K8s: Prevent the use of arbitrary namespaces (#83636)

Todd Treece 2024-05-08 12:30:08 -04:00 committed by GitHub
parent 9d8507cded
commit de438eae2e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 8 additions and 4 deletions


@ -37,11 +37,15 @@ func (auth orgIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut
return authorizer.DecisionDeny, fmt.Sprintf("error reading namespace: %v", err), nil
}
// No opinion when the namespace is arbitrary
if info.OrgID == -1 {
// No opinion when the namespace is empty
if info.Value == "" {
return authorizer.DecisionNoOpinion, "", nil
}
if info.OrgID == -1 {
return authorizer.DecisionDeny, "org id is required", nil
}
if info.StackID != "" {
return authorizer.DecisionDeny, "using a stack namespace requires deployment with a fixed stack id", nil
}
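Review bot: The new `if info.OrgID == -1` deny branch depends on a bare sentinel, and the only hint at its meaning (the old "namespace is arbitrary" comment) is removed by this change. I would add a comment above it such as `// OrgID is -1 when the namespace does not resolve to an org (arbitrary namespace); deny here so the request cannot fall through to a later authorizer`. The empty-namespace branch still returns DecisionNoOpinion, so those requests are decided entirely by the authorizers that run after this one, which is worth stating in its comment as well. The page lists only two changed files, so apparently no test pins the new result; a case that passes an arbitrary namespace and asserts DecisionDeny would guard this path. Authorize begins and continues outside the hunk.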


@ -37,8 +37,8 @@ func (auth stackIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attrib
return authorizer.DecisionDeny, fmt.Sprintf("error reading namespace: %v", err), nil
}
// No opinion when the namespace is arbitrary
if info.OrgID == -1 {
// No opinion when the namespace is empty
if info.Value == "" {
return authorizer.DecisionNoOpinion, "", nil
}
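Review bot: In stackIDAuthorizer the `info.OrgID == -1` branch is replaced by the empty-namespace check, but unlike the orgIDAuthorizer change no explicit Deny for an arbitrary namespace is added in the visible lines. Whether such a namespace is rejected now depends on the checks after this hunk, which are not shown; if they only compare `info.StackID` with the configured stack id, that should be confirmed to cover a namespace that is neither empty nor a stack namespace. I would make the intent explicit with a comment after the NoOpinion return, for example `// Only an empty namespace defers to other authorizers; any non-stack namespace must be denied below`, and add a test case asserting DecisionDeny for an arbitrary namespace on this authorizer.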