K8s: Ensure there is always a user in appcontext.User (#78247)

fix/0.28-example-apiserver
Ryan McKinley 2 years ago committed by GitHub
parent 768fde02aa
commit 71f32d4e19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 24
      pkg/infra/appcontext/user.go
  2. 9
      pkg/services/grafana-apiserver/auth/authorizer/provider.go

@ -4,6 +4,10 @@ import (
"context"
"fmt"
k8suser "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/endpoints/request"
"github.com/grafana/grafana/pkg/models/roletype"
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
grpccontext "github.com/grafana/grafana/pkg/services/grpcserver/context"
@ -38,6 +42,26 @@ func User(ctx context.Context) (*user.SignedInUser, error) {
return c.SignedInUser, nil
}
// Find the kubernetes user info
k8sUserInfo, ok := request.UserFrom(ctx)
if ok {
for _, group := range k8sUserInfo.GetGroups() {
switch group {
case k8suser.APIServerUser:
fallthrough
case k8suser.SystemPrivilegedGroup:
return &user.SignedInUser{
UserID: 1,
OrgID: 1,
Name: k8sUserInfo.GetName(),
Login: k8sUserInfo.GetName(),
OrgRole: roletype.RoleAdmin,
IsGrafanaAdmin: true,
}, nil
}
}
}
return nil, fmt.Errorf("a SignedInUser was not found in the context")
}
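Review bot: The `case k8suser.APIServerUser:` arm in the group loop compares a group name against a constant that k8s.io/apiserver defines as a user name (`system:apiserver`, the loopback identity), not a group. As written it either never matches or hands `IsGrafanaAdmin: true` to any caller whose group list happens to contain that string. Consider keeping only `case k8suser.SystemPrivilegedGroup:` inside the loop and testing the name separately with `if k8sUserInfo.GetName() == k8suser.APIServerUser {` before it. The hard-coded `UserID: 1` and `OrgID: 1` also attribute every privileged Kubernetes caller to whichever Grafana account holds ID 1 in org 1, so a comment such as `// synthetic admin identity for system:masters; not tied to a real Grafana user` would make the audit-trail implication explicit. The body of `User` starts above this hunk, so the earlier lookup paths are not visible here.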

@ -1,9 +1,7 @@
package authorizer
import (
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union"
"github.com/grafana/grafana/pkg/services/grafana-apiserver/auth/authorizer/org"
@ -17,12 +15,7 @@ func ProvideAuthorizer(
stackIDAuthorizer *stack.StackIDAuthorizer,
cfg *setting.Cfg,
) authorizer.Authorizer {
authorizers := []authorizer.Authorizer{
// This will allow privileged uses to do anything.
// In development mode, a privileged user is configured and saved into:
// ${data}/grafana-apiserver/grafana.kubeconfig
authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup),
}
authorizers := []authorizer.Authorizer{}
// In Hosted grafana, the StackID replaces the orgID as a valid namespace
if cfg.StackID != "" {
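Review bot: Removing the `NewPrivilegedGroups` entry also removes the only comment explaining how privileged callers are authorized, and the new `authorizers := []authorizer.Authorizer{}` line has nothing in its place. Judging from the other file in this commit, `system:masters` callers now appear to be mapped to a Grafana admin in `appcontext.User` and must pass the remaining authorizers like any other user. A comment on the slice would record that, for example `// No privileged-group shortcut: system:masters is mapped to a Grafana admin in appcontext.User and evaluated by the authorizers below.` Stylistically, `var authorizers []authorizer.Authorizer` is the usual form for an empty slice that is only appended to. `ProvideAuthorizer` continues past this hunk, so whether the stack-ID and org authorizers accept the synthesized `OrgID: 1` user in hosted mode should be confirmed.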
