Revert "Apply plugin route ReqAction to ds_proxy authorization (#86466)" This reverts commit 53f94ac50dde7bc6c25f6a8254e85a2e8b1ae138.
@ -19,7 +19,6 @@ import (
|
|||||||
glog "github.com/grafana/grafana/pkg/infra/log"
|
glog "github.com/grafana/grafana/pkg/infra/log"
|
||||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||||
"github.com/grafana/grafana/pkg/plugins"
|
"github.com/grafana/grafana/pkg/plugins"
|
||||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
||||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||||
"github.com/grafana/grafana/pkg/services/datasources"
|
"github.com/grafana/grafana/pkg/services/datasources"
|
||||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||||
@ -305,8 +304,10 @@ func (proxy *DataSourceProxy) validateRequest() error {
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
if !proxy.hasAccessToRoute(route) {
|
if route.ReqRole.IsValid() {
|
||||||
return errors.New("plugin proxy route access denied")
|
if !proxy.ctx.HasUserRole(route.ReqRole) {
|
||||||
|
return errors.New("plugin proxy route access denied")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy.matchedRoute = route
|
proxy.matchedRoute = route
|
||||||
@ -329,22 +330,6 @@ func (proxy *DataSourceProxy) validateRequest() error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
|
|
||||||
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
|
|
||||||
if useRBAC {
|
|
||||||
routeEval := accesscontrol.EvalPermission(route.ReqAction)
|
|
||||||
ok := routeEval.Evaluate(proxy.ctx.GetPermissions())
|
|
||||||
if !ok {
|
|
||||||
proxy.ctx.Logger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path)
|
|
||||||
}
|
|
||||||
return ok
|
|
||||||
}
|
|
||||||
if route.ReqRole.IsValid() {
|
|
||||||
return proxy.ctx.HasUserRole(route.ReqRole)
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func (proxy *DataSourceProxy) logRequest() {
|
func (proxy *DataSourceProxy) logRequest() {
|
||||||
if !proxy.cfg.DataProxyLogging {
|
if !proxy.cfg.DataProxyLogging {
|
||||||
return
|
return
|
||||||
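Review bot: In the `-305,8 +304,10` hunk of `validateRequest`, the restored check runs only when `route.ReqRole.IsValid()`, so a route that declares only `ReqAction` and no role appears to reach `proxy.matchedRoute = route` with no authorization check on the datasource proxy path. `PluginProxy.hasAccessToRoute`, in the next file of this commit, still evaluates `ReqAction`, so the two proxies now enforce different rules for the same `plugins.Route` definition. If the revert has to land, I would at least record the gap next to the check, e.g. `// NOTE: route.ReqAction is not enforced here; only ReqRole gates datasource proxy routes.`, and consider logging when a matched route has `RequiresRBACAction()` true and no valid `ReqRole`. The enclosing loop in `validateRequest` starts outside the hunk, so this reading rests on the visible lines only.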
|
@ -122,7 +122,7 @@ func (proxy *PluginProxy) HandleRequest() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
|
func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
|
||||||
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
|
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.RequiresRBACAction()
|
||||||
if useRBAC {
|
if useRBAC {
|
||||||
hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(ac.EvalPermission(route.ReqAction))
|
hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(ac.EvalPermission(route.ReqAction))
|
||||||
if !hasAccess {
|
if !hasAccess {
|
||||||
|
@ -204,6 +204,10 @@ type Route struct {
|
|||||||
Body json.RawMessage `json:"body"`
|
Body json.RawMessage `json:"body"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *Route) RequiresRBACAction() bool {
|
||||||
|
return r.ReqAction != ""
|
||||||
|
}
|
||||||
|
|
||||||
// Header describes an HTTP header that is forwarded with
|
// Header describes an HTTP header that is forwarded with
|
||||||
// the proxied request for a plugin route
|
// the proxied request for a plugin route
|
||||||
type Header struct {
|
type Header struct {
|
||||||
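Review bot: The exported method `RequiresRBACAction` is added without a doc comment, and because it feeds the authorization decision in `PluginProxy.hasAccessToRoute` its meaning should be stated. Suggested: `// RequiresRBACAction reports whether the route sets ReqAction, i.e. whether access is meant to be decided by an RBAC action rather than by ReqRole alone.` It also dereferences `r` unconditionally, so the comment should say that callers must pass a non-nil `*Route`, if that is the intended contract.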
|