package apistore
import (
"context"
"errors"
"fmt"
"k8s.io/apimachinery/pkg/runtime"
authtypes "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/apimachinery/utils"
"github.com/grafana/grafana/pkg/storage/unified/resourcepb"
)
// permissionCreatorFunc is the signature of the callback returned by
// afterCreatePermissionCreator; it receives the context in which the
// permission grant should be performed and reports any error from it.
type permissionCreatorFunc = func(ctx context.Context) error
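// afterCreatePermissionCreator validates a request to grant the creating
// identity default permissions on a newly created resource and, when the
// request is valid, returns a closure that performs the grant.
//
// grantPermisions is the raw value of the grant-permissions annotation. An
// empty value means no grant was requested and (nil, nil) is returned; any
// value other than utils.AnnoGrantPermissionsDefault is rejected. The grant is
// also refused when no setter is configured, when obj carries the
// utils.AnnoKeyManagerKind annotation, when ctx carries no auth info, or when
// the caller's identity type is neither a user nor a service account.
//
// The returned closure captures key, auth and the object's metadata accessor
// as resolved here, so the permissions are granted for the principal that
// issued the create request, not for whoever later invokes the closure.
func afterCreatePermissionCreator(ctx context.Context,
	key *resourcepb.ResourceKey,
	grantPermisions string,
	obj runtime.Object,
	setter DefaultPermissionSetter,
) (permissionCreatorFunc, error) {
	// No annotation: nothing to do, and not an error.
	if grantPermisions == "" {
		return nil, nil
	}
	// Only the single documented value is accepted; anything else is rejected
	// rather than interpreted, so an unexpected value cannot widen the grant.
	if grantPermisions != utils.AnnoGrantPermissionsDefault {
		return nil, fmt.Errorf("invalid permissions value. only '%s' supported", utils.AnnoGrantPermissionsDefault)
	}
	if setter == nil {
		return nil, errors.New("missing default permission creator")
	}
	val, err := utils.MetaAccessor(obj)
	if err != nil {
		return nil, err
	}
	// Objects that declare a manager must not hand out permissions through
	// the annotation.
	if val.GetAnnotation(utils.AnnoKeyManagerKind) != "" {
		return nil, errors.New("managed resource may not grant permissions")
	}
	auth, ok := authtypes.AuthInfoFrom(ctx)
	if !ok {
		return nil, errors.New("missing auth info")
	}
	// Only a user or a service account may be granted permissions on a
	// resource it creates; every other identity type is refused.
	idtype := auth.GetIdentityType()
	if idtype != authtypes.TypeUser && idtype != authtypes.TypeServiceAccount {
		return nil, errors.New("only users or service accounts may grant themselves permissions using an annotation")
	}
	// The closure deliberately shadows ctx: the caller supplies the context in
	// which the grant runs, while key, auth and val are the values validated above.
	return func(ctx context.Context) error {
		return setter(ctx, key, auth, val)
	}, nil
}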