Auth: Extended JWT client for OBO and Service Authentication #83814
❌ Failed to run Playwright plugin e2e tests.
Co-authored-by: jguer <joao.guerreiro@grafana.com>
@@ -205,15 +206,18 @@ func (u *SignedInUser) GetID() string { | |||
return namespacedID(identity.NamespaceRenderService, 0) | |||
} | |||
|
|||
// backwards compatibility | |||
return namespacedID(identity.NamespaceUser, u.UserID) | |||
return u.NamespacedID | |||
} | |||
|
|||
// GetNamespacedID returns the namespace and ID of the active entity | |||
// The namespace is one of the constants defined in pkg/services/auth/identity | |||
func (u *SignedInUser) GetNamespacedID() (string, string) { | |||
parts := strings.Split(u.GetID(), ":") | |||
// Safety: GetID always returns a ':' separated string |
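Review bot: the `// Safety: GetID always returns a ':' separated string` comment in GetNamespacedID no longer holds once GetID's fallback becomes `return u.NamespacedID`: for a SignedInUser whose NamespacedID was never set, GetID returns an empty string, strings.Split yields a single element, and any access to parts[1] panics. Use `parts := strings.SplitN(u.GetID(), ":", 2)` and add `if len(parts) != 2 { return "", "" }` (or return an error) before the parts are used, and drop the comment, as the earlier review note also asks.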
Remove this part if this is no longer true
// Grafana roles | ||
Permissions []string `json:"permissions"` |
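Review bot: the comment `// Grafana roles`, the field name `Permissions` and the tag `json:"permissions"` disagree, so a reader of the claim will treat role names as permission strings. Either rename the field to `Roles` with a matching claim name, or keep `Permissions` and have the claim carry permission strings; in both cases document the accepted values, since whatever is accepted here becomes the grant for an access-policy identity that is never stored in the database.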
How come we are using RBAC roles here and not just plain permissions as the name suggest?
if !strings.HasPrefix(accessTokenClaims.Subject, fmt.Sprintf("%s:", authn.NamespaceAccessPolicy)) { | ||
s.log.Error("Invalid subject", "subject", accessTokenClaims.Subject) | ||
return nil, errJWTInvalid.Errorf("Failed to parse sub: %s", "invalid subject format") |
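Review bot: `strings.HasPrefix(accessTokenClaims.Subject, ...)` only checks the prefix, so a subject consisting of the namespace and a trailing `:` with an empty ID passes; split on `:` and reject an empty remainder as well. The call `errJWTInvalid.Errorf("Failed to parse sub: %s", "invalid subject format")` passes a constant through `%s`, so fold it into the message, and reconsider logging the raw subject at error level, since token subjects then end up in log storage. The earlier reviewer's point that this check belongs once in Authenticate rather than in both authenticateAsUser and authenticateAsService stands.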
we should move this check to Authenticate and remove from authenticateAsUser
and authenticateAsService
"github.com/grafana/grafana/pkg/infra/db" | ||
"github.com/grafana/grafana/pkg/tests/testsuite" | ||
"github.com/stretchr/testify/require" |
you can remove this change
pkg/build/wire/internal/wire/testdata/BindInjectorArg/foo/wire.go
"github.com/stretchr/testify/require" | ||
|
"github.com/stretchr/testify/require"
/deploy-hg
/deploy-to-hg
LGTM from the plugins-platform perspective.
Tested with an ephemeral instance to ensure the report was still sent. Merging the current state and we'll continue to iterate (and test how well it integrates).
May cause some services to receive unexpected namespacedIDs if the service is not parsing accepted namespaces (ex: "rendering-service:0" instead of "user:0")
Pair PR: https://github.com/grafana/auth/pull/583
What is this feature?
The extended JWT client allows On Behalf Of (impersonation) and service authentication via an auth API access token.
Accessing Grafana as the service
X-Access-Token should be the Cloud Access Policy access token.
Returns the user as the access policy. The namespaced ID in Grafana will be access-policy:xxxx and it will not be persisted in the database. This ID cannot own things in Grafana.
Permissions will be derived from the roles present in the permissions claim of the access token.
Accessing Grafana as a user
By providing both the access token and the Grafana user ID token it is possible to authenticate as the user. The namespaced ID in Grafana will be the user's ID.
The permissions for this call will be the intersection between the user's stored permissions and the allowed actions specified by "delegatedPermissions".
Why do we need this feature?
Impersonation access is missing for background tasks and the proxy.
Who is this feature for?
Backend platform and cloud plugin developers
Which issue(s) does this PR fix?:
Fixes #
Special notes for your reviewer:
Please check that:
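The two authentication modes described in this PR (service identity from the access token alone; user identity from access token plus ID token, with the user's stored permissions intersected against delegatedPermissions), as an added Go example that is not part of this PR or of Grafana's code. The namespace names follow the description; AccessTokenClaims, IDTokenClaims, Identity, ParseNamespacedID, Authenticate and the lookup function standing in for the database are assumptions made for the example. It also rejects a subject whose namespace or ID is missing or empty, the case a plain ':'-split would otherwise mishandle.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Namespace names follow the PR description; every other identifier in this
// file is an assumption made for the example, not Grafana's own code.
const (
	NamespaceUser         = "user"
	NamespaceAccessPolicy = "access-policy"
)

var ErrInvalidSubject = errors.New("invalid subject format")

// AccessTokenClaims is a minimal, hypothetical view of the access token.
type AccessTokenClaims struct {
	Subject              string   // "access-policy:<id>"
	Permissions          []string // roles granted to the access policy
	DelegatedPermissions []string // actions the policy may exercise for a user
}

// IDTokenClaims is a minimal, hypothetical view of the Grafana user ID token.
type IDTokenClaims struct{ Subject string } // "user:<id>"

// Identity is the authenticated principal and its effective permissions.
type Identity struct {
	NamespacedID string
	Permissions  []string
}

// ParseNamespacedID splits "namespace:id" and rejects missing or empty parts,
// so callers never index past the end of a subject that has no ':' at all.
func ParseNamespacedID(sub string) (namespace, id string, err error) {
	parts := strings.SplitN(sub, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("%w: %q", ErrInvalidSubject, sub)
	}
	return parts[0], parts[1], nil
}

// Authenticate implements the two modes from the PR description: the access
// token alone yields the service identity; access token plus ID token yields
// the user. lookup stands in for the user's permissions stored in the database.
func Authenticate(access AccessTokenClaims, idToken *IDTokenClaims, lookup func(userID string) ([]string, bool)) (*Identity, error) {
	ns, _, err := ParseNamespacedID(access.Subject)
	if err != nil {
		return nil, err
	}
	if ns != NamespaceAccessPolicy {
		return nil, fmt.Errorf("%w: access token subject must use namespace %q", ErrInvalidSubject, NamespaceAccessPolicy)
	}
	if idToken == nil {
		// Service mode: the identity is the access policy itself (never persisted)
		// and its permissions come straight from the token's permissions claim.
		return &Identity{NamespacedID: access.Subject, Permissions: sorted(access.Permissions)}, nil
	}
	// On-behalf-of mode: the ID token names the user, who must exist, and the
	// effective permissions are stored permissions ∩ delegatedPermissions, so a
	// delegated action the user does not already hold is never granted.
	userNS, userID, err := ParseNamespacedID(idToken.Subject)
	if err != nil {
		return nil, err
	}
	if userNS != NamespaceUser {
		return nil, fmt.Errorf("%w: ID token subject must use namespace %q", ErrInvalidSubject, NamespaceUser)
	}
	stored, ok := lookup(userID)
	if !ok {
		return nil, fmt.Errorf("user %q not found", userID)
	}
	return &Identity{NamespacedID: idToken.Subject, Permissions: intersect(stored, access.DelegatedPermissions)}, nil
}

// intersect keeps only the stored permissions that are also delegated.
func intersect(stored, delegated []string) []string {
	allowed := make(map[string]bool, len(delegated))
	for _, p := range delegated {
		allowed[p] = true
	}
	out := []string{}
	for _, p := range stored {
		if allowed[p] {
			out = append(out, p)
			delete(allowed, p) // each permission appears once in the result
		}
	}
	sort.Strings(out)
	return out
}

// sorted returns a sorted copy so results are deterministic.
func sorted(in []string) []string {
	out := append([]string(nil), in...)
	sort.Strings(out)
	return out
}
```

The check that matters for the OBO path is the intersection: delegatedPermissions can only narrow what the user already holds, never widen it, which is the property the description states. The parser is shared by both token kinds so that a subject lacking the ':' separator, or carrying an empty ID, is rejected before any namespace comparison runs.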