grafana-iam
: init mt resourcepermission
apis (#110821)
* Init MT resource permissions * A few fixes for the MT service to work * Refactor NewAPIService to take the provider and the enabled APIs
@ -237,6 +237,16 @@ func AddAuthZKnownTypes(scheme *runtime.Scheme) error {
|
||||
&CoreRoleList{},
|
||||
&Role{},
|
||||
&RoleList{},
|
||||
|
||||
// What is this about?
|
||||
&metav1.PartialObjectMetadata{},
|
||||
&metav1.PartialObjectMetadataList{},
|
||||
)
|
||||
return nil
|
||||
}
|
||||
|
||||
func AddResourcePermissionKnownTypes(scheme *runtime.Scheme, version schema.GroupVersion) error {
|
||||
scheme.AddKnownTypes(version,
|
||||
&ResourcePermission{},
|
||||
&ResourcePermissionList{},
|
||||
|
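Review bot: The comment `// What is this about?` above `&metav1.PartialObjectMetadata{},` leaves an open question in production code instead of documenting the registration; it appears to be introduced by this commit, and a reader of the scheme gets no answer from it. If these two types are registered so the API group can serve metadata-only (`PartialObjectMetadata`) encodings — the usual reason in apiserver schemes, but not established by this hunk — say so: `// Registered so metadata-only (PartialObjectMetadata) responses can be encoded for this group.`; otherwise replace it with a tracked `// TODO(<owner>): document why PartialObjectMetadata(List) are registered here` rather than a rhetorical one. The new AddResourcePermissionKnownTypes starts at the end of the hunk and its body continues outside it, so its closing `)` and return value could not be checked here.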
||||
|
@ -35,6 +35,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/registry/apis/iam/team"
|
||||
"github.com/grafana/grafana/pkg/registry/apis/iam/user"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
gfauthorizer "github.com/grafana/grafana/pkg/services/apiserver/auth/authorizer"
|
||||
"github.com/grafana/grafana/pkg/services/apiserver/builder"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/ssosettings"
|
||||
@ -80,12 +81,26 @@ func RegisterAPIService(
|
||||
return builder, nil
|
||||
}
|
||||
|
||||
func NewAPIService(store legacy.LegacyIdentityStore) *IdentityAccessManagementAPIBuilder {
|
||||
func NewAPIService(
|
||||
accessClient types.AccessClient,
|
||||
dbProvider legacysql.LegacyDatabaseProvider,
|
||||
enabledApis map[string]bool,
|
||||
) *IdentityAccessManagementAPIBuilder {
|
||||
store := legacy.NewLegacySQLStores(dbProvider)
|
||||
resourcePermissionsStorage := resourcepermission.ProvideStorageBackend(dbProvider)
|
||||
resourceAuthorizer := gfauthorizer.NewResourceAuthorizer(accessClient)
|
||||
return &IdentityAccessManagementAPIBuilder{
|
||||
store: store,
|
||||
display: user.NewLegacyDisplayREST(store),
|
||||
resourcePermissionsStorage: resourcePermissionsStorage,
|
||||
enableResourcePermissionApis: enabledApis["resourcepermissions"],
|
||||
authorizer: authorizer.AuthorizerFunc(
|
||||
func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
|
||||
// For now only authorize resourcepermissions resource
|
||||
if a.GetResource() == "resourcepermissions" {
|
||||
return resourceAuthorizer.Authorize(ctx, a)
|
||||
}
|
||||
|
||||
user, err := identity.GetRequester(ctx)
|
||||
if err != nil {
|
||||
return authorizer.DecisionDeny, "no identity found", err
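Review bot: The dispatch at `if a.GetResource() == "resourcepermissions" {` keys an authorization decision on a bare string literal that is spelled out a second time in `enabledApis["resourcepermissions"]`; if the two ever drift or the resource is renamed, requests for that resource silently fall through to the legacy identity path below instead of `resourceAuthorizer`, and nothing would flag it. Hoist it into one constant used by both: `const resourcePermissionsResource = "resourcepermissions"`, `enableResourcePermissionApis: enabledApis[resourcePermissionsResource],` and `if a.GetResource() == resourcePermissionsResource {`. Consider also gating that branch on the same flag, so the access-client authorizer is only consulted when the API it protects is actually installed — though whether the route is reachable with the flag off is not visible from this hunk. The comment `// For now only authorize resourcepermissions resource` reads as if other resources are left unauthorized; `// resourcepermissions is authorized by the access client; everything else uses the legacy identity checks below` describes what the branch does. NewAPIService and the authorizer closure both continue past the end of the hunk.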
|
||||
@ -108,6 +123,11 @@ func (b *IdentityAccessManagementAPIBuilder) InstallSchema(scheme *runtime.Schem
|
||||
return err
|
||||
}
|
||||
}
|
||||
if b.enableResourcePermissionApis {
|
||||
if err := iamv0.AddResourcePermissionKnownTypes(scheme, iamv0.SchemeGroupVersion); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if err := iamv0.AddAuthNKnownTypes(scheme); err != nil {
|
||||
return err
|
||||
|