K8s: Expose testdata connection as an api-server (dev mode only) (#79726)

2025-08-03 01:42:12 +08:00 · 2024-01-09 12:26:24 -08:00
parent 5589c0a8f2
commit 53411eeaa0
24 changed files with 4084 additions and 5 deletions
--- a/pkg/registry/apis/datasource/authorizer.go
+++ b/pkg/registry/apis/datasource/authorizer.go
@ -0,0 +1,82 @@
+package datasource
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+
+	"github.com/grafana/grafana/pkg/infra/appcontext"
+	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/datasources"
+)
+
+func (b *DataSourceAPIBuilder) GetAuthorizer() authorizer.Authorizer {
+	return authorizer.AuthorizerFunc(
+		func(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+			if !attr.IsResourceRequest() {
+				return authorizer.DecisionNoOpinion, "", nil
+			}
+			user, err := appcontext.User(ctx)
+			if err != nil {
+				return authorizer.DecisionDeny, "valid user is required", err
+			}
+
+			uidScope := datasources.ScopeProvider.GetResourceScopeUID(attr.GetName())
+
+			// Must have query access to see a connection
+			if attr.GetResource() == b.connectionResourceInfo.GroupResource().Resource {
+				scopes := []string{}
+				if attr.GetName() != "" {
+					scopes = []string{uidScope}
+				}
+				ok, err := b.accessControl.Evaluate(ctx, user, ac.EvalPermission(datasources.ActionQuery, scopes...))
+				if !ok || err != nil {
+					return authorizer.DecisionDeny, "unable to query", err
+				}
+
+				if attr.GetSubresource() == "proxy" {
+					return authorizer.DecisionDeny, "TODO: map the plugin settings to access rules", err
+				}
+
+				return authorizer.DecisionAllow, "", nil
+			}
+
+			// Must have query access to see a connection
+			action := "" // invalid
+
+			switch attr.GetVerb() {
+			case "list":
+				ok, err := b.accessControl.Evaluate(ctx, user,
+					ac.EvalPermission(datasources.ActionRead)) // Can see any datasource values
+				if !ok || err != nil {
+					return authorizer.DecisionDeny, "unable to read", err
+				}
+				return authorizer.DecisionAllow, "", nil
+
+			case "get":
+				action = datasources.ActionRead
+			case "create":
+				action = datasources.ActionWrite
+			case "post":
+				fallthrough
+			case "update":
+				fallthrough
+			case "patch":
+				fallthrough
+			case "put":
+				action = datasources.ActionWrite
+			case "delete":
+				action = datasources.ActionDelete
+			default:
+				//b.log.Info("unknown verb", "verb", attr.GetVerb())
+				return authorizer.DecisionDeny, "unsupported verb", nil // Unknown verb
+			}
+			ok, err := b.accessControl.Evaluate(ctx, user,
+				ac.EvalPermission(action, uidScope))
+			if !ok || err != nil {
+				return authorizer.DecisionDeny, fmt.Sprintf("unable to %s", action), nil
+			}
+			return authorizer.DecisionAllow, "", nil
+		})
+}