grafana/pkg/services/apiserver/auth/authorizer/resource.go
Karl Persson 2e38329026 RBAC: Add required component to perform access control checks for user api when running single tenant (#93104)
* Unexport store and create new constructor function

* Add ResourceAuthorizer and LegacyAccessClient

* Configure checks for user store

* List with checks if AccessClient is configured

* Allow system user service account to read all users

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-09-23 11:26:44 +02:00


package authorizer
import (
"context"
"errors"
"github.com/grafana/authlib/claims"
"k8s.io/apiserver/pkg/authorization/authorizer"
)
// NewResourceAuthorizer wraps an AccessClient in an authorizer.Authorizer so the
// apiserver's authorization chain can delegate resource requests to it.
// The caller is responsible for passing a configured, non-nil client.
func NewResourceAuthorizer(c claims.AccessClient) authorizer.Authorizer {
	ra := ResourceAuthorizer{c: c}
	return ra
}
// ResourceAuthorizer is used to translate authorizer.Authorizer calls to claims.AccessClient calls.
// It carries no state beyond the client, so Authorize uses a value receiver.
type ResourceAuthorizer struct {
	// c answers the HasAccess check that Authorize builds from the request attributes.
	c claims.AccessClient
}
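// Authorize implements authorizer.Authorizer by mapping the request attributes
// onto a claims.AccessRequest and asking the configured AccessClient whether
// the calling identity may perform it.
//
// Decision semantics:
//   - Non-resource requests get DecisionNoOpinion, leaving them to the other
//     authorizers in the apiserver's chain.
//   - A missing AccessClient, a missing identity on the context, or an error
//     from the AccessClient all fail closed: DecisionDeny with a non-nil error.
//   - A negative answer from the AccessClient is DecisionDeny with the reason
//     "unauthorized request".
//   - Only a positive answer yields DecisionAllow.
func (r ResourceAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
	// Only resource requests (group/resource/namespace/name) are translated
	// into access checks; anything else is out of scope for this authorizer.
	if !attr.IsResourceRequest() {
		return authorizer.DecisionNoOpinion, "", nil
	}

	// Fail closed if the authorizer was constructed without a client instead
	// of dereferencing nil inside the apiserver's authorization chain.
	if r.c == nil {
		return authorizer.DecisionDeny, "", errors.New("no access client configured")
	}

	// The identity is expected to have been attached to the context upstream
	// (presumably by authentication); without it there is nothing to check
	// against, so the request is denied rather than passed through.
	ident, ok := claims.From(ctx)
	if !ok {
		return authorizer.DecisionDeny, "", errors.New("no identity found for request")
	}

	req := claims.AccessRequest{
		Verb:        attr.GetVerb(),
		Group:       attr.GetAPIGroup(),
		Resource:    attr.GetResource(),
		Namespace:   attr.GetNamespace(),
		Name:        attr.GetName(),
		Subresource: attr.GetSubresource(),
		Path:        attr.GetPath(),
	}
	allowed, err := r.c.HasAccess(ctx, ident, req)
	if err != nil {
		// An error from the access client is never treated as an allow; the
		// error is surfaced so the apiserver can log it.
		return authorizer.DecisionDeny, "", err
	}
	if !allowed {
		return authorizer.DecisionDeny, "unauthorized request", nil
	}
	return authorizer.DecisionAllow, "", nil
}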