Alerting: Update rule access control to return errutil errors #78284
Conversation
that's what accesscontrol middleware uses
yuri-tceretian
requested review from
a team,
rwwiv,
JacobsonMT and
grobinson-grafana
and removed request for
a team
yuri-tceretian
added
add to changelog
no-backport
| return false | ||
| // getRulesReadEvaluator constructs accesscontrol.Evaluator that checks all permission required to read all provided rules | ||
| func (r *RuleService) getRulesReadEvaluator(rules ...*models.AlertRule) accesscontrol.Evaluator { | ||
| return r.getRulesQueryEvaluator(rules...) |
There was a problem hiding this comment.
I will add more in a follow-up PR.
| }) | ||
| } | ||
|
|
||
| // HasAccessToRuleGroup returns false if |
There was a problem hiding this comment.
Missing some text in the comment
| if !srv.authz.AuthorizeAccessToRuleGroup(c.Req.Context(), c.SignedInUser, ngmodels.RulesGroup{rule}) { | ||
| return errorToResponse(fmt.Errorf("%w to query one or many data sources used by the rule", accesscontrol.ErrAuthorization)) | ||
| if err := srv.authz.AuthorizeAccessToRuleGroup(c.Req.Context(), c.SignedInUser, ngmodels.RulesGroup{rule}); err != nil { | ||
| return response.ErrOrFallback(http.StatusInternalServerError, "failed to authorize access to rule group", err) |
There was a problem hiding this comment.
NIT: Should this be errorToResponse(err) as well to be inline with the rest of the api?
There was a problem hiding this comment.
oh, I think it is better to do the opposite because ErrOrFallback lets us return some meaningful message in the response if error does not happen to be errutils' one.
This could be useful if authz happen to return some generic errors (eg from db or other service).
WDYT?
| @@ -2284,7 +2284,7 @@ func TestIntegrationEval(t *testing.T) { | |||
| }, | |||
| expectedMessage: func() string { | |||
| if setting.IsEnterprise { | |||
| return "user is not authorized to query one or many data sources used by the rule" | |||
| return "user is not authorized to access rule group in folder " | |||
There was a problem hiding this comment.
Let's quote the rule group name and folder to avoid this odd double space in
| evals := make([]accesscontrol.Evaluator, 0, 2) | ||
| for _, rule := range rules { | ||
| for _, query := range rule.Data { | ||
| if query.QueryType == expr.DatasourceType || query.DatasourceUID == expr.DatasourceUID || query. |
There was a problem hiding this comment.
I know this wasn't technically changed in this PR, but could consider using query.IsExpression() here. Could even do a very small refactor to remove the unused error return so it can be inlined.
There was a problem hiding this comment.
I would rather get rid of the query.IsExpression because it makes a dependency on expr package, and keep the logic that binds expr and ng.models packages in 3rd package.
This check is not necessary, though, and can be replaced by similar logic as
grafana/pkg/services/ngalert/eval/eval.go
Lines 298 to 307 in 580477b
to facilitate checks for MLNode in the future.
I would like to keep it as is to reduce the diff, and address in a follow-up
What is this feature?
This PR updates the rule access control service to return errutil.Error errors that are used throughout the Grafana code.
Notable changes:
AuthorizeDatasourceAccessForRuleandAuthorizeAccessToRuleGroupnow collect all data source scopes and evaluate permissions once.AuthorizeRuleChangeschanged to evaluate permissions on its own using a new method HasAccessOrError. This opens the possibility for better messaging.Now the authorization error response will look like
{ "statusCode": 401, "messageId": "ngalert.unauthorized", "message": "user is not authorized to access rule group NO-ACCESS in folder a1309456-f4a8-4a20-8eab-b2dcdf5ef115", "extra": { "permissions": "all(action:datasources:query scopes:datasources:uid:b4aac448-430c-4c7d-a9e3-5724d1deb0a9 action:datasources:query scopes:datasources:uid:aa09159d-7e2f-4d20-a043-7e87f8634f3d)" } }Why do we need this feature?
Special notes for your reviewer:
Please check that: