From e6c831e0c17836bb6668077ad26297543e2cf7e6 Mon Sep 17 00:00:00 2001
From: Mahendra Paipuri
Date: Fri, 25 Oct 2024 15:59:17 +0200
Subject: [PATCH] fix: Ensure configured token is fetched during perms check
* Seems like auto provisioning does not work in multi org settings. A workaround is to turn off externalServiceAccounts feature flag and manually provision the plugin with a service account in each Org.
* This commit fixes on how we fetch the token between automatically provisioned and manually provided ones during permission checks.
Signed-off-by: Mahendra Paipuri
---
 .gitignore | 1 +
 pkg/plugin/resources.go | 9 ++++-----
 src/README.md | 37 +++++++++++++++++++++++++++++++++++--
 3 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index e7c96f1..820e3fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ pids
 *.seed
 *.pid.lock
 .bra.toml
+*.db
 # Directory for instrumented libs generated by jscoverage/JSCover
 lib-cov
diff --git a/pkg/plugin/resources.go b/pkg/plugin/resources.go
index ddf339c..5a70cd2 100644
--- a/pkg/plugin/resources.go
+++ b/pkg/plugin/resources.go
@@ -135,12 +135,11 @@ func (app *App) GetAuthZClient(req *http.Request) (authz.EnforcementClient, erro
 return nil, err
 }
+ // Bail we cannot get token provisioned by externalServiceAccount and no token
+ // has been manually configured. In this case we cannot check permissions and moreover
+ // we cannot make API requests to Grafana
 saToken, err := grafanaConfig.PluginAppClientSecret()
- if err != nil || (saToken == "" && app.conf.Token == "") {
- if err == nil {
- err = errors.New("neither service account token nor configured token found")
- }
-
+ if err != nil && app.conf.Token == "" {
 ctxLogger.Error("failed to fetch service account and configured token", "error", err)
 return nil, err
diff --git a/src/README.md b/src/README.md
index 34f2115..d1203ef 100755
--- a/src/README.md
+++ b/src/README.md
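Review bot: The rewritten guard on the `+ if err != nil && app.conf.Token == "" {` line no longer covers the case where PluginAppClientSecret() returns an empty secret with a nil error and no token is configured; the removed condition rejected that, whereas the new code continues into the client setup with an empty credential instead of failing closed. The condition should keep the empty-token check, e.g. `if app.conf.Token == "" && (err != nil || saToken == "") {`, and because err is nil on that path the removed `errors.New("neither service account token nor configured token found")` fallback is still needed before `return nil, err`, otherwise the function would return a nil client together with a nil error. Dropping that call may also leave the `errors` import unused if nothing else in the file references it, which cannot be seen from this hunk. GetAuthZClient's body starts and ends outside the hunk, so how the provisioned and configured tokens are chosen afterwards, and whether a non-nil err with a configured token is worth logging at that point, cannot be confirmed here.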
@@ -338,7 +338,7 @@ extra configuration to get an API token from Grafana. Grafana to make API requests to Grafana. This can be done automatically by enabling feature flag `externalServiceAccounts`, which will create a service account and provision a service account token automatically for the plugin. Please consult
- [Local Installation](#local-installation) on how to configure the feature flags on
+ [Installation](#installation) on how to configure the feature flags on
 Grafana server.
 > [!NOTE]
@@ -346,6 +346,39 @@ extra configuration to get an API token from Grafana. their Grafana deployment, it is possible to manually create an API token and set it in the [plugin configuration options](#authentication-settings).
+### Multiple Orgs
+
+Grafana does not support yet automatically provisioning the plugins with service tokens
+using `externalServiceAccounts`. More details can be found in this [GH issue](https://github.com/grafana/grafana/issues/91844).
+A workaround in this case is to turn off the feature flag `externalServiceAccounts` and
+manually create service account token for each Org. and setting it in the plugin
+configuration file. In this case, the provisioned config for the plugin will look like this:
+
+```yaml
+apps:
+ - type: mahendrapaipuri-dashboardreporter-app
+ org_id: 1
+ org_name: Main Org.
+ disabled: false
+ secureJsonData:
+ saToken:
+ jsonData:
+ appUrl: http://localhost:3000
+
+ - type: mahendrapaipuri-dashboardreporter-app
+ org_id: 2
+ org_name: Test Org.
+ disabled: false
+ secureJsonData:
+ saToken:
+ jsonData:
+ appUrl: http://localhost:3000
+```
+
+> [!IMPORTANT]
+> It is compulsory to disable `externalServiceAccounts` feature flag in multiple Org. setting
+as plugin wont work as expected with this feature flag.
+
 ## Using plugin
 ### Using Grafana web UI
@@ -403,7 +436,7 @@ any HTTP client of your favorite programming language.
 ## Security
-All the feature flags listed in the [Local Installation](#local-installation) section
+All the feature flags listed in the [Installation](#installation) section
 must be enabled on Grafana server for secure operation of your Grafana instance. These feature flags enables the plugin to verify the if the user who is making the request to generate the report has