apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57182 Commits
6009 Branches
596 Tags
1.8 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 55aaf4aac0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '55aaf4aac0'
${ noResults }
grafana/pkg/services/authz/rbac.go

208 lines
6.3 KiB
Raw Blame History

package authz
import (
"context"
"errors"
"fmt"
"net/http"
"time"
"github.com/fullstorydev/grpchan/inprocgrpc"
grpcAuth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
"github.com/prometheus/client_golang/prometheus"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
"k8s.io/client-go/rest"
authnlib "github.com/grafana/authlib/authn"
authzlib "github.com/grafana/authlib/authz"
authzv1 "github.com/grafana/authlib/authz/proto/v1"
"github.com/grafana/authlib/cache"
authlib "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/registry/apis/iam/legacy"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/apiserver"
"github.com/grafana/grafana/pkg/services/authz/rbac"
"github.com/grafana/grafana/pkg/services/authz/rbac/store"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/grpcserver"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/storage/legacysql"
)
// `authzService` is hardcoded in authz-service
const authzServiceAudience = "authzService"
// ProvideAuthZClient provides an AuthZ client and creates the AuthZ service.
func ProvideAuthZClient(
cfg *setting.Cfg,
features featuremgmt.FeatureToggles,
grpcServer grpcserver.Provider,
tracer tracing.Tracer,
reg prometheus.Registerer,
db db.DB,
acService accesscontrol.Service,
) (authlib.AccessClient, error) {
authCfg, err := readAuthzClientSettings(cfg)
if err != nil {
return nil, err
}
if !features.IsEnabledGlobally(featuremgmt.FlagAuthZGRPCServer) && authCfg.mode == clientModeCloud {
return nil, errors.New("authZGRPCServer feature toggle is required for cloud and grpc mode")
}
switch authCfg.mode {
case clientModeCloud:
return newRemoteRBACClient(authCfg, tracer)
default:
sql := legacysql.NewDatabaseProvider(db)
// Register the server
server := rbac.NewService(
sql,
// When running in-proc we get a injection cycle between
// authz client, resource client and apiserver so we need to use
// package level function to get rest config
store.NewAPIFolderStore(tracer, apiserver.GetRestConfig),
legacy.NewLegacySQLStores(sql),
store.NewUnionPermissionStore(
store.NewStaticPermissionStore(acService),
store.NewSQLPermissionStore(sql, tracer),
),
log.New("authz-grpc-server"),
tracer,
reg,
cache.NewLocalCache(cache.Config{Expiry: 5 * time.Minute, CleanupInterval: 10 * time.Minute}),
)
channel := &inprocgrpc.Channel{}
channel.WithServerUnaryInterceptor(grpcAuth.UnaryServerInterceptor(func(ctx context.Context) (context.Context, error) {
ctx = authlib.WithAuthInfo(ctx, authnlib.NewAccessTokenAuthInfo(authnlib.Claims[authnlib.AccessTokenClaims]{
Rest: authnlib.AccessTokenClaims{
Namespace: "*",
},
}))
return ctx, nil
}))
authzv1.RegisterAuthzServiceServer(channel, server)
return newRBACClient(channel, tracer), nil
}
}
// ProvideStandaloneAuthZClient provides a standalone AuthZ client, without registering the AuthZ service.
// You need to provide a remote address in the configuration
func ProvideStandaloneAuthZClient(
cfg *setting.Cfg, features featuremgmt.FeatureToggles, tracer tracing.Tracer,
) (authlib.AccessClient, error) {
if !features.IsEnabledGlobally(featuremgmt.FlagAuthZGRPCServer) {
return nil, nil
}
authCfg, err := readAuthzClientSettings(cfg)
if err != nil {
return nil, err
}
return newRemoteRBACClient(authCfg, tracer)
}
func newRemoteRBACClient(clientCfg *authzClientSettings, tracer tracing.Tracer) (authlib.AccessClient, error) {
tokenClient, err := authnlib.NewTokenExchangeClient(authnlib.TokenExchangeConfig{
Token: clientCfg.token,
TokenExchangeURL: clientCfg.tokenExchangeURL,
})
if err != nil {
return nil, fmt.Errorf("failed to initialize token exchange client: %w", err)
}
conn, err := grpc.NewClient(
clientCfg.remoteAddress,
grpc.WithTransportCredentials(insecure.NewCredentials()),
grpc.WithPerRPCCredentials(
newGRPCTokenAuth(authzServiceAudience, clientCfg.tokenNamespace, tokenClient),
),
)
if err != nil {
return nil, fmt.Errorf("failed to create authz client to remote server: %w", err)
}
return newRBACClient(conn, tracer), nil
}
func newRBACClient(conn grpc.ClientConnInterface, tracer tracing.Tracer) authlib.AccessClient {
return authzlib.NewClient(
conn,
authzlib.WithCacheClientOption(cache.NewLocalCache(cache.Config{
Expiry: 30 * time.Second,
CleanupInterval: 2 * time.Minute,
})),
authzlib.WithTracerClientOption(tracer),
)
}
func RegisterRBACAuthZService(
handler grpcserver.Provider,
db legacysql.LegacyDatabaseProvider,
tracer tracing.Tracer,
reg prometheus.Registerer,
cache cache.Cache,
exchangeClient authnlib.TokenExchanger,
folderAPIURL string,
) {
var folderStore store.FolderStore
// FIXME: for now we default to using database read proxy for folders if the api url is not configured.
// we should remove this and the sql implementation once we have verified that is works correctly
if folderAPIURL == "" {
folderStore = store.NewSQLFolderStore(db, tracer)
} else {
folderStore = store.NewAPIFolderStore(tracer, func(ctx context.Context) *rest.Config {
return &rest.Config{
Host: folderAPIURL,
WrapTransport: func(rt http.RoundTripper) http.RoundTripper {
return &tokenExhangeRoundTripper{te: exchangeClient, rt: rt}
},
QPS: 50,
Burst: 100,
}
})
}
server := rbac.NewService(
db,
folderStore,
legacy.NewLegacySQLStores(db),
store.NewSQLPermissionStore(db, tracer),
log.New("authz-grpc-server"),
tracer,
reg,
cache,
)
srv := handler.GetServer()
authzv1.RegisterAuthzServiceServer(srv, server)
}
var _ http.RoundTripper = tokenExhangeRoundTripper{}
type tokenExhangeRoundTripper struct {
te authnlib.TokenExchanger
rt http.RoundTripper
}
func (t tokenExhangeRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
res, err := t.te.Exchange(r.Context(), authnlib.TokenExchangeRequest{
Namespace: "*",
Audiences: []string{"folder.grafana.app"},
})
if err != nil {
return nil, fmt.Errorf("create access token: %w", err)
}
r.Header.Set("X-Access-Token", "Bearer "+res.Token)
return t.rt.RoundTrip(r)
}