-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support user-auth service principal #68
Conversation
- If no user present OR no ID token AND usernameAssertion is disallowed - Update tests
We need to have design discussion regarding this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AzureSeetings need a new switch to allow/disallow usage of the service credentials.
I would move the fallback logic directly into the user token provider. It needs to be redesigned somehow. Probably should contain an instance of service token provider internally and delegate access token request to it. e.g. work as a composite token provider (a decorator).
azcredentials/credentials.go
Outdated
@@ -14,6 +14,7 @@ type AzureCredentials interface { | |||
|
|||
// AadCurrentUserCredentials "Current User" user identity credentials of the current Grafana user. | |||
type AadCurrentUserCredentials struct { | |||
ServicePrincipal AzureClientSecretCredentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Maybe let's we call it 'ServiceCredentials' to not introduce new terminology?
- Let's not limit it to
AzureClientSecretCredentials
, since there's no functional difference between which type of credentials is going to be used as long as it's service credentials. I would not bother to define new type hierarchy for "service" credentials specifically. Would just use "AzureCredentials" and have runtime check that they are not user identity. - It should be optional, I think it needs to be a pointer (or once it's changed to interface
AzureCredentials
it will be fine).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've made changes here that should meet the requirements.
@@ -71,6 +71,14 @@ func NewAzureAccessTokenProvider(settings *azsettings.AzureSettings, credentials | |||
err = fmt.Errorf("user identity authentication is not enabled in Grafana config") | |||
return nil, err | |||
} | |||
|
|||
var tokenRetriever TokenRetriever |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather move the logic upper, before the switch (line 34) and wrote something like this (pseudocode):
nonUserContext = <determine from user context> // i.e. not user initiated, no user context
if isUserIdentityCredentials(*credentials) && nonUserContext {
if credentials.ServiceCredentials != nils {
credentials = credentials.ServiceCredentials
} else {
error = "Attempt to user user credentials in non-user context"
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OBO is also user identity authentication
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I see, user context isn't available in NewAzureAccessTokenProvider
. It needs to be done inside userTokenProvider. userTokenProvider can be a decorator for service token provider.
# Conflicts: # azsettings/settings_test.go
This PR updates the SDK to support a service principal credential when using user-authentication methods. This will allow us to support backend functionality via the service principal credentials which will always be present.
Changes:
ServiceCredentials
andServiceCredentialsEnabled
properties added to current user credentials structUserIdentityFallbackCredentialsEnabled
setting. Enabling this will allow users to specify fallback credentials when creating user identity data sources. This defaults totrue
.CurrentUserContext
struct and request functions to appropriately setGrafanaIdToken
It should be noted that for backend requests to be identified accurately the feature toggle
idForwarding
should be enabled.Part of grafana/grafana#81918
Fixes #122