AuthN: Register flags for grpc_server_authentication configuration (#97063)

* AuthZServer: Add authenticator

* Add flags
Gabriel MABILLE 2024-11-27 10:35:35 +01:00 committed by GitHub
parent 722af820a5
commit 6e2d3cae5e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 7 deletions


@ -3,6 +3,8 @@ package grpcutils
import ( import (
"fmt" "fmt"
"github.com/spf13/pflag"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
) )
@ -26,6 +28,11 @@ type GrpcServerConfig struct {
AllowedAudiences []string AllowedAudiences []string
Mode Mode Mode Mode
LegacyFallback bool LegacyFallback bool
AllowInsecure bool
}
func (c *GrpcServerConfig) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&c.SigningKeysURL, "grpc-server-authentication.signing-keys-url", "", "gRPC server authentication signing keys URL")
} }
func ReadGrpcServerConfig(cfg *setting.Cfg) (*GrpcServerConfig, error) { func ReadGrpcServerConfig(cfg *setting.Cfg) (*GrpcServerConfig, error) {
@ -41,6 +48,7 @@ func ReadGrpcServerConfig(cfg *setting.Cfg) (*GrpcServerConfig, error) {
AllowedAudiences: section.Key("allowed_audiences").Strings(","), AllowedAudiences: section.Key("allowed_audiences").Strings(","),
Mode: mode, Mode: mode,
LegacyFallback: section.Key("legacy_fallback").MustBool(true), LegacyFallback: section.Key("legacy_fallback").MustBool(true),
AllowInsecure: cfg.Env == setting.Dev,
}, nil }, nil
} }
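Review bot: The new `AllowInsecure` field and the exported `AddFlags` method carry no doc comment, and the field name does not say what it disables; the only consumer visible in this commit uses it to build an `http.Client` with `InsecureSkipVerify: true` in `NewGrpcAuthenticator`. Suggest `// AllowInsecure disables TLS certificate verification on the HTTP client used by the gRPC authenticator; ReadGrpcServerConfig sets it only for the Dev environment and it must stay false everywhere else.` on the field and `// AddFlags registers the grpc-server-authentication command-line flags on fs.` on the method. `AddFlags` exposes only `signing-keys-url`, while `ReadGrpcServerConfig` also populates AllowedAudiences, Mode, LegacyFallback and AllowInsecure from the ini section; if that asymmetry is intended (AllowInsecure in particular should not be settable from the command line), the method comment is the place to say so.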


@ -27,11 +27,7 @@ func NewInProcGrpcAuthenticator() *authnlib.GrpcAuthenticator {
) )
} }
func NewGrpcAuthenticator(cfg *setting.Cfg, tracer tracing.Tracer) (*authnlib.GrpcAuthenticator, error) { func NewGrpcAuthenticator(authCfg *GrpcServerConfig, tracer tracing.Tracer) (*authnlib.GrpcAuthenticator, error) {
authCfg, err := ReadGrpcServerConfig(cfg)
if err != nil {
return nil, err
}
grpcAuthCfg := authnlib.GrpcAuthenticatorConfig{ grpcAuthCfg := authnlib.GrpcAuthenticatorConfig{
KeyRetrieverConfig: authnlib.KeyRetrieverConfig{ KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
SigningKeysURL: authCfg.SigningKeysURL, SigningKeysURL: authCfg.SigningKeysURL,
@ -42,7 +38,7 @@ func NewGrpcAuthenticator(cfg *setting.Cfg, tracer tracing.Tracer) (*authnlib.Gr
} }
client := http.DefaultClient client := http.DefaultClient
if cfg.Env == setting.Dev { if authCfg.AllowInsecure {
// allow insecure connections in development mode to facilitate testing // allow insecure connections in development mode to facilitate testing
client = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}} client = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
} }
@ -87,7 +83,7 @@ func NewGrpcAuthenticatorWithFallback(cfg *setting.Cfg, reg prometheus.Registere
return nil, err return nil, err
} }
authenticator, err := NewGrpcAuthenticator(cfg, tracer) authenticator, err := NewGrpcAuthenticator(authCfg, tracer)
if err != nil { if err != nil {
return nil, err return nil, err
} }
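Review bot: `NewGrpcAuthenticator` now takes `authCfg *GrpcServerConfig` from the caller and dereferences it at `authCfg.SigningKeysURL` with no nil check, whereas the removed `ReadGrpcServerConfig` call guaranteed either a non-nil value or an error; a guard such as `if authCfg == nil { return nil, errors.New("grpc server authentication config is nil") }` before building `grpcAuthCfg` keeps the failure an error instead of a panic. In the second hunk the comment `// allow insecure connections in development mode to facilitate testing` is now one step removed from the truth, since this function no longer inspects `cfg.Env`; `// AllowInsecure skips TLS verification on the authenticator's HTTP client; ReadGrpcServerConfig sets it only for the Dev environment` keeps the security-relevant invariant visible to readers of this file. The body of `NewGrpcAuthenticator` continues past the first hunk, and `NewGrpcAuthenticatorWithFallback` in the third hunk starts outside it.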