grafana

Commit Graph

Author	SHA1	Message	Date
Jo	a6aa8f46d1	Auth: Silence no permissions warning (#74477 ) * silence no permissions warning * change warning to debug	2 years ago
linoman	13f4382214	Auth: Implement requester interface in access control module (#74289 ) * Implement requester interface in the access control module	2 years ago
Ieva	58efa49933	Chore: remove `IsDisabled` method for access control (#74340 ) remove IsDisabled method for access control, clean up tests	2 years ago
Serge Zaitsev	8187d8cb66	Chore: capitalise log message for auth packages (#74332 )	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Ieva	ca46a5c1af	Chore: prepare for removing `RBACenabled` config option (#73845 ) prepare for removing RBACenabled config option	2 years ago
Ieva	6885b3d577	Chore: remove checks for whether RBAC is disabled (#73812 ) * remove checks for whether access control is disabled, as it is always enabled now * linting	2 years ago
Marcus Efraimsson	040b7d2571	Chore: Add errutils helpers (#73577 ) Add helpers for the errutil package in favor of errutil.NewBase.	2 years ago
Jo	26339f978b	Auth: Move access control API to SignedInUser interface (#73144 ) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>	2 years ago
Karl Persson	16d24a8429	RBAC: remove LoadPermissionsMiddleware (#73228 ) * PubDash: remove LoadPermissionMiddleware from tests * RBAC: Remove unused LoadPermission middleware	2 years ago
Dan Cech	dd97038b00	Slug: Combine various slugify fixes for special character handling (#73164 ) * combine various slugify fixes for special character handling * a couple more test cases * update more tests * goimports	2 years ago
Michael Mandrus	779e0fe311	Feature Toggles: Create API for updating feature toggle state from the feature toggle admin page (#73022 ) * create roles for writing feature toggles * create update endpoint / handler * api changes * add feature toggle validations * hide toggles based on their state * make FlagFeatureToggle read only * add username log * add username string * refactor for better readability * refactor unit tests so we can do more validations * some skeletoning for the set tests * write unit tests for updater * break helper functions out * update sample ini to match defaults * add more logic to ReadOnly label * add user documentation * fix lint issue * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> --------- Co-authored-by: IbrahimCSAE <ibrahim.mdev@gmail.com> Co-authored-by: J Stickler <julie.stickler@grafana.com>	2 years ago
Jo	bd1a856d33	Auth: Add SignedIn user interface NamespacedID (#72944 ) * wip * scope active user to 1 org * remove TODOs * add render auth namespace * import cycle fix * make condition more readable * convert Evaluate to user Requester * only use active OrgID for SearchUserPermissions * add cache key to interface definition * change final SignedInUsers to interface * fix api key managed roles fetch * fix anon auth id parsing * Update pkg/services/accesscontrol/acimpl/accesscontrol.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Yuri Tseretyan	6b4a9d73d7	Alerting: Export contact points to check access control action instead legacy role (#71990 ) * introduce a new action "alert.provisioning.secrets:read" and role "fixed:alerting.provisioning.secrets:reader" * update alerting API authorization layer to let the user read provisioning with the new action * let new action use decrypt flag * add action and role to docs	2 years ago
Jo	30274a4f88	Auth: Move Team service to SignedInUserInterface (#72674 ) * move SignedInUser to specific file * add primitive interface for signedInUser	2 years ago
Gabriel MABILLE	261045d182	RBAC: Batch update on scope split migration (#72182 ) * RBAC: Make the SplitScope migration concurrent * Benchmark multiple alternatives: (updates in a loop, batch update, concurrent batch update) * Only keep batching since mysql 5.7 does not seem to support concurrent batching * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
João Calisto	4ba83173ea	Feature toggles management: Define get feature toggles api (#72106 ) * Feature Toggle Management: Define get feature toggles api * lint	2 years ago
Ieva	cfa1a2c55f	RBAC: Split non-empty scopes into `kind`, `attribute` and `identifier` fields for better search performance (#71933 ) * add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Jo	3300488667	AccessControl: Remove acmock.New from accesscontrol service tests (#71942 ) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests	2 years ago
Ieva	25c4292a5f	RBAC: search v1 permission filter part 1 - cleanup & updating tests (#71913 ) * update tests and remove some AC disabled checks * remove test for old permission filter builder	2 years ago
Jo	e56b2cae00	MESA: Allow using synced permissions (#71377 ) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit	2 years ago
Emil Tullstedt	5c19272065	Slug: Use urlencoding to support non-ASCII characters (#70691 )	2 years ago
Ieva	a65cb4d808	RBAC: remove simple RBAC disabled checks (#71137 ) * remove simple RBAC disabled checks * fixing tests * remove old AC tests	2 years ago
Jo	49e42d1a8d	AccessControl: Add resource permission deletion helper (#71222 ) * add method for deleting managed resource permissions * test method	2 years ago
Misi	607670a9fa	Auth: Use SHA-1 for generating an ID for External Service Role (#71079 ) * Use sha1 (160 bit hash) * Update pkg/services/accesscontrol/database/externalservices.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Satisfy linter, clean up --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Jo	d6c468c1c2	Auth: Add empty role definition (#64694 ) * Allow setting role as None Co-authored-by: gamab <gabi.mabs@gmail.com> Seeking for places where role.None would be used Co-authored-by: Jguer <joao.guerreiro@grafana.com> Adding None role to the frontend Co-authored-by: Jguer <joao.guerreiro@grafana.com> unify org role declaration and remove from add permission fix backend test fix backend lint * remove role none from frontend * Simplify checks Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * nits --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Ieva	d8b66d5c4b	RBAC: remove some `IsDisabled` checks (#69272 ) * remove some access contorl IsDisabled() checks * cleaning up tests * update tests * linting	2 years ago
Ieva	d98813796c	RBAC: Remove legacy AC from HasAccess permission check (#68995 ) * remove unused HasAdmin and HasEdit permission methods * remove legacy AC from HasAccess method * remove unused function * update alerting tests to work with RBAC	2 years ago
Gabriel MABILLE	edf1775d49	AuthN: Embed an OAuth2 server for external service authentication (#68086 ) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user🆔<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from `526e48ad45` * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>	2 years ago
Ryan McKinley	e7da2a179e	Schema: Add schema for role+access policies (#68047 )	2 years ago
Ieva	4980b64274	RBAC: Remove legacy ac from authorization middleware (#68898 ) remove legacy AC fallback from RBAC middleware, and some unused auth logic	2 years ago
Gabriel MABILLE	3ffff632be	RBAC: Refine validation of external services permissions (#68633 ) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id	2 years ago
Gabriel MABILLE	d7eea0d207	RBAC: Add a function to delete external service roles (#68317 ) * RBAC: Add function to delete external service roles * Adding a test to the service * Update pkg/services/accesscontrol/acimpl/service_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Misi	23d8f7c2fe	RBAC: Fix SearchUsersPermissions when the filter is empty (#68176 ) Fix SearchUsersPermission action filter	2 years ago
Gabriel MABILLE	8c6b5a4319	RBAC: Add a function to save external service roles (#66299 ) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Ieva	533f8caafd	SAML: change the config option for making SAML UI accessible to org Admins (#67399 ) * change from role grant overrides to SAML UI specific config option * update permissions needed to access SAML UI * PR feedback: change config name, change required perms to write, add a comment	2 years ago
Alexander Zobnin	1d99500b3e	SAML UI: Fix permissions for fixed:authentication.config:writer role (#67290 ) * SAML UI: Fix permissions for fixed:authentication.config:writer role * Remove read permissions for auth settings	2 years ago
Gabriel MABILLE	3b63844390	RBAC: Feature to override default assignments (#66561 ) * RBAC: Feature to override default assignments Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Add test and trim spaces * Pass linting * Apply the rbac overrides to fixed_authentication.config_writer * Removing from the default ini file for now * Add grants overrides section to cfg * slimmer handleGrantOverrides function --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Alexander Zobnin	7476219b0c	SAML: Configuration UI (#64054 ) * Add initial authentication config page skeleton * Add initial SAML config page WIP * Add few more pages * Add connect to IdP page * Assertion mappings page stub and url params * Able to save settings * Some tweaks for authentication page * Tweak behaviour * Tweak provider name * Move SAML config pages to enterprise * minor refactor * Able to reset settings * Configure key and cert from UI * Refactor WIP * Tweak styles * Optional save button * Some tweaks for the page * Don't show info popup when save settings * Improve key/cert validation * Fetch provider status and display on auth page * Add settings list to the auth page * Show call to action card if no auth configured * clean up * Show authentication page only if SAML available * Add access control for SSO config page * Add feature toggle for auth config UI * Add code owners for auth config page * Auth config UI disabled by default * Fix feature toggle check * Apply suggestions from review * Refactor: use forms for steps * Clean up * Improve authentication page loading * Fix CTA link * Minor tweaks * Fix page route * Fix formatting * Fix generated code formatting	2 years ago
Michael Mandrus	5626461b3c	Caching: Refactor enterprise query caching middleware to a wire service (#65616 ) * define initial service and add to wire * update caching service interface * add skipQueryCache header handler and update metrics query function to use it * add caching service as a dependency to query service * working caching impl * propagate cache status to frontend in response * beginning of improvements suggested by Lean - separate caching logic from query logic. * more changes to simplify query function * Decided to revert renaming of function * Remove error status from cache request * add extra documentation * Move query caching duration metric to query package * add a little bit of documentation * wip: convert resource caching * Change return type of query service QueryData to a QueryDataResponse with Headers * update codeowners * change X-Cache value to const * use resource caching in endpoint handlers * write resource headers to response even if it's not a cache hit * fix panic caused by lack of nil check * update unit test * remove NONE header - shouldn't show up in OSS * Convert everything to use the plugin middleware * revert a few more things * clean up unused vars * start reverting resource caching, start to implement in plugin middleware * revert more, fix typo * Update caching interfaces - resource caching now has a separate cache method * continue wiring up new resource caching conventions - still in progress * add more safety to implementation * remove some unused objects * remove some code that I left in by accident * add some comments, fix codeowners, fix duplicate registration * fix source of panic in resource middleware * Update client decorator test to provide an empty response object * create tests for caching middleware * fix unit test * Update pkg/services/caching/service.go Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com> * improve error message in error log * quick docs update * Remove use of mockery. Update return signature to return an explicit hit/miss bool * create unit test for empty request context * rename caching metrics to make it clear they pertain to caching * Update pkg/services/pluginsintegration/clientmiddleware/caching_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Add clarifying comments to cache skip middleware func * Add comment pointing to the resource cache update call * fix unit tests (missing dependency) * try to fix mystery syntax error * fix a panic * Caching: Introduce feature toggle to caching service refactor (#66323) * introduce new feature toggle * hide calls to new service behind a feature flag * remove licensing flag from toggle (misunderstood what it was for) * fix unit tests * rerun toggle gen --------- Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>	2 years ago
Will Browne	31d6416157	Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258 ) * migrate licensing + access control * update package name	2 years ago
Karl Persson	382b24742a	Auth: Add feature flag to move token rotation to client (#65060 ) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Sofia Papagiannaki	fde96c91c1	Chore: Differentiate the ErrOrgNotFound error messages (#64131 ) * Better org not found error messages	2 years ago
Jo	c8db771939	Users: Fix org user always getting org id = 1 on auto assign false (#63708 ) * fix org user always getting org id = 1 on auto assign false * make tests explicit * use correct cfg in service accounts * fix api tests * fix database test of ac * fix InsertOrgUser returning affected rows as orgID	2 years ago
suntala	49b3027049	Chore: Remove Result field from datasources (#63048 ) * Remove Result field from AddDataSourceCommand * Remove DatasourcesPermissionFilterQuery Result * Remove GetDataSourceQuery Result * Remove GetDataSourcesByTypeQuery Result * Remove GetDataSourcesQuery Result * Remove GetDefaultDataSourceQuery Result * Remove UpdateDataSourceCommand Result	2 years ago
Ryan McKinley	804bd08f11	Chore: remove unused feature flag showFeatureFlagsInUI (#62908 )	2 years ago
Jo	f9163351fd	Support bundles: Refactor registry into separate service (#62945 ) * add bundle registry service to avoid dependency cycles * move user support bundle collector to user service * move usage stat bundle implementation to usage stats * add info for background service * fix remaining imports * whitespace	2 years ago
Eric Leijonmarck	ed18a249b8	Refactor: move displayname logic from backend to frontend (#62845 ) * remove fallback from backend * add: displayname logic to frontend * Update public/app/core/components/RolePicker/utils.ts Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * add: fetchTeamRoles and return earlier * refactor: change to const --------- Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>	2 years ago
idafurjes	23c27cffb3	Chore: Rename Id to ID in alerting models (#62777 ) * Chore: Rename Id to ID in alerting models * Add xorm tags for datasource * Add xorm tag for uid	2 years ago
Ieva	6ae0ea80f6	RBAC: extend `IsInherited` method to work for nested folders (#62498 ) * extend IsInherited function to work for nested folders * add tests * update tests and logic * process inherited permissions seprately to correctly grey them out in the frontend	2 years ago

1 2 3 4 5 ...

318 Commits (96facbdfa25cdbcac51add910c7ba0d94d6b15a7)