public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
64,379 Commits 655 Branches 650 Tags
17459fe1f4f49ca81f57afa54c1f58a217841cb7
Commit Graph

22 Commits

Author SHA1 Message Date
Todd Treece 0088e55b8f Plugins App: PluginMeta -> Meta (#115034) 2025-12-09 16:01:22 -05:00
Todd Treece bcaf94f219 Plugins API: Add plugins to RBAC mapper (#114843) 2025-12-04 11:58:49 -05:00
Misi 06373ae47b IAM: Add ExternalGroupMapping kind for TeamSync (#113052) 
* wip

* wip

* Add authorizer -> VERIFY it's working correctly

* Update openapi definitions

* Authorizer wip

* regen apis

* Increase timeout of pg int tests to 20m

* Revert "Increase timeout of pg int tests to 20m"

This reverts commit 8c20568217.

* Fix NewTestStore when Truncate is enabled
 2025-11-05 18:02:34 +01:00
Charandas 6c728f8dec Provisioning: allow access check to proceed even when non access policy (#112946) 
* Provisioning: allow access check to proceed even when non access policy

* Provisioning: access checker needs this for MT

* add permissions registration

* remove scopes

* use in MT for now

* no need to document an internal flag here

* revert vscode change

* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation

* update wire

* gofmt

* add boolean to struct

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
 2025-11-02 13:14:08 -08:00
Ryan McKinley 1a372e2dec Dashboards: Use the common service authorizer (#111571) 
* authorizer

* authorizer
 2025-10-17 10:03:35 +03:00
Mihai Turdean ae5ff7e8f0 Implement CoreRole Authorizer (#112401) 2025-10-15 20:27:59 +00:00
Ieva 5c9dd9b068 AuthZ service: Correctly evaluate action sets for dashboard creation (#112425) 
correctly evaluate dash creation action sets
 2025-10-15 15:34:19 +01:00
Alexander Zobnin aa89bcf370 grafana-iam: RoleBindings implementation (#112120) 
* add permissions for rolebindings

* fix required actions

* fix VerbCreate

* transform to wildcard scope

* Apply suggestions from code review

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Apply suggestion from @gamab

* lint

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-10-15 10:37:23 +02:00
Ieva acbbfde256 AuthZ service: Expand the logic to also evaluate action sets (#112124) 
* expand AuthZ service logic to also evaluate action sets

* handle folder creation

* fix test

* simplify mapper code

Co-authored-by: gamab <gabi.mabs@gmail.com>

* more accurate variable name Co-authored-by: gamab <gabi.mabs@gmail.com>

* break alerting import cycle

* Apply suggestion from @gamab

---------

Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-10-08 13:37:12 +01:00
Misi 54a347463e IAM: Use the new authorizer for the User resource (#111479) 
* Use the new authorizer for the User resource

* Use accessClient

* Update pkg/services/authz/rbac/mapper.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-09-24 11:32:29 +02:00
Misi 29551a6edf IAM: Implement Delete in Service Account API (#110584) 
* wip

* IAM: Create Service Account

* Add dual writer

* Update openapi_test.go

* Add integration tests

* Add sql tests

* Add Role to SA spec, add validation, add DBTime, add tests

* Format, update test

* Fixes

* Add check for External

* wip

* Fix merge

* wip

* Use plugin name instead of title for ext svc account login

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Remove OrgID from DeleteUserCommand

* Use the new authorizer

* Fix tests

* cleanup

* Move test to enterprise

* Revert unnecessary change

* Address feedback

* Revert "Address feedback"

This reverts commit 8ab9559076.

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-09-16 15:39:01 +02:00
Gabriel MABILLE 5ce13061d5 AuthZ: Allow create without scope for specific resources (#110867) 
* AuthZ: Create without scope for resources outside of folders

* Make it explicit that create requires a scope check

* Update pkg/services/authz/rbac/service.go

* Use skipScope instead of ReqScope

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Explain why there is no need to skip scope for roles

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
 2025-09-11 11:54:41 +02:00
Andres Torres f9e82aba9c chore(rbac): Remove settings resources mappings (#110708) 2025-09-05 18:56:09 +00:00
Andres Torres 87e8c92aa4 chore(rbac): Register settings resources (#109742) 2025-08-18 10:12:33 -04:00
Gabriel MABILLE 69dc5a0b88 grafana-iam: Add resolver for permissions:type:delegate (#108789) 
* `grafana-iam`: Add resolver for `permissions:type:delegate`

* roles create -> write
 2025-07-29 21:11:06 +02:00
Gabriel MABILLE 1a7a7f1d99 grafana-iam: Wire the roles api (#108577) 2025-07-28 13:36:27 +02:00
Gabriel MABILLE 4b217c601a AuthZ: Scope resolution (#107948) 
* AuthZ: Scope resolution

* Account for PR feedback

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
 2025-07-17 14:34:10 +02:00
Gabriel MABILLE 3d543a336f IAM: Register CoreRole apis (#106924) 
* IAM: Register CoreRole apis

* one line store instantiation

* Small refactor for readability

* Add authorizer for CoreRole

* Nit

* Error strings should not end with punctiation

* Account for error

* Switch to use the local resource client

* error should not start with upper casing

* noopStorageErr should have a name starting with err

* Update workspace

* I don't know why I don't have the same output as the CI 🤷

* Dependency xOwnership

* imports

* Import order

* Rename alias to make it clear this is legacy
 2025-06-26 10:11:28 +02:00
mohammad-hamid 936dd05eac ext jwt client: map k8s-style to rbac permissions (#106279) 
* initial commit

* Proposal
Co-Authored-By: mohammad-hamid <mohammad.hamid@grafana.com>

* extend k8s-style mapper
- add tests

* address comments

* cleanup

* address comments

---------

Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
 2025-06-18 11:51:35 -04:00
Eric Leijonmarck 15bddb3712 IAM: Add datasources:query support for using the authlib/authzservice (#104107) 
* feat(add): datasources:query support for using the authlib/authzservice

* added test for datasources

* refactor to create the translation right away

* Update pkg/services/authz/rbac/mapper.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix tests

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-04-24 13:39:31 +01:00
Matheus Macabu 2ade94bbf7 SecretsManager: Add roles and access control to APIs (#102456) 2025-03-19 16:30:07 +01:00
Karl Persson d740f9fc60 Authz: Simplify mapper and only check folders if its supported (#99357) 
* Simplify mapper and only check folders if its supported
 2025-01-23 09:23:00 +01:00