ExtJwt: don't log verify errors as they spam for grafana-agent (#90351)

* ExtJwt: don't log verify errors as they spam for grafana-agent * remove dead code * revert unintended change * revert unintended change
1 year ago · 4abb4d1662
parent d2bc4f3255
commit 4abb4d1662
3 changed files with 44 additions and 42 deletions
--- a/pkg/apiserver/endpoints/filters/requester.go
+++ b/pkg/apiserver/endpoints/filters/requester.go
@ -16,54 +16,57 @@ func WithRequester(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		requester, err := identity.GetRequester(ctx)
-		if err != nil {
-			// Find the kubernetes user info
-			info, ok := request.UserFrom(ctx)
-			if ok {
-				if info.GetName() == user.Anonymous {
-					requester = &identity.StaticRequester{
-						Namespace:   identity.NamespaceAnonymous,
-						Name:        info.GetName(),
-						Login:       info.GetName(),
-						Permissions: map[int64]map[string][]string{},
-					}
+		if err == nil {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		// Find the kubernetes user info
+		info, ok := request.UserFrom(ctx)
+		if ok {
+			if info.GetName() == user.Anonymous {
+				requester = &identity.StaticRequester{
+					Namespace:   identity.NamespaceAnonymous,
+					Name:        info.GetName(),
+					Login:       info.GetName(),
+					Permissions: map[int64]map[string][]string{},
 				}
+			}

-				if info.GetName() == user.APIServerUser ||
-					slices.Contains(info.GetGroups(), user.SystemPrivilegedGroup) {
-					orgId := int64(1)
-					requester = &identity.StaticRequester{
-						Namespace: identity.NamespaceServiceAccount, // system:apiserver
-						UserID:    1,
-						OrgID:     orgId,
-						Name:      info.GetName(),
-						Login:     info.GetName(),
-						OrgRole:   identity.RoleAdmin,
+			if info.GetName() == user.APIServerUser ||
+				slices.Contains(info.GetGroups(), user.SystemPrivilegedGroup) {
+				orgId := int64(1)
+				requester = &identity.StaticRequester{
+					Namespace: identity.NamespaceServiceAccount, // system:apiserver
+					UserID:    1,
+					OrgID:     orgId,
+					Name:      info.GetName(),
+					Login:     info.GetName(),
+					OrgRole:   identity.RoleAdmin,

-						IsGrafanaAdmin:             true,
-						AllowedKubernetesNamespace: "default",
+					IsGrafanaAdmin:             true,
+					AllowedKubernetesNamespace: "default",

-						Permissions: map[int64]map[string][]string{
-							orgId: {
-								"*": {"*"}, // all resources, all scopes
+					Permissions: map[int64]map[string][]string{
+						orgId: {
+							"*": {"*"}, // all resources, all scopes

-								// Dashboards do not support wildcard action
-								// dashboards.ActionDashboardsRead:   {"*"},
-								// dashboards.ActionDashboardsCreate: {"*"},
-								// dashboards.ActionDashboardsWrite:  {"*"},
-								// dashboards.ActionDashboardsDelete: {"*"},
-								// dashboards.ActionFoldersCreate:    {"*"},
-								// dashboards.ActionFoldersRead:      {dashboards.ScopeFoldersAll}, // access to read all folders
-							},
+							// Dashboards do not support wildcard action
+							// dashboards.ActionDashboardsRead:   {"*"},
+							// dashboards.ActionDashboardsCreate: {"*"},
+							// dashboards.ActionDashboardsWrite:  {"*"},
+							// dashboards.ActionDashboardsDelete: {"*"},
+							// dashboards.ActionFoldersCreate:    {"*"},
+							// dashboards.ActionFoldersRead:      {dashboards.ScopeFoldersAll}, // access to read all folders
 						},
-					}
+					},
 				}
+			}

-				if requester != nil {
-					req = req.WithContext(identity.WithRequester(ctx, requester))
-				} else {
-					klog.V(5).Info("unable to map the k8s user to grafana requester", "user", info)
-				}
+			if requester != nil {
+				req = req.WithContext(identity.WithRequester(ctx, requester))
+			} else {
+				klog.V(5).Info("unable to map the k8s user to grafana requester", "user", info)
 			}
 		}
 		handler.ServeHTTP(w, req)
--- a/pkg/services/apiserver/builder/helper.go
+++ b/pkg/services/apiserver/builder/helper.go
@ -102,6 +102,7 @@ func SetupConfig(

 		// Needs to run last in request chain to function as expected, hence we register it first.
 		handler := filters.WithTracingHTTPLoggingAttributes(requestHandler)
+		// filters.WithRequester needs to be after the K8s chain because it depends on the K8s user in context
 		handler = filters.WithRequester(handler)
 		handler = genericapiserver.DefaultBuildHandlerChain(handler, c)

--- a/pkg/services/authn/clients/ext_jwt.go
+++ b/pkg/services/authn/clients/ext_jwt.go
@ -74,7 +74,6 @@ func (s *ExtendedJWT) Authenticate(ctx context.Context, r *authn.Request) (*auth

 	claims, err := s.accessTokenVerifier.Verify(ctx, jwtToken)
 	if err != nil {
-		s.log.Error("Failed to verify access token", "error", err)
 		return nil, errExtJWTInvalid.Errorf("failed to verify access token: %w", err)
 	}

@ -82,7 +81,6 @@ func (s *ExtendedJWT) Authenticate(ctx context.Context, r *authn.Request) (*auth
 	if idToken != "" {
 		idTokenClaims, err := s.idTokenVerifier.Verify(ctx, idToken)
 		if err != nil {
-			s.log.Error("Failed to verify id token", "error", err)
 			return nil, errExtJWTInvalid.Errorf("failed to verify id token: %w", err)
 		}