apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57201 Commits
2158 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: 16fda6f686
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '16fda6f686'
${ noResults }
grafana/pkg/services/authn/authnimpl/sync/access_claims.go

33 lines
962 B
Raw Normal View History Unescape

Authz: Setup access claims for service identity (#100986) * Setup access claims for service identity and add them to identityes without any claims
4 months ago
package sync
import (
"context"
authnlib "github.com/grafana/authlib/authn"
"github.com/grafana/grafana/pkg/apimachinery/identity"
"github.com/grafana/grafana/pkg/services/authn"
)
func NewAccessClaimsSync() AccessClaimsSync {
return AccessClaimsSync{}
}
type AccessClaimsSync struct{}
func AccessClaimsHook(ctx context.Context, id *authn.Identity, _ *authn.Request) error {
if id.AccessTokenClaims == nil {
// When normal authencation flows are used withint grafana we don't have any access token e.g. using user
// session. This makes it impossible to authorize using AccessClient because we don't have any access claims
// with deletegated permissions. To get around this we use the hardcoded delegated
// permissions.
id.AccessTokenClaims = &authnlib.Claims[authnlib.AccessTokenClaims]{
Rest: authnlib.AccessTokenClaims{
DelegatedPermissions: identity.ServiceIdentityClaims.Rest.DelegatedPermissions,
},
}
}
return nil
}