Add tracing to the gRPC Authentication flow (#94466)
commit ad4df4b3f63bdf3e16423ac8c3fdb1a7fae5582e Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 24 10:24:04 2024 +0200 nit commit eb8b9cf2f3e27cae258b3ae310f1584da5ba36b5 Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 24 10:23:25 2024 +0200 miss commit aab1aed204a5dedcc6dd187b2f636995bbe2c5c6 Merge: 5aafdec92337fe710b141
Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 24 10:22:05 2024 +0200 Merge remote-tracking branch 'origin/main' into gamab/resourcestore/tracing commit 5aafdec9233d6824cba977b069d71eabc3d21a8d Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 18:03:56 2024 +0200 Did not fix the issue commit 20522a7f64222fad27268ac640d4b4fb9259c748 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 17:42:35 2024 +0200 Test commit b45199a341b6a57e93927c9eb7de8d7758ed7619 Merge: c0fbbdb95d4e9e2b11ba2
Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 17:31:59 2024 +0200 Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing commite9e2b11ba2
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 18:28:31 2024 +0300 PR feedback: simplified fallback implementation Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commitb5209dba64
Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com> Date: Wed Oct 16 18:03:06 2024 +0300 Update pkg/services/authn/grpcutils/grpc_authenticator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> commit c0fbbdb95d4605f349b902ca8698e7b560433867 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 10:32:52 2024 +0200 Add traces to fallback commit 75aa8dcbd49288f1dca53cdf6e9a7b41688dff38 Merge: d92fafcaf0d562d499e85
Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 10:29:41 2024 +0200 Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing commit562d499e85
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 11:05:01 2024 +0300 switched to features.IsEnabledGlobally() commitaddc6aaca4
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 10:21:31 2024 +0300 imports cleanup commit7c6d80f6aa
Merge:64a5e55d61
9dc2ccdbfd
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 10:18:54 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit64a5e55d61
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Oct 15 11:01:54 2024 +0300 cleanup commit4fe2c03457
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Oct 15 10:31:06 2024 +0300 always enable FlagAppPlatformGrpcClientAuth for k8s int tests commitc7e36759cd
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Oct 15 10:30:43 2024 +0300 use sync.Once as it's more idiomatic commitf5c2c79981
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 20:43:48 2024 +0300 remove client side namespace extractor commit742295c89a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 20:04:11 2024 +0300 avoid double registration of metrics (fallbackCounter) commita45998c8d3
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 19:03:41 2024 +0300 use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy commitffdc301718
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 18:37:22 2024 +0300 remove the NamespaceAuthorizer The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future. commit4a03ed7d7d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 15:59:08 2024 +0300 allow using the legacy resource client via commita2c30f5328
Merge:ead390f608
2f3c539d9b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 14:08:32 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commitead390f608
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Oct 11 09:38:49 2024 +0300 added server side gRPC authn fallback-to-legacy mechanism - brought back the old gRPC authenticator - added `grpc_server_authentication.legacy_fallback` config option - introduced `AuthenticatorWithFallback` - added telemetry to track fallbacks commit d92fafcaf0db9c8d97a5d071759fc21ede7d8848 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 14:58:25 2024 +0200 Fix test commit 54f05ff0fecf3d696a0e98621db6991282503917 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 14:42:18 2024 +0200 Forgot the tracer 😁 commit 3948048880c7a0eb2360a35b0cc9f3686f2edfef Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 14:02:41 2024 +0200 Add traces to NamespaceAuthorizer commit cc695bb77c37a097174556303721fbc48b9464a0 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 13:56:48 2024 +0200 Add traces to authentication flow commit8686c46be5
Merge:08c3d237dc
4a3ce66193
Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 13:56:26 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit08c3d237dc
Merge:33fd104cfd
84d580179d
Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 12:41:57 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit33fd104cfd
Merge:68af25fbc3
38f57d270a
Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 12:13:25 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit68af25fbc3
Author: Gabriel MABILLE <gamab@users.noreply.github.com> Date: Mon Oct 7 16:31:09 2024 +0200 Update pkg/services/authz/config.go commit4fba5c9b32
Author: gamab <gabriel.mabille@grafana.com> Date: Fri Oct 4 15:17:41 2024 +0200 PR Feedback commit86867a14ca
Author: Gabriel MABILLE <gamab@users.noreply.github.com> Date: Fri Oct 4 15:13:06 2024 +0200 Update pkg/services/authn/grpcutils/config.go Co-authored-by: Dan Cech <dcech@grafana.com> commitc591631135
Merge:c80c46ca6a
e37b43117b
Author: gamab <gabriel.mabille@grafana.com> Date: Fri Oct 4 13:07:48 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commitc80c46ca6a
Merge:3acada9d47
4224d05934
Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 3 14:58:51 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit3acada9d47
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Sep 27 17:39:59 2024 +0300 introducing `mode` config for gRPC auth server & client side commit914ca237e2
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Sep 26 20:47:57 2024 +0300 Fixed integration tests commit71c33dcbe3
Merge:52f248eebb
920d79680d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Sep 26 19:25:33 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit52f248eebb
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 18:44:38 2024 +0300 updated namespace extractor usage commita6c977ba4d
Merge:fb7bbf743b
8da1d78c92
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 17:35:03 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commitfb7bbf743b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 17:34:36 2024 +0300 unistor client side updates commita28440c40b
Merge:79d9969aa8
a8b07b0c81
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 10:45:09 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit79d9969aa8
Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 16:14:02 2024 +0200 Rename NewResourceClient funcs commit36b3752490
Merge:8ce354bb06
b89f3f8115
Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 16:00:54 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit8ce354bb06
Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 10:40:06 2024 +0200 Align commitbdf79f3b2f
Merge:8f4df8973d
8eb7e55f8f
Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 10:38:45 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit8f4df8973d
Merge:2441cd8d53
9338e40dc3
Author: gamab <gabriel.mabille@grafana.com> Date: Thu Sep 5 11:26:39 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit2441cd8d53
Merge:2904074a2f
2bbce8a7f7
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 17:31:36 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit2904074a2f
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 16:35:25 2024 +0300 refactoring Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit125cb3c834
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 16:34:18 2024 +0300 refactoring (aesthetics) Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit499a31df53
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 15:59:09 2024 +0300 update usage of ReadGprcServerConfig() commitf5d383644d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 15:44:09 2024 +0300 make update-workspace commit755485751e
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:43:22 2024 +0200 Fix trace commitd09e14c26a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 15:42:50 2024 +0300 removed WithIDTokenExtractorOption, and other PR feedback commit21220c2cca
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:36:59 2024 +0200 Else statement commit6cf1efdcc4
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:35:02 2024 +0200 Mod update commit4b73a93883
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:32:20 2024 +0200 Add Auth func overrides commit6032ab3ae1
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:26:18 2024 +0200 Use NamespaceAuthorizer commit601beb5327
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:20:47 2024 +0200 Update authlib commita1b6408127
Merge:0d70225c1a
1128c417d8
Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:18:49 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit0d70225c1a
Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com> Date: Tue Sep 3 15:15:54 2024 +0300 Update pkg/services/authn/grpcutils/grpc_authenticator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> commit62f165f6f9
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 10:55:45 2024 +0300 refactoring NamespaceAccessChecker usage and use CloudNamespaceFormatter in Cloud Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commitbb5ee88d4f
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 10:39:11 2024 +0300 added stackIdExtractor for cloud mode Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit84866a8a51
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 10:38:19 2024 +0300 authz client cfg changes - removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud - reusing settings from "grpc_client_authentication", instead of duplicating in "authorization" section Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit14a1021605
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 21:44:35 2024 +0300 make update-workspace commit84f8c9be94
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 21:36:10 2024 +0300 cleanup: refactoring leftover commit7fe8d62304
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:30:51 2024 +0300 update authlib version (small fix) commit7c2353ae25
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:17:11 2024 +0300 cleanup: remove unused `GrpcServerConfig.Mode` commit52b7cf8550
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:06:59 2024 +0300 make update-workspace commit14ddfbd8fb
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:02:40 2024 +0300 finalize authlib grpc interceptors usage commit884c4a8c24
Merge:0fd1988bed
a1190b165b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:00:07 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit0fd1988bed
Merge:b766bfb24f
e0950a1283
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Aug 30 10:45:51 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commitb766bfb24f
Merge:6993f108a2
68751ed310
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Aug 28 15:46:04 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit6993f108a2
Merge:5f073b04d0
f1ba609b34
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Aug 27 12:51:07 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit5f073b04d0
Merge:0620891d45
ac5ebe6e4d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Aug 19 21:09:44 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit0620891d45
Merge:6a272e8e2a
15f2b08f00
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Aug 12 14:14:44 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit6a272e8e2a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Aug 8 18:53:43 2024 +0300 allow insecure conns in dev mode + refactoring commit31c7b030ba
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Aug 8 10:31:13 2024 +0300 allow insecure connections (for testing purposes); remove audience checks audience checks will still need to be done for Access tokens, but not for ID tokens commit0fdd2ff802
Merge:763961210c
f384759ad1
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Aug 7 14:42:39 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit763961210c
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Aug 2 18:54:29 2024 +0300 wip commitc46b42a595
Merge:92aba937a9
0145b0fe70
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Aug 2 14:44:06 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit92aba937a9
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Aug 1 18:32:19 2024 +0300 authn: client side updates Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>
parent
fedcf47702
commit
5a0ef46280
@ -9,7 +9,9 @@ import (
|
|||||||
|
|
||||||
authnlib "github.com/grafana/authlib/authn"
|
authnlib "github.com/grafana/authlib/authn"
|
||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
|
"go.opentelemetry.io/otel/attribute"
|
||||||
|
|
||||||
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||||
"github.com/grafana/grafana/pkg/services/grpcserver/interceptors"
|
"github.com/grafana/grafana/pkg/services/grpcserver/interceptors"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
@ -25,7 +27,7 @@ func NewInProcGrpcAuthenticator() *authnlib.GrpcAuthenticator {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error) {
|
func NewGrpcAuthenticator(cfg *setting.Cfg, tracer tracing.Tracer) (*authnlib.GrpcAuthenticator, error) {
|
||||||
authCfg, err := ReadGrpcServerConfig(cfg)
|
authCfg, err := ReadGrpcServerConfig(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -49,6 +51,7 @@ func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error)
|
|||||||
grpcOpts := []authnlib.GrpcAuthenticatorOption{
|
grpcOpts := []authnlib.GrpcAuthenticatorOption{
|
||||||
authnlib.WithIDTokenAuthOption(true),
|
authnlib.WithIDTokenAuthOption(true),
|
||||||
authnlib.WithKeyRetrieverOption(keyRetriever),
|
authnlib.WithKeyRetrieverOption(keyRetriever),
|
||||||
|
authnlib.WithTracerAuthOption(tracer),
|
||||||
}
|
}
|
||||||
if authCfg.Mode == ModeOnPrem {
|
if authCfg.Mode == ModeOnPrem {
|
||||||
grpcOpts = append(grpcOpts,
|
grpcOpts = append(grpcOpts,
|
||||||
@ -67,15 +70,16 @@ type AuthenticatorWithFallback struct {
|
|||||||
authenticator *authnlib.GrpcAuthenticator
|
authenticator *authnlib.GrpcAuthenticator
|
||||||
fallback interceptors.Authenticator
|
fallback interceptors.Authenticator
|
||||||
metrics *metrics
|
metrics *metrics
|
||||||
|
tracer tracing.Tracer
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewGrpcAuthenticatorWithFallback(cfg *setting.Cfg, reg prometheus.Registerer, fallback interceptors.Authenticator) (interceptors.Authenticator, error) {
|
func NewGrpcAuthenticatorWithFallback(cfg *setting.Cfg, reg prometheus.Registerer, tracer tracing.Tracer, fallback interceptors.Authenticator) (interceptors.Authenticator, error) {
|
||||||
authCfg, err := ReadGrpcServerConfig(cfg)
|
authCfg, err := ReadGrpcServerConfig(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
authenticator, err := NewGrpcAuthenticator(cfg)
|
authenticator, err := NewGrpcAuthenticator(cfg, tracer)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -88,16 +92,20 @@ func NewGrpcAuthenticatorWithFallback(cfg *setting.Cfg, reg prometheus.Registere
|
|||||||
authenticator: authenticator,
|
authenticator: authenticator,
|
||||||
fallback: fallback,
|
fallback: fallback,
|
||||||
metrics: newMetrics(reg),
|
metrics: newMetrics(reg),
|
||||||
|
tracer: tracer,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *AuthenticatorWithFallback) Authenticate(ctx context.Context) (context.Context, error) {
|
func (f *AuthenticatorWithFallback) Authenticate(ctx context.Context) (context.Context, error) {
|
||||||
|
ctx, span := f.tracer.Start(ctx, "grpcutils.AuthenticatorWithFallback.Authenticate")
|
||||||
|
span.SetAttributes(attribute.Bool("fallback_used", false))
|
||||||
// Try to authenticate with the new authenticator first
|
// Try to authenticate with the new authenticator first
|
||||||
newCtx, err := f.authenticator.Authenticate(ctx)
|
newCtx, err := f.authenticator.Authenticate(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// In case of error, fallback to the legacy authenticator
|
// In case of error, fallback to the legacy authenticator
|
||||||
newCtx, err = f.fallback.Authenticate(ctx)
|
newCtx, err = f.fallback.Authenticate(ctx)
|
||||||
f.metrics.fallbackCounter.WithLabelValues(fmt.Sprintf("%t", err == nil)).Inc()
|
f.metrics.fallbackCounter.WithLabelValues(fmt.Sprintf("%t", err == nil)).Inc()
|
||||||
|
span.SetAttributes(attribute.Bool("fallback_used", true))
|
||||||
}
|
}
|
||||||
return newCtx, err
|
return newCtx, err
|
||||||
}
|
}
|
||||||
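Review bot: The span opened at the top of `AuthenticatorWithFallback.Authenticate` is never ended: no `span.End()` appears anywhere in the function, and an OpenTelemetry span is normally exported only once it ends, so the `fallback_used` attribute is unlikely to reach the tracing backend. Add `defer span.End()` directly after the `f.tracer.Start(...)` line. The error from the primary authenticator is also overwritten by the fallback call without being recorded, so a trace cannot show why a request dropped to the legacy path. Calling `span.RecordError(err)` before `f.fallback.Authenticate(ctx)`, and again on the final error before returning, would keep that signal for anyone auditing authentication failures, provided the error text carries no token material.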
|
@ -87,7 +87,7 @@ func ProvideUnifiedStorageClient(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create a client instance
|
// Create a client instance
|
||||||
client, err := newResourceClient(conn, cfg, features)
|
client, err := newResourceClient(conn, cfg, features, tracer)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -116,15 +116,15 @@ func clientCfgMapping(clientCfg *grpcutils.GrpcClientConfig) authnlib.GrpcClient
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg, features featuremgmt.FeatureToggles) (resource.ResourceClient, error) {
|
func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg, features featuremgmt.FeatureToggles, tracer tracing.Tracer) (resource.ResourceClient, error) {
|
||||||
if !features.IsEnabledGlobally(featuremgmt.FlagAppPlatformGrpcClientAuth) {
|
if !features.IsEnabledGlobally(featuremgmt.FlagAppPlatformGrpcClientAuth) {
|
||||||
return resource.NewLegacyResourceClient(conn), nil
|
return resource.NewLegacyResourceClient(conn), nil
|
||||||
}
|
}
|
||||||
if cfg.StackID == "" {
|
if cfg.StackID == "" {
|
||||||
return resource.NewGRPCResourceClient(conn)
|
return resource.NewGRPCResourceClient(tracer, conn)
|
||||||
}
|
}
|
||||||
|
|
||||||
grpcClientCfg := grpcutils.ReadGrpcClientConfig(cfg)
|
grpcClientCfg := grpcutils.ReadGrpcClientConfig(cfg)
|
||||||
|
|
||||||
return resource.NewCloudResourceClient(conn, clientCfgMapping(grpcClientCfg), cfg.Env == setting.Dev)
|
return resource.NewCloudResourceClient(tracer, conn, clientCfgMapping(grpcClientCfg), cfg.Env == setting.Dev)
|
||||||
}
|
}
|
||||||
|
@ -17,6 +17,7 @@ import (
|
|||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
||||||
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||||
"github.com/grafana/grafana/pkg/services/auth"
|
"github.com/grafana/grafana/pkg/services/auth"
|
||||||
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
|
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
|
||||||
grpcUtils "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"
|
grpcUtils "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"
|
||||||
@ -83,12 +84,13 @@ func NewLocalResourceClient(server ResourceServer) ResourceClient {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewGRPCResourceClient(conn *grpc.ClientConn) (ResourceClient, error) {
|
func NewGRPCResourceClient(tracer tracing.Tracer, conn *grpc.ClientConn) (ResourceClient, error) {
|
||||||
// scenario: remote on-prem
|
// scenario: remote on-prem
|
||||||
clientInt, err := authnlib.NewGrpcClientInterceptor(
|
clientInt, err := authnlib.NewGrpcClientInterceptor(
|
||||||
&authnlib.GrpcClientConfig{},
|
&authnlib.GrpcClientConfig{},
|
||||||
authnlib.WithDisableAccessTokenOption(),
|
authnlib.WithDisableAccessTokenOption(),
|
||||||
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
||||||
|
authnlib.WithTracerOption(tracer),
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -102,10 +104,11 @@ func NewGRPCResourceClient(conn *grpc.ClientConn) (ResourceClient, error) {
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewCloudResourceClient(conn *grpc.ClientConn, cfg authnlib.GrpcClientConfig, allowInsecure bool) (ResourceClient, error) {
|
func NewCloudResourceClient(tracer tracing.Tracer, conn *grpc.ClientConn, cfg authnlib.GrpcClientConfig, allowInsecure bool) (ResourceClient, error) {
|
||||||
// scenario: remote cloud
|
// scenario: remote cloud
|
||||||
opts := []authnlib.GrpcClientInterceptorOption{
|
opts := []authnlib.GrpcClientInterceptorOption{
|
||||||
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
||||||
|
authnlib.WithTracerOption(tracer),
|
||||||
}
|
}
|
||||||
|
|
||||||
if allowInsecure {
|
if allowInsecure {
|
||||||
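Review bot: `NewGRPCResourceClient` and `NewCloudResourceClient` take `tracer` as their first parameter, while the other constructors changed in this commit (`NewGrpcAuthenticator(cfg, tracer)`, `newResourceClient(conn, cfg, features, tracer)`) append it last; choosing one position would make the call sites easier to read. Both functions are exported and carry only a scenario comment inside the body, so a doc comment such as `// NewGRPCResourceClient returns a ResourceClient for the remote on-prem scenario; tracer is handed to the authn client interceptor.` would state the contract. Whether `authnlib.WithTracerOption` accepts a nil tracer is not visible here and is worth stating in that comment. The body of `NewCloudResourceClient` continues past the end of the hunk.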
|
@ -70,7 +70,7 @@ func ProvideUnifiedStorageGrpcService(
|
|||||||
|
|
||||||
// FIXME: This is a temporary solution while we are migrating to the new authn interceptor
|
// FIXME: This is a temporary solution while we are migrating to the new authn interceptor
|
||||||
// grpcutils.NewGrpcAuthenticator should be used instead.
|
// grpcutils.NewGrpcAuthenticator should be used instead.
|
||||||
authn, err := grpcutils.NewGrpcAuthenticatorWithFallback(cfg, prometheus.DefaultRegisterer, &grpc.Authenticator{})
|
authn, err := grpcutils.NewGrpcAuthenticatorWithFallback(cfg, prometheus.DefaultRegisterer, tracing, &grpc.Authenticator{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -15,6 +15,7 @@ import (
|
|||||||
|
|
||||||
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
||||||
infraDB "github.com/grafana/grafana/pkg/infra/db"
|
infraDB "github.com/grafana/grafana/pkg/infra/db"
|
||||||
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
"github.com/grafana/grafana/pkg/storage/unified/resource"
|
"github.com/grafana/grafana/pkg/storage/unified/resource"
|
||||||
@ -375,7 +376,7 @@ func TestClientServer(t *testing.T) {
|
|||||||
t.Run("Create a client", func(t *testing.T) {
|
t.Run("Create a client", func(t *testing.T) {
|
||||||
conn, err := grpc.NewClient(svc.GetAddress(), grpc.WithTransportCredentials(insecure.NewCredentials()))
|
conn, err := grpc.NewClient(svc.GetAddress(), grpc.WithTransportCredentials(insecure.NewCredentials()))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
client, err = resource.NewGRPCResourceClient(conn)
|
client, err = resource.NewGRPCResourceClient(tracing.NewNoopTracerService(), conn)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|