* Alerting: Protect sensitive fields of contact points from unauthorized modification
- Introduce a new permission alert.notifications.receivers.protected:write. The permission is granted to contact point administrators.
- Introduce field Protected to NotifierOption
- Introduce DiffReport for models.Integrations with focus on Settings. The diff report is extended with methods that return all keys that are different between two settings.
- Add new annotation 'grafana.com/access/CanModifyProtected' to Receiver model
- Update receiver service to enforce the permission and return status 403 if unauthorized user modifies protected field
- Update receiver testing API to enforce permission and return status 403 if unauthorized user modifies protected field.
- Update UI to disable protected fields if user cannot modify them
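The enforcement described in the commit above, sketched as an added Go example (not Grafana's code). `ChangedKeys`, `AuthorizeUpdate` and `ErrForbidden` are hypothetical names, settings are simplified to string maps, and the error stands in for the 403 response; a removed key counts as a modification.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden stands in for the HTTP 403 the commit message describes (hypothetical name).
var ErrForbidden = errors.New("403: protected field modified without permission")

// NotifierOption is a reduced, hypothetical form of an integration field schema.
type NotifierOption struct {
	Key       string
	Protected bool
}

// ChangedKeys returns the set of settings keys that were added, removed or altered.
func ChangedKeys(oldS, newS map[string]string) map[string]bool {
	changed := map[string]bool{}
	for k, v := range oldS {
		if nv, ok := newS[k]; !ok || nv != v {
			changed[k] = true
		}
	}
	for k := range newS {
		if _, ok := oldS[k]; !ok {
			changed[k] = true
		}
	}
	return changed
}

// AuthorizeUpdate rejects an update that touches a protected key unless the
// caller holds the protected-write permission (passed in as a boolean here).
func AuthorizeUpdate(schema []NotifierOption, oldS, newS map[string]string, canWriteProtected bool) error {
	changed := ChangedKeys(oldS, newS)
	for _, o := range schema {
		if o.Protected && changed[o.Key] && !canWriteProtected {
			return fmt.Errorf("%w: %s", ErrForbidden, o.Key)
		}
	}
	return nil
}

func main() {
	schema := []NotifierOption{{Key: "url", Protected: true}} // constructed sample
	fmt.Println(AuthorizeUpdate(schema, map[string]string{"url": "a"}, map[string]string{"url": "b"}, false))
}
```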
* Alerting: Improve ASH Loki query efficiency by including folderUID
Previously, the folderUID label was only included when ruleUID was not specified
and the user did not have full alert rule read permissions.
To improve ASH Loki query efficiency, this PR includes the folderUID in the ASH
Loki query when ruleUID is specified, even if the user has full alert rule read
permissions.
Some non-obvious considerations:
- The naive implementation of just including the current folder UID would have
the unintended side-effect of no longer returning history after a rule is moved
between folders.
- The previous implementation made the trade-off of only checking RBAC on the
current folder, including any history from old folders that may exist.
To solve both of the above, we make an extra query to the database to check the
alert rule's previous versions so we can include any old folderUIDs, checking
RBAC at the same time.
The querying and inclusion of history from old folders is done best-effort; any
issues that might arise are logged and ignored so as not to prevent the current
folder history.
* Fix merge conflicts
* Reduce scanning on GetAlertRuleVersionFolders by grouping in query
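The folder selection described in the commit above, sketched as an added Go example (not Grafana's code). `FolderSelector` and the `versionFolders` and `canRead` callbacks are hypothetical, and refusing the query when the current folder is unreadable is an assumption. Old folders are filtered through the same RBAC check, and a failed version lookup falls back to the current folder only.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"regexp"
	"sort"
	"strings"
)

// FolderSelector builds the folderUID label matcher for a rule's state-history query.
// versionFolders (hypothetical) returns folder UIDs from the rule's earlier versions;
// canRead (hypothetical) is the RBAC check for a single folder.
func FolderSelector(current string, versionFolders func() ([]string, error), canRead func(string) bool) (string, error) {
	if !canRead(current) { // assumption: no access to the current folder means no history
		return "", errors.New("forbidden: no read access to the rule's current folder")
	}
	allowed := map[string]bool{current: true}
	old, err := versionFolders()
	if err != nil {
		// Best-effort: log and continue with the current folder only.
		log.Printf("skipping old folders: %v", err)
	}
	for _, uid := range old {
		if canRead(uid) { // history from folders the user cannot read stays hidden
			allowed[uid] = true
		}
	}
	uids := make([]string, 0, len(allowed))
	for uid := range allowed {
		uids = append(uids, regexp.QuoteMeta(uid)) // UIDs are data, not regex syntax
	}
	sort.Strings(uids)
	return fmt.Sprintf("folderUID=~%q", strings.Join(uids, "|")), nil
}

func main() {
	// Constructed sample: the rule moved from f-old to f-new; f-secret is unreadable.
	versions := func() ([]string, error) { return []string{"f-old", "f-secret"}, nil }
	canRead := func(uid string) bool { return uid != "f-secret" }
	fmt.Println(FolderSelector("f-new", versions, canRead))
}
```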
**What is this feature?**
Add `rule_matcher` filter to the Prometheus-compatible list rules API: `/api/prometheus/grafana/api/v1/rules`. It allows filtering rules by static labels (not by alert instance labels).
**Special notes:**
- Equality (`=`) and inequality (`!=`) matchers are pushed down to the database. Regex matchers (`=~`, `!~`) are applied in-memory at the API layer.
- SQLite: Uses GLOB pattern matching
- MySQL / PostgreSQL: Use JSON functions to compare label values
---------
Co-authored-by: Konrad Lalik <konradlalik@gmail.com>
Enhancement: Introduce optimized folder permission relations and new permission definitions
- Added `can_get_permissions` and `can_set_permissions` relations to enhance permission management.
- Implemented `FolderPermissionRelation` function to optimize permission checks for folder resources.
- Updated `checkTyped` and `listTyped` methods to utilize optimized relations for permission management.
- Introduced a new benchmark test file for performance evaluation of permission checks and listings.
* init
* it works! but what a mess
* nil ptr bug
* split up client.go
* split up search_request.go
* split up data_query.go
* split up response_parser
* fix merge
* update handling request
* raw dsl agg parser
* change rawQuery to rawDSLQuery
* agg parser works but needs work
* clean up agg parser
* fix bugs with raw dsl parsers
* feature toggle
* fix tests
* editor type selector
* editor type added
* add fix builder vs code by not using same query field
* clean up
* fix lint
* pretty
* editor type selection should be behind ft
* adam's feedback
* prettier
* initial generation
* went through doc to add new resource
* added dummy kind so grafana will run
* added dummy handler and custom route
* fix app name
* gets custom route working - still a dummy route
* adds groupOverride to manifest
* adds quotas to grpc client and server
* WIP - trying to get api recognized - not working
* Gets route working
* fixes group and resource vars
* expects group and resource as separate params
* set content-type header on response
* removes Quotas kind and regens
* Update grafana-app-sdk to v0.48.5
* Update codegen
* updates manifest
* formatting
* updates grafana-app-sdk version to 0.48.5
* regen ResourceClient mocks
* adds tests
* remove commented code
* uncomment go mod tidy
* fix tests and make update workspace
* adds quotas app to codeowners
* formatting
* make gen-apps
* deletes temp file
* fix generated folder code
* make gofmt
* make gen-go
* make update-workspace
* add COPY apps/quotas to Dockerfile
* fix test mock
* fixes undefined NewFolderStatus()
* make gen-apps, and add func for NewFolderStatus
* make gen-apps again
* make update-workspace
* regen folder_object_gen.go
* gofmt
* fix linting
* apps/folder make update-workspace
* make gen-apps
* make gen-apps
* fixes enterprise_imports.go
* go get testcontainers
* adds feature toggle
* make update-workspace
* fix go mod
* fix another client mock
---------
Co-authored-by: Steve Simpson <steve@grafana.com>
* Reapply "K8s: read resource configs from API Enablement for API Builders" (#114475)
This reverts commit 4130bd9cd3.
* revert part that broke things
* FF service changes are gonna come later
* MTFF: allow viewers access to MTFF by enforcing runtime_config for custom routes
* unused var
* removed now
* pass the test, include defaults
* revert sample.ini change