IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Zanzana: Implement initial check and list with schema for generic resources (#95056)

Browse Source 
* Implement initial check with schema for generic resources

* Implement List and add tests

* Add namespace type and change to folder_resource name

* Handle namespace grants for typed resources

* Run tests as integration tests

* Add support for verb in list requests
This commit is contained in:
Karl Persson
2024-10-25 14:19:11 +02:00
committed by GitHub
parent e894b19c1a
commit bdbe12e980
12 changed files with 1003 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

227
pkg/services/authz/zanzana/proto/v1/extention.pb.go
View File

@@ -10,6 +10,7 @@ import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
@@ -19,23 +20,202 @@ const (
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
type ListRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Subject string `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"`
Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"`
Verb string `protobuf:"bytes,3,opt,name=verb,proto3" json:"verb,omitempty"`
Resource string `protobuf:"bytes,4,opt,name=resource,proto3" json:"resource,omitempty"`
Namespace string `protobuf:"bytes,5,opt,name=namespace,proto3" json:"namespace,omitempty"`
}
func (x *ListRequest) Reset() {
*x = ListRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_extention_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ListRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ListRequest) ProtoMessage() {}
func (x *ListRequest) ProtoReflect() protoreflect.Message {
mi := &file_extention_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ListRequest.ProtoReflect.Descriptor instead.
func (*ListRequest) Descriptor() ([]byte, []int) {
return file_extention_proto_rawDescGZIP(), []int{0}
}
func (x *ListRequest) GetSubject() string {
if x != nil {
return x.Subject
}
return ""
}
func (x *ListRequest) GetGroup() string {
if x != nil {
return x.Group
}
return ""
}
func (x *ListRequest) GetVerb() string {
if x != nil {
return x.Verb
}
return ""
}
func (x *ListRequest) GetResource() string {
if x != nil {
return x.Resource
}
return ""
}
func (x *ListRequest) GetNamespace() string {
if x != nil {
return x.Namespace
}
return ""
}
type ListResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
All bool `protobuf:"varint,1,opt,name=all,proto3" json:"all,omitempty"`
Folders []string `protobuf:"bytes,2,rep,name=folders,proto3" json:"folders,omitempty"`
Items []string `protobuf:"bytes,3,rep,name=items,proto3" json:"items,omitempty"`
}
func (x *ListResponse) Reset() {
*x = ListResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_extention_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ListResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ListResponse) ProtoMessage() {}
func (x *ListResponse) ProtoReflect() protoreflect.Message {
mi := &file_extention_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ListResponse.ProtoReflect.Descriptor instead.
func (*ListResponse) Descriptor() ([]byte, []int) {
return file_extention_proto_rawDescGZIP(), []int{1}
}
func (x *ListResponse) GetAll() bool {
if x != nil {
return x.All
}
return false
}
func (x *ListResponse) GetFolders() []string {
if x != nil {
return x.Folders
}
return nil
}
func (x *ListResponse) GetItems() []string {
if x != nil {
return x.Items
}
return nil
}
var File_extention_proto protoreflect.FileDescriptor
var file_extention_proto_rawDesc = []byte{
0x0a, 0x0f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x12, 0x12, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x74, 0x69,
0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x32, 0x17, 0x0a, 0x15, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x45, 0x78,
0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x42, 0x38,
0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61,
0x66, 0x61, 0x6e, 0x61, 0x2f, 0x67, 0x72, 0x61, 0x66, 0x61, 0x6e, 0x61, 0x2f, 0x70, 0x6b, 0x67,
0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2f,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x22, 0x8b, 0x01, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65,
0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74,
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12,
0x14, 0x0a, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
0x67, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x12, 0x0a, 0x04, 0x76, 0x65, 0x72, 0x62, 0x18, 0x03, 0x20,
0x01, 0x28, 0x09, 0x52, 0x04, 0x76, 0x65, 0x72, 0x62, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
0x63, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
0x61, 0x63, 0x65, 0x22, 0x50, 0x0a, 0x0c, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x6c, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08,
0x52, 0x03, 0x61, 0x6c, 0x6c, 0x12, 0x18, 0x0a, 0x07, 0x66, 0x6f, 0x6c, 0x64, 0x65, 0x72, 0x73,
0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x66, 0x6f, 0x6c, 0x64, 0x65, 0x72, 0x73, 0x12,
0x14, 0x0a, 0x05, 0x69, 0x74, 0x65, 0x6d, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05,
0x69, 0x74, 0x65, 0x6d, 0x73, 0x32, 0x62, 0x0a, 0x15, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x45, 0x78,
0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x49,
0x0a, 0x04, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x1f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x65,
0x78, 0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e,
0x65, 0x78, 0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73,
0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x38, 0x5a, 0x36, 0x67, 0x69, 0x74,
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x66, 0x61, 0x6e, 0x61, 0x2f,
0x67, 0x72, 0x61, 0x66, 0x61, 0x6e, 0x61, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x73, 0x65, 0x72, 0x76,
0x69, 0x63, 0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var file_extention_proto_goTypes = []any{}
var (
file_extention_proto_rawDescOnce sync.Once
file_extention_proto_rawDescData = file_extention_proto_rawDesc
)
func file_extention_proto_rawDescGZIP() []byte {
file_extention_proto_rawDescOnce.Do(func() {
file_extention_proto_rawDescData = protoimpl.X.CompressGZIP(file_extention_proto_rawDescData)
})
return file_extention_proto_rawDescData
}
var file_extention_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_extention_proto_goTypes = []any{
(*ListRequest)(nil), // 0: authz.extention.v1.ListRequest
(*ListResponse)(nil), // 1: authz.extention.v1.ListResponse
}
var file_extention_proto_depIdxs = []int32{
0, // [0:0] is the sub-list for method output_type
0, // [0:0] is the sub-list for method input_type
0, // 0: authz.extention.v1.AuthzExtentionService.List:input_type -> authz.extention.v1.ListRequest
1, // 1: authz.extention.v1.AuthzExtentionService.List:output_type -> authz.extention.v1.ListResponse
1, // [1:2] is the sub-list for method output_type
0, // [0:1] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
@@ -46,18 +226,45 @@ func file_extention_proto_init() {
if File_extention_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_extention_proto_msgTypes[0].Exporter = func(v any, i int) any {
switch v := v.(*ListRequest); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_extention_proto_msgTypes[1].Exporter = func(v any, i int) any {
switch v := v.(*ListResponse); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_extention_proto_rawDesc,
NumEnums: 0,
NumMessages: 0,
NumMessages: 2,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_extention_proto_goTypes,
DependencyIndexes: file_extention_proto_depIdxs,
MessageInfos: file_extention_proto_msgTypes,
}.Build()
File_extention_proto = out.File
file_extention_proto_rawDesc = nil

18
pkg/services/authz/zanzana/proto/v1/extention.proto
View File

@@ -4,4 +4,20 @@ option go_package = "github.com/grafana/grafana/pkg/services/authz/proto/v1";
package authz.extention.v1;
service AuthzExtentionService {}
service AuthzExtentionService {
rpc List(ListRequest) returns (ListResponse);
}
message ListRequest {
string subject = 1;
string group = 2;
string verb = 3;
string resource = 4;
string namespace = 5;
}
message ListResponse {
bool all = 1;
repeated string folders = 2;
repeated string items = 3;
}

52
pkg/services/authz/zanzana/proto/v1/extention_grpc.pb.go
View File

@@ -7,7 +7,10 @@
package v1
import (
context "context"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
)
// This is a compile-time assertion to ensure that this generated file
@@ -15,10 +18,15 @@ import (
// Requires gRPC-Go v1.62.0 or later.
const _ = grpc.SupportPackageIsVersion8
const (
AuthzExtentionService_List_FullMethodName = "/authz.extention.v1.AuthzExtentionService/List"
)
// AuthzExtentionServiceClient is the client API for AuthzExtentionService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type AuthzExtentionServiceClient interface {
List(ctx context.Context, in *ListRequest, opts ...grpc.CallOption) (*ListResponse, error)
}
type authzExtentionServiceClient struct {
@@ -29,16 +37,31 @@ func NewAuthzExtentionServiceClient(cc grpc.ClientConnInterface) AuthzExtentionS
return &authzExtentionServiceClient{cc}
}
func (c *authzExtentionServiceClient) List(ctx context.Context, in *ListRequest, opts ...grpc.CallOption) (*ListResponse, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(ListResponse)
err := c.cc.Invoke(ctx, AuthzExtentionService_List_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
// AuthzExtentionServiceServer is the server API for AuthzExtentionService service.
// All implementations should embed UnimplementedAuthzExtentionServiceServer
// for forward compatibility
type AuthzExtentionServiceServer interface {
List(context.Context, *ListRequest) (*ListResponse, error)
}
// UnimplementedAuthzExtentionServiceServer should be embedded to have forward compatible implementations.
type UnimplementedAuthzExtentionServiceServer struct {
}
func (UnimplementedAuthzExtentionServiceServer) List(context.Context, *ListRequest) (*ListResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method List not implemented")
}
// UnsafeAuthzExtentionServiceServer may be embedded to opt out of forward compatibility for this service.
// Use of this interface is not recommended, as added methods to AuthzExtentionServiceServer will
// result in compilation errors.
@@ -50,13 +73,36 @@ func RegisterAuthzExtentionServiceServer(s grpc.ServiceRegistrar, srv AuthzExten
s.RegisterService(&AuthzExtentionService_ServiceDesc, srv)
}
func _AuthzExtentionService_List_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(ListRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzExtentionServiceServer).List(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: AuthzExtentionService_List_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzExtentionServiceServer).List(ctx, req.(*ListRequest))
}
return interceptor(ctx, in, info, handler)
}
// AuthzExtentionService_ServiceDesc is the grpc.ServiceDesc for AuthzExtentionService service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
var AuthzExtentionService_ServiceDesc = grpc.ServiceDesc{
ServiceName: "authz.extention.v1.AuthzExtentionService",
HandlerType: (*AuthzExtentionServiceServer)(nil),
Methods: []grpc.MethodDesc{},
Streams: []grpc.StreamDesc{},
Metadata: "extention.proto",
Methods: []grpc.MethodDesc{
{
MethodName: "List",
Handler: _AuthzExtentionService_List_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "extention.proto",
}

61
pkg/services/authz/zanzana/schema/resource.fga Normal file
View File

@@ -0,0 +1,61 @@
module resource
type namespace
relations
define view: [user, team#member, role#assignee] or edit
define edit: [user, team#member, role#assignee] or admin
define admin: [user, team#member, role#assignee]
define read: [user, team#member, role#assignee] or view
define create: [user, team#member, role#assignee] or edit
define write: [user, team#member, role#assignee] or edit
define delete: [user, team#member, role#assignee] or edit
define permissions_read: [user, team#member, role#assignee] or admin
define permissions_write: [user, team#member, role#assignee] or admin
type folder2
relations
define parent: [folder2]
# Action sets
define view: [user, team#member, role#assignee] or edit
define edit: [user, team#member, role#assignee] or admin
define admin: [user, team#member, role#assignee]
define read: [user, team#member, role#assignee] or view or read from parent
define create: [user, team#member, role#assignee] or edit or create from parent
define write: [user, team#member, role#assignee] or edit or write from parent
define delete: [user, team#member, role#assignee] or edit or delete from parent
define permissions_read: [user, team#member, role#assignee] or admin or permissions_read from parent
define permissions_write: [user, team#member, role#assignee] or admin or permissions_write from parent
type folder_resource
relations
define view: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define edit: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or admin
define admin: [user with group_filter, team#member with group_filter, role#assignee with group_filter]
define read: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or view
define create: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define write: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define delete: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define permissions_read: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or admin
define permissions_write: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or admin
type resource
relations
define view: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define edit: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or admin
define admin: [user with group_filter, team#member with group_filter, role#assignee with group_filter]
define read: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or view
define create: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define write: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define delete: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or edit
define permissions_read: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or admin
define permissions_write: [user with group_filter, team#member with group_filter, role#assignee with group_filter] or admin
condition group_filter(requested_group: string, resource_group: string) {
resource_group == requested_group
}

22
pkg/services/authz/zanzana/schema/schema.go
View File

@@ -6,14 +6,16 @@ import (
"github.com/openfga/language/pkg/go/transformer"
)
//go:embed core.fga
var coreDSL string
//go:embed dashboard.fga
var dashboardDSL string
//go:embed folder.fga
var folderDSL string
var (
//go:embed core.fga
coreDSL string
//go:embed dashboard.fga
dashboardDSL string
//go:embed folder.fga
folderDSL string
//go:embed resource.fga
resourceDSL string
)
var SchemaModules = []transformer.ModuleFile{
{
@@ -28,4 +30,8 @@ var SchemaModules = []transformer.ModuleFile{
Name: "folder.fga",
Contents: folderDSL,
},
{
Name: "resource.fga",
Contents: resourceDSL,
},
}

58
pkg/services/authz/zanzana/server/authz_server.go → pkg/services/authz/zanzana/server/server.go
View File

@@ -11,11 +11,19 @@ import (
"go.opentelemetry.io/otel"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/grafana/grafana/pkg/apimachinery/utils"
folderalpha1 "github.com/grafana/grafana/pkg/apis/folder/v0alpha1"
"github.com/grafana/grafana/pkg/infra/log"
authzextv1 "github.com/grafana/grafana/pkg/services/authz/zanzana/proto/v1"
"github.com/grafana/grafana/pkg/services/authz/zanzana/schema"
)
const (
resourceType = "resource"
namespaceType = "namespace"
folderResourceType = "folder_resource"
)
var _ authzv1.AuthzServiceServer = (*Server)(nil)
var _ authzextv1.AuthzExtentionServiceServer = (*Server)(nil)
@@ -93,12 +101,6 @@ func NewAuthz(openfga openfgav1.OpenFGAServiceServer, opts ...ServerOption) (*Se
return s, nil
}
func (s *Server) Check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.CheckResponse, error) {
tracer.Start(ctx, "authzServer.Check")
return &authzv1.CheckResponse{}, nil
}
func (s *Server) getOrCreateStore(ctx context.Context, name string) (*openfgav1.Store, error) {
store, err := s.getStore(ctx, name)
@@ -197,3 +199,47 @@ func (s *Server) loadModel(ctx context.Context, storeID string, modules []transf
return writeRes.GetAuthorizationModelId(), nil
}
func newTypedIdent(typ string, name string) string {
return fmt.Sprintf("%s:%s", typ, name)
}
func newResourceIdent(group, resource, name string) string {
return fmt.Sprintf("%s:%s/%s", resourceType, formatGroupResource(group, resource), name)
}
func newFolderResourceIdent(group, resource, folder string) string {
return fmt.Sprintf("%s:%s/%s", folderResourceType, formatGroupResource(group, resource), folder)
}
func newNamespaceResourceIdent(group, resource string) string {
return fmt.Sprintf("%s:%s", namespaceType, formatGroupResource(group, resource))
}
func formatGroupResource(group, resource string) string {
return fmt.Sprintf("%s/%s", group, resource)
}
type TypeInfo struct {
typ string
}
var typedResources = map[string]TypeInfo{
newNamespaceResourceIdent(folderalpha1.GROUP, folderalpha1.RESOURCE): TypeInfo{typ: "folder2"},
}
func typeInfo(group, resource string) (TypeInfo, bool) {
info, ok := typedResources[newNamespaceResourceIdent(group, resource)]
return info, ok
}
var mapping = map[string]string{
utils.VerbGet: "read",
utils.VerbList: "read",
utils.VerbWatch: "read",
utils.VerbCreate: "create",
utils.VerbUpdate: "write",
utils.VerbPatch: "write",
utils.VerbDelete: "delete",
utils.VerbDeleteCollection: "delete",
}

130
pkg/services/authz/zanzana/server/server_check.go Normal file
View File

@@ -0,0 +1,130 @@
package server
import (
"context"
authzv1 "github.com/grafana/authlib/authz/proto/v1"
openfgav1 "github.com/openfga/api/proto/openfga/v1"
"google.golang.org/protobuf/types/known/structpb"
)
func (s *Server) Check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.CheckResponse, error) {
ctx, span := tracer.Start(ctx, "authzServer.Check")
defer span.End()
if info, ok := typeInfo(r.GetGroup(), r.GetResource()); ok {
return s.checkTyped(ctx, r, info)
}
return s.checkGeneric(ctx, r)
}
func (s *Server) checkTyped(ctx context.Context, r *authzv1.CheckRequest, info TypeInfo) (*authzv1.CheckResponse, error) {
relation := mapping[r.GetVerb()]
// 1. check if subject has direct access to resource
res, err := s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newTypedIdent(info.typ, r.GetName()),
},
})
if err != nil {
return nil, err
}
if res.GetAllowed() {
return &authzv1.CheckResponse{Allowed: true}, nil
}
// 2. check if subject has access through namespace
res, err = s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newNamespaceResourceIdent(r.GetGroup(), r.GetResource()),
},
})
if err != nil {
return nil, err
}
return &authzv1.CheckResponse{Allowed: res.GetAllowed()}, nil
}
func (s *Server) checkGeneric(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.CheckResponse, error) {
relation := mapping[r.GetVerb()]
// 1. check if subject has direct access to resource
res, err := s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newResourceIdent(r.GetGroup(), r.GetResource(), r.GetName()),
},
Context: &structpb.Struct{
Fields: map[string]*structpb.Value{
"requested_group": structpb.NewStringValue(formatGroupResource(r.GetGroup(), r.GetResource())),
},
},
})
if err != nil {
// FIXME: wrap error
return nil, err
}
if res.GetAllowed() {
return &authzv1.CheckResponse{Allowed: true}, nil
}
// 2. check if subject has access through namespace
res, err = s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newNamespaceResourceIdent(r.GetGroup(), r.GetResource()),
},
})
if err != nil {
return nil, err
}
if res.GetAllowed() {
return &authzv1.CheckResponse{Allowed: true}, nil
}
if r.Folder == "" {
return &authzv1.CheckResponse{Allowed: false}, nil
}
// 3. check if subject has access as a sub resource for the folder
res, err = s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newFolderResourceIdent(r.GetGroup(), r.GetResource(), r.GetFolder()),
},
Context: &structpb.Struct{
Fields: map[string]*structpb.Value{
"requested_group": structpb.NewStringValue(formatGroupResource(r.GetGroup(), r.GetResource())),
},
},
})
if err != nil {
return nil, err
}
return &authzv1.CheckResponse{Allowed: res.GetAllowed()}, nil
}

96
pkg/services/authz/zanzana/server/server_check_test.go Normal file
View File

@@ -0,0 +1,96 @@
package server
import (
"context"
"testing"
authzv1 "github.com/grafana/authlib/authz/proto/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/apimachinery/utils"
)
func testCheck(t *testing.T, server *Server) {
newRead := func(subject, group, resource, folder, name string) *authzv1.CheckRequest {
return &authzv1.CheckRequest{
// FIXME: namespace should map to store
// Namespace: storeID,
Subject: subject,
Verb: utils.VerbGet,
Group: group,
Resource: resource,
Name: name,
Folder: folder,
}
}
t.Run("user:1 should only be able to read resource:dashboards.grafana.app/dashboards/1", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:1", dashboardGroup, dashboardResource, "1", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
// sanity check
res, err = server.Check(context.Background(), newRead("user:1", dashboardGroup, dashboardResource, "1", "2"))
require.NoError(t, err)
assert.False(t, res.GetAllowed())
})
t.Run("user:2 should be able to read resource:dashboards.grafana.app/dashboards/1 through namespace", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:2", dashboardGroup, dashboardResource, "1", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
})
t.Run("user:3 should be able to read resource:dashboards.grafana.app/dashboards/1 with set relation", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:3", dashboardGroup, dashboardResource, "1", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
// sanity check
res, err = server.Check(context.Background(), newRead("user:3", dashboardGroup, dashboardResource, "1", "2"))
require.NoError(t, err)
assert.False(t, res.GetAllowed())
})
t.Run("user:4 should be able to read all dashboards.grafana.app/dashboards in folder 1 and 3", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:4", dashboardGroup, dashboardResource, "1", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
res, err = server.Check(context.Background(), newRead("user:4", dashboardGroup, dashboardResource, "3", "2"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
// sanity check
res, err = server.Check(context.Background(), newRead("user:4", dashboardGroup, dashboardResource, "1", "2"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
res, err = server.Check(context.Background(), newRead("user:4", dashboardGroup, dashboardResource, "2", "2"))
require.NoError(t, err)
assert.False(t, res.GetAllowed())
})
t.Run("user:5 should be able to read resource:dashboards.grafana.app/dashboards/1 through folder with set relation", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:5", dashboardGroup, dashboardResource, "1", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
})
t.Run("user:6 should be able to read folder 1 ", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:6", folderGroup, folderResource, "", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
})
t.Run("user:7 should be able to read folder one through namespace access", func(t *testing.T) {
res, err := server.Check(context.Background(), newRead("user:7", folderGroup, folderResource, "", "1"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
res, err = server.Check(context.Background(), newRead("user:7", folderGroup, folderResource, "", "10"))
require.NoError(t, err)
assert.True(t, res.GetAllowed())
})
}

146
pkg/services/authz/zanzana/server/server_list.go Normal file
View File

@@ -0,0 +1,146 @@
package server
import (
"context"
"fmt"
"strings"
openfgav1 "github.com/openfga/api/proto/openfga/v1"
"google.golang.org/protobuf/types/known/structpb"
"github.com/grafana/grafana/pkg/apimachinery/utils"
authzextv1 "github.com/grafana/grafana/pkg/services/authz/zanzana/proto/v1"
)
func (s *Server) List(ctx context.Context, r *authzextv1.ListRequest) (*authzextv1.ListResponse, error) {
ctx, span := tracer.Start(ctx, "authzServer.List")
defer span.End()
if info, ok := typeInfo(r.GetGroup(), r.GetResource()); ok {
return s.listTyped(ctx, r, info)
}
return s.listGeneric(ctx, r)
}
func (s *Server) listTyped(ctx context.Context, r *authzextv1.ListRequest, info TypeInfo) (*authzextv1.ListResponse, error) {
relation := mapping[r.GetVerb()]
// 1. check if subject has access through namespace because then they can read all of them
res, err := s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newNamespaceResourceIdent(r.GetGroup(), r.GetResource()),
},
})
if err != nil {
return nil, err
}
if res.GetAllowed() {
return &authzextv1.ListResponse{All: true}, nil
}
// 2. List all resources user has access too
listRes, err := s.openfga.ListObjects(ctx, &openfgav1.ListObjectsRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
Type: info.typ,
Relation: mapping[utils.VerbGet],
User: r.GetSubject(),
})
if err != nil {
return nil, err
}
return &authzextv1.ListResponse{
Items: typedObjects(info.typ, listRes.GetObjects()),
}, nil
}
func (s *Server) listGeneric(ctx context.Context, r *authzextv1.ListRequest) (*authzextv1.ListResponse, error) {
relation := mapping[r.GetVerb()]
// 1. check if subject has access through namespace because then they can read all of them
res, err := s.openfga.Check(ctx, &openfgav1.CheckRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
TupleKey: &openfgav1.CheckRequestTupleKey{
User: r.GetSubject(),
Relation: relation,
Object: newNamespaceResourceIdent(r.GetGroup(), r.GetResource()),
},
})
if err != nil {
return nil, err
}
if res.Allowed {
return &authzextv1.ListResponse{All: true}, nil
}
// 2. List all folders subject has access to resource type in
folders, err := s.openfga.ListObjects(ctx, &openfgav1.ListObjectsRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
Type: "folder_resource",
Relation: relation,
User: r.GetSubject(),
Context: &structpb.Struct{
Fields: map[string]*structpb.Value{
"requested_group": structpb.NewStringValue(formatGroupResource(r.GetGroup(), r.GetResource())),
},
},
})
if err != nil {
return nil, err
}
// 3. List all resource directly assigned to subject
direct, err := s.openfga.ListObjects(ctx, &openfgav1.ListObjectsRequest{
StoreId: s.storeID,
AuthorizationModelId: s.modelID,
Type: "resource",
Relation: relation,
User: r.GetSubject(),
Context: &structpb.Struct{
Fields: map[string]*structpb.Value{
"requested_group": structpb.NewStringValue(formatGroupResource(r.GetGroup(), r.GetResource())),
},
},
})
if err != nil {
return nil, err
}
return &authzextv1.ListResponse{
Folders: folderObject(r.GetGroup(), r.GetResource(), folders.GetObjects()),
Items: directObjects(r.GetGroup(), r.GetResource(), direct.GetObjects()),
}, nil
}
func typedObjects(typ string, objects []string) []string {
prefix := fmt.Sprintf("%s:", typ)
for i := range objects {
objects[i] = strings.TrimPrefix(objects[i], prefix)
}
return objects
}
func directObjects(group, resource string, objects []string) []string {
prefix := fmt.Sprintf("%s:%s/%s/", resourceType, group, resource)
for i := range objects {
objects[i] = strings.TrimPrefix(objects[i], prefix)
}
return objects
}
func folderObject(group, resource string, objects []string) []string {
prefix := fmt.Sprintf("%s:%s/%s/", folderResourceType, group, resource)
for i := range objects {
objects[i] = strings.TrimPrefix(objects[i], prefix)
}
return objects
}

83
pkg/services/authz/zanzana/server/server_list_test.go Normal file
View File

@@ -0,0 +1,83 @@
package server
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/apimachinery/utils"
authzextv1 "github.com/grafana/grafana/pkg/services/authz/zanzana/proto/v1"
)
func testList(t *testing.T, server *Server) {
newList := func(subject, group, resource string) *authzextv1.ListRequest {
return &authzextv1.ListRequest{
// FIXME: namespace should map to store
// Namespace: storeID,
Verb: utils.VerbList,
Subject: subject,
Group: group,
Resource: resource,
}
}
t.Run("user:1 should list resource:dashboards.grafana.app/dashboards/1", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:1", dashboardGroup, dashboardResource))
require.NoError(t, err)
assert.Len(t, res.GetItems(), 1)
assert.Len(t, res.GetFolders(), 0)
assert.Equal(t, res.GetItems()[0], "1")
})
t.Run("user:2 should be able to list all through group", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:2", dashboardGroup, dashboardResource))
require.NoError(t, err)
assert.True(t, res.GetAll())
assert.Len(t, res.GetItems(), 0)
assert.Len(t, res.GetFolders(), 0)
})
t.Run("user:3 should be able to list resource:dashboards.grafana.app/dashboards/1 with set relation", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:3", dashboardGroup, dashboardResource))
require.NoError(t, err)
assert.Len(t, res.GetItems(), 1)
assert.Len(t, res.GetFolders(), 0)
assert.Equal(t, res.GetItems()[0], "1")
})
t.Run("user:4 should be able to list all dashboards.grafana.app/dashboards in folder 1 and 3", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:4", dashboardGroup, dashboardResource))
require.NoError(t, err)
assert.Len(t, res.GetItems(), 0)
assert.Len(t, res.GetFolders(), 2)
assert.Equal(t, res.GetFolders()[0], "1")
assert.Equal(t, res.GetFolders()[1], "3")
})
t.Run("user:5 should be get list all dashboards.grafana.app/dashboards in folder 1 with set relation", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:5", dashboardGroup, dashboardResource))
require.NoError(t, err)
assert.Len(t, res.GetItems(), 0)
assert.Len(t, res.GetFolders(), 1)
assert.Equal(t, res.GetFolders()[0], "1")
})
t.Run("user:6 should be able to list folder 1", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:6", folderGroup, folderResource))
require.NoError(t, err)
assert.Len(t, res.GetItems(), 1)
assert.Len(t, res.GetFolders(), 0)
assert.Equal(t, res.GetItems()[0], "1")
})
t.Run("user:7 should be able to list all folders", func(t *testing.T) {
res, err := server.List(context.Background(), newList("user:7", folderGroup, folderResource))
require.NoError(t, err)
assert.Len(t, res.GetItems(), 0)
assert.Len(t, res.GetFolders(), 0)
assert.True(t, res.GetAll())
})
}

131
pkg/services/authz/zanzana/server/server_test.go Normal file
View File

@@ -0,0 +1,131 @@
package server
import (
"context"
"testing"
openfgav1 "github.com/openfga/api/proto/openfga/v1"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/structpb"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/authz/zanzana/store"
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/tests/testsuite"
)
const (
dashboardGroup = "dashboard.grafana.app"
dashboardResource = "dashboards"
folderGroup = "folder.grafana.app"
folderResource = "folders"
)
func TestMain(m *testing.M) {
testsuite.Run(m)
}
func TestIntegrationServer(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
testDB, cfg := db.InitTestDBWithCfg(t)
// Hack to skip these tests on mysql 5.7
if testDB.GetDialect().DriverName() == migrator.MySQL {
if supported, err := testDB.RecursiveQueriesAreSupported(); !supported || err != nil {
t.Skip("skipping integration test")
}
}
srv := setup(t, testDB, cfg)
t.Run("test check", func(t *testing.T) {
testCheck(t, srv)
})
t.Run("test list", func(t *testing.T) {
testList(t, srv)
})
}
func setup(t *testing.T, testDB db.DB, cfg *setting.Cfg) *Server {
t.Helper()
store, err := store.NewEmbeddedStore(cfg, testDB, log.NewNopLogger())
require.NoError(t, err)
openfga, err := NewOpenFGA(&cfg.Zanzana, store, log.NewNopLogger())
require.NoError(t, err)
srv, err := NewAuthz(openfga)
require.NoError(t, err)
// seed tuples
_, err = openfga.Write(context.Background(), &openfgav1.WriteRequest{
StoreId: srv.storeID,
AuthorizationModelId: srv.modelID,
Writes: &openfgav1.WriteRequestWrites{
TupleKeys: []*openfgav1.TupleKey{
newResourceTuple("user:1", "read", dashboardGroup, dashboardResource, "1"),
newNamespaceResourceTuple("user:2", "read", dashboardGroup, dashboardResource),
newResourceTuple("user:3", "view", dashboardGroup, dashboardResource, "1"),
newFolderResourceTuple("user:4", "read", dashboardGroup, dashboardResource, "1"),
newFolderResourceTuple("user:4", "read", dashboardGroup, dashboardResource, "3"),
newFolderResourceTuple("user:5", "view", dashboardGroup, dashboardResource, "1"),
newFolderTuple("user:6", "read", "1"),
newNamespaceResourceTuple("user:7", "read", folderGroup, folderResource),
},
},
})
require.NoError(t, err)
return srv
}
func newResourceTuple(subject, relation, group, resource, name string) *openfgav1.TupleKey {
return &openfgav1.TupleKey{
User: subject,
Relation: relation,
Object: newResourceIdent(group, resource, name),
Condition: &openfgav1.RelationshipCondition{
Name: "group_filter",
Context: &structpb.Struct{
Fields: map[string]*structpb.Value{
"resource_group": structpb.NewStringValue(formatGroupResource(group, resource)),
},
},
},
}
}
func newFolderResourceTuple(subject, relation, group, resource, folder string) *openfgav1.TupleKey {
return &openfgav1.TupleKey{
User: subject,
Relation: relation,
Object: newFolderResourceIdent(group, resource, folder),
Condition: &openfgav1.RelationshipCondition{
Name: "group_filter",
Context: &structpb.Struct{
Fields: map[string]*structpb.Value{
"resource_group": structpb.NewStringValue(formatGroupResource(group, resource)),
},
},
},
}
}
func newNamespaceResourceTuple(subject, relation, group, resource string) *openfgav1.TupleKey {
return &openfgav1.TupleKey{
User: subject,
Relation: relation,
Object: newNamespaceResourceIdent(group, resource),
}
}
func newFolderTuple(subject, relation, name string) *openfgav1.TupleKey {
return &openfgav1.TupleKey{
User: subject,
Relation: relation,
Object: newTypedIdent("folder2", name),
}
}

7
pkg/services/authz/zanzana/store/store.go
View File

@@ -113,6 +113,13 @@ func parseConfig(cfg *setting.Cfg, logger log.Logger) (*sqlstore.DatabaseConfig,
}
func sqliteConnectionString(v string) string {
// handle test setup by replacing grafana-test with zanzana-test
if strings.Contains(v, "grafana-test/grafana-test") {
name := v[strings.LastIndex(v, "/")+1:]
name = strings.Replace(name, "grafana-test", "zanzana-test", 1)
return v[0:strings.LastIndex(v, "/")+1] + name
}
// hardcode zanzana.db for now
return v[0:strings.LastIndex(v, "/")+1] + "zanzana.db"
}