Zanzana: revert cluster store for fixed roles (#100958)

* Zanzana: revert cluster store for fixed roles * update go workspace
3 months ago · fcb88f6ccc
parent 011726c80f
commit fcb88f6ccc
7 changed files with 6 additions and 51 deletions
--- a/pkg/services/accesscontrol/dualwrite/reconciler.go
+++ b/pkg/services/accesscontrol/dualwrite/reconciler.go
@ -35,8 +35,6 @@ type ZanzanaReconciler struct {
 	// reconcilers are migrations that tries to reconcile the state of grafana db to zanzana store.
 	// These are run periodically to try to maintain a consistent state.
 	reconcilers []resourceReconciler
-	// globalReconcilers are reconcilers that should only run for cluster namespace
-	globalReconcilers []resourceReconciler
 }

 func ProvideZanzanaReconciler(cfg *setting.Cfg, features featuremgmt.FeatureToggles, client zanzana.Client, store db.DB, lock *serverlock.ServerLockService, folderService folder.Service) *ZanzanaReconciler {
@ -96,8 +94,6 @@ func ProvideZanzanaReconciler(cfg *setting.Cfg, features featuremgmt.FeatureTogg
 				zanzanaCollector([]string{zanzana.RelationAssignee}),
 				client,
 			),
-		},
-		globalReconcilers: []resourceReconciler{
 			newResourceReconciler(
 				"fixed role pemissions",
 				fixedRolePermissionsCollector(store),
@ -148,15 +144,6 @@ func (r *ZanzanaReconciler) Reconcile(ctx context.Context) error {
 }

 func (r *ZanzanaReconciler) reconcile(ctx context.Context) {
-	runGlobal := func(ctx context.Context) {
-		for _, reconciler := range r.globalReconcilers {
-			r.log.Debug("Performing zanzana reconciliation", "reconciler", reconciler.name)
-			if err := reconciler.reconcile(ctx, zanzana.ClusterNamespace); err != nil {
-				r.log.Warn("Failed to perform reconciliation for resource", "err", err)
-			}
-		}
-	}
-
 	run := func(ctx context.Context, namespace string) {
 		now := time.Now()
 		r.log.Debug("Started reconciliation")
@ -192,7 +179,6 @@ func (r *ZanzanaReconciler) reconcile(ctx context.Context) {
 	}

 	if r.lock == nil {
-		runGlobal(ctx)
 		for _, ns := range namespaces {
 			run(ctx, ns)
 		}
@ -201,7 +187,6 @@ func (r *ZanzanaReconciler) reconcile(ctx context.Context) {

 	// We ignore the error for now
 	err := r.lock.LockExecuteAndRelease(ctx, "zanzana-reconciliation", 10*time.Hour, func(ctx context.Context) {
-		runGlobal(ctx)
 		for _, ns := range namespaces {
 			run(ctx, ns)
 		}
--- a/pkg/services/authz/zanzana/common/tuple.go
+++ b/pkg/services/authz/zanzana/common/tuple.go
@ -11,8 +11,6 @@ import (
 	authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
 )

-const ClusterNamespace = "cluster"
-
 const (
 	TypeUser           string = "user"
 	TypeServiceAccount string = "service-account"
--- a/pkg/services/authz/zanzana/server/server.go
+++ b/pkg/services/authz/zanzana/server/server.go
@ -78,11 +78,8 @@ func (s *Server) IsHealthy(ctx context.Context) (bool, error) {
 	return err == nil, nil
 }

-func (s *Server) getContextuals(ctx context.Context, subject string) (*openfgav1.ContextualTupleKeys, error) {
-	contextuals, err := s.getGlobalAuthorizationContext(ctx)
-	if err != nil {
-		return nil, err
-	}
+func (s *Server) getContextuals(subject string) (*openfgav1.ContextualTupleKeys, error) {
+	contextuals := make([]*openfgav1.TupleKey, 0)

 	if strings.HasPrefix(subject, common.TypeRenderService+":") {
 		contextuals = append(
@ -105,27 +102,3 @@ func (s *Server) getContextuals(ctx context.Context, subject string) (*openfgav1

 	return nil, nil
 }
-
-func (s *Server) getGlobalAuthorizationContext(ctx context.Context) ([]*openfgav1.TupleKey, error) {
-	const cacheKey = "global_authorization_context"
-	cached, found := s.cache.Get(cacheKey)
-	if found {
-		return cached.([]*openfgav1.TupleKey), nil
-	}
-
-	res, err := s.Read(ctx, &authzextv1.ReadRequest{
-		Namespace: common.ClusterNamespace,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	contextualTuples := make([]*openfgav1.TupleKey, 0, len(res.GetTuples()))
-	tuples := common.ToOpenFGATuples(res.GetTuples())
-	for _, t := range tuples {
-		contextualTuples = append(contextualTuples, t.GetKey())
-	}
-
-	s.cache.SetDefault(cacheKey, contextualTuples)
-	return contextualTuples, nil
-}
--- a/pkg/services/authz/zanzana/server/server_batch_check.go
+++ b/pkg/services/authz/zanzana/server/server_batch_check.go
@ -27,7 +27,7 @@ func (s *Server) BatchCheck(ctx context.Context, r *authzextv1.BatchCheckRequest
 		return nil, err
 	}

-	contextuals, err := s.getContextuals(ctx, r.GetSubject())
+	contextuals, err := s.getContextuals(r.GetSubject())
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/services/authz/zanzana/server/server_check.go
+++ b/pkg/services/authz/zanzana/server/server_check.go
@ -24,7 +24,7 @@ func (s *Server) Check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.C

 	relation := common.VerbMapping[r.GetVerb()]

-	contextuals, err := s.getContextuals(ctx, r.GetSubject())
+	contextuals, err := s.getContextuals(r.GetSubject())
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/services/authz/zanzana/server/server_list.go
+++ b/pkg/services/authz/zanzana/server/server_list.go
@ -27,7 +27,7 @@ func (s *Server) List(ctx context.Context, r *authzv1.ListRequest) (*authzv1.Lis
 		return nil, err
 	}

-	contextuals, err := s.getContextuals(ctx, r.GetSubject())
+	contextuals, err := s.getContextuals(r.GetSubject())
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/services/authz/zanzana/zanzana.go
+++ b/pkg/services/authz/zanzana/zanzana.go
@ -7,6 +7,7 @@ import (
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"

 	authlib "github.com/grafana/authlib/types"
+
 	"github.com/grafana/grafana/pkg/services/authz/zanzana/common"
 )

@ -58,8 +59,6 @@ const (
 	KindFolders    string = "folders"
 )

-var ClusterNamespace = common.ClusterNamespace
-
 var (
 	ToAuthzExtTupleKey                  = common.ToAuthzExtTupleKey
 	ToAuthzExtTupleKeys                 = common.ToAuthzExtTupleKeys