grafana

Commit Graph

Author	SHA1	Message	Date
Kristin Laemmert	77a4869fca	accesscontrol service read replica (#89963 ) * accesscontrol service read replica * now using the ReplDB interface * ReadReplica for GetUser	1 year ago
Jeff Levin	cfe8317d45	Add auth spans and remove deduplication code for scopes (#89804 ) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	1 year ago
Karl Persson	e568b86ac0	Zanzana: Initial work to allow partial data migrations (#89919 ) * Zanana: Add Write method to interface * Zanzana: Add utilities for translating RBAC to openFGA tuple keys * RBAC: Add zanzana synchronizer * Run zanzana sync in access controll provider	1 year ago
Jeff Levin	ed13959e33	Optimize memory allocations in permissions cache (#89645 ) This PR reduces the number of allocations made while caching permissions from the database, fixes the hierarchy of spans and adds new spans for tracing. --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com>	1 year ago
Ryan McKinley	99d8025829	Chore: Move identity and errutil to apimachinery module (#89116 )	2 years ago
Ieva	34c40f959f	RBAC: Add and resolve action sets when searching user's permissions (#88694 ) * include and resolve action sets when fetching user's permissions * expand both action and action prefix (returns an empty set for the one that isn't specified) Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * if action is specified, check for exact match; also extend tests	2 years ago
Ieva	3e77768144	RBAC: Expand action sets when fetching permissions (#87967 ) * logic to expand action set to the underlying actions when permissions are fetched from the DB * updates needed for dependency injection * clean up some code, also deduplicate scopes when grouping scopes and actions * expand on a comment * rename a method	2 years ago
Gabriel MABILLE	e7d5622969	RBAC: No need to filter permissions on cache hit (#87941 )	2 years ago
Alexander Zobnin	0302b75721	Access control: Use search options for computing permissions cache key (#87589 )	2 years ago
Alexander Zobnin	d1c582815a	Access control: Fix searching permissions from cache (#87489 ) * Fix searching permissions from cache * Write permissions to cache	2 years ago
Alexander Zobnin	82dea4b3e5	Access control: Cache basic roles and teams permissions (#87043 ) * RBAC: Cache basic roles permissions * Cache teams permissions * Set cache TTL to 1 minute * Add OSS implementation * Fetch basic role permissions correctly * fix conflict_user_command * Fix teams permissions query * Add traces for GetUserPermissions * Fix folders tests * Fix colflict user command * Update store mock * Fix linter error * Reuse GetUserPermissions for fetching basic roles * tests for GetTeamsPermissions * pre-allocate slice capacity * Fix linter	2 years ago
Alexander Zobnin	3127566a20	Access control: Use ResolveIdentity() for authorizing in org (#85549 ) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()	2 years ago
Jo	5340a6e548	Auth: Extended JWT client for OBO and Service Authentication (#83814 ) * reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Alexander Zobnin	82a88cc83f	Access control: Extend GetUserPermissions() to query permissions in org (#83392 ) * Access control: Extend GetUserPermissions() to query permissions in specific org * Use db query to fetch permissions in org * refactor * refactor * use conditional join * minor refactor * Add test cases * Search permissions correctly in OSS vs Enterprise * Get permissions from memory * Refactor * remove unused func * Add tests for GetUserPermissionsInOrg * fix linter	2 years ago
Gabriel MABILLE	8d9921a5ba	RBAC: Fix delete team permissions on team delete (#83442 ) * RBAC: Remove team permissions on delete * Remove unecessary deletes from store function * Nit on mock * Add test to the database * Nit on comment * Add another test to check that other permissions remain	2 years ago
Gabriel MABILLE	80d6bf6da0	AuthN: Remove embedded oauth server (#83146 ) * AuthN: Remove embedded oauth server * Restore main * go mod tidy * Fix problem * Remove permission intersection * Fix test and lint * Fix TestData test * Revert to origin/main * Update go.mod * Update go.mod * Update go.sum	2 years ago
Alexander Zobnin	9bbb7f67e0	Chore: Move store interface to top level (#83153 ) * Chore: Move store interface to top level * Update store mock	2 years ago
Gabriel MABILLE	846eadff63	RBAC Search: Replace `userLogin` filter by `namespacedID` filter (#81810 ) * Add namespace ID * Refactor and add tests * Rename maxOneOption -> atMostOneOption * Add ToDo * Remove UserLogin & UserID for NamespaceID Co-authored-by: jguer <joao.guerreiro@grafana.com> * Remove unecessary import of the userSvc * Update pkg/services/accesscontrol/acimpl/service.go * fix 1 -> userID * Update pkg/services/accesscontrol/accesscontrol.go --------- Co-authored-by: jguer <joao.guerreiro@grafana.com>	2 years ago
Jo	7852ea012d	Access: Remove split scopes feature toggle (#81874 ) * remove split scopes FT * Revert "remove split scopes FT" This reverts commit `349fb081d3`. * make toggle deprecated instead * fix gen	2 years ago
Gabriel MABILLE	08f305797f	RBAC: Add metric to count search user permissions cache hits (#81451 )	2 years ago
Gabriel MABILLE	722b78f3e0	RBAC: Add userLogin filter to the permission search endpoint (#81137 ) * RBAC: Search add user login filter * Switch to a userService resolving instead * Remove unused error * Fallback to use the cache * account for userID filter * Account for the error * snake case * Add test cases * Add api tests * Fix return on error * Re-order imports	2 years ago
Alexander Zobnin	08082104e1	Access control: Add permissions cache hit/miss metrics (#80883 ) * Access control: Add permissions cache hit/miss metrics * Add metrics to OSS * Fix imports	2 years ago
Gabriel MABILLE	dce9d1e87c	RBAC: Search endpoint support wildcards (#80383 ) * RBAC: Search endpoint support wildcards * Allow wildcard filter with RAM permissions as well	2 years ago
Karl Persson	7b58f71b33	AuthN: Add auth hook that can sync grafana cloud role to rbac cloud role (#80416 ) * AuthnSync: Rename files and structures * AuthnSync: register rbac cloud role sync if feature toggle is enabled * RBAC: Add new sync function to service interface * RBAC: add common prefix and role names for cloud fixed roles * AuthnSync+RBAC: implement rbac cloud role sync Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Gabriel MABILLE	48ff532ca8	RBAC: Add histogram metric on search endpoint (#80553 ) RBAC: Add histogram on search endpoint	2 years ago
Ryan McKinley	1caaa56de0	FeatureFlags: Use interface rather than manager (#80000 )	2 years ago
Alexander Zobnin	959ebf82da	Folders: Show dashboards and folders with directly assigned permissions in "Shared" folder (#78465 ) * Folders: Show folders user has access to at the root level * Refactor * Refactor * Hide parent folders user has no access to * Skip expensive computation if possible * Fix tests * Fix potential nil access * Fix duplicated folders * Fix linter error * Fix querying folders if no managed permissions set * Update benchmark * Add special shared with me folder and fetch available non-root folders on demand * Fix parents query * Improve db query for folders * Reset benchmark changes * Fix permissions for shared with me folder * Simplify dedup * Add option to include shared folder permission to user's permissions * Fix nil UID * Remove duplicated folders from shared list * Folders: Fix fetching empty folder * Nested folders: Show dashboards with directly assigned permissions * Fix slow dashboards fetch * Refactor * Fix cycle dependencies * Move shared folder to models * Fix shared folder links * Refactor * Use feature flag for permissions * Use feature flag * Review comments * Expose shared folder UID through frontend settings * Add frontend type for sharedWithMeFolderUID option * Refactor: apply review suggestions * Fix parent uid for shared folder * Fix listing shared dashboards for users with access to all folders * Prevent creating folder with "shared" UID * Add tests for shared folders * Add test for shared dashboards * Fix linter * Add metrics for shared with me folder * Add metrics for shared with me dashboards * Fix tests * Tests: add metrics as a dependency * Fix access control metadata for shared with me folder * Use constant for shared with me * Optimize parent folders access check, fetch all folders in one query. * Use labels for metrics	2 years ago
Jo	0de66a8099	Authz: Remove use of SignedInUser copy for permission evaluation (#78448 ) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys	2 years ago
Ryan McKinley	f69fd3726b	FeatureToggles: Add context and and an explicit global check (#78081 )	2 years ago
Ryan McKinley	3509a5abb9	FeatureFlags: Cleanup usage of cfg.IsFeatureToggleEnabled (#78014 )	2 years ago
Gabriel MABILLE	797a3c57af	Plugins: Automatic service account (and token) setup (#76473 ) * Update cue to have an AuthProvider entry * Cable the new auth provider * Add feature flag check to the accesscontrol service * Fix test * Change the structure of externalServiceRegistration (#76673)	2 years ago
Karl Persson	7a38090bc0	AuthN: Fix namespaces for anonymous and render (#75661 ) * AuthN: remove IsAnonymous from identity struct and set correct namespace for anonymous and render * Don't parse user id for render namespace	2 years ago
Karl Persson	cebae4fb9a	Requester: Update GetCacheKey (#74834 ) * AuthN: re-export all namespaces * Identity: Change signature of GetCacheKey * User: check HasUniqueID * Default to org role None if role is empty	2 years ago
Ieva	58efa49933	Chore: remove `IsDisabled` method for access control (#74340 ) remove IsDisabled method for access control, clean up tests	2 years ago
Serge Zaitsev	8187d8cb66	Chore: capitalise log message for auth packages (#74332 )	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Ieva	6885b3d577	Chore: remove checks for whether RBAC is disabled (#73812 ) * remove checks for whether access control is disabled, as it is always enabled now * linting	2 years ago
Jo	bd1a856d33	Auth: Add SignedIn user interface NamespacedID (#72944 ) * wip * scope active user to 1 org * remove TODOs * add render auth namespace * import cycle fix * make condition more readable * convert Evaluate to user Requester * only use active OrgID for SearchUserPermissions * add cache key to interface definition * change final SignedInUsers to interface * fix api key managed roles fetch * fix anon auth id parsing * Update pkg/services/accesscontrol/acimpl/accesscontrol.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Ieva	cfa1a2c55f	RBAC: Split non-empty scopes into `kind`, `attribute` and `identifier` fields for better search performance (#71933 ) * add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Ieva	25c4292a5f	RBAC: search v1 permission filter part 1 - cleanup & updating tests (#71913 ) * update tests and remove some AC disabled checks * remove test for old permission filter builder	2 years ago
Ieva	a65cb4d808	RBAC: remove simple RBAC disabled checks (#71137 ) * remove simple RBAC disabled checks * fixing tests * remove old AC tests	2 years ago
Gabriel MABILLE	edf1775d49	AuthN: Embed an OAuth2 server for external service authentication (#68086 ) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user🆔<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from `526e48ad45` * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>	3 years ago
Gabriel MABILLE	d7eea0d207	RBAC: Add a function to delete external service roles (#68317 ) * RBAC: Add function to delete external service roles * Adding a test to the service * Update pkg/services/accesscontrol/acimpl/service_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	3 years ago
Misi	23d8f7c2fe	RBAC: Fix SearchUsersPermissions when the filter is empty (#68176 ) Fix SearchUsersPermission action filter	3 years ago
Gabriel MABILLE	8c6b5a4319	RBAC: Add a function to save external service roles (#66299 ) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	3 years ago
Ieva	533f8caafd	SAML: change the config option for making SAML UI accessible to org Admins (#67399 ) * change from role grant overrides to SAML UI specific config option * update permissions needed to access SAML UI * PR feedback: change config name, change required perms to write, add a comment	3 years ago
Gabriel MABILLE	3b63844390	RBAC: Feature to override default assignments (#66561 ) * RBAC: Feature to override default assignments Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Add test and trim spaces * Pass linting * Apply the rbac overrides to fixed_authentication.config_writer * Removing from the default ini file for now * Add grants overrides section to cfg * slimmer handleGrantOverrides function --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	3 years ago
Ieva	6aa5a79cad	Access control: endpoint for searching single user permissions (#59669 ) * initial commit * clean up * fix a bug and add tests * more tests * undo some unintended changes * undo some unintended changes * linting * PR feedback - add user ID to search options * simplify the query * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * remove unneeded formatting changes Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	3 years ago
Karl Persson	6d1bcd9f40	DataSourcePermissions: Handle licensing properly for ds permissions (#59694 ) * RBAC: add viewer grand if dspermissions enforcement is not enabled * RBAC: Change permissions based on role prefix * RBAC: Add option to for permission service to add a license middleware * RBAC: Remove actions from query struct	3 years ago
Gabriel MABILLE	bf49c20050	RBAC: Add an endpoint to list all user permissions (#57644 ) * RBAC: Add an endpoint to see all user permissions Co-authored-by: Joey Orlando <joey.orlando@grafana.com> * Fix mock * Add feature flag * Fix merging * Return normal permissions instead of simplified ones * Fix test * Fix tests * Fix tests * Create benchtests * Split function to get basic roles * Comments * Reorg * Add two more tests to the bench * bench comment * Re-ran the test * Rename GetUsersPermissions to SearchUsersPermissions and prepare search options * Remove from model unused struct * Start adding option to get permissions by Action+Scope * Wrong import * Action and Scope * slightly tweak users permissions actionPrefix query param validation logic * Fix xor check * Lint * Account for suggeston Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add search * Remove comment on global scope * use union all and update test to make it run on all dbs * Fix MySQL needs a space * Account for suggestion. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Joey Orlando <joey.orlando@grafana.com> Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>	3 years ago

1 2

59 Commits (77a4869fcadf13827d76d5767d4de74812d6dd6d)