IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

remove the NamespaceAuthorizer

Browse Source 
The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
This commit is contained in:
Claudiu Dragalina-Paraipan 2024-10-14 18:37:22 +03:00
parent 4a03ed7d7d
commit ffdc301718
2 changed files with 0 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/services/authn/grpcutils/ns_authorizer.go
View File

@ -1,30 +0,0 @@
package grpcutils
import (
authzlib "github.com/grafana/authlib/authz"
"github.com/grafana/authlib/claims"
"github.com/grafana/grafana/pkg/setting"
)
func NewNamespaceAuthorizer(cfg *setting.Cfg) authzlib.AuthorizeFunc {
var na authzlib.NamespaceAccessChecker
if cfg.StackID != "" {
na = authzlib.NewNamespaceAccessChecker(
claims.CloudNamespaceFormatter,
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
)
} else {
na = authzlib.NewNamespaceAccessChecker(
claims.OrgNamespaceFormatter,
authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
)
}
return authzlib.NamespaceAuthorizationFunc(
na,
authzlib.MetadataNamespaceExtractor(authzlib.DefaultNamespaceMetadataKey),
)
}

6
pkg/services/grpcserver/service.go
View File

@ -6,7 +6,6 @@ import (
"net" "net"
"time" "time"
authzlib "github.com/grafana/authlib/authz"
"github.com/grafana/dskit/instrument" "github.com/grafana/dskit/instrument"
"github.com/grafana/dskit/middleware" "github.com/grafana/dskit/middleware"
"github.com/grafana/grafana-plugin-sdk-go/backend" "github.com/grafana/grafana-plugin-sdk-go/backend"
@ -19,7 +18,6 @@ import (
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing" "github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/registry" "github.com/grafana/grafana/pkg/registry"
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
"github.com/grafana/grafana/pkg/services/featuremgmt" "github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/grpcserver/interceptors" "github.com/grafana/grafana/pkg/services/grpcserver/interceptors"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
@ -71,8 +69,6 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
} }
} }
namespaceAuthz := grpcutils.NewNamespaceAuthorizer(cfg)
// Default auth is admin token check, but this can be overridden by // Default auth is admin token check, but this can be overridden by
// services which implement ServiceAuthFuncOverride interface. // services which implement ServiceAuthFuncOverride interface.
// See https://github.com/grpc-ecosystem/go-grpc-middleware/blob/main/interceptors/auth/auth.go#L30. // See https://github.com/grpc-ecosystem/go-grpc-middleware/blob/main/interceptors/auth/auth.go#L30.
@ -80,14 +76,12 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
grpc.StatsHandler(otelgrpc.NewServerHandler()), grpc.StatsHandler(otelgrpc.NewServerHandler()),
grpc.ChainUnaryInterceptor( grpc.ChainUnaryInterceptor(
grpcAuth.UnaryServerInterceptor(authenticator.Authenticate), grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
authzlib.UnaryAuthorizeInterceptor(namespaceAuthz),
interceptors.LoggingUnaryInterceptor(s.cfg, s.logger), // needs to be registered after tracing interceptor to get trace id interceptors.LoggingUnaryInterceptor(s.cfg, s.logger), // needs to be registered after tracing interceptor to get trace id
middleware.UnaryServerInstrumentInterceptor(grpcRequestDuration), middleware.UnaryServerInstrumentInterceptor(grpcRequestDuration),
), ),
grpc.ChainStreamInterceptor( grpc.ChainStreamInterceptor(
interceptors.TracingStreamInterceptor(tracer), interceptors.TracingStreamInterceptor(tracer),
grpcAuth.StreamServerInterceptor(authenticator.Authenticate), grpcAuth.StreamServerInterceptor(authenticator.Authenticate),
authzlib.StreamAuthorizeInterceptor(namespaceAuthz),
middleware.StreamServerInstrumentInterceptor(grpcRequestDuration), middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
), ),
} }