apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53250 Commits
1672 Branches
645 Tags
2.2 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 5a30e12a10
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5a30e12a10'
${ noResults }
grafana/pkg/registry/apis/datasource/authorizer.go

82 lines
2.5 KiB
Raw Blame History

package datasource
import (
"context"
"fmt"
"k8s.io/apiserver/pkg/authorization/authorizer"
"github.com/grafana/grafana/pkg/apimachinery/identity"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/datasources"
)
func (b *DataSourceAPIBuilder) GetAuthorizer() authorizer.Authorizer {
return authorizer.AuthorizerFunc(
func(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
if !attr.IsResourceRequest() {
return authorizer.DecisionNoOpinion, "", nil
}
user, err := identity.GetRequester(ctx)
if err != nil {
return authorizer.DecisionDeny, "valid user is required", err
}
uidScope := datasources.ScopeProvider.GetResourceScopeUID(attr.GetName())
// Must have query access to see a connection
if attr.GetResource() == b.connectionResourceInfo.GroupResource().Resource {
scopes := []string{}
if attr.GetName() != "" {
scopes = []string{uidScope}
}
ok, err := b.accessControl.Evaluate(ctx, user, ac.EvalPermission(datasources.ActionQuery, scopes...))
if !ok || err != nil {
return authorizer.DecisionDeny, "unable to query", err
}
if attr.GetSubresource() == "proxy" {
return authorizer.DecisionDeny, "TODO: map the plugin settings to access rules", err
}
return authorizer.DecisionAllow, "", nil
}
// Must have query access to see a connection
action := "" // invalid
switch attr.GetVerb() {
case "list":
ok, err := b.accessControl.Evaluate(ctx, user,
ac.EvalPermission(datasources.ActionRead)) // Can see any datasource values
if !ok || err != nil {
return authorizer.DecisionDeny, "unable to read", err
}
return authorizer.DecisionAllow, "", nil
case "get":
action = datasources.ActionRead
case "create":
action = datasources.ActionWrite
case "post":
fallthrough
case "update":
fallthrough
case "patch":
fallthrough
case "put":
action = datasources.ActionWrite
case "delete":
action = datasources.ActionDelete
default:
//b.log.Info("unknown verb", "verb", attr.GetVerb())
return authorizer.DecisionDeny, "unsupported verb", nil // Unknown verb
}
ok, err := b.accessControl.Evaluate(ctx, user,
ac.EvalPermission(action, uidScope))
if !ok || err != nil {
return authorizer.DecisionDeny, fmt.Sprintf("unable to %s", action), nil
}
return authorizer.DecisionAllow, "", nil
})
}