feat: add service account checks in plugin auth #5305
bfcc21c to 6b69970
@@ -133,6 +134,14 @@ def _get_user(request: Request, organization: Organization) -> User: | |||
except KeyError: | |||
user_id = context["UserID"] | |||
|
|||
if context.get("IsServiceAccount", False): |
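Review bot: The new condition context.get("IsServiceAccount", False) is a truthiness test, so any non-empty value in the context, including a string such as "false", takes the service-account branch. Because this flag selects a different user-resolution path, compare strictly (for example, context.get("IsServiceAccount") is True) and treat every other value as a regular user. A one-line comment saying why this field is read with .get and a default, while UserID just above is indexed directly, would also help the next reader.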
This just reminded me we need to clean up the GrafanaHeadersMixin in mixins.py at some point whenever we remove the old status endpoint. This way of doing it is better in that it is more tolerant of missing/different fields when dealing with plugin rollout difference between objects.
LGTM 👍
grafana_url = request.headers.get(X_GRAFANA_URL) | ||
if grafana_url: | ||
organization = Organization.objects.filter(grafana_url=grafana_url).first() | ||
if not organization: | ||
raise exceptions.AuthenticationFailed("Invalid Grafana URL.") | ||
success = setup_organization(grafana_url, auth) |
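Review bot: grafana_url is read straight from the X_GRAFANA_URL request header and, when no Organization matches it, is passed to setup_organization(grafana_url, auth) with no validation visible in this hunk. Since the caller chooses that value, check it before the call (scheme and an expected host or allowlist) so the token in auth is only ever used against a Grafana instance this deployment is meant to serve. Also make sure a falsy success still ends in AuthenticationFailed("Invalid Grafana URL.") rather than continuing with organization unset, and add a short comment naming the bootstrap case this call exists for.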
Just out of curiosity, what's the use-case for the new setup_organization call here?
There is a use case in which you can bootstrap a Grafana stack from scratch (via Terraform), setting up a service account token in the process with which you could hit our API and OnCall may not know about the organization yet, so this should sync the org if the service account token auth passes and we don't have a record for that org yet.
Related to https://github.com/grafana/oncall-private/issues/2826
Related to https://github.com/grafana/irm/pull/459
Allow org sync requests from service account users. Also trigger a sync during public API requests if the org wasn't yet set up.