfg *setting.Cfg, features featuremgmt.FeatureToggles) (resource.ResourceClient, error) {
+ if features.IsEnabled(ctx, featuremgmt.FlagAppPlatformGrpcClientAuth) {
+ return resource.NewLegacyResourceClient(conn), nil
+ }
+
 clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
 if err != nil {
 return nil, err
diff --git a/pkg/storage/unified/resource/client.go b/pkg/storage/unified/resource/client.go
index cd0a968c68a..8672928dc9f 100644
--- a/pkg/storage/unified/resource/client.go
+++ b/pkg/storage/unified/resource/client.go
@@ -21,6 +21,7 @@ import (
 "github.com/grafana/grafana/pkg/services/auth"
 "github.com/grafana/grafana/pkg/services/authn/grpcutils"
 "github.com/grafana/grafana/pkg/setting"
+ grpcUtils "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"
 )

 // TODO(drclau): decide on the audience for the resource store
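Review bot: In newResourceClient (pkg/storage/unified/client.go), the new guard looks inverted. When `FlagAppPlatformGrpcClientAuth` is enabled the function returns `resource.NewLegacyResourceClient(conn)` and never reaches `grpcutils.ReadGrpcClientConfig(cfg)`, so turning the client-auth flag on selects the legacy path. If the legacy client is meant to be used only while the flag is off, the condition should read `if !features.IsEnabled(ctx, featuremgmt.FlagAppPlatformGrpcClientAuth) {`. If the current polarity is intended, a comment saying so would stop the flag being misread. The rest of newResourceClient lies outside the hunk.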
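Review bot: In pkg/storage/unified/resource/client.go, the new import alias `grpcUtils` differs only by capitalisation from the `grpcutils` package imported two lines above (pkg/services/authn/grpcutils). In a file that wires authentication interceptors, that makes it easy to reach for the wrong package unnoticed. Go import aliases are conventionally all lowercase, so a distinct name such as `resourcegrpc "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"` would remove the ambiguity.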
@@ -39,6 +40,15 @@ type resourceClient struct {
 DiagnosticsClient
 }

+func NewLegacyResourceClient(channel *grpc.ClientConn) ResourceClient {
+ cc := grpchan.InterceptClientConn(channel, grpcUtils.UnaryClientInterceptor, grpcUtils.StreamClientInterceptor)
+ return &resourceClient{
+ ResourceStoreClient: NewResourceStoreClient(cc),
+ ResourceIndexClient: NewResourceIndexClient(cc),
+ DiagnosticsClient: NewDiagnosticsClient(cc),
+ }
+}
+
 func NewLocalResourceClient(server ResourceServer) ResourceClient {
 // scenario: local in-proc
 channel := &inprocgrpc.Channel{}
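Review bot: NewLegacyResourceClient is exported but has no doc comment, and nothing here says what `grpcUtils.UnaryClientInterceptor` and `grpcUtils.StreamClientInterceptor` attach to outgoing calls. I would add `// NewLegacyResourceClient returns a ResourceClient whose calls on channel pass through the legacy unary and stream client interceptors.` above the function. It should be extended with a sentence on which identity or credentials those interceptors send, once confirmed from the grpc package, since that is not visible in this hunk. A `// scenario:` comment like the one in NewLocalResourceClient would also keep the constructors consistent.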