From 7d619199d0c04c08717279be6ac19d7857bfe65b Mon Sep 17 00:00:00 2001
From: Ryan McKinley
Date: Thu, 26 Oct 2023 10:46:45 -0700
Subject: [PATCH] K8s/Authorizer: Move allow from fallback to org_role (#77235)
---
 .../grafana-apiserver/auth/authorizer/org/org_role.go | 9 +++++----
 .../grafana-apiserver/auth/authorizer/provider.go | 9 +++------
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/pkg/services/grafana-apiserver/auth/authorizer/org/org_role.go b/pkg/services/grafana-apiserver/auth/authorizer/org/org_role.go
index 93268f976cc..3776da4377d 100644
--- a/pkg/services/grafana-apiserver/auth/authorizer/org/org_role.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/org/org_role.go
@@ -4,10 +4,11 @@ import (
 "context"
 "fmt"
 
+ "k8s.io/apiserver/pkg/authorization/authorizer"
+
 "github.com/grafana/grafana/pkg/infra/appcontext"
 "github.com/grafana/grafana/pkg/infra/log"
 "github.com/grafana/grafana/pkg/services/org"
- "k8s.io/apiserver/pkg/authorization/authorizer"
 )
 
 var _ authorizer.Authorizer = &OrgIDAuthorizer{}
@@ -28,18 +29,18 @@ func (auth OrgRoleAuthorizer) Authorize(ctx context.Context, a authorizer.Attrib
 switch signedInUser.OrgRole {
 case org.RoleAdmin:
- return authorizer.DecisionNoOpinion, "", nil
+ return authorizer.DecisionAllow, "", nil
 case org.RoleEditor:
 switch a.GetVerb() {
 case "get", "list", "watch", "create", "update", "patch", "delete", "put", "post":
- return authorizer.DecisionNoOpinion, "", nil
+ return authorizer.DecisionAllow, "", nil
 default:
 return authorizer.DecisionDeny, errorMessageForGrafanaOrgRole(string(signedInUser.OrgRole), a), nil
 }
 case org.RoleViewer:
 switch a.GetVerb() {
 case "get", "list", "watch":
- return authorizer.DecisionNoOpinion, "", nil
+ return authorizer.DecisionAllow, "", nil
 default:
 return authorizer.DecisionDeny, errorMessageForGrafanaOrgRole(string(signedInUser.OrgRole), a), nil
 }
 
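Review bot: The three new `return authorizer.DecisionAllow, "", nil` lines decide on the verb alone; nothing in this switch consults a.GetResource(), a.GetSubresource() or a.GetNamespace(), so inside the union an Editor's `create`/`delete` or a Viewer's `get` now short-circuits to Allow for any resource that an earlier authorizer did not already deny. That was already the effective outcome under the old always-allow fallback, but the grant is now explicit in this file, so the authorizer's doc comment should state it, e.g. `// Authorize decides by org role and request verb only; resource, subresource and namespace are not checked here and must be enforced by an authorizer placed earlier in the union.` The outer role switch's `default:` branch, if it has one, lies outside the hunk: with the fallback gone, a role value matching none of the three cases now ends in NoOpinion, which the apiserver treats as forbidden, so returning an explicit `authorizer.DecisionDeny` with a reason there would make that 403 attributable. Authorize's body begins before and ends after the hunk.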
diff --git a/pkg/services/grafana-apiserver/auth/authorizer/provider.go b/pkg/services/grafana-apiserver/auth/authorizer/provider.go
index 4441da7dbe0..c658252bb41 100644
--- a/pkg/services/grafana-apiserver/auth/authorizer/provider.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/provider.go
@@ -28,11 +28,8 @@ func ProvideAuthorizer(
 authorizers = append(authorizers, orgIDAuthorizer)
 }
 
- authorizers = append(authorizers,
- orgRoleAuthorizer,
-
- // Add this last so that if nothing says authorizer.DecisionDeny, it will pass
- authorizerfactory.NewAlwaysAllowAuthorizer(),
- )
+ // org role is last -- and will return allow for verbs that match expectations
+ // Ideally FGAC happens earlier and returns an explicit answer
+ authorizers = append(authorizers, orgRoleAuthorizer)
 return union.New(authorizers...)
 }
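Review bot: With `authorizerfactory.NewAlwaysAllowAuthorizer()` removed from the chain, a request on which every authorizer returns NoOpinion now reaches the apiserver as NoOpinion and is refused; the new comment says the org-role authorizer is last but not that the chain is now fail-closed, and that is the property a later edit is most likely to undo by re-adding a fallback. Suggest extending the comment with `// No always-allow fallback is appended: if every authorizer returns NoOpinion the apiserver rejects the request, so the chain fails closed.` Because `orgIDAuthorizer` is appended only under the condition on the preceding context line, in the other case the org-role check is the sole authorizer and grants on verb alone; whether that is acceptable depends on what that condition guards, which is outside the hunk. If `authorizerfactory` is not referenced elsewhere in provider.go the import is now unused, though the diffstat (3 insertions, 6 deletions) matches this hunk exactly and so the import block was not touched, suggesting it still is. ProvideAuthorizer starts before the hunk.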