Skip to content

Queriers: Implement RBAC on external queriers#2593

Merged
joe-elliott merged 13 commits intografana:mainfrom
modulitos:2477-external-querier
Jul 19, 2023
Merged

Queriers: Implement RBAC on external queriers#2593
joe-elliott merged 13 commits intografana:mainfrom
modulitos:2477-external-querier

Conversation

@modulitos
Copy link
Copy Markdown
Contributor

@modulitos modulitos commented Jun 26, 2023
edited
Loading

What this PR does:
This PR adds RBAC support when querying the external endpoints. It adds an "external client" struct to encapsulate the concerns around sending remote requests to an external endpoint, which makes it easier to inject RBAC behavior into that struct.

It only supports RBAC on CloudRun, but adding Lambda support should be an easy followup. I also did a red/green smoke test using a CloudRun backend, and it's behaving as expected.

Which issue(s) this PR fixes:
Resolves #2477

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

@modulitos modulitos force-pushed the 2477-external-querier branch 3 times, most recently from f0d5e15 to 42abc1b Compare June 26, 2023 08:06
modulitos
modulitos commented Jun 26, 2023
View reviewed changes
Comment thread CONTRIBUTING.md
Comment thread modules/querier/external/client.go
@knylander-grafana knylander-grafana added the type/docs Improvements or additions to documentation label Jun 26, 2023
knylander-grafana
knylander-grafana reviewed Jun 26, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@knylander-grafana knylander-grafana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for adding some doc content. When we add more support, it would be great to add a configuration page with information about use cases, benefits, etc.

joe-elliott
joe-elliott reviewed Jun 26, 2023
View reviewed changes
Comment thread CHANGELOG.md Outdated
Comment thread CONTRIBUTING.md
Comment thread modules/querier/external/cloud_run.go Outdated
Comment thread docs/sources/tempo/configuration/_index.md Outdated
@knylander-grafana knylander-grafana removed the type/docs Improvements or additions to documentation label Jun 26, 2023
@modulitos modulitos force-pushed the 2477-external-querier branch 2 times, most recently from c20bdd5 to 5cb0fd8 Compare July 3, 2023 00:07
modulitos
modulitos commented Jul 6, 2023
View reviewed changes
Comment thread modules/querier/external/token_provider.go
@modulitos modulitos force-pushed the 2477-external-querier branch 2 times, most recently from 5881a2d to 0827d56 Compare July 6, 2023 06:32
joe-elliott
joe-elliott reviewed Jul 10, 2023
View reviewed changes
Comment thread docs/sources/tempo/configuration/_index.md Outdated
Comment thread modules/querier/external/client.go Outdated
Comment thread modules/querier/external/client.go
Comment thread modules/querier/external/token_provider.go
Comment thread modules/querier/external/token_provider.go
Comment thread modules/querier/external/token_provider.go
@modulitos modulitos force-pushed the 2477-external-querier branch 2 times, most recently from 23623e4 to a328a02 Compare July 16, 2023 01:21
modulitos added 4 commits July 18, 2023 23:00
@modulitos
Implement external querier with RBAC
8fd98ec 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Update contributing.md
7370eb6 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Update vendor-check
ec4b7c9 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Update changelog
8cfe509 
Signed-off-by: modulitos <hi@modulitos.com>
modulitos added 8 commits July 18, 2023 23:00
@modulitos
Update docs
848a905 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Update changelog - pr feedback
5ff73a6 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Implement TokenSource caching per endpoint
70e5aad 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Implement external search config with separate structs
8c1fcba 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Update docs
938e072 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
Move request hedging settings into parent config
efad8a1 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
implement same interface for all token providers
3eb41ef 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos
revert using same interface for all token providers
fc0367f 
Signed-off-by: modulitos <hi@modulitos.com>
@modulitos modulitos force-pushed the 2477-external-querier branch from a328a02 to fc0367f Compare July 19, 2023 06:47
@modulitos
Always wrap token source with ReuseTokenSource
57e5c1a 
Signed-off-by: modulitos <hi@modulitos.com>
joe-elliott
joe-elliott approved these changes Jul 19, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@joe-elliott joe-elliott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great work! appreciate this contribution. adds a nice authentication option for GCR and starts laying the groundwork for additional configuration per backend.

@joe-elliott joe-elliott merged commit 8c0be5b into grafana:main Jul 19, 2023
@modulitos modulitos mentioned this pull request Jul 28, 2023
Merged
3 tasks
@github-actions github-actions Bot mentioned this pull request Jul 28, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knylander-grafana knylander-grafana knylander-grafana left review comments

@joe-elliott joe-elliott joe-elliott approved these changes

@annanay25 annanay25 Awaiting requested review from annanay25

@mdisibio mdisibio Awaiting requested review from mdisibio mdisibio is a code owner

@mapno mapno Awaiting requested review from mapno mapno is a code owner

@yvrhdn yvrhdn Awaiting requested review from yvrhdn yvrhdn is a code owner

@zalegrala zalegrala Awaiting requested review from zalegrala zalegrala is a code owner

@electron0zero electron0zero Awaiting requested review from electron0zero electron0zero is a code owner

@ie-pham ie-pham Awaiting requested review from ie-pham ie-pham is a code owner

@stoewer stoewer Awaiting requested review from stoewer stoewer is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support RBAC on remote calls from the querier to the serverless backend

3 participants

@modulitos @joe-elliott @knylander-grafana