From aa0f8caa350eed959e79f62bc0dbfa278908a13b Mon Sep 17 00:00:00 2001
From: Eric Leijonmarck
Date: Fri, 18 Jul 2025 16:40:34 +0200
Subject: [PATCH] `Authorizer`: rename and enforce only once for `NewGrafanaAuthorizer` (#108294)
* renaming of GrafanaAuthorizer to make it less confusing
* enforce only once by runtime
* comment only
---
 pkg/services/apiserver/auth/authorizer/authorizer.go | 5 +++--
 pkg/services/apiserver/service.go | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/services/apiserver/auth/authorizer/authorizer.go b/pkg/services/apiserver/auth/authorizer/authorizer.go
index b41849df347..54ea8c081d7 100644
--- a/pkg/services/apiserver/auth/authorizer/authorizer.go
+++ b/pkg/services/apiserver/auth/authorizer/authorizer.go
@@ -18,7 +18,8 @@ type GrafanaAuthorizer struct {
 auth authorizer.Authorizer
 }
 
-// NewGrafanaAuthorizer returns an authorizer configured for a grafana instance.
+// NewGrafanaBuiltInSTAuthorizer returns an authorizer configured for a grafana instance.
+// should not be used anywhere except for ST builtin Grafana
 // This authorizer is a chain of smaller authorizers that together form the decision if
 // access should be granted.
 // 1. We deny all impersonate request.
@@ -28,7 +29,7 @@ type GrafanaAuthorizer struct {
 // 4. We check authorizer that is configured speficially for an api.
 // 5. As a last fallback we check Role, this will only happen if an api have not configured
 // an authorizer or return authorizer.DecisionNoOpinion
-func NewGrafanaAuthorizer(cfg *setting.Cfg) *GrafanaAuthorizer {
+func NewGrafanaBuiltInSTAuthorizer(cfg *setting.Cfg) *GrafanaAuthorizer {
 authorizers := []authorizer.Authorizer{
 newImpersonationAuthorizer(),
 authorizerfactory.NewPrivilegedGroups(k8suser.SystemPrivilegedGroup),
diff --git a/pkg/services/apiserver/service.go b/pkg/services/apiserver/service.go
index 52c8ad568b7..5feffe4697b 100644
--- a/pkg/services/apiserver/service.go
+++ b/pkg/services/apiserver/service.go
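Review bot: In pkg/services/apiserver/auth/authorizer/authorizer.go, the added doc line `// should not be used anywhere except for ST builtin Grafana` is the only restriction on this constructor. The commit message says "enforce only once by runtime", yet the diffstat's 4 insertions and 3 deletions are fully accounted for by the rename and this comment, so nothing in the change prevents a second call site from building another chain with the role fallback. If the single-use guarantee matters for the authorization decision, back it with a guard in the constructor or a test that fails when a second caller appears. The comment should also expand "ST" and give the reason, for example `// It must only be called by the built-in single-tenant (ST) Grafana API server; other API servers must configure their own authorizer.`, assuming ST stands for single-tenant. The function body continues outside the hunk.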
@@ -138,7 +138,7 @@ func ProvideService(
 rr: rr,
 stopCh: make(chan struct{}),
 builders: []builder.APIGroupBuilder{},
- authorizer: authorizer.NewGrafanaAuthorizer(cfg),
+ authorizer: authorizer.NewGrafanaBuiltInSTAuthorizer(cfg),
 tracing: tracing,
 db: db, // For Unified storage
 metrics: reg,