mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Cloud migrations: create endpoint to create an access token (#84690)
* fix merge conflicts * make token expiration configurable
This commit is contained in:
Bruno
GitHub
@@ -7,6 +7,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/api/response"
|
||||
"github.com/grafana/grafana/pkg/api/routing"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||
"github.com/grafana/grafana/pkg/middleware"
|
||||
"github.com/grafana/grafana/pkg/services/cloudmigration"
|
||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||
@@ -17,16 +18,19 @@ type CloudMigrationAPI struct {
|
||||
cloudMigrationsService cloudmigration.Service
|
||||
routeRegister routing.RouteRegister
|
||||
log log.Logger
|
||||
tracer tracing.Tracer
|
||||
}
|
||||
|
||||
func RegisterApi(
|
||||
rr routing.RouteRegister,
|
||||
cms cloudmigration.Service,
|
||||
tracer tracing.Tracer,
|
||||
) *CloudMigrationAPI {
|
||||
api := &CloudMigrationAPI{
|
||||
log: log.New("cloudmigrations.api"),
|
||||
routeRegister: rr,
|
||||
cloudMigrationsService: cms,
|
||||
tracer: tracer,
|
||||
}
|
||||
api.registerEndpoints()
|
||||
return api
|
||||
@@ -43,15 +47,23 @@ func (cma *CloudMigrationAPI) registerEndpoints() {
|
||||
cloudMigrationRoute.Post("/migration/:id/run", routing.Wrap(cma.RunMigration))
|
||||
cloudMigrationRoute.Get("/migration/:id/run", routing.Wrap(cma.GetMigrationRunList))
|
||||
cloudMigrationRoute.Get("/migration/:id/run/:runID", routing.Wrap(cma.GetMigrationRun))
|
||||
cloudMigrationRoute.Post("/token", routing.Wrap(cma.CreateToken))
|
||||
}, middleware.ReqGrafanaAdmin)
|
||||
}
|
||||
|
||||
func (cma *CloudMigrationAPI) CreateToken(c *contextmodel.ReqContext) response.Response {
|
||||
err := cma.cloudMigrationsService.CreateToken(c.Req.Context())
|
||||
ctx, span := cma.tracer.Start(c.Req.Context(), "MigrationAPI.CreateAccessToken")
|
||||
defer span.End()
|
||||
|
||||
logger := cma.log.FromContext(ctx)
|
||||
|
||||
resp, err := cma.cloudMigrationsService.CreateToken(ctx)
|
||||
if err != nil {
|
||||
return response.Error(http.StatusInternalServerError, "token creation error", err)
|
||||
logger.Error("creating gcom access token", "err", err.Error())
|
||||
return response.Error(http.StatusInternalServerError, "creating gcom access token", err)
|
||||
}
|
||||
return response.Success("Token created")
|
||||
|
||||
return response.JSON(http.StatusOK, cloudmigration.CreateAccessTokenResponseDTO(resp))
|
||||
}
|
||||
|
||||
func (cma *CloudMigrationAPI) GetMigrationList(c *contextmodel.ReqContext) response.Response {
|
||||
|
||||
@@ -5,7 +5,7 @@ import (
|
||||
)
|
||||
|
||||
type Service interface {
|
||||
CreateToken(context.Context) error
|
||||
CreateToken(context.Context) (CreateAccessTokenResponse, error)
|
||||
ValidateToken(context.Context, string) error
|
||||
SaveEncryptedToken(context.Context, string) error
|
||||
// migration
|
||||
|
||||
@@ -2,14 +2,20 @@ package cloudmigrationimpl
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/api/routing"
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||
"github.com/grafana/grafana/pkg/services/cloudmigration"
|
||||
"github.com/grafana/grafana/pkg/services/cloudmigration/api"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/gcom"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
)
|
||||
@@ -18,18 +24,27 @@ import (
|
||||
type Service struct {
|
||||
store store
|
||||
|
||||
log log.Logger
|
||||
log *log.ConcreteLogger
|
||||
cfg *setting.Cfg
|
||||
|
||||
features featuremgmt.FeatureToggles
|
||||
dsService datasources.DataSourceService
|
||||
features featuremgmt.FeatureToggles
|
||||
dsService datasources.DataSourceService
|
||||
gcomService gcom.Service
|
||||
|
||||
api *api.CloudMigrationAPI
|
||||
// metrics *Metrics
|
||||
api *api.CloudMigrationAPI
|
||||
tracer tracing.Tracer
|
||||
metrics *Metrics
|
||||
}
|
||||
|
||||
var LogPrefix = "cloudmigration.service"
|
||||
|
||||
const (
|
||||
// nolint:gosec
|
||||
cloudMigrationAccessPolicyName = "grafana-cloud-migrations"
|
||||
//nolint:gosec
|
||||
cloudMigrationTokenName = "grafana-cloud-migrations"
|
||||
)
|
||||
|
||||
var _ cloudmigration.Service = (*Service)(nil)
|
||||
|
||||
// ProvideService Factory for method used by wire to inject dependencies.
|
||||
@@ -41,30 +56,129 @@ func ProvideService(
|
||||
dsService datasources.DataSourceService,
|
||||
routeRegister routing.RouteRegister,
|
||||
prom prometheus.Registerer,
|
||||
tracer tracing.Tracer,
|
||||
) cloudmigration.Service {
|
||||
if !features.IsEnabledGlobally(featuremgmt.FlagOnPremToCloudMigrations) {
|
||||
return &NoopServiceImpl{}
|
||||
}
|
||||
|
||||
s := &Service{
|
||||
store: &sqlStore{db: db},
|
||||
log: log.New(LogPrefix),
|
||||
cfg: cfg,
|
||||
features: features,
|
||||
dsService: dsService,
|
||||
store: &sqlStore{db: db},
|
||||
log: log.New(LogPrefix),
|
||||
cfg: cfg,
|
||||
features: features,
|
||||
dsService: dsService,
|
||||
gcomService: gcom.New(gcom.Config{ApiURL: cfg.GrafanaComAPIURL, Token: cfg.CloudMigration.GcomAPIToken}),
|
||||
tracer: tracer,
|
||||
metrics: newMetrics(),
|
||||
}
|
||||
s.api = api.RegisterApi(routeRegister, s)
|
||||
s.api = api.RegisterApi(routeRegister, s, tracer)
|
||||
|
||||
if err := s.registerMetrics(prom); err != nil {
|
||||
if err := s.registerMetrics(prom, s.metrics); err != nil {
|
||||
s.log.Warn("error registering prom metrics", "error", err.Error())
|
||||
}
|
||||
|
||||
return s
|
||||
}
|
||||
|
||||
func (s *Service) CreateToken(ctx context.Context) error {
|
||||
// TODO: Implement method
|
||||
return nil
|
||||
func (s *Service) CreateToken(ctx context.Context) (cloudmigration.CreateAccessTokenResponse, error) {
|
||||
ctx, span := s.tracer.Start(ctx, "CloudMigrationService.CreateToken")
|
||||
defer span.End()
|
||||
logger := s.log.FromContext(ctx)
|
||||
requestID := tracing.TraceIDFromContext(ctx, false)
|
||||
|
||||
timeoutCtx, cancel := context.WithTimeout(ctx, s.cfg.CloudMigration.FetchInstanceTimeout)
|
||||
defer cancel()
|
||||
instance, err := s.gcomService.GetInstanceByID(timeoutCtx, requestID, s.cfg.StackID)
|
||||
if err != nil {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, fmt.Errorf("fetching instance by id: id=%s %w", s.cfg.StackID, err)
|
||||
}
|
||||
|
||||
timeoutCtx, cancel = context.WithTimeout(ctx, s.cfg.CloudMigration.FetchAccessPolicyTimeout)
|
||||
defer cancel()
|
||||
existingAccessPolicy, err := s.findAccessPolicyByName(timeoutCtx, instance.RegionSlug, cloudMigrationAccessPolicyName)
|
||||
if err != nil {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, fmt.Errorf("fetching access policy by name: name=%s %w", cloudMigrationAccessPolicyName, err)
|
||||
}
|
||||
|
||||
if existingAccessPolicy != nil {
|
||||
timeoutCtx, cancel := context.WithTimeout(ctx, s.cfg.CloudMigration.DeleteAccessPolicyTimeout)
|
||||
defer cancel()
|
||||
if _, err := s.gcomService.DeleteAccessPolicy(timeoutCtx, gcom.DeleteAccessPolicyParams{
|
||||
RequestID: requestID,
|
||||
AccessPolicyID: existingAccessPolicy.ID,
|
||||
Region: instance.RegionSlug,
|
||||
}); err != nil {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, fmt.Errorf("deleting access policy: id=%s region=%s %w", existingAccessPolicy.ID, instance.RegionSlug, err)
|
||||
}
|
||||
logger.Info("deleted access policy", existingAccessPolicy.ID, "name", existingAccessPolicy.Name)
|
||||
}
|
||||
|
||||
timeoutCtx, cancel = context.WithTimeout(ctx, s.cfg.CloudMigration.CreateAccessPolicyTimeout)
|
||||
defer cancel()
|
||||
accessPolicy, err := s.gcomService.CreateAccessPolicy(timeoutCtx,
|
||||
gcom.CreateAccessPolicyParams{
|
||||
RequestID: requestID,
|
||||
Region: instance.RegionSlug,
|
||||
},
|
||||
gcom.CreateAccessPolicyPayload{
|
||||
Name: cloudMigrationAccessPolicyName,
|
||||
DisplayName: cloudMigrationAccessPolicyName,
|
||||
Realms: []gcom.Realm{{Type: "stack", Identifier: s.cfg.StackID, LabelPolicies: []gcom.LabelPolicy{}}},
|
||||
Scopes: []string{"cloud-migrations:read", "cloud-migrations:write"},
|
||||
})
|
||||
if err != nil {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, fmt.Errorf("creating access policy: %w", err)
|
||||
}
|
||||
logger.Info("created access policy", "id", accessPolicy.ID, "name", accessPolicy.Name)
|
||||
|
||||
timeoutCtx, cancel = context.WithTimeout(ctx, s.cfg.CloudMigration.CreateTokenTimeout)
|
||||
defer cancel()
|
||||
token, err := s.gcomService.CreateToken(timeoutCtx,
|
||||
gcom.CreateTokenParams{RequestID: requestID, Region: instance.RegionSlug},
|
||||
gcom.CreateTokenPayload{
|
||||
AccessPolicyID: accessPolicy.ID,
|
||||
DisplayName: cloudMigrationTokenName,
|
||||
Name: cloudMigrationTokenName,
|
||||
ExpiresAt: time.Now().Add(s.cfg.CloudMigration.TokenExpiresAfter),
|
||||
})
|
||||
if err != nil {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, fmt.Errorf("creating access token: %w", err)
|
||||
}
|
||||
logger.Info("created access token", "id", token.ID, "name", token.Name)
|
||||
s.metrics.accessTokenCreated.With(prometheus.Labels{"slug": s.cfg.Slug}).Inc()
|
||||
|
||||
bytes, err := json.Marshal(map[string]string{
|
||||
"token": token.Token,
|
||||
"region": instance.ClusterSlug,
|
||||
})
|
||||
if err != nil {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, fmt.Errorf("encoding token: %w", err)
|
||||
}
|
||||
|
||||
return cloudmigration.CreateAccessTokenResponse{Token: base64.StdEncoding.EncodeToString(bytes)}, nil
|
||||
}
|
||||
|
||||
func (s *Service) findAccessPolicyByName(ctx context.Context, regionSlug, accessPolicyName string) (*gcom.AccessPolicy, error) {
|
||||
ctx, span := s.tracer.Start(ctx, "CloudMigrationService.findAccessPolicyByName")
|
||||
defer span.End()
|
||||
|
||||
accessPolicies, err := s.gcomService.ListAccessPolicies(ctx, gcom.ListAccessPoliciesParams{
|
||||
RequestID: tracing.TraceIDFromContext(ctx, false),
|
||||
Region: regionSlug,
|
||||
Name: accessPolicyName,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("listing access policies: name=%s region=%s :%w", accessPolicyName, regionSlug, err)
|
||||
}
|
||||
|
||||
for _, accessPolicy := range accessPolicies {
|
||||
if accessPolicy.Name == accessPolicyName {
|
||||
return &accessPolicy, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (s *Service) ValidateToken(ctx context.Context, token string) error {
|
||||
|
||||
@@ -15,10 +15,9 @@ func (s *NoopServiceImpl) MigrateDatasources(ctx context.Context, request *cloud
|
||||
return nil, cloudmigration.ErrFeatureDisabledError
|
||||
}
|
||||
|
||||
func (s *NoopServiceImpl) CreateToken(ctx context.Context) error {
|
||||
return cloudmigration.ErrFeatureDisabledError
|
||||
func (s *NoopServiceImpl) CreateToken(ctx context.Context) (cloudmigration.CreateAccessTokenResponse, error) {
|
||||
return cloudmigration.CreateAccessTokenResponse{}, cloudmigration.ErrFeatureDisabledError
|
||||
}
|
||||
|
||||
func (s *NoopServiceImpl) ValidateToken(ctx context.Context, token string) error {
|
||||
return cloudmigration.ErrFeatureDisabledError
|
||||
}
|
||||
|
||||
@@ -2,25 +2,50 @@ package cloudmigrationimpl
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/cloudmigration"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
)
|
||||
|
||||
// type Metrics struct {
|
||||
// log log.Logger
|
||||
// }
|
||||
const (
|
||||
namespace = "grafana"
|
||||
subsystem = "cloudmigrations"
|
||||
)
|
||||
|
||||
func (s *Service) registerMetrics(prom prometheus.Registerer) error {
|
||||
for _, m := range cloudmigration.PromMetrics {
|
||||
if err := prom.Register(m); err != nil {
|
||||
var alreadyRegisterErr prometheus.AlreadyRegisteredError
|
||||
if errors.As(err, &alreadyRegisterErr) {
|
||||
s.log.Warn("metric already registered", "metric", m)
|
||||
continue
|
||||
}
|
||||
return err
|
||||
var PromMetrics = []prometheus.Collector{
|
||||
prometheus.NewCounterVec(prometheus.CounterOpts{
|
||||
Namespace: namespace,
|
||||
Subsystem: subsystem,
|
||||
Name: "datasources_migrated",
|
||||
Help: "Total amount of data sources migrated",
|
||||
}, []string{"pdc_converted"}),
|
||||
}
|
||||
|
||||
type Metrics struct {
|
||||
accessTokenCreated *prometheus.CounterVec
|
||||
}
|
||||
|
||||
func newMetrics() *Metrics {
|
||||
return &Metrics{
|
||||
accessTokenCreated: prometheus.NewCounterVec(prometheus.CounterOpts{
|
||||
Namespace: namespace,
|
||||
Subsystem: subsystem,
|
||||
Name: "access_token_created",
|
||||
Help: "Total of access tokens created",
|
||||
}, []string{"slug"}),
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Service) registerMetrics(prom prometheus.Registerer, metrics *Metrics) error {
|
||||
if err := prom.Register(metrics.accessTokenCreated); err != nil {
|
||||
var alreadyRegisterErr prometheus.AlreadyRegisteredError
|
||||
if errors.As(err, &alreadyRegisterErr) {
|
||||
s.log.Warn("metric already registered", "metric", metrics.accessTokenCreated)
|
||||
} else {
|
||||
return fmt.Errorf("registering access token created metric: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -4,7 +4,6 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/util/errutil"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -77,16 +76,10 @@ type MigrateDatasourcesResponseDTO struct {
|
||||
DatasourcesMigrated int `json:"datasourcesMigrated"`
|
||||
}
|
||||
|
||||
const (
|
||||
namespace = "grafana"
|
||||
subsystem = "cloudmigrations"
|
||||
)
|
||||
|
||||
var PromMetrics = []prometheus.Collector{
|
||||
prometheus.NewCounterVec(prometheus.CounterOpts{
|
||||
Namespace: namespace,
|
||||
Subsystem: subsystem,
|
||||
Name: "datasources_migrated",
|
||||
Help: "Total amount of data sources migrated",
|
||||
}, []string{"pdc_converted"}),
|
||||
type CreateAccessTokenResponse struct {
|
||||
Token string
|
||||
}
|
||||
|
||||
type CreateAccessTokenResponseDTO struct {
|
||||
Token string `json:"token"`
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user