Use NamespaceAuthorizer
This commit is contained in:
parent
601beb5327
commit
6032ab3ae1
@ -7,17 +7,24 @@ import (
|
|||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
func NewNamespaceAccessChecker(cfg *setting.Cfg) authzlib.NamespaceAccessChecker {
|
func NewNamespaceAuthorizer(cfg *setting.Cfg) authzlib.AuthorizeFunc {
|
||||||
|
var na authzlib.NamespaceAccessChecker
|
||||||
|
|
||||||
if cfg.StackID != "" {
|
if cfg.StackID != "" {
|
||||||
return authzlib.NewNamespaceAccessChecker(
|
na = authzlib.NewNamespaceAccessChecker(
|
||||||
claims.CloudNamespaceFormatter,
|
claims.CloudNamespaceFormatter,
|
||||||
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
|
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
return authzlib.NewNamespaceAccessChecker(
|
na = authzlib.NewNamespaceAccessChecker(
|
||||||
claims.OrgNamespaceFormatter,
|
claims.OrgNamespaceFormatter,
|
||||||
authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
|
authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
|
||||||
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
|
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
return authzlib.NamespaceAuthorizationFunc(
|
||||||
|
na,
|
||||||
|
authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
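Review bot: The cloud branch's checker is discarded: inside `if cfg.StackID != ""` the new code assigns `na = authzlib.NewNamespaceAccessChecker(claims.CloudNamespaceFormatter, ...)`, but the unconditional assignment that follows overwrites `na` with the org-namespace checker, so with a StackID configured the authorizer ends up using `claims.OrgNamespaceFormatter` together with `WithDisableAccessTokenNamespaceAccessCheckerOption()`, i.e. the access-token namespace check is switched off exactly where it was meant to apply. The removed code returned from inside the branch, which the rewrite lost when the `return` became an assignment. The smallest fix is to make the second construction the `else` arm: replace the closing `}` of the `if` with `} else {` and add a `}` after the second `NewNamespaceAccessChecker(...)` call, before `return authzlib.NamespaceAuthorizationFunc(`. Since ProvideService wires this single authorizer into both `UnaryAuthorizeInterceptor` and `StreamAuthorizeInterceptor`, the unary and stream paths are both affected.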
@ -73,8 +73,7 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
|
|||||||
|
|
||||||
var opts []grpc.ServerOption
|
var opts []grpc.ServerOption
|
||||||
|
|
||||||
namespaceChecker := grpcutils.NewNamespaceAccessChecker(cfg)
|
namespaceAuthz := grpcutils.NewNamespaceAuthorizer(cfg)
|
||||||
stackIdExtractor := authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey)
|
|
||||||
|
|
||||||
// Default auth is admin token check, but this can be overridden by
|
// Default auth is admin token check, but this can be overridden by
|
||||||
// services which implement ServiceAuthFuncOverride interface.
|
// services which implement ServiceAuthFuncOverride interface.
|
||||||
@ -83,14 +82,14 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
|
|||||||
grpc.StatsHandler(otelgrpc.NewServerHandler()),
|
grpc.StatsHandler(otelgrpc.NewServerHandler()),
|
||||||
grpc.ChainUnaryInterceptor(
|
grpc.ChainUnaryInterceptor(
|
||||||
grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
|
grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
|
||||||
authzlib.UnaryNamespaceAccessInterceptor(namespaceChecker, stackIdExtractor),
|
authzlib.UnaryAuthorizeInterceptor(namespaceAuthz),
|
||||||
interceptors.LoggingUnaryInterceptor(s.cfg, s.logger), // needs to be registered after tracing interceptor to get trace id
|
interceptors.LoggingUnaryInterceptor(s.cfg, s.logger), // needs to be registered after tracing interceptor to get trace id
|
||||||
middleware.UnaryServerInstrumentInterceptor(grpcRequestDuration),
|
middleware.UnaryServerInstrumentInterceptor(grpcRequestDuration),
|
||||||
),
|
),
|
||||||
grpc.ChainStreamInterceptor(
|
grpc.ChainStreamInterceptor(
|
||||||
interceptors.TracingStreamInterceptor(tracer),
|
interceptors.TracingStreamInterceptor(tracer),
|
||||||
grpcAuth.StreamServerInterceptor(authenticator.Authenticate),
|
grpcAuth.StreamServerInterceptor(authenticator.Authenticate),
|
||||||
authzlib.StreamNamespaceAccessInterceptor(namespaceChecker, stackIdExtractor),
|
authzlib.StreamAuthorizeInterceptor(namespaceAuthz),
|
||||||
middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
|
middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
|
||||||
),
|
),
|
||||||
}...)
|
}...)
|
||||||
|