K8s/IAM: Use raw handler for display (not rest.Connector) (grafana#99898

)
tipee-sa · Feb 3, 2025 · b636b81 · b636b81
1 parent 2aa7813
commit b636b81
Show file tree

Hide file tree

Showing 7 changed files with 270 additions and 262 deletions.
diff --git a/pkg/apis/iam/v0alpha1/types_display.go b/pkg/apis/iam/v0alpha1/types_display.go
@@ -33,16 +33,17 @@ type Display struct {
 	// AvatarURL is the url where we can get the avatar for identity
 	AvatarURL string `json:"avatarURL,omitempty"`
 
-	// InternalID is the legacy numreric id for identity, this is deprecated and should be phased out
+	// InternalID is the legacy numeric id for identity,
+	// Deprecated: use the identityRef where possible
 	InternalID int64 `json:"internalId,omitempty"`
 }
 
 type IdentityRef struct {
 	// Type of identity e.g. "user".
-	// For a full list see https://github.com/grafana/authlib/blob/2f8d13a83ca3e82da08b53726de1697ee5b5b4cc/claims/type.go#L15-L24
+	// For a full list see https://github.com/grafana/authlib/blob/d6737a7dc8f55e9d42834adb83b5da607ceed293/types/type.go#L15
 	Type claims.IdentityType `json:"type"`
 
-	// Name is the unique identifier for identity, guaranteed jo be a unique value for the type within a namespace.
+	// Name is the unique identifier for identity, guaranteed to be a unique value for the type within a namespace.
 	Name string `json:"name"`
 }
 

diff --git a/pkg/apis/iam/v0alpha1/zz_generated.openapi.go b/pkg/apis/iam/v0alpha1/zz_generated.openapi.go
diff --git a/pkg/registry/apis/iam/register.go b/pkg/registry/apis/iam/register.go
@@ -10,6 +10,7 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	common "k8s.io/kube-openapi/pkg/common"
+	"k8s.io/kube-openapi/pkg/validation/spec"
 
 	"github.com/grafana/authlib/types"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
@@ -34,6 +35,9 @@ type IdentityAccessManagementAPIBuilder struct {
 	authorizer   authorizer.Authorizer
 	accessClient types.AccessClient
 
+	// non-k8s api route
+	display *user.LegacyDisplayREST
+
 	// Not set for multi-tenant deployment for now
 	sso ssosettings.Service
 }
@@ -52,6 +56,7 @@ func RegisterAPIService(
 		sso:          ssoService,
 		authorizer:   authorizer,
 		accessClient: client,
+		display:      user.NewLegacyDisplayREST(store),
 	}
 	apiregistration.RegisterAPI(builder)
 
@@ -60,7 +65,8 @@ func RegisterAPIService(
 
 func NewAPIService(store legacy.LegacyIdentityStore) *IdentityAccessManagementAPIBuilder {
 	return &IdentityAccessManagementAPIBuilder{
-		store: store,
+		store:   store,
+		display: user.NewLegacyDisplayREST(store),
 		authorizer: authorizer.AuthorizerFunc(
 			func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
 				user, err := identity.GetRequester(ctx)
@@ -114,9 +120,6 @@ func (b *IdentityAccessManagementAPIBuilder) UpdateAPIGroupInfo(apiGroupInfo *ge
 		storage[ssoResource.StoragePath()] = sso.NewLegacyStore(b.sso)
 	}
 
-	// The display endpoint -- NOTE, this uses a rewrite hack to allow requests without a name parameter
-	storage["display"] = user.NewLegacyDisplayREST(b.store)
-
 	apiGroupInfo.VersionedResourcesStorageMap[iamv0.VERSION] = storage
 	return nil
 }
@@ -125,6 +128,11 @@ func (b *IdentityAccessManagementAPIBuilder) GetOpenAPIDefinitions() common.GetO
 	return iamv0.GetOpenAPIDefinitions
 }
 
+func (b *IdentityAccessManagementAPIBuilder) GetAPIRoutes() *builder.APIRoutes {
+	defs := b.GetOpenAPIDefinitions()(func(path string) spec.Ref { return spec.Ref{} })
+	return b.display.GetAPIRoutes(defs)
+}
+
 func (b *IdentityAccessManagementAPIBuilder) GetAuthorizer() authorizer.Authorizer {
 	return b.authorizer
 }