grafana

Commit Graph

Author	SHA1	Message	Date
Jeff Levin	028e8ac59e	Instrument tracing across accesscontrol (#91864 ) Instrument tracing across accesscontrol --------- Co-authored-by: Dave Henderson <dave.henderson@grafana.com>	11 months ago
Karl Persson	bcfb66b416	Identity: remove GetTypedID (#91745 )	11 months ago
Ryan McKinley	9db3bc926e	Identity: Rename "namespace" to "type" in the requester interface (#90567 )	11 months ago
Ieva	9bb2cf4968	RBAC: Allow omitting default permissions when a new resource is created (#90720 ) * Cfg: Move rbac settings to own struct * Cfg: Add setting to control if resource should generate managed permissions when created * Dashboards: Check if we should generate default permissions when dashboard is created * Folders: Check if we should generate default permissions when folder is created * Datasource: Check if we should generate default permissions when datasource is created * ServiceAccount: Check if we should generate default permissions when service account is created * Cfg: Add option to specify resources for wich we should default seed * ManagedPermissions: Move providers to their own files * Dashboards: Default seed all possible managed permissions if configured * Folders: Default seed all possible managed permissions if configured * Cfg: Remove service account from list * RBAC: Move utility function * remove managed permission settings from the config file examples, change the setting names * remove ini file changes from the PR * fix setting reading * fix linting errors * fix tests * fix wildcard role seeding --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: jguer <me@jguer.space>	11 months ago
Ryan McKinley	99d8025829	Chore: Move identity and errutil to apimachinery module (#89116 )	1 year ago
Aaron Godin	d409d8e860	IAM - Fix error messages for resource permissions endpoints (#85773 ) * IAM: fix many error messages in access-related code to provide more information * Remove debug statement * Refactor resourcepermissions package to use errutil * Replace a few more errors with errutil and wrap errors found in users and teams services * Apply diff of openAPI spec	1 year ago
Ieva	58059da10b	RBAC: Fix global role deletion in hosted Grafana (#85980 ) take into account the value of RBACSingleOrganization setting when determining org	1 year ago
Alexander Zobnin	3127566a20	Access control: Use ResolveIdentity() for authorizing in org (#85549 ) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()	1 year ago
Ieva	beb15d938b	RBAC: Fix access checks for interactions with RBAC roles in hosted Grafana (#85485 ) * don't check global permissions for cloud instances * linting	1 year ago
Alexander Zobnin	f36ad469d0	Access Control: Get global role from request params (#84469 )	1 year ago
Alexander Zobnin	fd9031ca37	Access Control: Get org from request data for authorization (#84359 ) * Access Control: Get org from request data for authorization * move type to models * Update pkg/services/accesscontrol/middleware.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * refactor * refactor * Fix linter --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	1 year ago
Jo	0aebb9ee39	Misc: Remove unused params and impossible logic (#83756 ) * remove unused params and impossible logic * remove unused param	1 year ago
Gabriel MABILLE	3df0611f81	RBAC: Fix authorize in org (#81552 ) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case	1 year ago
Jo	0de66a8099	Authz: Remove use of SignedInUser copy for permission evaluation (#78448 ) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys	2 years ago
Gabriel MABILLE	b6b86bb0b3	RBAC: Check `plugins:install` globally (#78438 ) * RBAC: Check plugins:install globally * Add disclamer to the RBACSingleOrganization config option	2 years ago
Jo	48ef88aed7	Access: Fetch fresh permissions for target GlobalOrgID in AuthorizeInOrgMiddleware (#76569 ) fetch fresh permissions for global in AuthorizeInOrgMiddleware Update pkg/services/accesscontrol/authorize_in_org_test.go do not load viewer permissions in global ID	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Jo	26339f978b	Auth: Move access control API to SignedInUser interface (#73144 ) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>	2 years ago
Karl Persson	16d24a8429	RBAC: remove LoadPermissionsMiddleware (#73228 ) * PubDash: remove LoadPermissionMiddleware from tests * RBAC: Remove unused LoadPermission middleware	2 years ago
Jo	e56b2cae00	MESA: Allow using synced permissions (#71377 ) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit	2 years ago
Ieva	a65cb4d808	RBAC: remove simple RBAC disabled checks (#71137 ) * remove simple RBAC disabled checks * fixing tests * remove old AC tests	2 years ago
Ieva	4980b64274	RBAC: Remove legacy ac from authorization middleware (#68898 ) remove legacy AC fallback from RBAC middleware, and some unused auth logic	2 years ago
Karl Persson	382b24742a	Auth: Add feature flag to move token rotation to client (#65060 ) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Sofia Papagiannaki	fde96c91c1	Chore: Differentiate the ErrOrgNotFound error messages (#64131 ) * Better org not found error messages	2 years ago
idafurjes	6c5a573772	Chore: Move ReqContext to contexthandler service (#62102 ) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports	2 years ago
idafurjes	bb35f37b66	Chore: Delete org model duplicates (#60940 ) * Delete org model duplicates * Fix lint * Move OrgDetailsDTO to org pkg	3 years ago
Karl Persson	fef1e1d5bc	Auth: Refactor auth package (#58920 ) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency	3 years ago
Kristina	5d7d54d076	Auth: Write the redirect cookie if denied - do not write a blank redirect (#57381 ) * Write the redirect cookie if denied - do not write a blank redirect * Remove redundant code, reverse polarity	3 years ago
Emil Tullstedt	bb479e030a	RBAC: Redirect to /login when forceLogin is set (#56469 )	3 years ago
idafurjes	a863a4d95d	Chore: Copy user methods over to user store (#56000 ) * Chore: Copy user methods over to user store * Fix some tests and bugs * Add some more tests * Move tests to user store * Move back the tests * Add some tests	3 years ago
Karl Persson	bcd7afd1f5	RBAC: Remove service dependency in Evaluator component (#54910 ) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user	3 years ago
Karl Persson	55c7b8add2	RBAC: Split up service into several components (#54002 ) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake	3 years ago
idafurjes	fa2e74cd6e	Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734 ) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>	3 years ago
idafurjes	a14621fff6	Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343 ) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields	3 years ago
idafurjes	6afad51761	Move SignedInUser to user service and RoleType and Roles to org (#53445 ) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2	3 years ago
Karl Persson	e9a93ebfc9	Access Control: Move access control middlewares to domain package (#48322 ) * Move access control middleware to domain package	3 years ago
Gabriel MABILLE	3440e7c8f7	AccessControl: Fix locked role picker in orgs/edit page (#46539 ) * AccessControl: Fix locked role picker in orgs/edit page * Use correct org when computing metadata	3 years ago
Gabriel MABILLE	6fbf346747	AccessControl: Add endpoint to get user permissions (#45309 ) * AccessControl: Add endpoint to get user permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Fix SA tests * Linter is wrong :p * Wait I was wrong * Adding the route for teams:creator too Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>	3 years ago
idafurjes	1b286e6bb5	Remove bus from quota, preferences, plugins, user_token (#44762 ) * Remove bus from quota, preferences, plugins, user_token * Bind sqlstore.Store to sqlstore.SQLStore Fix test * Fix sqlstore wire injection, dependency	3 years ago
J Guerreiro	2894f07f05	AccessControl: improve denied message (#44551 ) * AccessControl: improve denied message * AccessControl: tweak permission denied	3 years ago
Gabriel MABILLE	54280fc9d7	AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742 ) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com>	3 years ago
ying-jeanne	7422789ec7	Remove Macaron ParamsInt64 function from code base (#43810 ) * draft commit * change all calls * Compilation errors	4 years ago
J Guerreiro	a0cf57b5b8	AccessControl: Reduce tone of access error (#43601 )	4 years ago
Karl Persson	c3ca2d214d	Access control: Refactor managed permission system to create api and frontend components (#42540 ) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	4 years ago
Karl Persson	9558c09a7c	Access Control: Store permissions on SignedInUser (#43040 ) * add permission structure to signedinuser * add middleware to load user permissions into signedinuser struct * apply LoadPermissionsMiddleware to http server * check for permissions in signedinuser struct Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>	4 years ago
Gabriel MABILLE	818b8739c0	AccessControl: Remove scopes from orgs endpoints (#41709 ) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva	4 years ago
Emil Tullstedt	3b637f4b44	Access control: Redirect non-API calls (#41100 )	4 years ago
Serge Zaitsev	57fcfd578d	Chore: replace macaron with web package (#40136 ) * replace macaron with web package * add web.go	4 years ago
Gabriel MABILLE	458371c8eb	AccessControl: Extend scope parameters with extra params from context (#39722 ) * AccessControl: Extend scope parameters with extra params from context Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>	4 years ago
Serge Zaitsev	063160aae2	Chore: pass url parameters through context.Context (#38826 ) * pass url parameters through context.Context * fix url param names without colon prefix * change context params to vars * replace url vars in tests using new api * rename vars to params * add some comments * rename seturlvars to seturlparams	4 years ago

36 Commits (40cdfeb00b4e15ee3d65e70d9a99b7d603daf597)