mirror of
https://github.com/grafana/grafana.git
synced 2025-07-30 04:12:09 +08:00
Revert "Apply plugin route ReqAction to ds_proxy authorization (#86466)" This reverts commit 53f94ac50dde7bc6c25f6a8254e85a2e8b1ae138.
This commit is contained in:
Aaron Godin
@ -19,7 +19,6 @@ import (
|
||||
glog "github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
@ -305,9 +304,11 @@ func (proxy *DataSourceProxy) validateRequest() error {
|
||||
continue
|
||||
}
|
||||
|
||||
if !proxy.hasAccessToRoute(route) {
|
||||
if route.ReqRole.IsValid() {
|
||||
if !proxy.ctx.HasUserRole(route.ReqRole) {
|
||||
return errors.New("plugin proxy route access denied")
|
||||
}
|
||||
}
|
||||
|
||||
proxy.matchedRoute = route
|
||||
return nil
|
||||
@ -329,22 +330,6 @@ func (proxy *DataSourceProxy) validateRequest() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
|
||||
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
|
||||
if useRBAC {
|
||||
routeEval := accesscontrol.EvalPermission(route.ReqAction)
|
||||
ok := routeEval.Evaluate(proxy.ctx.GetPermissions())
|
||||
if !ok {
|
||||
proxy.ctx.Logger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path)
|
||||
}
|
||||
return ok
|
||||
}
|
||||
if route.ReqRole.IsValid() {
|
||||
return proxy.ctx.HasUserRole(route.ReqRole)
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func (proxy *DataSourceProxy) logRequest() {
|
||||
if !proxy.cfg.DataProxyLogging {
|
||||
return
|
||||
|
||||
@ -122,7 +122,7 @@ func (proxy *PluginProxy) HandleRequest() {
|
||||
}
|
||||
|
||||
func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
|
||||
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
|
||||
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.RequiresRBACAction()
|
||||
if useRBAC {
|
||||
hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(ac.EvalPermission(route.ReqAction))
|
||||
if !hasAccess {
|
||||
|
||||
@ -204,6 +204,10 @@ type Route struct {
|
||||
Body json.RawMessage `json:"body"`
|
||||
}
|
||||
|
||||
func (r *Route) RequiresRBACAction() bool {
|
||||
return r.ReqAction != ""
|
||||
}
|
||||
|
||||
// Header describes an HTTP header that is forwarded with
|
||||
// the proxied request for a plugin route
|
||||
type Header struct {
|
||||
|
||||
Reference in New Issue
Block a user