e9ed7223a6
Use authlib repo. Use otel ( #103178 )
...
* Use authlib repo. Use otel
* Use interceptors on the provider level
* Create a new wire set with otel
* Lint
* Fix test
* make update-workflow
* make update-workspace
* make update-workspace. Try to add authlib as enterprise imports
* make update-workspace
2025-04-07 15:47:40 +02:00
c3b039f3a2
Start using otel in storage/unified/resource ( #102616 )
...
* Start using otel storage/unified/resource
* make update-workspace
* Go mod build owners
* Make workspace-update
* Update pkg/storage/unified/resource/access.go
Co-authored-by: maicon <maiconscosta@gmail.com >
* Add introduced pkg/apis to dependabot file
* Revert "Update pkg/storage/unified/resource/access.go"
This reverts commit f50e29d0394e48d5cd5bfbab154cb83da0b2f8b2.
* Revert "Update pkg/storage/unified/resource/access.go"
This reverts commit f50e29d0394e48d5cd5bfbab154cb83da0b2f8b2.
* Use traceid only
---------
Co-authored-by: maicon <maiconscosta@gmail.com >
2025-03-31 09:58:01 -03:00
1f637d07eb
unistore: check namespace ( #102020 )
...
* check namespace in unistore
* fix tests
* fix trace status
* Use capital letter
---------
Co-authored-by: Karl Persson <23356117+kalleep@users.noreply.github.com >
2025-03-12 14:37:17 +01:00
fa74d1c36d
Authn: Sync authlib and update how we construct authn client interceptor ( #101124 )
...
* Sync authlib and update how we construct authn client interceptor
* Remove namespace from checker
2025-02-26 09:22:09 +01:00
14886410d6
Zanzana: Use shared auth interceptor for zanzana and pass tracer ( #100968 )
...
* Use shared auth interceptor for zanzana and pass tracer
2025-02-20 16:07:06 +01:00
16fda6f686
Authz: Setup access claims for service identity ( #100986 )
...
* Setup access claims for service identity and add them to identityes without any claims
2025-02-20 13:54:47 +01:00
a897ec3426
Authn: grpc errors ( #100951 )
...
* update authlib
* Map to grpc status
2025-02-19 11:46:48 +01:00
6eeb28e312
Authn: use authenticator for grpc ( #99573 )
...
* Remove usage of grpc-authenticator
* Cleanup client construction code
2025-02-17 10:58:59 +01:00
d5d8abcd64
Authn: Use authenticator for inproc ( #99550 )
...
Use generic authenticator for inproc
2025-01-27 14:28:46 +01:00
437b7a565d
Auth: Add access token to in-proc communication and ServiceIdentity ( #98926 )
...
Use fake access token for in-proc grpc and add ServiceIdentity
---------
Co-authored-by: gamab <gabriel.mabille@grafana.com >
Co-authored-by: Karl Persson <23356117+kalleep@users.noreply.github.com >
2025-01-24 14:03:23 +01:00
3fe2227c82
[auth] make id-token optional ( #97831 )
...
make idtoken optional
enure there is always an identity in the context
fix: update token
fix: now it should work
fix: now it should work
2024-12-17 13:28:00 +02:00
f6124344ba
authnz: Fix panic in the authenticator and rename metric ( #97150 )
...
* Fix: panic
* suggestion
2024-11-28 14:03:54 +02:00
6e2d3cae5e
AuthN: Register flags for grpc_server_authentication configuration ( #97063 )
...
* AuthZServer: Add authenticator
* Add flags
2024-11-27 10:35:35 +01:00
ca2c874161
authn: grpcutils: Mark ID Tokens optional in cloud mode in gRPC Authenticator ( #96824 )
...
This patch marks ID tokens as not required when initalising a gRPC
Authenticator to be used in `cloud` mode. ID Tokens are still enabled in
`cloud` mode, but the `Required` option is set to `false`.
This is needed for MT services like Cloud API Server to authenticate
against gRPC services like Resource Store with only an Access Token.
Signed-off-by: Prem Kumar <prem.saraswat@grafana.com >
2024-11-21 18:41:49 +05:30
8bb59c64f0
unistore: handle auth when fallback is used ( #96772 )
...
* handle auth when fallback is used
* handle auth when fallback is used
* add traces
2024-11-21 12:21:22 +02:00
df8b6e6862
Fix: Close grpc_authenticator fallback trace ( #96009 )
...
Fix: Close grpc_authenticator trace
2024-11-07 11:29:25 +01:00
5a0ef46280
Add tracing to the gRPC Authentication flow ( #94466 )
...
commit ad4df4b3f63bdf3e16423ac8c3fdb1a7fae5582e
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Oct 24 10:24:04 2024 +0200
nit
commit eb8b9cf2f3e27cae258b3ae310f1584da5ba36b5
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Oct 24 10:23:25 2024 +0200
miss
commit aab1aed204a5dedcc6dd187b2f636995bbe2c5c6
Merge: 5aafdec9233 7fe710b141gabriel.mabille@grafana.com >
Date: Thu Oct 24 10:22:05 2024 +0200
Merge remote-tracking branch 'origin/main' into gamab/resourcestore/tracing
commit 5aafdec9233d6824cba977b069d71eabc3d21a8d
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 18:03:56 2024 +0200
Did not fix the issue
commit 20522a7f64222fad27268ac640d4b4fb9259c748
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 17:42:35 2024 +0200
Test
commit b45199a341b6a57e93927c9eb7de8d7758ed7619
Merge: c0fbbdb95d4 e9e2b11ba2gabriel.mabille@grafana.com >
Date: Wed Oct 16 17:31:59 2024 +0200
Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing
commit e9e2b11ba2claudiu.dragalina@grafana.com >
Date: Wed Oct 16 18:28:31 2024 +0300
PR feedback: simplified fallback implementation
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit b5209dba64drclau@users.noreply.github.com >
Date: Wed Oct 16 18:03:06 2024 +0300
Update pkg/services/authn/grpcutils/grpc_authenticator.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
commit c0fbbdb95d4605f349b902ca8698e7b560433867
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 10:32:52 2024 +0200
Add traces to fallback
commit 75aa8dcbd49288f1dca53cdf6e9a7b41688dff38
Merge: d92fafcaf0d 562d499e85gabriel.mabille@grafana.com >
Date: Wed Oct 16 10:29:41 2024 +0200
Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing
commit 562d499e85claudiu.dragalina@grafana.com >
Date: Wed Oct 16 11:05:01 2024 +0300
switched to features.IsEnabledGlobally()
commit addc6aaca4claudiu.dragalina@grafana.com >
Date: Wed Oct 16 10:21:31 2024 +0300
imports cleanup
commit 7c6d80f6aa64a5e55d619dc2ccdbfdclaudiu.dragalina@grafana.com >
Date: Wed Oct 16 10:18:54 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 64a5e55d61claudiu.dragalina@grafana.com >
Date: Tue Oct 15 11:01:54 2024 +0300
cleanup
commit 4fe2c03457claudiu.dragalina@grafana.com >
Date: Tue Oct 15 10:31:06 2024 +0300
always enable FlagAppPlatformGrpcClientAuth for k8s int tests
commit c7e36759cdclaudiu.dragalina@grafana.com >
Date: Tue Oct 15 10:30:43 2024 +0300
use sync.Once as it's more idiomatic
commit f5c2c79981claudiu.dragalina@grafana.com >
Date: Mon Oct 14 20:43:48 2024 +0300
remove client side namespace extractor
commit 742295c89aclaudiu.dragalina@grafana.com >
Date: Mon Oct 14 20:04:11 2024 +0300
avoid double registration of metrics (fallbackCounter)
commit a45998c8d3claudiu.dragalina@grafana.com >
Date: Mon Oct 14 19:03:41 2024 +0300
use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy
commit ffdc301718claudiu.dragalina@grafana.com >
Date: Mon Oct 14 18:37:22 2024 +0300
remove the NamespaceAuthorizer
The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
commit 4a03ed7d7dclaudiu.dragalina@grafana.com >
Date: Mon Oct 14 15:59:08 2024 +0300
allow using the legacy resource client via
commit a2c30f5328ead390f6082f3c539d9bclaudiu.dragalina@grafana.com >
Date: Mon Oct 14 14:08:32 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit ead390f608claudiu.dragalina@grafana.com >
Date: Fri Oct 11 09:38:49 2024 +0300
added server side gRPC authn fallback-to-legacy mechanism
- brought back the old gRPC authenticator
- added `grpc_server_authentication.legacy_fallback` config option
- introduced `AuthenticatorWithFallback`
- added telemetry to track fallbacks
commit d92fafcaf0db9c8d97a5d071759fc21ede7d8848
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 14:58:25 2024 +0200
Fix test
commit 54f05ff0fecf3d696a0e98621db6991282503917
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 14:42:18 2024 +0200
Forgot the tracer 😁
commit 3948048880c7a0eb2360a35b0cc9f3686f2edfef
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 14:02:41 2024 +0200
Add traces to NamespaceAuthorizer
commit cc695bb77c37a097174556303721fbc48b9464a0
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 13:56:48 2024 +0200
Add traces to authentication flow
commit 8686c46be508c3d237dc4a3ce66193gabriel.mabille@grafana.com >
Date: Wed Oct 9 13:56:26 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 08c3d237dc33fd104cfd84d580179dgabriel.mabille@grafana.com >
Date: Wed Oct 9 12:41:57 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 33fd104cfd68af25fbc338f57d270agabriel.mabille@grafana.com >
Date: Wed Oct 9 12:13:25 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 68af25fbc3gamab@users.noreply.github.com >
Date: Mon Oct 7 16:31:09 2024 +0200
Update pkg/services/authz/config.go
commit 4fba5c9b32gabriel.mabille@grafana.com >
Date: Fri Oct 4 15:17:41 2024 +0200
PR Feedback
commit 86867a14cagamab@users.noreply.github.com >
Date: Fri Oct 4 15:13:06 2024 +0200
Update pkg/services/authn/grpcutils/config.go
Co-authored-by: Dan Cech <dcech@grafana.com >
commit c591631135c80c46ca6ae37b43117bgabriel.mabille@grafana.com >
Date: Fri Oct 4 13:07:48 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit c80c46ca6a3acada9d474224d05934gabriel.mabille@grafana.com >
Date: Thu Oct 3 14:58:51 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 3acada9d47claudiu.dragalina@grafana.com >
Date: Fri Sep 27 17:39:59 2024 +0300
introducing `mode` config for gRPC auth server & client side
commit 914ca237e2claudiu.dragalina@grafana.com >
Date: Thu Sep 26 20:47:57 2024 +0300
Fixed integration tests
commit 71c33dcbe352f248eebb920d79680dclaudiu.dragalina@grafana.com >
Date: Thu Sep 26 19:25:33 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 52f248eebbclaudiu.dragalina@grafana.com >
Date: Tue Sep 24 18:44:38 2024 +0300
updated namespace extractor usage
commit a6c977ba4dfb7bbf743b8da1d78c92claudiu.dragalina@grafana.com >
Date: Tue Sep 24 17:35:03 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit fb7bbf743bclaudiu.dragalina@grafana.com >
Date: Tue Sep 24 17:34:36 2024 +0300
unistor client side updates
commit a28440c40b79d9969aa8a8b07b0c81claudiu.dragalina@grafana.com >
Date: Tue Sep 24 10:45:09 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 79d9969aa8gabriel.mabille@grafana.com >
Date: Mon Sep 9 16:14:02 2024 +0200
Rename NewResourceClient funcs
commit 36b37524908ce354bb06b89f3f8115gabriel.mabille@grafana.com >
Date: Mon Sep 9 16:00:54 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 8ce354bb06gabriel.mabille@grafana.com >
Date: Mon Sep 9 10:40:06 2024 +0200
Align
commit bdf79f3b2f8f4df8973d8eb7e55f8fgabriel.mabille@grafana.com >
Date: Mon Sep 9 10:38:45 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 8f4df8973d2441cd8d539338e40dc3gabriel.mabille@grafana.com >
Date: Thu Sep 5 11:26:39 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 2441cd8d532904074a2f2bbce8a7f7claudiu.dragalina@grafana.com >
Date: Tue Sep 3 17:31:36 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 2904074a2fclaudiu.dragalina@grafana.com >
Date: Tue Sep 3 16:35:25 2024 +0300
refactoring
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 125cb3c834claudiu.dragalina@grafana.com >
Date: Tue Sep 3 16:34:18 2024 +0300
refactoring (aesthetics)
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 499a31df53claudiu.dragalina@grafana.com >
Date: Tue Sep 3 15:59:09 2024 +0300
update usage of ReadGprcServerConfig()
commit f5d383644dclaudiu.dragalina@grafana.com >
Date: Tue Sep 3 15:44:09 2024 +0300
make update-workspace
commit 755485751egabriel.mabille@grafana.com >
Date: Tue Sep 3 14:43:22 2024 +0200
Fix trace
commit d09e14c26aclaudiu.dragalina@grafana.com >
Date: Tue Sep 3 15:42:50 2024 +0300
removed WithIDTokenExtractorOption, and other PR feedback
commit 21220c2ccagabriel.mabille@grafana.com >
Date: Tue Sep 3 14:36:59 2024 +0200
Else statement
commit 6cf1efdcc4gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:35:02 2024 +0200
Mod update
commit 4b73a93883gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:32:20 2024 +0200
Add Auth func overrides
commit 6032ab3ae1gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:26:18 2024 +0200
Use NamespaceAuthorizer
commit 601beb5327gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:20:47 2024 +0200
Update authlib
commit a1b64081270d70225c1a1128c417d8gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:18:49 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 0d70225c1adrclau@users.noreply.github.com >
Date: Tue Sep 3 15:15:54 2024 +0300
Update pkg/services/authn/grpcutils/grpc_authenticator.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 62f165f6f9claudiu.dragalina@grafana.com >
Date: Tue Sep 3 10:55:45 2024 +0300
refactoring NamespaceAccessChecker usage and use CloudNamespaceFormatter in Cloud
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit bb5ee88d4fclaudiu.dragalina@grafana.com >
Date: Tue Sep 3 10:39:11 2024 +0300
added stackIdExtractor for cloud mode
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 84866a8a51claudiu.dragalina@grafana.com >
Date: Tue Sep 3 10:38:19 2024 +0300
authz client cfg changes
- removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
- reusing settings from "grpc_client_authentication", instead of duplicating in "authorization" section
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 14a1021605claudiu.dragalina@grafana.com >
Date: Mon Sep 2 21:44:35 2024 +0300
make update-workspace
commit 84f8c9be94claudiu.dragalina@grafana.com >
Date: Mon Sep 2 21:36:10 2024 +0300
cleanup: refactoring leftover
commit 7fe8d62304claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:30:51 2024 +0300
update authlib version (small fix)
commit 7c2353ae25claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:17:11 2024 +0300
cleanup: remove unused `GrpcServerConfig.Mode`
commit 52b7cf8550claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:06:59 2024 +0300
make update-workspace
commit 14ddfbd8fbclaudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:02:40 2024 +0300
finalize authlib grpc interceptors usage
commit 884c4a8c240fd1988beda1190b165bclaudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:00:07 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 0fd1988bedb766bfb24fe0950a1283claudiu.dragalina@grafana.com >
Date: Fri Aug 30 10:45:51 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit b766bfb24f6993f108a268751ed310claudiu.dragalina@grafana.com >
Date: Wed Aug 28 15:46:04 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 6993f108a25f073b04d0f1ba609b34claudiu.dragalina@grafana.com >
Date: Tue Aug 27 12:51:07 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 5f073b04d00620891d45ac5ebe6e4dclaudiu.dragalina@grafana.com >
Date: Mon Aug 19 21:09:44 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 0620891d456a272e8e2a15f2b08f00claudiu.dragalina@grafana.com >
Date: Mon Aug 12 14:14:44 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 6a272e8e2aclaudiu.dragalina@grafana.com >
Date: Thu Aug 8 18:53:43 2024 +0300
allow insecure conns in dev mode + refactoring
commit 31c7b030baclaudiu.dragalina@grafana.com >
Date: Thu Aug 8 10:31:13 2024 +0300
allow insecure connections (for testing purposes); remove audience checks
audience checks will still need to be done for Access tokens, but not for ID tokens
commit 0fdd2ff802763961210cf384759ad1claudiu.dragalina@grafana.com >
Date: Wed Aug 7 14:42:39 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 763961210cclaudiu.dragalina@grafana.com >
Date: Fri Aug 2 18:54:29 2024 +0300
wip
commit c46b42a59592aba937a90145b0fe70claudiu.dragalina@grafana.com >
Date: Fri Aug 2 14:44:06 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 92aba937a9claudiu.dragalina@grafana.com >
Date: Thu Aug 1 18:32:19 2024 +0300
authn: client side updates
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
2024-10-28 14:35:30 +02:00
830600dab0
AuthN: Optionally use tokens for unified storage client authentication ( #91665 )
...
* extracted in-proc mode to #93124
* allow insecure conns in dev mode + refactoring
* removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
* remove the NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
* use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy
* extracted authz package changes in #95120
* extracted server side changes in #95086
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
Co-authored-by: gamab <gabriel.mabille@grafana.com >
Co-authored-by: Dan Cech <dcech@grafana.com >
2024-10-24 09:12:37 +02:00
b68b69c2b4
AuthN: Use tokens for unified storage server authentication ( #95086 )
...
* Extract server code
---------
Co-authored-by: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com >
2024-10-23 15:04:15 +02:00
a8b07b0c81
[authn] use authlib client+interceptors for in-proc mode ( #93124 )
...
* Add authlib gRPC authenticators for in-proc mode
* implement `StaticRequester` signing in the unified resource client
- [x] when the `claims.AuthInfo` value type is `identity.StaticRequester`, and there's no ID token set, create an internal token and sign it with symmetrical key. This is a workaround for `go-jose` not offering the possibility to create an unsigned token.
- [x] update `IDClaimsWrapper` to support the scenario above
- [x] Switch to using `claims.From()` in `dashboardSqlAccess.SaveDashboard()`
---------
Co-authored-by: gamab <gabriel.mabille@grafana.com >
2024-09-24 09:03:48 +03:00
Leonor Oliveira
Georges Chaudy
Karl Persson
Misi
Gabriel MABILLE
Prem Saraswat
Claudiu Dragalina-Paraipan