Update DS Proxy to use RBAC action (#87517)

iam-team: Update DS Proxy to use RBAC action
This commit is contained in:
Aaron Godin
2024-05-21 08:05:16 -05:00
committed by GitHub
parent 410e3b17e9
commit 0072e4a92d
8 changed files with 56 additions and 7 deletions
+29 -2
@@ -19,6 +19,7 @@ import (
glog "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/accesscontrol"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -304,8 +305,14 @@ func (proxy *DataSourceProxy) validateRequest() error {
continue
}
if route.ReqRole.IsValid() {
if !proxy.ctx.HasUserRole(route.ReqRole) {
if proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagDatasourceProxyDisableRBAC) {
// TODO(aarongodin): following logic can be removed with FlagDatasourceProxyDisableRBAC as it is covered by
// proxy.hasAccessToRoute(..)
if route.ReqRole.IsValid() && !proxy.ctx.HasUserRole(route.ReqRole) {
return errors.New("plugin proxy route access denied")
}
} else {
if !proxy.hasAccessToRoute(route) {
return errors.New("plugin proxy route access denied")
}
}
@@ -330,6 +337,26 @@ func (proxy *DataSourceProxy) validateRequest() error {
return nil
}
func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
ctxLogger := logger.FromContext(proxy.ctx.Req.Context())
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
if useRBAC {
routeEval := accesscontrol.EvalPermission(route.ReqAction)
ok := routeEval.Evaluate(proxy.ctx.GetPermissions())
if !ok {
ctxLogger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path, "action", route.ReqAction, "path", route.Path, "method", route.Method)
}
return ok
}
if route.ReqRole.IsValid() {
if hasUserRole := proxy.ctx.HasUserRole(route.ReqRole); !hasUserRole {
ctxLogger.Debug("plugin route is covered by org role, user doesn't have access", "route", proxy.ctx.Req.URL.Path, "role", route.ReqRole, "path", route.Path, "method", route.Method)
return false
}
}
return true
}
func (proxy *DataSourceProxy) logRequest() {
if !proxy.cfg.DataProxyLogging {
return
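Review bot: hasAccessToRoute returns true when `useRBAC` is false and `route.ReqRole` is not valid, so a route that declares only `ReqAction` is not gated at all by this function whenever `FlagAccessControlOnCall` is off (the `useRBAC` line ANDs the flag with `route.ReqAction != ""`), and any request that reaches validateRequest presumably passes. If that is the intended flag-off fallback it should be stated next to the `useRBAC` computation, e.g. `// With FlagAccessControlOnCall off, a route that sets only ReqAction is not gated here; the org-role check below needs a ReqRole.`; if not, the `route.ReqAction != ""` case with the flag off should deny or at least log, since silently opening the route on a flag flip is hard to spot. In the validateRequest hunk, the new `} else { if !proxy.hasAccessToRoute(route) { … } }` nesting reads more cleanly as `} else if !proxy.hasAccessToRoute(route) {` with the same body. The validateRequest function starts before its hunk, so the surrounding loop and its other checks are not visible here.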