datasources: querier: single-tenant auth (#102049)

2025-07-30 21:42:37 +08:00 · 2025-03-18 13:51:49 +01:00
parent 621e7012df
commit c28b49e5d1
1 changed files with 21 additions and 1 deletions
--- a/pkg/registry/apis/query/register.go
+++ b/pkg/registry/apis/query/register.go
@ -1,6 +1,7 @@
 package query

 import (
+	"context"
 	"encoding/json"

 	"github.com/prometheus/client_golang/prometheus"
@ -13,6 +14,7 @@ import (
 	common "k8s.io/kube-openapi/pkg/common"
 	"k8s.io/kube-openapi/pkg/spec3"

+	claims "github.com/grafana/authlib/types"
 	query "github.com/grafana/grafana/pkg/apis/query/v0alpha1"
 	"github.com/grafana/grafana/pkg/expr"
 	"github.com/grafana/grafana/pkg/infra/log"
@ -38,6 +40,8 @@ type QueryAPIBuilder struct {
 	userFacingDefaultError string
 	features               featuremgmt.FeatureToggles

+	authorizer authorizer.Authorizer
+
 	tracer     tracing.Tracer
 	metrics    *queryMetrics
 	parser     *queryParser
@ -49,6 +53,7 @@ type QueryAPIBuilder struct {

 func NewQueryAPIBuilder(features featuremgmt.FeatureToggles,
 	client clientapi.DataSourceClientSupplier,
+	ar authorizer.Authorizer,
 	registry query.DataSourceApiServerRegistry,
 	legacy service.LegacyDataSourceLookup,
 	registerer prometheus.Registerer,
@ -75,6 +80,7 @@ func NewQueryAPIBuilder(features featuremgmt.FeatureToggles,
 		concurrentQueryLimit: 4,
 		log:                  log.New("query_apiserver"),
 		client:               client,
+		authorizer:           ar,
 		registry:             registry,
 		parser:               newQueryParser(reader, legacy, tracer, log.New("query_parser")),
 		metrics:              newQueryMetrics(registerer),
@ -105,11 +111,25 @@ func RegisterAPIService(features featuremgmt.FeatureToggles,
 		return nil, nil // skip registration unless explicitly added (or all experimental are added)
 	}

+	ar := authorizer.AuthorizerFunc(
+		func(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+			// we only verify that we have a valid user.
+			// the "real" check will happen when the specific
+			// data sources are loaded.
+			_, ok := claims.AuthInfoFrom(ctx)
+			if !ok {
+				return authorizer.DecisionDeny, "valid user is required", nil
+			}
+
+			return authorizer.DecisionAllow, "", nil
+		})
+
 	builder, err := NewQueryAPIBuilder(
 		features,
 		&CommonDataSourceClientSupplier{
 			Client: client.NewQueryClientForPluginClient(pluginClient, pCtxProvider),
 		},
+		ar,
 		client.NewDataSourceRegistryFromStore(pluginStore, dataSourcesService),
 		legacy, registerer, tracer,
 	)
@ -167,7 +187,7 @@ func (b *QueryAPIBuilder) GetOpenAPIDefinitions() common.GetOpenAPIDefinitions {
 }

 func (b *QueryAPIBuilder) GetAuthorizer() authorizer.Authorizer {
-	return nil // default is OK
+	return b.authorizer
 }

 func (b *QueryAPIBuilder) PostProcessOpenAPI(oas *spec3.OpenAPI) (*spec3.OpenAPI, error) {