mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Chore: clean up access control for data sources (#73010)
* move DS guardian interfaces to OSS, move allow guardian to OSS * update codeowner file
This commit is contained in:
Ieva
GitHub
@@ -9,6 +9,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/infra/localcache"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
"github.com/grafana/grafana/pkg/services/datasources/guardian"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
)
|
||||
|
||||
@@ -16,12 +17,13 @@ const (
|
||||
DefaultCacheTTL = 5 * time.Second
|
||||
)
|
||||
|
||||
func ProvideCacheService(cacheService *localcache.CacheService, sqlStore db.DB) *CacheServiceImpl {
|
||||
func ProvideCacheService(cacheService *localcache.CacheService, sqlStore db.DB, dsGuardian guardian.DatasourceGuardianProvider) *CacheServiceImpl {
|
||||
return &CacheServiceImpl{
|
||||
logger: log.New("datasources"),
|
||||
cacheTTL: DefaultCacheTTL,
|
||||
CacheService: cacheService,
|
||||
SQLStore: sqlStore,
|
||||
dsGuardian: dsGuardian,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -30,6 +32,7 @@ type CacheServiceImpl struct {
|
||||
cacheTTL time.Duration
|
||||
CacheService *localcache.CacheService
|
||||
SQLStore db.DB
|
||||
dsGuardian guardian.DatasourceGuardianProvider
|
||||
}
|
||||
|
||||
func (dc *CacheServiceImpl) GetDatasource(
|
||||
@@ -44,6 +47,9 @@ func (dc *CacheServiceImpl) GetDatasource(
|
||||
if cached, found := dc.CacheService.Get(cacheKey); found {
|
||||
ds := cached.(*datasources.DataSource)
|
||||
if ds.OrgID == user.OrgID {
|
||||
if err := dc.canQuery(user, ds); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return ds, nil
|
||||
}
|
||||
}
|
||||
@@ -62,6 +68,11 @@ func (dc *CacheServiceImpl) GetDatasource(
|
||||
dc.CacheService.Set(uidKey(ds.OrgID, ds.UID), ds, time.Second*5)
|
||||
}
|
||||
dc.CacheService.Set(cacheKey, ds, dc.cacheTTL)
|
||||
|
||||
if err = dc.canQuery(user, ds); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return ds, nil
|
||||
}
|
||||
|
||||
@@ -83,6 +94,9 @@ func (dc *CacheServiceImpl) GetDatasourceByUID(
|
||||
if cached, found := dc.CacheService.Get(uidCacheKey); found {
|
||||
ds := cached.(*datasources.DataSource)
|
||||
if ds.OrgID == user.OrgID {
|
||||
if err := dc.canQuery(user, ds); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return ds, nil
|
||||
}
|
||||
}
|
||||
@@ -98,6 +112,11 @@ func (dc *CacheServiceImpl) GetDatasourceByUID(
|
||||
|
||||
dc.CacheService.Set(uidCacheKey, ds, dc.cacheTTL)
|
||||
dc.CacheService.Set(idKey(ds.ID), ds, dc.cacheTTL)
|
||||
|
||||
if err = dc.canQuery(user, ds); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return ds, nil
|
||||
}
|
||||
|
||||
@@ -108,3 +127,14 @@ func idKey(id int64) string {
|
||||
func uidKey(orgID int64, uid string) string {
|
||||
return fmt.Sprintf("ds-orgid-uid-%d-%s", orgID, uid)
|
||||
}
|
||||
|
||||
func (dc *CacheServiceImpl) canQuery(user *user.SignedInUser, ds *datasources.DataSource) error {
|
||||
guardian := dc.dsGuardian.New(user.OrgID, user, *ds)
|
||||
if canQuery, err := guardian.CanQuery(ds.ID); err != nil || !canQuery {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return datasources.ErrDataSourceAccessDenied
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user