grafana

Commit Graph

Author	SHA1	Message	Date
Jo	d6c468c1c2	Auth: Add empty role definition (#64694 ) * Allow setting role as None Co-authored-by: gamab <gabi.mabs@gmail.com> Seeking for places where role.None would be used Co-authored-by: Jguer <joao.guerreiro@grafana.com> Adding None role to the frontend Co-authored-by: Jguer <joao.guerreiro@grafana.com> unify org role declaration and remove from add permission fix backend test fix backend lint * remove role none from frontend * Simplify checks Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * nits --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Ieva	533f8caafd	SAML: change the config option for making SAML UI accessible to org Admins (#67399 ) * change from role grant overrides to SAML UI specific config option * update permissions needed to access SAML UI * PR feedback: change config name, change required perms to write, add a comment	2 years ago
Alexander Zobnin	1d99500b3e	SAML UI: Fix permissions for fixed:authentication.config:writer role (#67290 ) * SAML UI: Fix permissions for fixed:authentication.config:writer role * Remove read permissions for auth settings	2 years ago
Gabriel MABILLE	3b63844390	RBAC: Feature to override default assignments (#66561 ) * RBAC: Feature to override default assignments Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Add test and trim spaces * Pass linting * Apply the rbac overrides to fixed_authentication.config_writer * Removing from the default ini file for now * Add grants overrides section to cfg * slimmer handleGrantOverrides function --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Alexander Zobnin	7476219b0c	SAML: Configuration UI (#64054 ) * Add initial authentication config page skeleton * Add initial SAML config page WIP * Add few more pages * Add connect to IdP page * Assertion mappings page stub and url params * Able to save settings * Some tweaks for authentication page * Tweak behaviour * Tweak provider name * Move SAML config pages to enterprise * minor refactor * Able to reset settings * Configure key and cert from UI * Refactor WIP * Tweak styles * Optional save button * Some tweaks for the page * Don't show info popup when save settings * Improve key/cert validation * Fetch provider status and display on auth page * Add settings list to the auth page * Show call to action card if no auth configured * clean up * Show authentication page only if SAML available * Add access control for SSO config page * Add feature toggle for auth config UI * Add code owners for auth config page * Auth config UI disabled by default * Fix feature toggle check * Apply suggestions from review * Refactor: use forms for steps * Clean up * Improve authentication page loading * Fix CTA link * Minor tweaks * Fix page route * Fix formatting * Fix generated code formatting	2 years ago
Gabriel MABILLE	bf49c20050	RBAC: Add an endpoint to list all user permissions (#57644 ) * RBAC: Add an endpoint to see all user permissions Co-authored-by: Joey Orlando <joey.orlando@grafana.com> * Fix mock * Add feature flag * Fix merging * Return normal permissions instead of simplified ones * Fix test * Fix tests * Fix tests * Create benchtests * Split function to get basic roles * Comments * Reorg * Add two more tests to the bench * bench comment * Re-ran the test * Rename GetUsersPermissions to SearchUsersPermissions and prepare search options * Remove from model unused struct * Start adding option to get permissions by Action+Scope * Wrong import * Action and Scope * slightly tweak users permissions actionPrefix query param validation logic * Fix xor check * Lint * Account for suggeston Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add search * Remove comment on global scope * use union all and update test to make it run on all dbs * Fix MySQL needs a space * Account for suggestion. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Joey Orlando <joey.orlando@grafana.com> Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>	3 years ago
Karl Persson	55c7b8add2	RBAC: Split up service into several components (#54002 ) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake	3 years ago
idafurjes	6afad51761	Move SignedInUser to user service and RoleType and Roles to org (#53445 ) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2	3 years ago
Karl Persson	b9bb0513e3	Remove version property from fixed roles (#51298 )	3 years ago
Ieva	5dbea9996b	RBAC: Make RBAC action names more consistent (#49730 ) * update action names * correctly retrieve teams for signed in user * remove test * undo swagger changes * undo swagger changes pt2 * add migration from old action names to the new ones * rename from list to read * linting * also update alertign actions * fix migration	3 years ago
Karl Persson	d82eb5902d	AccessControl: Cleanup access control interface (#49783 ) * removed unused function * Rename interface	3 years ago
Jguer	6a303bb6b8	AccessControl: Rename builtin role roles to basic roles (#48519 ) * AccessControl: Rename grafana:builtins roles to basic * AccessControl: rename macro references to basic Co-authored-by: gamab <gabi.mabs@gmail.com>	3 years ago
Gabriel MABILLE	2cc276567d	AccessControl: Hide basic roles (#48549 ) Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com>	3 years ago
Gabriel MABILLE	8bd825e16c	AccessControl: Make the built-in role definitions public (#47525 ) * AccessControl: Make the built-in role definitions public * Add context to RegisterFixedRoles Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Making BuiltInRolesWithParents public to the AccessControl package Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com>	3 years ago
Gabriel MABILLE	f7305965a4	AccessControl: Remove package lists for roles and grants (#47141 ) * AccessControl: Remove package variables for roles and grants Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check for inheritance during role registration Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Moving back role definition to accessscontrol * Make settings reader role public Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nits Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Forgot to update this * Account for declaration error * Fixing pkg/api init ossac * Account for error in tests * Update test to verify inheritance * Nits. * Place br inheritance behind a feature toggle * Parent -> Parents * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com>	3 years ago
Karl Persson	faf4a3f751	Access Control: Rename global users scope (#46794 ) * Rename scope from global:users to global.users to match scope convention	3 years ago
Karl Persson	5ca9d2895b	Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657 )	3 years ago
Ieva	a06564fb0d	Access control: allow granting a fixed role dynamically based on the startup settings (#43867 ) * allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming	3 years ago
Ieva	41b709d08d	Access control: permissions for team creation (#43506 ) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>	3 years ago
Ieva	b7f47561b6	Access control: add roles to fixed groups (#41673 ) * add roles to fixed groups * add global to group name	4 years ago
Karl Persson	d623285fcc	Access Control: Rename fixed roles (#41288 ) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>	4 years ago
Arve Knudsen	78596a6756	Migrate to Wire for dependency injection (#32289 ) Fixes #30144 Co-authored-by: dsotirakis <sotirakis.dim@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com> Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> Co-authored-by: Leon Sorokin <leeoniya@gmail.com> Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com> Co-authored-by: spinillos <selenepinillos@gmail.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>	4 years ago
Jeremy Price	9a71cec1f0	Access Control: Make the evaluator prefix match only (#38025 ) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com>	4 years ago
Jeremy Price	e8e1a0b50b	Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641 )" (#37397 )" (#37535 ) This reverts commit `55efeb0c02`.	4 years ago
Emil Tullstedt	55efeb0c02	Revert "AccessControl: Implement a way to register fixed roles (#35641 )" (#37397 ) This reverts commit `88c11f1cc0`.	4 years ago
Gabriel MABILLE	88c11f1cc0	AccessControl: Implement a way to register fixed roles (#35641 ) * AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>	4 years ago
Karl Persson	2fd7031102	Access Control: Add fine-grained access control to explore (#35883 ) * add fixed role for datasource read operations * Add action for datasource explore * add authorize middleware to explore index route * add fgac support for explore navlink * update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is * add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default * create function to evaluate permissions or using fallback if accesscontrol is disabled * change hasAccess to prop and derive the value in mapStateToProps * add test case to ensure buttons is not rendered when user does not have access * Only hide return with changes button * remove internal links if user does not have access to explorer Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com>	4 years ago
Karl Persson	395b942134	Access Control: Add fine-grained access control to GET stats and settings handlers (#35622 ) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings	4 years ago
Karl Persson	36c997a625	Access Control: Add fine-grained access control to ldap handlers (#35525 ) * Add new accesscontrol action for ldap config reload * Update ldapAdminEditRole with new ldap config reload permission * wrap /ldap/reload with accesscontrol authorize middleware * document new action and update fixed:ldap:admin:edit with said action * add fake accesscontrol implementation for tests * Add accesscontrol tests for ldap handlers Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>	4 years ago
Emil Tullstedt	0f4806db8a	Access control: Rename predefined roles to fixed roles (code) (#34469 ) * s/grafana:roles:/fixed:/ * Update free text references to predefined roles	4 years ago
Vardan Torosyan	1d15686bdf	Access control: Add a role for provisioning admins (#33787 )	4 years ago
Emil Tullstedt	4496ae496e	Access control: Clean up users scopes (#33532 ) Following discussion in grafana/grafana-enterprise#1292, removing org-scoped users scopes to make it clear that the local organization is the default and the alternative to that is a global scope (for a select few endpoints)	4 years ago
Vardan Torosyan	5bf6d7dad8	Access control: Update evaluator to authorize when at least one of the scopes is a match (#33393 )	4 years ago
Vardan Torosyan	bf83fb80b7	Access control: Combine permissions through predefined roles (#33275 ) * Access control: Combine permissions through predefined roles When certain permission is required for built-in role, instead of adding those permissions to the existing predefined roles, we need to have granular predefined roles with those permissions. * Better copy... * Adding and fixing tests * Remove duplicated permission	4 years ago
Alexander Zobnin	dd9f701cd9	Access control: Fix predefined roles (#33260 )	4 years ago
Alexander Zobnin	a7e721e987	Access control: Make Admin/Users UI working with the permissions (#33176 ) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints	4 years ago
Vardan Torosyan	9f82eac833	Access control: Add access control based permissions to admins/users (#32409 ) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>	4 years ago

37 Commits (96facbdfa25cdbcac51add910c7ba0d94d6b15a7)