mirror of
https://github.com/grafana/grafana.git
synced 2025-08-01 04:21:50 +08:00
c6a6b9fdd2
* Add Create for User + DualWriter setup * Add delete User * Fix delete + access check * Add tests for delete user * Add tests for create user * Fixes * Use sqlx session to fix database locked issues * wip authz checks * legacyAccessClient * Update legacyAccessClient, add tests for create user * Close rows before running other queries * Use ExecWithReturningId * Verify deletion in the tests * Add Validate and Mutate * Other changes * Address feedback * Update tests --------- Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
111 lines
3.8 KiB
Go
111 lines
3.8 KiB
Go
package iam
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
|
|
|
authlib "github.com/grafana/authlib/types"
|
|
iamv0 "github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1"
|
|
"github.com/grafana/grafana/pkg/apimachinery/utils"
|
|
legacyiamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
|
|
"github.com/grafana/grafana/pkg/registry/apis/iam/legacy"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
gfauthorizer "github.com/grafana/grafana/pkg/services/apiserver/auth/authorizer"
|
|
)
|
|
|
|
type iamAuthorizer struct {
|
|
resourceAuthorizer map[string]authorizer.Authorizer // Map resource to its authorizer
|
|
}
|
|
|
|
func newIAMAuthorizer(accessClient authlib.AccessClient, legacyAccessClient authlib.AccessClient) authorizer.Authorizer {
|
|
resourceAuthorizer := make(map[string]authorizer.Authorizer)
|
|
|
|
// Identity specific resources
|
|
legacyAuthorizer := gfauthorizer.NewResourceAuthorizer(legacyAccessClient)
|
|
resourceAuthorizer[legacyiamv0.UserResourceInfo.GetName()] = legacyAuthorizer
|
|
resourceAuthorizer[legacyiamv0.ServiceAccountResourceInfo.GetName()] = legacyAuthorizer
|
|
resourceAuthorizer[legacyiamv0.TeamResourceInfo.GetName()] = legacyAuthorizer
|
|
resourceAuthorizer["display"] = legacyAuthorizer
|
|
|
|
// Access specific resources
|
|
authorizer := gfauthorizer.NewResourceAuthorizer(accessClient)
|
|
resourceAuthorizer[iamv0.CoreRoleInfo.GetName()] = authorizer
|
|
|
|
return &iamAuthorizer{resourceAuthorizer: resourceAuthorizer}
|
|
}
|
|
|
|
func (s *iamAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
|
|
if !attr.IsResourceRequest() {
|
|
return authorizer.DecisionNoOpinion, "", nil
|
|
}
|
|
|
|
authz, ok := s.resourceAuthorizer[attr.GetResource()]
|
|
if !ok {
|
|
return authorizer.DecisionDeny, "", fmt.Errorf("no authorizer found for resource %s", attr.GetResource())
|
|
}
|
|
|
|
return authz.Authorize(ctx, attr)
|
|
}
|
|
|
|
func newLegacyAccessClient(ac accesscontrol.AccessControl, store legacy.LegacyIdentityStore) authlib.AccessClient {
|
|
client := accesscontrol.NewLegacyAccessClient(
|
|
ac,
|
|
accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: legacyiamv0.UserResourceInfo.GetName(),
|
|
Attr: "id",
|
|
Mapping: map[string]string{
|
|
utils.VerbCreate: accesscontrol.ActionOrgUsersWrite,
|
|
utils.VerbDelete: accesscontrol.ActionOrgUsersWrite,
|
|
utils.VerbGet: accesscontrol.ActionOrgUsersRead,
|
|
utils.VerbList: accesscontrol.ActionOrgUsersRead,
|
|
},
|
|
Resolver: accesscontrol.ResourceResolverFunc(func(ctx context.Context, ns authlib.NamespaceInfo, name string) ([]string, error) {
|
|
res, err := store.GetUserInternalID(ctx, ns, legacy.GetUserInternalIDQuery{
|
|
UID: name,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return []string{fmt.Sprintf("users:id:%d", res.ID)}, nil
|
|
}),
|
|
},
|
|
accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: "display",
|
|
Unchecked: map[string]bool{
|
|
utils.VerbGet: true,
|
|
utils.VerbList: true,
|
|
},
|
|
},
|
|
accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: legacyiamv0.ServiceAccountResourceInfo.GetName(),
|
|
Attr: "id",
|
|
Resolver: accesscontrol.ResourceResolverFunc(func(ctx context.Context, ns authlib.NamespaceInfo, name string) ([]string, error) {
|
|
res, err := store.GetServiceAccountInternalID(ctx, ns, legacy.GetServiceAccountInternalIDQuery{
|
|
UID: name,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return []string{fmt.Sprintf("serviceaccounts:id:%d", res.ID)}, nil
|
|
}),
|
|
},
|
|
accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: legacyiamv0.TeamResourceInfo.GetName(),
|
|
Attr: "id",
|
|
Resolver: accesscontrol.ResourceResolverFunc(func(ctx context.Context, ns authlib.NamespaceInfo, name string) ([]string, error) {
|
|
res, err := store.GetTeamInternalID(ctx, ns, legacy.GetTeamInternalIDQuery{
|
|
UID: name,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return []string{fmt.Sprintf("teams:id:%d", res.ID)}, nil
|
|
}),
|
|
},
|
|
)
|
|
|
|
return client
|
|
}
|