Use NamespaceAuthorizer

1 year ago · 6032ab3ae1
parent 601beb5327
commit 6032ab3ae1
2 changed files with 13 additions and 7 deletions
--- a/pkg/services/authn/grpcutils/namespace_checker.go
+++ b/pkg/services/authn/grpcutils/namespace_checker.go
@ -7,17 +7,24 @@ import (
 	"github.com/grafana/grafana/pkg/setting"
 )

-func NewNamespaceAccessChecker(cfg *setting.Cfg) authzlib.NamespaceAccessChecker {
+func NewNamespaceAuthorizer(cfg *setting.Cfg) authzlib.AuthorizeFunc {
+	var na authzlib.NamespaceAccessChecker
+
 	if cfg.StackID != "" {
-		return authzlib.NewNamespaceAccessChecker(
+		na = authzlib.NewNamespaceAccessChecker(
 			claims.CloudNamespaceFormatter,
 			authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
 		)
 	}

-	return authzlib.NewNamespaceAccessChecker(
+	na = authzlib.NewNamespaceAccessChecker(
 		claims.OrgNamespaceFormatter,
 		authzlib.WithDisableAccessTokenNamespaceAccessCheckerOption(),
 		authzlib.WithIDTokenNamespaceAccessCheckerOption(true),
 	)
+
+	return authzlib.NamespaceAuthorizationFunc(
+		na,
+		authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey),
+	)
 }
--- a/pkg/services/grpcserver/service.go
+++ b/pkg/services/grpcserver/service.go
@ -73,8 +73,7 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe

 	var opts []grpc.ServerOption

-	namespaceChecker := grpcutils.NewNamespaceAccessChecker(cfg)
-	stackIdExtractor := authzlib.MetadataStackIDExtractor(authzlib.DefaultStackIDMetadataKey)
+	namespaceAuthz := grpcutils.NewNamespaceAuthorizer(cfg)

 	// Default auth is admin token check, but this can be overridden by
 	// services which implement ServiceAuthFuncOverride interface.
@ -83,14 +82,14 @@ func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, authe
 		grpc.StatsHandler(otelgrpc.NewServerHandler()),
 		grpc.ChainUnaryInterceptor(
 			grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
-			authzlib.UnaryNamespaceAccessInterceptor(namespaceChecker, stackIdExtractor),
+			authzlib.UnaryAuthorizeInterceptor(namespaceAuthz),
 			interceptors.LoggingUnaryInterceptor(s.cfg, s.logger), // needs to be registered after tracing interceptor to get trace id
 			middleware.UnaryServerInstrumentInterceptor(grpcRequestDuration),
 		),
 		grpc.ChainStreamInterceptor(
 			interceptors.TracingStreamInterceptor(tracer),
 			grpcAuth.StreamServerInterceptor(authenticator.Authenticate),
-			authzlib.StreamNamespaceAccessInterceptor(namespaceChecker, stackIdExtractor),
+			authzlib.StreamAuthorizeInterceptor(namespaceAuthz),
 			middleware.StreamServerInstrumentInterceptor(grpcRequestDuration),
 		),
 	}...)