47f7b3e095
Alerting: Dedicated permission for Template testing API ( #115032 )
2025-12-10 10:56:29 -05:00
0088e55b8f
Plugins App: PluginMeta -> Meta ( #115034 )
2025-12-09 16:01:22 -05:00
5b89d3b807
Plugins App: Add access control ( #114869 )
2025-12-05 12:56:01 -05:00
3c5d905e0f
AuthZ: Redirect legacy resource permissions handler to k8s (part I) (#114199 )
...
* Add K8s API redirect for GET resource permissions
* wire
* move restconfig to options
* address comments
* fix helper after adding RestConfigProvider
* Revert K8s redirect changes for service accounts, teams, and receivers
Keep only dashboard and folder redirect functionality for this PR.
Service accounts, teams, and receivers will be handled in a separate PR.
* address comments
* lint
2025-12-04 10:04:23 -05:00
0e460a267e
chore : Deprecating FeatureToggles.IsEnabled ( #113062 )
...
* Deprecating features.IsEnabled
* add one more nolint
* add one more nolint
* Give better hints to devs in the deprecation message of IsEnabledGlobally
* adding more doc strings
* fix linter after rebase
* Extend deprecation message
2025-11-21 18:43:42 +01:00
9a542489a7
APIs: Fix pre-processing of getApiResources & update godoc for teams endpoints ( #113536 )
2025-11-10 12:59:40 +00:00
7df3582237
Authz: Implement Query operation for Zanzana with folder parent retrieval ( #113483 )
2025-11-06 09:06:42 -07:00
7a7fd45bdd
Zanzana: app platform style write APIs ( #112812 )
...
* refactor zanzana client instantiation
* refactor client imports
* POC write API (Mutate)
* fix linter
* delete exisitng folder parents
* refactor common functions
* minor refactor
* groupd operations by type
* atomic folder operations
* use deleteExisting for deletes
* Add tests for folders
* more tests
* resource permissions tests
* add more tests
* fix mock zanzana client
* fix linter
* fix linter
* re-use types from apps
* add some comments to the protobuf
2025-10-28 11:22:13 +01:00
81683d554d
chore : Deprecating FeatureToggles.IsEnabledGlobally ( #112885 )
...
* add deprecation on featuremgmt.IsEnabledGlobally
* add nolint reason
* add reasonable deprecation message
* remove junk edits
* add more nolints
* addressing review comments
* Update pkg/services/featuremgmt/models.go
Co-authored-by: Dave Henderson <dave.henderson@grafana.com >
---------
Co-authored-by: Dave Henderson <dave.henderson@grafana.com >
2025-10-24 12:02:53 -04:00
71d10a3fa3
FolderPermissions: Return 404 error when folder does not exist instead of 500 ( #112919 )
...
* AccessControl: Improve folder permissions error handling
- Add proper error type handling for folder permission checks
- Convert dashboards.ErrFolderNotFound to folder.ErrFolderNotFound
- Preserve errutil.Error types when returned
- Wrap unhandled errors with new ErrFolderUnhandledError for better error tracking
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update pkg/services/accesscontrol/ossaccesscontrol/folder.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-10-24 09:50:38 +00:00
2e1704b56f
Access: Add AfterCreate hooks for Roles/Core Roles ( #112666 )
...
As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.
This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:
Role permissions are immediately available for authorization checks
The legacy RBAC system and new Zanzana system remain in sync
Users experience consistent permission enforcement regardless of which backend is queried
safe to revert
2025-10-23 09:47:39 +02:00
fbc81d2fd0
fix(accesscontrol): Reduce memory usage in GroupScopesByActionContext ( #112295 )
...
Signed-off-by: Dave Henderson <dave.henderson@grafana.com >
2025-10-22 18:25:10 -04:00
638a1808f8
Access Control: Add fixed role loader service ( #112747 )
2025-10-22 12:04:42 -04:00
5a798afb3f
AccessControl: Fix flaky set resource permission integration test ( #112738 )
...
* AccessControl: Fix flaky set resource permission integration test
* Also remove println
2025-10-21 15:45:35 +00:00
0a0311a2b2
RBAC: Only write action sets ( #112429 )
...
* implementation + broken tests
* finish tests and cleanup
* fix a bug in logic where we'd return too early for non dash and folder resources
2025-10-20 16:02:56 +01:00
89da0bf178
Access Control: Fix plugin async install role registration ( #112123 )
2025-10-10 09:44:02 -04:00
acbbfde256
AuthZ service: Expand the logic to also evaluate action sets ( #112124 )
...
* expand AuthZ service logic to also evaluate action sets
* handle folder creation
* fix test
* simplify mapper code
Co-authored-by: gamab <gabi.mabs@gmail.com >
* more accurate variable name Co-authored-by: gamab <gabi.mabs@gmail.com >
* break alerting import cycle
* Apply suggestion from @gamab
---------
Co-authored-by: gamab <gabi.mabs@gmail.com >
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
2025-10-08 13:37:12 +01:00
2f2289f226
Chore: Update authlib (foder as top level argument) ( #111800 )
2025-10-01 14:40:28 +00:00
a98870f8f9
Extsvcacc: Split permission scope ( #111491 )
...
* Extsvcacc: Split permission scope
* Fix integration test
* Trigger CI/CD pipeline
* Change extsvc permission comparing
* Recreate unsplit permissions
2025-09-24 13:25:44 +02:00
1ef27e9749
Auth: Add SCIM settings permission to auth config writer role ( #111326 )
...
* Auth: add SCIM settings permission to authentication config writer role
* make update-workspace
2025-09-19 09:55:18 -05:00
72d212c5f9
Authlib: Update authz client to use zookies ( #111291 )
...
* Authlib: Update authz client to use zookies
* fix zookie return
* fix linter
2025-09-18 16:24:22 +02:00
ba65aa6529
AccessControl: Remove deprecated scope split migration ( #111071 )
...
remove scope migrator
2025-09-15 11:47:08 +02:00
edcd113054
Authz: Remove legacy API Key permissions ( #110860 )
...
* remove API key roles
* remove API key gen
* remove frontend and doc mentions
* restore legacy keygen
* restore codeowners
* prettier
* update swagger
* remove permissions including apikeys
* add migrator for removing deprecated permissions
* add tracing
* update openapi3
* simplify migrator for now
* accesscontrol/migrator: remove batching for deprecated permissions deletion
2025-09-12 13:59:37 +02:00
9a54243f09
Chore: update golang.org/x/exp ( #110980 )
2025-09-11 22:13:07 +03:00
c32650e9d8
Replace remaining calls to testing.Short where possible. ( #110765 )
...
* Replace remaining calls to testing.Short where possible.
* Update style guide.
* Revert change in TestAlertmanager_ExtraDedupStage, as it doesn't work.
* Make TestAlertRulePostExport into integration test.
2025-09-09 08:16:12 +00:00
7c95d3c8a9
Folders: Split legacy out of folder.Service (and remove folder.FolderStore) ( #110734 )
2025-09-08 18:27:49 +03:00
7fd9ab9481
Replace check for integration tests. ( #110707 )
...
* Replace check for integration tests.
* Revert changes in pkg/tsdb/mysql packages.
* Fix formatting of few tests.
2025-09-08 15:49:49 +02:00
f3896624f5
Access: Remove plugin app access in plugin basic role seeder ( #108526 )
...
* draft: remove plugin app access in plugin basic role seeder
* fix log
* remove mods to gosum
* fix missing plugin check
* debug log, not warn
* Secrets: Better error message for not matching resource owner (#109113 )
---------
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
2025-08-06 09:25:06 +01:00
6b86277ecf
Nested folders: Remove feature flag ( #109212 )
2025-08-06 10:07:23 +03:00
a95fb3a37c
Chore: Omit integration tests if short test flag is passed ( #108777 )
...
* omit integration tests if short test flag is passed
* Update pkg/services/ngalert/models/receivers_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/services/ngalert/models/receivers_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/cmd/grafana-cli/commands/datamigrations/to_unified_storage_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/services/ngalert/models/receivers_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* fix the rest
* false positive
---------
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
2025-07-28 13:38:54 +02:00
c6a6b9fdd2
IAM: Create and delete user from the legacy store ( #107694 )
...
* Add Create for User + DualWriter setup
* Add delete User
* Fix delete + access check
* Add tests for delete user
* Add tests for create user
* Fixes
* Use sqlx session to fix database locked issues
* wip authz checks
* legacyAccessClient
* Update legacyAccessClient, add tests for create user
* Close rows before running other queries
* Use ExecWithReturningId
* Verify deletion in the tests
* Add Validate and Mutate
* Other changes
* Address feedback
* Update tests
---------
Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com >
2025-07-17 11:50:40 +02:00
3f502f305d
Chore: Update mocks with recent mockery ( #107816 )
2025-07-09 09:15:34 +02:00
f66a693438
Chore: Rename integration tests to follow the common convention ( #105987 )
...
* automatically rename integration tests to follow the common convention
* name tests differently
* alter column type to bigint
* update another column to bigint
* add another alter
* fix subquery for mysql
2025-06-29 16:56:24 +02:00
55cc6c120a
Zanzana: incorrect folder tree bug ( #106478 )
...
use pagination to get all folders
2025-06-23 11:07:16 -04:00
40164cb09e
Authorization: Fix/provisioned permission display ( #106179 )
...
* add isProvisioned flag to permission DTO
* handle provisioned permissions explicitly
* lint
* swagger
* simplify logic to always show non-managed permissions first; remove unnecessary isProvisioned
* fix docs
* oops
* actually just generate the docs
2025-06-03 11:21:42 -05:00
cb05eb3cd6
RBAC: Return bad request when header is malformed ( #105448 )
2025-06-02 16:31:15 +02:00
ef14992f00
Zanzana: Fix reconciling role with empty UID ( #106045 )
2025-05-27 14:23:29 +02:00
cfba630f5c
RBAC: Don't additionally cache all users permissions ( #105607 )
...
* RBAC: Don't additionally cache all users permissions
* remove unused tests
2025-05-20 09:28:46 +02:00
310b234fbc
Reporting: Update filter and docs to get reports by dashboard ( #104560 )
2025-05-08 11:35:43 -03:00
4ea56b2cfb
Zanzana: Fix reconciliation for roles ( #103889 )
...
* Zanzana: Fix reconciliation for roles
* update go workspaces
* update go.sum
2025-04-15 11:33:40 +02:00
f8fc3d2db2
Chore: Fix lint error in accesscontrol API endpoints ( #103792 )
...
fix lint error
2025-04-10 12:29:04 -05:00
42dd2336b9
Team: Add validation for provisioned teams in setUserPermission endpoint ( #103623 )
...
* removed provisioned team validation from team permissions
* validate team in setUserPermission
2025-04-10 17:28:31 +03:00
757be6365a
CI: Bump golangci-lint to 2.0.2 ( #103572 )
2025-04-10 14:42:23 +02:00
4caa9853cb
Authorization: Add group to role DisplayName to make filtered list more clear ( #102950 )
...
* add group to role DisplayName to make searching easier
* clean up more role names; add filtered display text when fetching
* pass filter state into role menu to decide how to display role name
* prop name better describes what it does
2025-04-08 09:15:03 -05:00
64e005d12f
Teams: Restrict provisioned teams from being updated and deleted ( #103454 )
...
* restrict provisioned teams from being updated and deleted
* check if team is provisioned before update and delete
* add function getTeamDTOByID()
* check if team is provisioned in access control
* fix TestDeleteTeamMembersAPIEndpoint
* add unit tests
* add function for validating a team
2025-04-08 11:27:30 +03:00
10411361e7
Team: Add columns external_uid and is_provisioned to the team table ( #103285 )
...
* add columns external_id and is_provisioned to the team table
* generate openapi specs
* rename column to external_uid
* generate open api specs
* increase limit for external_uid to 256
2025-04-04 11:00:14 +03:00
180f579f18
Revert "Anonymous: Enforce org role Viewer setting ( #102070 )" ( #103043 )
...
This reverts commit e216c2f29d
2025-03-31 10:31:53 +01:00
d0d7078953
App Platform: Remove mutable globals ( #102962 )
...
* App Platform: Remove mutable globals
* chore: clarify why this exists
* fix: support multi-tenant mode
* refactor: call builder providers directly
* CI: Force re-build
2025-03-27 15:46:09 +01:00
e216c2f29d
Anonymous: Enforce org role Viewer setting ( #102070 )
...
* Anon: Remove org role setting
* remove from ini
* remove setting from documentation
2025-03-27 09:10:30 +00:00
ff6039567b
RBAC: Return 404 instead of 403 if a dashboard cannot be found ( #102815 )
...
return 404 instead of 403 if a dashboard cannot be found
2025-03-26 12:26:14 +00:00
Yuri Tseretyan
Todd Treece
mohammad-hamid
Denis Vodopianov
Tom Ratcliffe
Mihai Turdean
Alexander Zobnin
Jo
Dave Henderson
Matheus Macabu
Ieva
Ryan McKinley
Gabriel MABILLE
colin-stuart
Peter Štibraný
Stephanie Hingtgen
Serge Zaitsev
Misi
Cory Forseth
Ezequiel Victorero
Mihai Doarna
Mariell Hoversholm
Eric Leijonmarck