grafana/pkg/services/apiserver/auth/authorizer/stack_id.go

package authorizer

import (
	"context"
	"fmt"

	"github.com/grafana/grafana/pkg/apimachinery/identity"
	"github.com/grafana/grafana/pkg/infra/log"
	grafanarequest "github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
	"github.com/grafana/grafana/pkg/setting"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

var _ authorizer.Authorizer = &stackIDAuthorizer{}

type stackIDAuthorizer struct {
	log     log.Logger
	stackID string
}

func newStackIDAuthorizer(cfg *setting.Cfg) *stackIDAuthorizer {
	return &stackIDAuthorizer{
		log:     log.New("grafana-apiserver.authorizer.stackid"),
		stackID: cfg.StackID, // this lets a single tenant grafana validate stack id (rather than orgs)
	}
}

func (auth stackIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
	signedInUser, err := identity.GetRequester(ctx)
	if err != nil {
		return authorizer.DecisionDeny, fmt.Sprintf("error getting signed in user: %v", err), nil
	}

	info, err := grafanarequest.ParseNamespace(a.GetNamespace())
	if err != nil {
		return authorizer.DecisionDeny, fmt.Sprintf("error reading namespace: %v", err), nil
	}

	// No opinion when the namespace is empty
	if info.Value == "" {
		return authorizer.DecisionNoOpinion, "", nil
	}

	if info.StackID != auth.stackID {
		return authorizer.DecisionDeny, "wrong stack id is selected", nil
	}
	if info.OrgID != 1 {
		return authorizer.DecisionDeny, "cloud instance requires org 1", nil
	}
	if signedInUser.GetOrgID() != 1 {
		return authorizer.DecisionDeny, "user must be in org 1", nil
	}

	return authorizer.DecisionNoOpinion, "", nil
}
K8s: Refactor authorization initialization (#79670) 2 years ago			`package authorizer`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago
			`import (`
			`"context"`
			`"fmt"`

K8s: Improve identity mapping setup (#89450) 1 year ago			`"github.com/grafana/grafana/pkg/apimachinery/identity"`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`"github.com/grafana/grafana/pkg/infra/log"`
K8s: Refactor config/options for aggregation (#81739) 1 year ago			`grafanarequest "github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`"github.com/grafana/grafana/pkg/setting"`
Identity: extend k8s user.Info (#90937) 12 months ago			`"k8s.io/apiserver/pkg/authorization/authorizer"`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`)`

K8s: Refactor authorization initialization (#79670) 2 years ago			`var _ authorizer.Authorizer = &stackIDAuthorizer{}`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago
K8s: Refactor authorization initialization (#79670) 2 years ago			`type stackIDAuthorizer struct {`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`log log.Logger`
			`stackID string`
			`}`

K8s: Refactor authorization initialization (#79670) 2 years ago			`func newStackIDAuthorizer(cfg setting.Cfg) stackIDAuthorizer {`
			`return &stackIDAuthorizer{`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`log: log.New("grafana-apiserver.authorizer.stackid"),`
			`stackID: cfg.StackID, // this lets a single tenant grafana validate stack id (rather than orgs)`
			`}`
			`}`

K8s: Refactor authorization initialization (#79670) 2 years ago			`func (auth stackIDAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {`
K8s: Improve identity mapping setup (#89450) 1 year ago			`signedInUser, err := identity.GetRequester(ctx)`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`if err != nil {`
			`return authorizer.DecisionDeny, fmt.Sprintf("error getting signed in user: %v", err), nil`
			`}`

			`info, err := grafanarequest.ParseNamespace(a.GetNamespace())`
			`if err != nil {`
			`return authorizer.DecisionDeny, fmt.Sprintf("error reading namespace: %v", err), nil`
			`}`

K8s: Prevent the use of arbitrary namespaces (#83636) 1 year ago			`// No opinion when the namespace is empty`
			`if info.Value == "" {`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`return authorizer.DecisionNoOpinion, "", nil`
			`}`

			`if info.StackID != auth.stackID {`
			`return authorizer.DecisionDeny, "wrong stack id is selected", nil`
			`}`
			`if info.OrgID != 1 {`
			`return authorizer.DecisionDeny, "cloud instance requires org 1", nil`
			`}`
K8s: Improve identity mapping setup (#89450) 1 year ago			`if signedInUser.GetOrgID() != 1 {`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`return authorizer.DecisionDeny, "user must be in org 1", nil`
			`}`

K8s: Add integration test infra, and fix authz patterns (#77218) 2 years ago			`return authorizer.DecisionNoOpinion, "", nil`
K8s: Namespace parsing updates (default + stack-id) (#76310) Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com> 2 years ago			`}`