grafana

Commit Graph

Author	SHA1	Message	Date
Ryan McKinley	99d8025829	Chore: Move identity and errutil to apimachinery module (#89116 )	1 year ago
Aaron Godin	59a6a6513f	Prevent moving a k6 folder (#88884 ) * iam-716 - prevent a folder move operation when the folder's uid or any of its parents uids begin with k6-app * fox folder move check and only list non-k6 folders to users * adding tests for moving * add a test for listing folders * fix the other tests * use method that adds folder parent --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>	1 year ago
Yuri Tseretyan	356a29592b	Alerting: Add two sets of provisioning actions for rules and notifications (#87149 )	1 year ago
Yuri Tseretyan	509691b416	Alerting: Introduce authorization logic for operations on silences (#85418 ) * extract genericService from RuleService just to reuse it later * implement silence service --------- Co-authored-by: William Wernert <william.wernert@grafana.com> Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>	1 year ago
Karl Persson	504870f10a	Auth: Decouple client and hook registration (#85084 )	1 year ago
Yuri Tseretyan	48de8657c9	Alerting: Editor role can access all provisioning API (#85022 )	1 year ago
Ieva	7aa0ba8c59	Teams: Display teams page to team reader if they also have the access to list team permissions (#84650 ) * display teams to team reader if they also have the access to list team permissions * fix a typo in the docs	1 year ago
Alexander Zobnin	fd9031ca37	Access Control: Get org from request data for authorization (#84359 ) * Access Control: Get org from request data for authorization * move type to models * Update pkg/services/accesscontrol/middleware.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * refactor * refactor * Fix linter --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	1 year ago
Gabriel MABILLE	80d6bf6da0	AuthN: Remove embedded oauth server (#83146 ) * AuthN: Remove embedded oauth server * Restore main * go mod tidy * Fix problem * Remove permission intersection * Fix test and lint * Fix TestData test * Revert to origin/main * Update go.mod * Update go.mod * Update go.sum	1 year ago
William Wernert	2ab7d3c725	Alerting: Receivers API (read only endpoints) (#81751 ) * Add single receiver method * Add receiver permissions * Add single/multi GET endpoints for receivers * Remove stable tag from time intervals See end of PR description here: https://github.com/grafana/grafana/pull/81672	1 year ago
Yuri Tseretyan	d1073deefd	Alerting: Time intervals API (read only endpoints) (#81672 ) * declare new API and models GettableTimeIntervals, PostableTimeIntervals * add new actions alert.notifications.time-intervals:read and alert.notifications.time-intervals:write. * update existing alerting roles with the read action. Add to all alerting roles. * add integration tests	1 year ago
Gabriel MABILLE	3df0611f81	RBAC: Fix authorize in org (#81552 ) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case	1 year ago
Alexander Zobnin	08082104e1	Access control: Add permissions cache hit/miss metrics (#80883 ) * Access control: Add permissions cache hit/miss metrics * Add metrics to OSS * Fix imports	1 year ago
Julien Duchesne	b232c64d9a	`accesscontrol` swagger: Add `global` field to `RoleDTO` type (#79351 ) * `accesscontrol` swagger: Add `global` field to `RoleDTO` type The field is currently added in the MarshalJSON function so it isn't reflected in the spec This PR sets the "static" version of the RoleDTO, that has the global field, as the swagger model * Revert the marshalling logic	2 years ago
Gabriel MABILLE	72d32eed27	ExtSvcAuth: Assign roles locally (#78669 ) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case	2 years ago
Misi	7ae0ff1309	RBAC: Add OAuth provider scopes separately to fixed:authentication.config:writer (#78202 ) Add OAuth provider setting scopes to fixed:authentication writer * Change SSO Settings api scopes * Remove unused RBAC Action	2 years ago
Karl Persson	ae5e03034b	RBAC: generated prefixed uids for external service role (#76601 ) * Replace FixedRoleUID function with a common function to generate these prefixes * Use common function to generate prefixed uid for external service accounts Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com> --------- Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>	2 years ago
kay delaney	a12cb8cbf3	LibraryPanels: Add RBAC support (#73475 )	2 years ago
Gabriel MABILLE	9dd38de5c1	RBAC: Make fixed role UIDs deterministic (#76239 ) * Add fixed role UID Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use base64 url encoding --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>	2 years ago
Jo	4474f19836	Service Accounts: Enable adding folder, dashboard and data source permissions to service accounts (#76133 ) * Add SAs to Datasource permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * add SAs to dashboards/folders managed permissions * Update public/app/core/components/AccessControl/Permissions.tsx Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * regenerate i18n * add doc --------- Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>	2 years ago
linoman	c4bc90ff5b	Chore: Add const variables for No Basic Role (#74868 ) * Add const variables for No Basic Role	2 years ago
Marcus Efraimsson	040b7d2571	Chore: Add errutils helpers (#73577 ) Add helpers for the errutil package in favor of errutil.NewBase.	2 years ago
Michael Mandrus	779e0fe311	Feature Toggles: Create API for updating feature toggle state from the feature toggle admin page (#73022 ) * create roles for writing feature toggles * create update endpoint / handler * api changes * add feature toggle validations * hide toggles based on their state * make FlagFeatureToggle read only * add username log * add username string * refactor for better readability * refactor unit tests so we can do more validations * some skeletoning for the set tests * write unit tests for updater * break helper functions out * update sample ini to match defaults * add more logic to ReadOnly label * add user documentation * fix lint issue * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> --------- Co-authored-by: IbrahimCSAE <ibrahim.mdev@gmail.com> Co-authored-by: J Stickler <julie.stickler@grafana.com>	2 years ago
Yuri Tseretyan	6b4a9d73d7	Alerting: Export contact points to check access control action instead legacy role (#71990 ) * introduce a new action "alert.provisioning.secrets:read" and role "fixed:alerting.provisioning.secrets:reader" * update alerting API authorization layer to let the user read provisioning with the new action * let new action use decrypt flag * add action and role to docs	2 years ago
João Calisto	4ba83173ea	Feature toggles management: Define get feature toggles api (#72106 ) * Feature Toggle Management: Define get feature toggles api * lint	2 years ago
Ieva	cfa1a2c55f	RBAC: Split non-empty scopes into `kind`, `attribute` and `identifier` fields for better search performance (#71933 ) * add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Gabriel MABILLE	edf1775d49	AuthN: Embed an OAuth2 server for external service authentication (#68086 ) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user🆔<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from `526e48ad45` * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>	2 years ago
Gabriel MABILLE	3ffff632be	RBAC: Refine validation of external services permissions (#68633 ) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id	2 years ago
Gabriel MABILLE	8c6b5a4319	RBAC: Add a function to save external service roles (#66299 ) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Ieva	533f8caafd	SAML: change the config option for making SAML UI accessible to org Admins (#67399 ) * change from role grant overrides to SAML UI specific config option * update permissions needed to access SAML UI * PR feedback: change config name, change required perms to write, add a comment	2 years ago
Gabriel MABILLE	3b63844390	RBAC: Feature to override default assignments (#66561 ) * RBAC: Feature to override default assignments Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Add test and trim spaces * Pass linting * Apply the rbac overrides to fixed_authentication.config_writer * Removing from the default ini file for now * Add grants overrides section to cfg * slimmer handleGrantOverrides function --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Alexander Zobnin	7476219b0c	SAML: Configuration UI (#64054 ) * Add initial authentication config page skeleton * Add initial SAML config page WIP * Add few more pages * Add connect to IdP page * Assertion mappings page stub and url params * Able to save settings * Some tweaks for authentication page * Tweak behaviour * Tweak provider name * Move SAML config pages to enterprise * minor refactor * Able to reset settings * Configure key and cert from UI * Refactor WIP * Tweak styles * Optional save button * Some tweaks for the page * Don't show info popup when save settings * Improve key/cert validation * Fetch provider status and display on auth page * Add settings list to the auth page * Show call to action card if no auth configured * clean up * Show authentication page only if SAML available * Add access control for SSO config page * Add feature toggle for auth config UI * Add code owners for auth config page * Auth config UI disabled by default * Fix feature toggle check * Apply suggestions from review * Refactor: use forms for steps * Clean up * Improve authentication page loading * Fix CTA link * Minor tweaks * Fix page route * Fix formatting * Fix generated code formatting	2 years ago
Eric Leijonmarck	ed18a249b8	Refactor: move displayname logic from backend to frontend (#62845 ) * remove fallback from backend * add: displayname logic to frontend * Update public/app/core/components/RolePicker/utils.ts Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * add: fetchTeamRoles and return earlier * refactor: change to const --------- Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>	2 years ago
Ieva	ee3d742c7d	RBAC: inherit folder permissions when resolving managed permissions (#62244 ) * add nested folder scope inheritance to managed permission services * add a more specific erorr * remove circular dependencies * use errutil for returning erorr * fix tests * fix tests * define a new error in ac package	2 years ago
Karl Persson	6d1bcd9f40	DataSourcePermissions: Handle licensing properly for ds permissions (#59694 ) * RBAC: add viewer grand if dspermissions enforcement is not enabled * RBAC: Change permissions based on role prefix * RBAC: Add option to for permission service to add a license middleware * RBAC: Remove actions from query struct	3 years ago
Gabriel MABILLE	bf49c20050	RBAC: Add an endpoint to list all user permissions (#57644 ) * RBAC: Add an endpoint to see all user permissions Co-authored-by: Joey Orlando <joey.orlando@grafana.com> * Fix mock * Add feature flag * Fix merging * Return normal permissions instead of simplified ones * Fix test * Fix tests * Fix tests * Create benchtests * Split function to get basic roles * Comments * Reorg * Add two more tests to the bench * bench comment * Re-ran the test * Rename GetUsersPermissions to SearchUsersPermissions and prepare search options * Remove from model unused struct * Start adding option to get permissions by Action+Scope * Wrong import * Action and Scope * slightly tweak users permissions actionPrefix query param validation logic * Fix xor check * Lint * Account for suggeston Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add search * Remove comment on global scope * use union all and update test to make it run on all dbs * Fix MySQL needs a space * Account for suggestion. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Joey Orlando <joey.orlando@grafana.com> Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>	3 years ago
Sasha Melentyev	febcaeff3a	Chore: Use strings.ReplaceAll and preallocate containers (#58483 )	3 years ago
Gabriel MABILLE	30fae33f66	RBAC: Allow role registration for plugins (#57387 ) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>	3 years ago
Ieva	5c1a1c8318	change json command parameter names from userID to userId and teamID to teamId (#57902 )	3 years ago
Ieva	2546437e20	add an endpoint for updating several managed permissions with one call (#57893 )	3 years ago
Torkel Ödegaard	09f4068849	NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552 )	3 years ago
Ieva	6f93630e97	RBAC: add check for whether a role is managed (#55617 ) * add check for whether a role is managed * fix typo	3 years ago
Karl Persson	55c7b8add2	RBAC: Split up service into several components (#54002 ) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake	3 years ago
Karl Persson	cc78486535	RBAC: Display indicator if a permission is inherited (#54080 ) * RBAC: Add IsInherited property * PermissionList: Display inherited indicator	3 years ago
Karl Persson	4069fe1c39	RBAC: Update permission query to not join on team table (#53677 ) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids	3 years ago
idafurjes	6afad51761	Move SignedInUser to user service and RoleType and Roles to org (#53445 ) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2	3 years ago
Ieva	b3a10202d4	Revert "Service accounts: Add service account to teams" (#52710 ) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit `0f919671e7`. * remove unneeded line * fix test	3 years ago
Eric Leijonmarck	0f919671e7	Service accounts: Add service account to teams (#51536 ) * Revert "Serviceaccounts: #48995 Do not display service accounts assigned to team (#48995)" This reverts commit `cbf71fbd7f`. * fix: test to not include more actions than necessary * adding service accounts to teams - backend and frontend changes * also support SA addition through the old team membership endpoints * fix tests * tests * serviceaccounts permission tests * serviceaccounts permission service tests run * added back test that was removed by accident * lint * refactor: add testoptionsTeams * fix a bug * service account picker change * explicitly set SA managed permissions to false for dash and folders * lint * allow team creator to list service accounts Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>	3 years ago
Yuriy Tseretyan	54fa04263b	Alerting: Add RBAC actions and role for provisioning API routes (#50459 ) * add alert provisioning actions and role * linter	3 years ago
Ieva	5dbea9996b	RBAC: Make RBAC action names more consistent (#49730 ) * update action names * correctly retrieve teams for signed in user * remove test * undo swagger changes * undo swagger changes pt2 * add migration from old action names to the new ones * rename from list to read * linting * also update alertign actions * fix migration	3 years ago

1 2 3

109 Commits (99d8025829e896b68f6cd5eb11d4ff448d6c3b30)