K8s: Add integration test infra, and fix authz patterns (#77218)

2025-02-25 18:55:37 -06:00 · 2023-10-26 10:02:33 -07:00
parent 9a0af13dbc
commit c122ffc72b
8 changed files with 398 additions and 8 deletions
--- a/pkg/services/grafana-apiserver/auth/authorizer/org/org_id.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/org/org_id.go
@@ -48,7 +48,7 @@ func (auth OrgIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut

 	// Quick check that the same org is used
 	if signedInUser.OrgID == info.OrgID {
-		return authorizer.DecisionAllow, "", nil
+		return authorizer.DecisionNoOpinion, "", nil
 	}

 	// Check if the user has access to the specified org
@@ -60,7 +60,7 @@ func (auth OrgIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut

 	for _, org := range result {
 		if org.OrgID == info.OrgID {
-			return authorizer.DecisionAllow, "", nil
+			return authorizer.DecisionNoOpinion, "", nil
 		}
 	}

--- a/pkg/services/grafana-apiserver/auth/authorizer/org/org_role.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/org/org_role.go
@@ -28,25 +28,25 @@ func (auth OrgRoleAuthorizer) Authorize(ctx context.Context, a authorizer.Attrib

 	switch signedInUser.OrgRole {
 	case org.RoleAdmin:
-		return authorizer.DecisionAllow, "", nil
+		return authorizer.DecisionNoOpinion, "", nil
 	case org.RoleEditor:
 		switch a.GetVerb() {
 		case "get", "list", "watch", "create", "update", "patch", "delete", "put", "post":
-			return authorizer.DecisionAllow, "", nil
+			return authorizer.DecisionNoOpinion, "", nil
 		default:
 			return authorizer.DecisionDeny, errorMessageForGrafanaOrgRole(string(signedInUser.OrgRole), a), nil
 		}
 	case org.RoleViewer:
 		switch a.GetVerb() {
 		case "get", "list", "watch":
-			return authorizer.DecisionAllow, "", nil
+			return authorizer.DecisionNoOpinion, "", nil
 		default:
 			return authorizer.DecisionDeny, errorMessageForGrafanaOrgRole(string(signedInUser.OrgRole), a), nil
 		}
 	case org.RoleNone:
 		return authorizer.DecisionDeny, errorMessageForGrafanaOrgRole(string(signedInUser.OrgRole), a), nil
 	}
-	return authorizer.DecisionNoOpinion, "", nil
+	return authorizer.DecisionDeny, "", nil
 }

 func errorMessageForGrafanaOrgRole(grafanaOrgRole string, a authorizer.Attributes) string {
--- a/pkg/services/grafana-apiserver/auth/authorizer/provider.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/provider.go
@@ -28,7 +28,11 @@ func ProvideAuthorizer(
 		authorizers = append(authorizers, orgIDAuthorizer)
 	}

-	authorizers = append(authorizers, orgRoleAuthorizer)
+	authorizers = append(authorizers,
+		orgRoleAuthorizer,

+		// Add this last so that if nothing says authorizer.DecisionDeny, it will pass
+		authorizerfactory.NewAlwaysAllowAuthorizer(),
+	)
 	return union.New(authorizers...)
 }
--- a/pkg/services/grafana-apiserver/auth/authorizer/stack/stack_id.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/stack/stack_id.go
@@ -52,5 +52,5 @@ func (auth StackIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attrib
 		return authorizer.DecisionDeny, "user must be in org 1", nil
 	}

-	return authorizer.DecisionAllow, "", nil
+	return authorizer.DecisionNoOpinion, "", nil
 }