skip auth check when server is running in insecure mode (#107820)

* skip auth check when server is running in insecure mode * add some useful logs * lint
4 days ago · a0085b6cab
parent 9c15662cf6
commit a0085b6cab
7 changed files with 17 additions and 6 deletions
--- a/pkg/services/authz/zanzana.go
+++ b/pkg/services/authz/zanzana.go
@ -234,6 +234,9 @@ func (z *Zanzana) running(ctx context.Context) error {
 				z.logger.Error("failed to create OpenFGA HTTP server", "error", err)
 			} else {
 				z.logger.Info("Starting OpenFGA HTTP server")
+				if z.cfg.ZanzanaServer.AllowInsecure {
+					z.logger.Warn("Allowing unauthenticated connections!")
+				}
 				if err := srv.ListenAndServe(); err != nil {
 					z.logger.Error("failed to start OpenFGA HTTP server", "error", err)
 				}
--- a/pkg/services/authz/zanzana/server/auth.go
+++ b/pkg/services/authz/zanzana/server/auth.go
@ -3,13 +3,21 @@ package server
 import (
 	"context"

+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/setting"
+
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"

 	claims "github.com/grafana/authlib/types"
 )

-func authorize(ctx context.Context, namespace string) error {
+func authorize(ctx context.Context, namespace string, ss setting.ZanzanaServerSettings) error {
+	logger := log.New("zanzana.server.auth")
+	if ss.AllowInsecure {
+		logger.Debug("AllowInsecure=true; skipping authorization check")
+		return nil
+	}
 	c, ok := claims.AuthInfoFrom(ctx)
 	if !ok {
 		return status.Errorf(codes.Unauthenticated, "unauthenticated")
--- a/pkg/services/authz/zanzana/server/server_batch_check.go
+++ b/pkg/services/authz/zanzana/server/server_batch_check.go
@ -14,7 +14,7 @@ func (s *Server) BatchCheck(ctx context.Context, r *authzextv1.BatchCheckRequest
 	ctx, span := s.tracer.Start(ctx, "server.BatchCheck")
 	defer span.End()

-	if err := authorize(ctx, r.GetNamespace()); err != nil {
+	if err := authorize(ctx, r.GetNamespace(), s.cfg); err != nil {
 		return nil, err
 	}

--- a/pkg/services/authz/zanzana/server/server_check.go
+++ b/pkg/services/authz/zanzana/server/server_check.go
@ -30,7 +30,7 @@ func (s *Server) Check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.C
 }

 func (s *Server) check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.CheckResponse, error) {
-	if err := authorize(ctx, r.GetNamespace()); err != nil {
+	if err := authorize(ctx, r.GetNamespace(), s.cfg); err != nil {
 		return nil, err
 	}

--- a/pkg/services/authz/zanzana/server/server_list.go
+++ b/pkg/services/authz/zanzana/server/server_list.go
@ -33,7 +33,7 @@ func (s *Server) List(ctx context.Context, r *authzv1.ListRequest) (*authzv1.Lis
 }

 func (s *Server) list(ctx context.Context, r *authzv1.ListRequest) (*authzv1.ListResponse, error) {
-	if err := authorize(ctx, r.GetNamespace()); err != nil {
+	if err := authorize(ctx, r.GetNamespace(), s.cfg); err != nil {
 		return nil, err
 	}

--- a/pkg/services/authz/zanzana/server/server_read.go
+++ b/pkg/services/authz/zanzana/server/server_read.go
@ -25,7 +25,7 @@ func (s *Server) Read(ctx context.Context, req *authzextv1.ReadRequest) (*authze
 }

 func (s *Server) read(ctx context.Context, req *authzextv1.ReadRequest) (*authzextv1.ReadResponse, error) {
-	if err := authorize(ctx, req.GetNamespace()); err != nil {
+	if err := authorize(ctx, req.GetNamespace(), s.cfg); err != nil {
 		return nil, err
 	}

--- a/pkg/services/authz/zanzana/server/server_write.go
+++ b/pkg/services/authz/zanzana/server/server_write.go
@ -25,7 +25,7 @@ func (s *Server) Write(ctx context.Context, req *authzextv1.WriteRequest) (*auth
 }

 func (s *Server) write(ctx context.Context, req *authzextv1.WriteRequest) (*authzextv1.WriteResponse, error) {
-	if err := authorize(ctx, req.GetNamespace()); err != nil {
+	if err := authorize(ctx, req.GetNamespace(), s.cfg); err != nil {
 		return nil, err
 	}