remove the NamespaceAuthorizer
The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
parent
4a03ed7d7d
commit
ffdc301718
@ -1,30 +0,0 @@
|
||||
package grpcutils
|
||||
|
||||
import (
|
||||
authzlib "github.com/grafana/authlib/authz"
|
||||
"github.com/grafana/authlib/claims"
|
||||
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
func NewNamespaceAuthorizer(cfg *setting.Cfg) authzlib.AuthorizeFunc {
|
||||
var na authzlib.NamespaceAccessChecker
|
||||
|
||||
if cfg.StackID != "" {
|
||||
na = authzlib.NewNamespaceAccessChecker(
|
||||
claims.CloudNamespaceFormatter,
|
||||
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
|
||||
)
|
||||
} else {
|
||||
na = authzlib.NewNamespaceAccessChecker(
|
||||
claims.OrgNamespaceFormatter,
|
||||
authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
|
||||
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
|
||||
)
|
||||
}
|
||||
|
||||
return authzlib.NamespaceAuthorizationFunc(
|
||||
na,
|
||||
authzlib.MetadataNamespaceExtractor(authzlib.DefaultNamespaceMetadataKey),
|
||||
)
|
||||
}
|
@ -6,7 +6,6 @@ import (
|
||||
"net"
|
||||
"time"
|
||||
|
||||
authzlib "github.com/grafana/authlib/authz"
|
||||
"github.com/grafana/dskit/instrument"
|
||||
"github.com/grafana/dskit/middleware"
|
||||
"github.com/grafana/grafana-plugin-sdk-go/backend"
|
||||
@ -19,7 +18,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||
"github.com/grafana/grafana/pkg/registry"
|
||||
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/grpcserver/interceptors"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
@ -71,8 +69,6 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
|
||||
}
|
||||
}
|
||||
|
||||
namespaceAuthz := grpcutils.NewNamespaceAuthorizer(cfg)
|
||||
|
||||
// Default auth is admin token check, but this can be overridden by
|
||||
// services which implement ServiceAuthFuncOverride interface.
|
||||
// See https://github.com/grpc-ecosystem/go-grpc-middleware/blob/main/interceptors/auth/auth.go#L30.
|
||||
@ -80,14 +76,12 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
|
||||
grpc.StatsHandler(otelgrpc.NewServerHandler()),
|
||||
grpc.ChainUnaryInterceptor(
|
||||
grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
|
||||
authzlib.UnaryAuthorizeInterceptor(namespaceAuthz),
|
||||
interceptors.LoggingUnaryInterceptor(s.cfg, s.logger), // needs to be registered after tracing interceptor to get trace id
|
||||
middleware.UnaryServerInstrumentInterceptor(grpcRequestDuration),
|
||||
),
|
||||
grpc.ChainStreamInterceptor(
|
||||
interceptors.TracingStreamInterceptor(tracer),
|
||||
grpcAuth.StreamServerInterceptor(authenticator.Authenticate),
|
||||
authzlib.StreamAuthorizeInterceptor(namespaceAuthz),
|
||||
middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
|
||||
),
|
||||
}
|
||||
|
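Review bot: In the last hunk the chains now go from `grpcAuth.UnaryServerInterceptor(authenticator.Authenticate)` and `grpcAuth.StreamServerInterceptor(authenticator.Authenticate)` straight to logging and instrumentation, so nothing at the interceptor level compares the caller's namespace with the one in the request metadata. This assumes the two `authzlib` interceptor lines are the ones removed, as the hunk counts and the commit title suggest. The description says the authorizer failed only in legacy mode, but the removal is unconditional, so the deployments that took the `cfg.StackID != ""` branch of the deleted `NewNamespaceAuthorizer` lose the check as well. Unless every registered service enforces namespace access itself, consider keeping the interceptor for the non-legacy case, or at least mark the removal site with something like `// TODO: re-add the namespace authorization interceptor once it works in legacy mode; until then each service must enforce namespace access itself`. ProvideService begins and ends outside the visible hunks, so whether a per-service check exists cannot be confirmed from this page.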