grafana

Commit Graph

Author	SHA1	Message	Date
Ieva	159bb3c032	RBAC: Allow scoping access to root level dashboards (#76987 ) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Gabriel MABILLE	797a3c57af	Plugins: Automatic service account (and token) setup (#76473 ) * Update cue to have an AuthProvider entry * Cable the new auth provider * Add feature flag check to the accesscontrol service * Fix test * Change the structure of externalServiceRegistration (#76673)	2 years ago
Karl Persson	ae5e03034b	RBAC: generated prefixed uids for external service role (#76601 ) * Replace FixedRoleUID function with a common function to generate these prefixes * Use common function to generate prefixed uid for external service accounts Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com> --------- Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>	2 years ago
Jo	48ef88aed7	Access: Fetch fresh permissions for target GlobalOrgID in AuthorizeInOrgMiddleware (#76569 ) fetch fresh permissions for global in AuthorizeInOrgMiddleware Update pkg/services/accesscontrol/authorize_in_org_test.go do not load viewer permissions in global ID	2 years ago
kay delaney	a12cb8cbf3	LibraryPanels: Add RBAC support (#73475 )	2 years ago
Gabriel MABILLE	9dd38de5c1	RBAC: Make fixed role UIDs deterministic (#76239 ) * Add fixed role UID Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use base64 url encoding --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>	2 years ago
Jo	4474f19836	Service Accounts: Enable adding folder, dashboard and data source permissions to service accounts (#76133 ) * Add SAs to Datasource permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * add SAs to dashboards/folders managed permissions * Update public/app/core/components/AccessControl/Permissions.tsx Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * regenerate i18n * add doc --------- Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>	2 years ago
Karl Persson	7a38090bc0	AuthN: Fix namespaces for anonymous and render (#75661 ) * AuthN: remove IsAnonymous from identity struct and set correct namespace for anonymous and render * Don't parse user id for render namespace	2 years ago
Carl Bergquist	764478b9e7	Instrumentation: Set auth as owners for more routes (#75105 ) Signed-off-by: bergquist <carl.bergquist@gmail.com>	2 years ago
linoman	c4bc90ff5b	Chore: Add const variables for No Basic Role (#74868 ) * Add const variables for No Basic Role	2 years ago
Karl Persson	cebae4fb9a	Requester: Update GetCacheKey (#74834 ) * AuthN: re-export all namespaces * Identity: Change signature of GetCacheKey * User: check HasUniqueID * Default to org role None if role is empty	2 years ago
Gabriel MABILLE	729f9a01a0	RBAC: Fix search user permissions (#74729 ) Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>	2 years ago
Jo	a6aa8f46d1	Auth: Silence no permissions warning (#74477 ) * silence no permissions warning * change warning to debug	2 years ago
linoman	13f4382214	Auth: Implement requester interface in access control module (#74289 ) * Implement requester interface in the access control module	2 years ago
Ieva	58efa49933	Chore: remove `IsDisabled` method for access control (#74340 ) remove IsDisabled method for access control, clean up tests	2 years ago
Serge Zaitsev	8187d8cb66	Chore: capitalise log message for auth packages (#74332 )	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Ieva	ca46a5c1af	Chore: prepare for removing `RBACenabled` config option (#73845 ) prepare for removing RBACenabled config option	2 years ago
Ieva	6885b3d577	Chore: remove checks for whether RBAC is disabled (#73812 ) * remove checks for whether access control is disabled, as it is always enabled now * linting	2 years ago
Marcus Efraimsson	040b7d2571	Chore: Add errutils helpers (#73577 ) Add helpers for the errutil package in favor of errutil.NewBase.	2 years ago
Jo	26339f978b	Auth: Move access control API to SignedInUser interface (#73144 ) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>	2 years ago
Karl Persson	16d24a8429	RBAC: remove LoadPermissionsMiddleware (#73228 ) * PubDash: remove LoadPermissionMiddleware from tests * RBAC: Remove unused LoadPermission middleware	2 years ago
Dan Cech	dd97038b00	Slug: Combine various slugify fixes for special character handling (#73164 ) * combine various slugify fixes for special character handling * a couple more test cases * update more tests * goimports	2 years ago
Michael Mandrus	779e0fe311	Feature Toggles: Create API for updating feature toggle state from the feature toggle admin page (#73022 ) * create roles for writing feature toggles * create update endpoint / handler * api changes * add feature toggle validations * hide toggles based on their state * make FlagFeatureToggle read only * add username log * add username string * refactor for better readability * refactor unit tests so we can do more validations * some skeletoning for the set tests * write unit tests for updater * break helper functions out * update sample ini to match defaults * add more logic to ReadOnly label * add user documentation * fix lint issue * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> --------- Co-authored-by: IbrahimCSAE <ibrahim.mdev@gmail.com> Co-authored-by: J Stickler <julie.stickler@grafana.com>	2 years ago
Jo	bd1a856d33	Auth: Add SignedIn user interface NamespacedID (#72944 ) * wip * scope active user to 1 org * remove TODOs * add render auth namespace * import cycle fix * make condition more readable * convert Evaluate to user Requester * only use active OrgID for SearchUserPermissions * add cache key to interface definition * change final SignedInUsers to interface * fix api key managed roles fetch * fix anon auth id parsing * Update pkg/services/accesscontrol/acimpl/accesscontrol.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Yuri Tseretyan	6b4a9d73d7	Alerting: Export contact points to check access control action instead legacy role (#71990 ) * introduce a new action "alert.provisioning.secrets:read" and role "fixed:alerting.provisioning.secrets:reader" * update alerting API authorization layer to let the user read provisioning with the new action * let new action use decrypt flag * add action and role to docs	2 years ago
Jo	30274a4f88	Auth: Move Team service to SignedInUserInterface (#72674 ) * move SignedInUser to specific file * add primitive interface for signedInUser	2 years ago
Gabriel MABILLE	261045d182	RBAC: Batch update on scope split migration (#72182 ) * RBAC: Make the SplitScope migration concurrent * Benchmark multiple alternatives: (updates in a loop, batch update, concurrent batch update) * Only keep batching since mysql 5.7 does not seem to support concurrent batching * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
João Calisto	4ba83173ea	Feature toggles management: Define get feature toggles api (#72106 ) * Feature Toggle Management: Define get feature toggles api * lint	2 years ago
Ieva	cfa1a2c55f	RBAC: Split non-empty scopes into `kind`, `attribute` and `identifier` fields for better search performance (#71933 ) * add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Jo	3300488667	AccessControl: Remove acmock.New from accesscontrol service tests (#71942 ) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests	2 years ago
Ieva	25c4292a5f	RBAC: search v1 permission filter part 1 - cleanup & updating tests (#71913 ) * update tests and remove some AC disabled checks * remove test for old permission filter builder	2 years ago
Jo	e56b2cae00	MESA: Allow using synced permissions (#71377 ) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit	2 years ago
Emil Tullstedt	5c19272065	Slug: Use urlencoding to support non-ASCII characters (#70691 )	2 years ago
Ieva	a65cb4d808	RBAC: remove simple RBAC disabled checks (#71137 ) * remove simple RBAC disabled checks * fixing tests * remove old AC tests	2 years ago
Jo	49e42d1a8d	AccessControl: Add resource permission deletion helper (#71222 ) * add method for deleting managed resource permissions * test method	2 years ago
Misi	607670a9fa	Auth: Use SHA-1 for generating an ID for External Service Role (#71079 ) * Use sha1 (160 bit hash) * Update pkg/services/accesscontrol/database/externalservices.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Satisfy linter, clean up --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Jo	d6c468c1c2	Auth: Add empty role definition (#64694 ) * Allow setting role as None Co-authored-by: gamab <gabi.mabs@gmail.com> Seeking for places where role.None would be used Co-authored-by: Jguer <joao.guerreiro@grafana.com> Adding None role to the frontend Co-authored-by: Jguer <joao.guerreiro@grafana.com> unify org role declaration and remove from add permission fix backend test fix backend lint * remove role none from frontend * Simplify checks Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * nits --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Ieva	d8b66d5c4b	RBAC: remove some `IsDisabled` checks (#69272 ) * remove some access contorl IsDisabled() checks * cleaning up tests * update tests * linting	2 years ago
Ieva	d98813796c	RBAC: Remove legacy AC from HasAccess permission check (#68995 ) * remove unused HasAdmin and HasEdit permission methods * remove legacy AC from HasAccess method * remove unused function * update alerting tests to work with RBAC	2 years ago
Gabriel MABILLE	edf1775d49	AuthN: Embed an OAuth2 server for external service authentication (#68086 ) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user🆔<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from `526e48ad45` * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>	2 years ago
Ryan McKinley	e7da2a179e	Schema: Add schema for role+access policies (#68047 )	2 years ago
Ieva	4980b64274	RBAC: Remove legacy ac from authorization middleware (#68898 ) remove legacy AC fallback from RBAC middleware, and some unused auth logic	2 years ago
Gabriel MABILLE	3ffff632be	RBAC: Refine validation of external services permissions (#68633 ) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id	2 years ago
Gabriel MABILLE	d7eea0d207	RBAC: Add a function to delete external service roles (#68317 ) * RBAC: Add function to delete external service roles * Adding a test to the service * Update pkg/services/accesscontrol/acimpl/service_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Misi	23d8f7c2fe	RBAC: Fix SearchUsersPermissions when the filter is empty (#68176 ) Fix SearchUsersPermission action filter	2 years ago
Gabriel MABILLE	8c6b5a4319	RBAC: Add a function to save external service roles (#66299 ) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Ieva	533f8caafd	SAML: change the config option for making SAML UI accessible to org Admins (#67399 ) * change from role grant overrides to SAML UI specific config option * update permissions needed to access SAML UI * PR feedback: change config name, change required perms to write, add a comment	2 years ago
Alexander Zobnin	1d99500b3e	SAML UI: Fix permissions for fixed:authentication.config:writer role (#67290 ) * SAML UI: Fix permissions for fixed:authentication.config:writer role * Remove read permissions for auth settings	2 years ago
Gabriel MABILLE	3b63844390	RBAC: Feature to override default assignments (#66561 ) * RBAC: Feature to override default assignments Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Add test and trim spaces * Pass linting * Apply the rbac overrides to fixed_authentication.config_writer * Removing from the default ini file for now * Add grants overrides section to cfg * slimmer handleGrantOverrides function --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago

1 2 3 4 5 ...

330 Commits (b8105caa05af19c8887a421e803e9591e14da5fe)