grafana

Commit Graph

Author	SHA1	Message	Date
Eric Leijonmarck	ddabef9895	RBAC: Add actionsets struct and write path (#86108 ) * Add actionsets struct and failing test * update from review * review comments * review comments update * refactor: create interface * actionset service * fix tests * move from wireoss to wire * Apply suggestions from code review remove unnecessary comments Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * nil for the actionsetservice * Revert "nil for the actionsetservice" This reverts commit `e3d3cc8171`. --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Aaron Godin	d409d8e860	IAM - Fix error messages for resource permissions endpoints (#85773 ) * IAM: fix many error messages in access-related code to provide more information * Remove debug statement * Refactor resourcepermissions package to use errutil * Replace a few more errors with errutil and wrap errors found in users and teams services * Apply diff of openAPI spec	2 years ago
Yuri Tseretyan	12605bfed2	Alerting: Update fixed roles to include silences permissions (#85826 ) * update fixed roles to include silences * add silence actions to managed permissions * update documentation	2 years ago
Karl Persson	73fecc8d80	Authn: Identity resolvers (#85930 ) * AuthN: Add NamespaceID struct. We should replace the usage of encoded namespaceID with this one * AuthN: Add optional interface that clients can implement to be able to resolve identity for a namespace * Authn: Implement IdentityResolverClient for api keys * AuthN: use idenity resolvers Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Ieva	58059da10b	RBAC: Fix global role deletion in hosted Grafana (#85980 ) take into account the value of RBACSingleOrganization setting when determining org	2 years ago
Alexander Zobnin	3127566a20	Access control: Use ResolveIdentity() for authorizing in org (#85549 ) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()	2 years ago
Yuri Tseretyan	509691b416	Alerting: Introduce authorization logic for operations on silences (#85418 ) * extract genericService from RuleService just to reuse it later * implement silence service --------- Co-authored-by: William Wernert <william.wernert@grafana.com> Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>	2 years ago
Serge Zaitsev	faa1244518	Chore: Replace sqlstore with db interface (#85366 ) * replace sqlstore with db interface in a few packages * remove from stats * remove sqlstore in admin test * remove sqlstore from api plugin tests * fix another createUser * remove sqlstore in publicdashboards * remove sqlstore from orgs * clean up orguser test * more clean up in sso * clean up service accounts * further cleanup * more cleanup in accesscontrol * last cleanup in accesscontrol * clean up teams * more removals * split cfg from db in testenv * few remaining fixes * fix test with bus * pass cfg for testing inside db as an option * set query retries when no opts provided * revert golden test data * rebase and rollback	2 years ago
Karl Persson	504870f10a	Auth: Decouple client and hook registration (#85084 )	2 years ago
Ieva	beb15d938b	RBAC: Fix access checks for interactions with RBAC roles in hosted Grafana (#85485 ) * don't check global permissions for cloud instances * linting	2 years ago
Jo	5340a6e548	Auth: Extended JWT client for OBO and Service Authentication (#83814 ) * reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
linoman	147154d2ea	Remove AuthConfigUIAdminAccess (#85452 ) * Remove AuthConfigUIAdminAccess	2 years ago
Karl Persson	5dd98a0fd5	RBAC: handle partially resolved scopes (#85323 ) * RBAC: handle partially resolved scopes Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Gabriel MABILLE	5e48804364	RBAC: Fix slow user permission search query on MySQL (#85058 ) * Bench testing search user perm * Add BenchmarkSearchUsersPermissions_1K_1K * Clarify benchmark searches by action prefix * Make MySQL more efficient * Move all filter options * Expand after assignments union * update comments	2 years ago
Yuri Tseretyan	48de8657c9	Alerting: Editor role can access all provisioning API (#85022 )	2 years ago
Ieva	7aa0ba8c59	Teams: Display teams page to team reader if they also have the access to list team permissions (#84650 ) * display teams to team reader if they also have the access to list team permissions * fix a typo in the docs	2 years ago
Alexander Zobnin	f36ad469d0	Access Control: Get global role from request params (#84469 )	2 years ago
Alexander Zobnin	fd9031ca37	Access Control: Get org from request data for authorization (#84359 ) * Access Control: Get org from request data for authorization * move type to models * Update pkg/services/accesscontrol/middleware.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * refactor * refactor * Fix linter --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Misi	f5c78e0ad9	RBAC: Add ActionSettingsRead action to general.auth.config writer (#84366 ) Add ActionSettingsRead action to general.auth.config writer	2 years ago
Yuri Tseretyan	21719a6b5b	Chore: Fix log message in access control (#84101 )	2 years ago
Karl Persson	22074c5026	RBAC: add debug log for permission evaluation (#83880 ) * fix: add debug log when evaluating permissions that includes target permissions	2 years ago
Alexander Zobnin	82a88cc83f	Access control: Extend GetUserPermissions() to query permissions in org (#83392 ) * Access control: Extend GetUserPermissions() to query permissions in specific org * Use db query to fetch permissions in org * refactor * refactor * use conditional join * minor refactor * Add test cases * Search permissions correctly in OSS vs Enterprise * Get permissions from memory * Refactor * remove unused func * Add tests for GetUserPermissionsInOrg * fix linter	2 years ago
Jo	0aebb9ee39	Misc: Remove unused params and impossible logic (#83756 ) * remove unused params and impossible logic * remove unused param	2 years ago
Gabriel MABILLE	8d9921a5ba	RBAC: Fix delete team permissions on team delete (#83442 ) * RBAC: Remove team permissions on delete * Remove unecessary deletes from store function * Nit on mock * Add test to the database * Nit on comment * Add another test to check that other permissions remain	2 years ago
Jo	cc3b088b6c	Teams: Fix missing context in team service (#83327 ) fix missing context in team service	2 years ago
Gabriel MABILLE	80d6bf6da0	AuthN: Remove embedded oauth server (#83146 ) * AuthN: Remove embedded oauth server * Restore main * go mod tidy * Fix problem * Remove permission intersection * Fix test and lint * Fix TestData test * Revert to origin/main * Update go.mod * Update go.mod * Update go.sum	2 years ago
Alexander Zobnin	9bbb7f67e0	Chore: Move store interface to top level (#83153 ) * Chore: Move store interface to top level * Update store mock	2 years ago
Serge Zaitsev	1aff748e8f	Use split scopes instead of substr in search v1 (#82092 ) * use split scopes instead of substr in search v1 * tests, of course * yet, some test helpers dont use split scopes * another test helper to fix * add permission.identifier to group by * check if attribute is uid * fix tests * use SplitScope() * fix more tests	2 years ago
Misi	bb9d5799cf	Auth: Load `oauth_allow_insecure_email_lookup` using the SettingsProvider (#82460 ) * wip * Introduce fixed:server.config:writer role * Fix tests * Update name	2 years ago
Gabriel MABILLE	846eadff63	RBAC Search: Replace `userLogin` filter by `namespacedID` filter (#81810 ) * Add namespace ID * Refactor and add tests * Rename maxOneOption -> atMostOneOption * Add ToDo * Remove UserLogin & UserID for NamespaceID Co-authored-by: jguer <joao.guerreiro@grafana.com> * Remove unecessary import of the userSvc * Update pkg/services/accesscontrol/acimpl/service.go * fix 1 -> userID * Update pkg/services/accesscontrol/accesscontrol.go --------- Co-authored-by: jguer <joao.guerreiro@grafana.com>	2 years ago
Karl Persson	1315c67c8b	Team/User: UID migrations (#82298 ) * Add user uid migration to run on every startup to protect against empty values in a upgrade downgrade scenario * Add team uid migration to run on every startup to protect against empty values in a upgrade downgrade scenario * Run team uid migration	2 years ago
Dan Cech	790e1feb93	Chore: Update test database initialization (#81673 ) * streamline initialization of test databases, support on-disk sqlite test db * clean up test databases * introduce testsuite helper * use testsuite everywhere we use a test db * update documentation * improve error handling * disable entity integration test until we can figure out locking error	2 years ago
Jo	6ac0bc5ecf	Seeder: Add missing methods to Registrations (#81961 ) * add slice copy method * fix slice copy	2 years ago
William Wernert	2ab7d3c725	Alerting: Receivers API (read only endpoints) (#81751 ) * Add single receiver method * Add receiver permissions * Add single/multi GET endpoints for receivers * Remove stable tag from time intervals See end of PR description here: https://github.com/grafana/grafana/pull/81672	2 years ago
Jo	7852ea012d	Access: Remove split scopes feature toggle (#81874 ) * remove split scopes FT * Revert "remove split scopes FT" This reverts commit `349fb081d3`. * make toggle deprecated instead * fix gen	2 years ago
Gabriel MABILLE	4a1e8f3d98	RBAC: Reject plugin registrations without a name (#81719 ) * RBAC: Reject plugin registrations without a name * Lint'	2 years ago
Yuri Tseretyan	d1073deefd	Alerting: Time intervals API (read only endpoints) (#81672 ) * declare new API and models GettableTimeIntervals, PostableTimeIntervals * add new actions alert.notifications.time-intervals:read and alert.notifications.time-intervals:write. * update existing alerting roles with the read action. Add to all alerting roles. * add integration tests	2 years ago
Gabriel MABILLE	3df0611f81	RBAC: Fix authorize in org (#81552 ) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case	2 years ago
Gabriel MABILLE	08f305797f	RBAC: Add metric to count search user permissions cache hits (#81451 )	2 years ago
Ieva	048d1e7c86	RBAC: Annotation permission migration (#78899 ) * add annotation permissions to dashboard managed role and add migrations for annotation permissions * fix a bug with conditional access level definitions * add tests * Update pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * apply feedback * add batching, fix tests and a typo * add one more test * undo unneeded change * undo unwanted change * only check the default basic permissions for non-OSS instances * account for all wildcards and simplify the check a bit * error handling and extra conditionals to avoid test failures * fix a bug with admin permissions not appearing for folders * fix the OSS check --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Gabriel MABILLE	7512b1a519	RBAC: Search fix userID filter (#81337 )	2 years ago
Gabriel MABILLE	19194ea122	RBAC: Remove redundant search endpoint (#81331 )	2 years ago
Gabriel MABILLE	722b78f3e0	RBAC: Add userLogin filter to the permission search endpoint (#81137 ) * RBAC: Search add user login filter * Switch to a userService resolving instead * Remove unused error * Fallback to use the cache * account for userID filter * Account for the error * snake case * Add test cases * Add api tests * Fix return on error * Re-order imports	2 years ago
Ieva	dc9e590b7b	RBAC: Return the underlying error instead of internal server or bad request for managed permission endpoints (#80974 ) * return not found instead of an internal server error when listing/updating permissions * openapi gen	2 years ago
Misi	4577e61ee7	Auth: Improve /admin/authentication permission checks and include new SSO pages (#81183 ) * Move evalAuthSettings to ssoutils * Improve permission check for auth page	2 years ago
idafurjes	7e5544ab21	Add MFolderIDsServiceCount to count folderIDs in services pkg (#81237 )	2 years ago
Marcus Efraimsson	6768c6c059	Chore: Remove public vars in setting package (#81018 ) Removes the public variable setting.SecretKey plus some other ones. Introduces some new functions for creating setting.Cfg.	2 years ago
Alexander Zobnin	08082104e1	Access control: Add permissions cache hit/miss metrics (#80883 ) * Access control: Add permissions cache hit/miss metrics * Add metrics to OSS * Fix imports	2 years ago
Gabriel MABILLE	dce9d1e87c	RBAC: Search endpoint support wildcards (#80383 ) * RBAC: Search endpoint support wildcards * Allow wildcard filter with RAM permissions as well	2 years ago
Karl Persson	7b58f71b33	AuthN: Add auth hook that can sync grafana cloud role to rbac cloud role (#80416 ) * AuthnSync: Rename files and structures * AuthnSync: register rbac cloud role sync if feature toggle is enabled * RBAC: Add new sync function to service interface * RBAC: add common prefix and role names for cloud fixed roles * AuthnSync+RBAC: implement rbac cloud role sync Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago

1 2 3 4 5 ...

402 Commits (59eb302fc14e54b1889a5df0431d97b51f25bd7f)