grafana

Commit Graph

Author	SHA1	Message	Date
Jeff Levin	ed13959e33	Optimize memory allocations in permissions cache (#89645 ) This PR reduces the number of allocations made while caching permissions from the database, fixes the hierarchy of spans and adds new spans for tracing. --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com>	11 months ago
Karl Persson	7f4faaa45b	ExtJWT: Remove test (#89665 ) Remove test	11 months ago
Ryan McKinley	99d8025829	Chore: Move identity and errutil to apimachinery module (#89116 )	12 months ago
Misi	2e811c5438	Chore: Use OrgRoleMapper in Grafana.com client (#89013 ) * Use OrgRoleMapper in Grafana.com client * Clean up	12 months ago
Misi	9a44296bc2	Auth: Add org to role mappings support to AzureAD/Entra integration (#88861 ) * Added implementation and tests * Add docs, simplify implementation * Remove unused func * Update docs	12 months ago
Karl Persson	f3efd95bb4	Auth: Add org to role mappings support to Google integration (#88891 ) * Auth: Implement org role mapping for google oauth provider * Update docs * Remove unused function Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	12 months ago
Misi	4f2a9a47f3	Auth: Add org to role mappings support to Okta integration (#88770 ) * Add org mapping support to Okta * Update docs and configs * Prettier docs * Apply suggestions from code review Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Improve tests --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>	12 months ago
Karl Persson	f28905f8c4	Auth: Add org to role mappings support to Gitlab integration (#88751 ) * Conf: Add org_mapping and org_attribute_path to github and gitlab conf * Gitlab: Implement org role mapping * Update docs --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>	12 months ago
Misi	eacf6e0a4d	Auth: Add org to role mappings support to GitHub integration (#88537 ) * wip: add extra tests for verifying current logic * Add OrgRole mapping and tests * Update docs * Clean up * Update docs/sources/setup-grafana/configure-security/configure-authentication/github/index.md Co-authored-by: Mihai Doarna <mihai.doarna@grafana.com> * Update docs with None role * Apply suggestions from code review Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Fix * Prettier docs * Cleanup tests --------- Co-authored-by: Mihai Doarna <mihai.doarna@grafana.com> Co-authored-by: Jack Baldry <jack.baldry@grafana.com>	12 months ago
Misi	ed6b3e9e7c	Auth: Introduce pre-logout hooks + add GCOM LogoutHook (#88475 ) * Introduce preLogoutHooks in authn service * Add gcom_logout_hook * Config the api token from the Grafana config file * Simplify * Add tests for logout hook * Clean up * Update * Address PR comment * Fix	1 year ago
Carl Bergquist	6c79f63c04	Auth: Pass ctx when updating last seen (#88496 ) Signed-off-by: bergquist <carl.bergquist@gmail.com>	1 year ago
Mathieu Parent	b8c9ae0eb7	OIDC: Support Generic OAuth org to role mappings (#87394 ) * Social: link to OrgRoleMapper * OIDC: support Generic Oauth org to role mappings Fixes: #73448 Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Handle when getAllOrgs fails in the org_role_mapper * Add more tests * OIDC: ensure orgs are evaluated from API when not from token Signed-off-by: Mathieu Parent <math.parent@gmail.com> * OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Extend docs * Fix test, lint --------- Signed-off-by: Mathieu Parent <math.parent@gmail.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>	1 year ago
Kristin Laemmert	16b1e285ea	Chore: Use cache for all signed in user lookups (#88133 ) * GetSignedInUser unexported (renamed to getSignedInUser) * GetSignedInUserWithCacheCtx renamed to GetSignedInUser * added a check for a nil cacheservice (as defensive programming / test convenience)	1 year ago
Karl Persson	78d1b2a250	Authn: Share key retriever between id and access token verifiers (#87978 )	1 year ago
Karl Persson	5c27f223af	Authn: Support access token wildcard namespace (#87816 ) * Authn+ExtJWT: allow wildcard namespace for access tokens and restructure validation	1 year ago
Karl Persson	9977258d04	AuthN: Set uid during authentication (#87797 ) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts	1 year ago
Karl Persson	0f3080ecb8	AuthN: Fix signout redirect url (#87631 ) * Add missing return * Use sign out redirect url from auth config if configured * remove option from auth.jwt that is not used	1 year ago
Karl Persson	be5ced4287	Identity: Use typed version of namespace id (#87257 ) * Remove different constructors and only use NewNamespaceID * AdminUser: check typed namespace id * Identity: Add convinient function to parse valid user id when type is either user or service account * Annotations: Use typed namespace id instead	1 year ago
Charandas	a9da6ce1d5	ext_jwt: streamline expected aud in access tokens and id tokens (#87401 )	1 year ago
Dan Cech	41bee274fd	Chore: Fix error handling in postDashboard, remove UserDisplayDTO, fix live redis client initialization (#87206 ) * clean up error handling in postDashboard and remove UserDisplayDTO * replace GetUserUID with GetUID and GetNamespacedUID, enforce namespace constant type * lint fix * lint fix * more lint fixes	1 year ago
Charandas	0c59baf62d	ext_jwt: switch to new authlib (#87157 )	1 year ago
Gabriel MABILLE	8802282ebc	RBAC: fix panic role not found permission sync (#87217 )	1 year ago
Karl Persson	d8fbbdefea	Identity: Use typed namespace id (#87121 ) * Use typed namespace id	1 year ago
Karl Persson	c4cfee8d96	User: support setting org and help flags though update function (#86535 ) * User: Support setting active org through update function * User: add support to update help flags through update function	1 year ago
Karl Persson	cd724d74aa	Authn: move namespace id type (#86853 ) * Use RoleType from org package * Move to identity package and re-export from authn * Replace usage of top level functions for identity Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Charandas	d46b163810	Authn (jwt_auth): add tracing spans for validating newer use cases (#86812 )	1 year ago
Karl Persson	0fa983ad8e	AuthN: Use typed namespace id inside authn package (#86048 ) * authn: Use typed namespace id inside package	1 year ago
Ieva	036f826b87	AuthZ: Further protect admin endpoints (#86285 ) * only users with Grafana Admin role can grant/revoke Grafana Admin role * check permissions to user amdin endpoints globally * allow checking global permissions for service accounts * use a middleware for checking whether the caller is Grafana Admin	1 year ago
Karl Persson	0f06120b56	User: Clean up update functions (#86341 ) * User: remove unused function * User: Remove UpdatePermissions and support IsGrafanaAdmin flag in Update function instead * User: Remove Disable function and use Update instead	1 year ago
Karl Persson	8520892923	User: Fix GetByID (#86282 ) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID	1 year ago
linoman	51da96d94e	Auth: Add `IsClientEnabled` and `IsEnabled` for the `authn.Service` and `authn.Client` interfaces (#86034 ) * Add `Service. IsClientEnabled` and `Client.IsEnabled` functions * Implement `IsEnabled` function for authn clients * Implement `IsClientEnabled` function for authn services	1 year ago
Karl Persson	73fecc8d80	Authn: Identity resolvers (#85930 ) * AuthN: Add NamespaceID struct. We should replace the usage of encoded namespaceID with this one * AuthN: Add optional interface that clients can implement to be able to resolve identity for a namespace * Authn: Implement IdentityResolverClient for api keys * AuthN: use idenity resolvers Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Karl Persson	895222725c	Session: set authID and authenticatedBy (#85806 ) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places	1 year ago
Alexander Zobnin	3127566a20	Access control: Use ResolveIdentity() for authorizing in org (#85549 ) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()	1 year ago
Karl Persson	ebb4bb859e	Authn: allow ResolveIdentity to authenticate in "global" scope (#85835 ) * Authn: allow ResolveIdentity to authenticate in "global" scope * Use constant	1 year ago
Karl Persson	46ee87a0fc	Authn: Ignore context.Canceled errors when logging auth errors (#85707 ) Ignore context.Canceled errors when logging auth errors	1 year ago
Misi	8796d2d307	Auth: Convert SetDefaultOrgHook to PostLoginHook (#85649 ) * Convert SetDefaultOrgHook to PostLoginHook	1 year ago
Karl Persson	b1fc0861f1	AuthN: reset email verified on email change (#85643 ) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Karl Persson	ba41954854	Email: trigger email verification flow (#85587 ) * Add email and email_verified to id token if identity is a user * Add endpoint to trigger email verification for user * Add function to clear stored id tokens and use it when email verification is completed	1 year ago
Karl Persson	504870f10a	Auth: Decouple client and hook registration (#85084 )	1 year ago
Jo	5340a6e548	Auth: Extended JWT client for OBO and Service Authentication (#83814 ) * reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	1 year ago
linoman	e4250a72db	JWT: Find login and email claims with JMESPATH (#85305 ) * add function to static function to static service * find email and login claims with jmespath * rename configuration files * Replace JWTClaims struct for map * check for subclaims error	1 year ago
Karl Persson	152cb47692	AuthN: Add IsAuthenticatedBy to identity interface and replace checks (#85262 ) Add IsAuthenticatedBy to identity interface and replace checks	1 year ago
Jo	da40158fed	Auth: Improve org role sync debugging (#85146 ) add login to the context of the logger	1 year ago
Karl Persson	2f3a01f79f	OAuth: Make sub claim required for generic oauth behind feature toggle (#85065 ) * Add feature toggle for sub claims requirement * OAuth: require valid auth id * Fix feature toggle description	1 year ago
Eric Leijonmarck	bb792ff540	Auth: Remove oauth skip org role sync (#84972 ) * remove oauth wide skip org role sync * we are warning from config * set it to false * removed from config ini files and updated docs	1 year ago
Karl Persson	d4e802dd47	Authn: Add function to resolve identity from org and namespace id (#84555 ) * Add function to get the namespaced id * Add function to resolve an identity through authn.Service from org and namespace id * Switch to resolve identity for re-authenticate in another org	1 year ago
Misi	63f1c30313	Auth: Set the default org after User login (#83918 ) * poc * add logger, skip hook when user is not assigned to default org * Add tests, move to hook folder * docs * Skip for OrgId < 1 * Address feedback * Update docs/sources/setup-grafana/configure-grafana/_index.md * lint * Move the hook to org_sync.go * Update pkg/services/authn/authnimpl/sync/org_sync.go * Handle the case when GetUserOrgList returns error --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com>	1 year ago
Karl Persson	6ea9f0c447	AuthN: Use fetch user sync hook for render keys connected to a user (#84080 ) * Use fetch user sync hook for render keys connected to a user	1 year ago
Karl Persson	9c292d2c3f	AuthN: Use sync hook to fetch service account (#84078 ) * Use sync hook to fetch service account	1 year ago

1 2 3 4 5

212 Commits (c8ce20a807819626979fdf3facce1db53ec511d9)