RBAC: Remove dashboard guardians pt 2 (#102556)

* remove NewByDashboard guardian * remove unused authorizer * more cleanup * simplify canAdmin evaluation
2025-07-31 15:42:55 +08:00 · 2025-03-21 10:32:27 +00:00
parent f2770b0984
commit e2737f195b
7 changed files with 22 additions and 151 deletions
--- a/pkg/registry/apis/dashboard/authorizer.go
+++ b/pkg/registry/apis/dashboard/authorizer.go
@ -1,91 +0,0 @@
-package dashboard
-
-import (
-	"context"
-
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-
-	claims "github.com/grafana/authlib/types"
-	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"github.com/grafana/grafana/pkg/infra/log"
-	"github.com/grafana/grafana/pkg/services/dashboards"
-	"github.com/grafana/grafana/pkg/services/guardian"
-)
-
-func GetAuthorizer(dashboardService dashboards.DashboardService, l log.Logger) authorizer.Authorizer {
-	return authorizer.AuthorizerFunc(
-		func(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
-			// Use the standard authorizer
-			if !attr.IsResourceRequest() {
-				return authorizer.DecisionNoOpinion, "", nil
-			}
-
-			user, err := identity.GetRequester(ctx)
-			if err != nil {
-				return authorizer.DecisionDeny, "", err
-			}
-
-			// Allow search and list requests
-			if attr.GetResource() == "search" || attr.GetName() == "" {
-				return authorizer.DecisionNoOpinion, "", nil
-			}
-
-			ns := attr.GetNamespace()
-			if ns == "" {
-				return authorizer.DecisionDeny, "expected namespace", nil
-			}
-
-			info, err := claims.ParseNamespace(attr.GetNamespace())
-			if err != nil {
-				return authorizer.DecisionDeny, "error reading org from namespace", err
-			}
-
-			// expensive path to lookup permissions for a single dashboard
-			dto, err := dashboardService.GetDashboard(ctx, &dashboards.GetDashboardQuery{
-				UID:   attr.GetName(),
-				OrgID: info.OrgID,
-			})
-			if err != nil {
-				return authorizer.DecisionDeny, "error loading dashboard", err
-			}
-
-			ok := false
-			guardian, err := guardian.NewByDashboard(ctx, dto, info.OrgID, user)
-			if err != nil {
-				return authorizer.DecisionDeny, "", err
-			}
-
-			switch attr.GetVerb() {
-			case "get":
-				ok, err = guardian.CanView()
-				if !ok || err != nil {
-					return authorizer.DecisionDeny, "can not view dashboard", err
-				}
-			case "create":
-				fallthrough
-			case "post":
-				ok, err = guardian.CanSave() // vs Edit?
-				if !ok || err != nil {
-					return authorizer.DecisionDeny, "can not save dashboard", err
-				}
-			case "update":
-				fallthrough
-			case "patch":
-				fallthrough
-			case "put":
-				ok, err = guardian.CanEdit() // vs Save
-				if !ok || err != nil {
-					return authorizer.DecisionDeny, "can not edit dashboard", err
-				}
-			case "delete":
-				ok, err = guardian.CanDelete()
-				if !ok || err != nil {
-					return authorizer.DecisionDeny, "can not delete dashboard", err
-				}
-			default:
-				l.Info("unknown verb", "verb", attr.GetVerb())
-				return authorizer.DecisionNoOpinion, "unsupported verb", nil // Unknown verb
-			}
-			return authorizer.DecisionAllow, "", nil
-		})
-}