IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

K8s: Ensure there is always a user in appcontext.User (#78247)

Browse Source
This commit is contained in:
Ryan McKinley 2023-11-15 16:52:54 -08:00 committed by GitHub
parent 768fde02aa
commit 71f32d4e19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/infra/appcontext/user.go
View File

@ -4,6 +4,10 @@ import (
"context" "context"
"fmt" "fmt"
k8suser "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/endpoints/request"
"github.com/grafana/grafana/pkg/models/roletype"
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey" "github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model" contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
grpccontext "github.com/grafana/grafana/pkg/services/grpcserver/context" grpccontext "github.com/grafana/grafana/pkg/services/grpcserver/context"
@ -38,6 +42,26 @@ func User(ctx context.Context) (*user.SignedInUser, error) {
return c.SignedInUser, nil return c.SignedInUser, nil
} }
// Find the kubernetes user info
k8sUserInfo, ok := request.UserFrom(ctx)
if ok {
for _, group := range k8sUserInfo.GetGroups() {
switch group {
case k8suser.APIServerUser:
fallthrough
case k8suser.SystemPrivilegedGroup:
return &user.SignedInUser{
UserID: 1,
OrgID: 1,
Name: k8sUserInfo.GetName(),
Login: k8sUserInfo.GetName(),
OrgRole: roletype.RoleAdmin,
IsGrafanaAdmin: true,
}, nil
}
}
}
return nil, fmt.Errorf("a SignedInUser was not found in the context") return nil, fmt.Errorf("a SignedInUser was not found in the context")
} }

9
pkg/services/grafana-apiserver/auth/authorizer/provider.go
View File

@ -1,9 +1,7 @@
package authorizer package authorizer
import ( import (
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union" "k8s.io/apiserver/pkg/authorization/union"
"github.com/grafana/grafana/pkg/services/grafana-apiserver/auth/authorizer/org" "github.com/grafana/grafana/pkg/services/grafana-apiserver/auth/authorizer/org"
@ -17,12 +15,7 @@ func ProvideAuthorizer(
stackIDAuthorizer *stack.StackIDAuthorizer, stackIDAuthorizer *stack.StackIDAuthorizer,
cfg *setting.Cfg, cfg *setting.Cfg,
) authorizer.Authorizer { ) authorizer.Authorizer {
authorizers := []authorizer.Authorizer{ authorizers := []authorizer.Authorizer{}
// This will allow privileged uses to do anything.
// In development mode, a privileged user is configured and saved into:
// ${data}/grafana-apiserver/grafana.kubeconfig
authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup),
}
// In Hosted grafana, the StackID replaces the orgID as a valid namespace // In Hosted grafana, the StackID replaces the orgID as a valid namespace
if cfg.StackID != "" { if cfg.StackID != "" {