Yuri Tseretyan
47f7b3e095
Alerting: Dedicated permission for Template testing API ( #115032 )
2025-12-10 10:56:29 -05:00
Todd Treece
0088e55b8f
Plugins App: PluginMeta -> Meta ( #115034 )
2025-12-09 16:01:22 -05:00
Todd Treece
5b89d3b807
Plugins App: Add access control ( #114869 )
2025-12-05 12:56:01 -05:00
mohammad-hamid
3c5d905e0f
AuthZ: Redirect legacy resource permissions handler to k8s (part I) (#114199 )
...
* Add K8s API redirect for GET resource permissions
* wire
* move restconfig to options
* address comments
* fix helper after adding RestConfigProvider
* Revert K8s redirect changes for service accounts, teams, and receivers
Keep only dashboard and folder redirect functionality for this PR.
Service accounts, teams, and receivers will be handled in a separate PR.
* address comments
* lint
2025-12-04 10:04:23 -05:00
Denis Vodopianov
0e460a267e
chore : Deprecating FeatureToggles.IsEnabled ( #113062 )
...
* Deprecating features.IsEnabled
* add one more nolint
* add one more nolint
* Give better hints to devs in the deprecation message of IsEnabledGlobally
* adding more doc strings
* fix linter after rebase
* Extend deprecation message
2025-11-21 18:43:42 +01:00
Tom Ratcliffe
9a542489a7
APIs: Fix pre-processing of getApiResources & update godoc for teams endpoints ( #113536 )
2025-11-10 12:59:40 +00:00
Mihai Turdean
7df3582237
Authz: Implement Query operation for Zanzana with folder parent retrieval ( #113483 )
2025-11-06 09:06:42 -07:00
Alexander Zobnin
7a7fd45bdd
Zanzana: app platform style write APIs ( #112812 )
...
* refactor zanzana client instantiation
* refactor client imports
* POC write API (Mutate)
* fix linter
* delete existing folder parents
* refactor common functions
* minor refactor
* grouped operations by type
* atomic folder operations
* use deleteExisting for deletes
* Add tests for folders
* more tests
* resource permissions tests
* add more tests
* fix mock zanzana client
* fix linter
* fix linter
* re-use types from apps
* add some comments to the protobuf
2025-10-28 11:22:13 +01:00
Denis Vodopianov
81683d554d
chore : Deprecating FeatureToggles.IsEnabledGlobally ( #112885 )
...
* add deprecation on featuremgmt.IsEnabledGlobally
* add nolint reason
* add reasonable deprecation message
* remove junk edits
* add more nolints
* addressing review comments
* Update pkg/services/featuremgmt/models.go
Co-authored-by: Dave Henderson <dave.henderson@grafana.com >
---------
Co-authored-by: Dave Henderson <dave.henderson@grafana.com >
2025-10-24 12:02:53 -04:00
Jo
71d10a3fa3
FolderPermissions: Return 404 error when folder does not exist instead of 500 ( #112919 )
...
* AccessControl: Improve folder permissions error handling
- Add proper error type handling for folder permission checks
- Convert dashboards.ErrFolderNotFound to folder.ErrFolderNotFound
- Preserve errutil.Error types when returned
- Wrap unhandled errors with new ErrFolderUnhandledError for better error tracking
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update pkg/services/accesscontrol/ossaccesscontrol/folder.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-10-24 09:50:38 +00:00
Jo
2e1704b56f
Access: Add AfterCreate hooks for Roles/Core Roles ( #112666 )
...
As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.
This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:
- Role permissions are immediately available for authorization checks
- The legacy RBAC system and new Zanzana system remain in sync
- Users experience consistent permission enforcement regardless of which backend is queried
safe to revert
2025-10-23 09:47:39 +02:00
Dave Henderson
fbc81d2fd0
fix(accesscontrol): Reduce memory usage in GroupScopesByActionContext ( #112295 )
...
Signed-off-by: Dave Henderson <dave.henderson@grafana.com >
2025-10-22 18:25:10 -04:00
Todd Treece
638a1808f8
Access Control: Add fixed role loader service ( #112747 )
2025-10-22 12:04:42 -04:00
Matheus Macabu
5a798afb3f
AccessControl: Fix flaky set resource permission integration test ( #112738 )
...
* AccessControl: Fix flaky set resource permission integration test
* Also remove println
2025-10-21 15:45:35 +00:00
Ieva
0a0311a2b2
RBAC: Only write action sets ( #112429 )
...
* implementation + broken tests
* finish tests and cleanup
* fix a bug in logic where we'd return too early for non dash and folder resources
2025-10-20 16:02:56 +01:00
Todd Treece
89da0bf178
Access Control: Fix plugin async install role registration ( #112123 )
2025-10-10 09:44:02 -04:00
Ieva
acbbfde256
AuthZ service: Expand the logic to also evaluate action sets ( #112124 )
...
* expand AuthZ service logic to also evaluate action sets
* handle folder creation
* fix test
* simplify mapper code
Co-authored-by: gamab <gabi.mabs@gmail.com >
* more accurate variable name
Co-authored-by: gamab <gabi.mabs@gmail.com >
* break alerting import cycle
* Apply suggestion from @gamab
---------
Co-authored-by: gamab <gabi.mabs@gmail.com >
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
2025-10-08 13:37:12 +01:00
Ryan McKinley
2f2289f226
Chore: Update authlib (folder as top level argument) ( #111800 )
2025-10-01 14:40:28 +00:00
Gabriel MABILLE
a98870f8f9
Extsvcacc: Split permission scope ( #111491 )
...
* Extsvcacc: Split permission scope
* Fix integration test
* Trigger CI/CD pipeline
* Change extsvc permission comparing
* Recreate unsplit permissions
2025-09-24 13:25:44 +02:00
colin-stuart
1ef27e9749
Auth: Add SCIM settings permission to auth config writer role ( #111326 )
...
* Auth: add SCIM settings permission to authentication config writer role
* make update-workspace
2025-09-19 09:55:18 -05:00
Alexander Zobnin
72d212c5f9
Authlib: Update authz client to use zookies ( #111291 )
...
* Authlib: Update authz client to use zookies
* fix zookie return
* fix linter
2025-09-18 16:24:22 +02:00
Jo
ba65aa6529
AccessControl: Remove deprecated scope split migration ( #111071 )
...
remove scope migrator
2025-09-15 11:47:08 +02:00
Jo
edcd113054
Authz: Remove legacy API Key permissions ( #110860 )
...
* remove API key roles
* remove API key gen
* remove frontend and doc mentions
* restore legacy keygen
* restore codeowners
* prettier
* update swagger
* remove permissions including apikeys
* add migrator for removing deprecated permissions
* add tracing
* update openapi3
* simplify migrator for now
* accesscontrol/migrator: remove batching for deprecated permissions deletion
2025-09-12 13:59:37 +02:00
Ryan McKinley
9a54243f09
Chore: update golang.org/x/exp ( #110980 )
2025-09-11 22:13:07 +03:00
Peter Štibraný
c32650e9d8
Replace remaining calls to testing.Short where possible. ( #110765 )
...
* Replace remaining calls to testing.Short where possible.
* Update style guide.
* Revert change in TestAlertmanager_ExtraDedupStage, as it doesn't work.
* Make TestAlertRulePostExport into integration test.
2025-09-09 08:16:12 +00:00
Ryan McKinley
7c95d3c8a9
Folders: Split legacy out of folder.Service (and remove folder.FolderStore) ( #110734 )
2025-09-08 18:27:49 +03:00
Peter Štibraný
7fd9ab9481
Replace check for integration tests. ( #110707 )
...
* Replace check for integration tests.
* Revert changes in pkg/tsdb/mysql packages.
* Fix formatting of few tests.
2025-09-08 15:49:49 +02:00
Jo
f3896624f5
Access: Remove plugin app access in plugin basic role seeder ( #108526 )
...
* draft: remove plugin app access in plugin basic role seeder
* fix log
* remove mods to gosum
* fix missing plugin check
* debug log, not warn
* Secrets: Better error message for not matching resource owner (#109113 )
---------
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
2025-08-06 09:25:06 +01:00
Stephanie Hingtgen
6b86277ecf
Nested folders: Remove feature flag ( #109212 )
2025-08-06 10:07:23 +03:00
Serge Zaitsev
a95fb3a37c
Chore: Omit integration tests if short test flag is passed ( #108777 )
...
* omit integration tests if short test flag is passed
* Update pkg/services/ngalert/models/receivers_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/tests/api/alerting/api_ruler_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/services/ngalert/models/receivers_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/cmd/grafana-cli/commands/datamigrations/to_unified_storage_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* Update pkg/services/ngalert/models/receivers_test.go
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
* fix the rest
* false positive
---------
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com >
2025-07-28 13:38:54 +02:00
Misi
c6a6b9fdd2
IAM: Create and delete user from the legacy store ( #107694 )
...
* Add Create for User + DualWriter setup
* Add delete User
* Fix delete + access check
* Add tests for delete user
* Add tests for create user
* Fixes
* Use sqlx session to fix database locked issues
* wip authz checks
* legacyAccessClient
* Update legacyAccessClient, add tests for create user
* Close rows before running other queries
* Use ExecWithReturningId
* Verify deletion in the tests
* Add Validate and Mutate
* Other changes
* Address feedback
* Update tests
---------
Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com >
2025-07-17 11:50:40 +02:00
Ryan McKinley
3f502f305d
Chore: Update mocks with recent mockery ( #107816 )
2025-07-09 09:15:34 +02:00
Serge Zaitsev
f66a693438
Chore: Rename integration tests to follow the common convention ( #105987 )
...
* automatically rename integration tests to follow the common convention
* name tests differently
* alter column type to bigint
* update another column to bigint
* add another alter
* fix subquery for mysql
2025-06-29 16:56:24 +02:00
mohammad-hamid
55cc6c120a
Zanzana: incorrect folder tree bug ( #106478 )
...
use pagination to get all folders
2025-06-23 11:07:16 -04:00
Cory Forseth
40164cb09e
Authorization: Fix/provisioned permission display ( #106179 )
...
* add isProvisioned flag to permission DTO
* handle provisioned permissions explicitly
* lint
* swagger
* simplify logic to always show non-managed permissions first; remove unnecessary isProvisioned
* fix docs
* oops
* actually just generate the docs
2025-06-03 11:21:42 -05:00
Alexander Zobnin
cb05eb3cd6
RBAC: Return bad request when header is malformed ( #105448 )
2025-06-02 16:31:15 +02:00
Alexander Zobnin
ef14992f00
Zanzana: Fix reconciling role with empty UID ( #106045 )
2025-05-27 14:23:29 +02:00
Alexander Zobnin
cfba630f5c
RBAC: Don't additionally cache all users permissions ( #105607 )
...
* RBAC: Don't additionally cache all users permissions
* remove unused tests
2025-05-20 09:28:46 +02:00
Ezequiel Victorero
310b234fbc
Reporting: Update filter and docs to get reports by dashboard ( #104560 )
2025-05-08 11:35:43 -03:00
Alexander Zobnin
4ea56b2cfb
Zanzana: Fix reconciliation for roles ( #103889 )
...
* Zanzana: Fix reconciliation for roles
* update go workspaces
* update go.sum
2025-04-15 11:33:40 +02:00
Mihai Doarna
f8fc3d2db2
Chore: Fix lint error in accesscontrol API endpoints ( #103792 )
...
fix lint error
2025-04-10 12:29:04 -05:00
Mihai Doarna
42dd2336b9
Team: Add validation for provisioned teams in setUserPermission endpoint ( #103623 )
...
* removed provisioned team validation from team permissions
* validate team in setUserPermission
2025-04-10 17:28:31 +03:00
Mariell Hoversholm
757be6365a
CI: Bump golangci-lint to 2.0.2 ( #103572 )
2025-04-10 14:42:23 +02:00
Cory Forseth
4caa9853cb
Authorization: Add group to role DisplayName to make filtered list more clear ( #102950 )
...
* add group to role DisplayName to make searching easier
* clean up more role names; add filtered display text when fetching
* pass filter state into role menu to decide how to display role name
* prop name better describes what it does
2025-04-08 09:15:03 -05:00
Mihai Doarna
64e005d12f
Teams: Restrict provisioned teams from being updated and deleted ( #103454 )
...
* restrict provisioned teams from being updated and deleted
* check if team is provisioned before update and delete
* add function getTeamDTOByID()
* check if team is provisioned in access control
* fix TestDeleteTeamMembersAPIEndpoint
* add unit tests
* add function for validating a team
2025-04-08 11:27:30 +03:00
Mihai Doarna
10411361e7
Team: Add columns external_uid and is_provisioned to the team table ( #103285 )
...
* add columns external_id and is_provisioned to the team table
* generate openapi specs
* rename column to external_uid
* generate open api specs
* increase limit for external_uid to 256
2025-04-04 11:00:14 +03:00
Eric Leijonmarck
180f579f18
Revert "Anonymous: Enforce org role Viewer setting ( #102070 )" ( #103043 )
...
This reverts commit e216c2f29d.
2025-03-31 10:31:53 +01:00
Mariell Hoversholm
d0d7078953
App Platform: Remove mutable globals ( #102962 )
...
* App Platform: Remove mutable globals
* chore: clarify why this exists
* fix: support multi-tenant mode
* refactor: call builder providers directly
* CI: Force re-build
2025-03-27 15:46:09 +01:00
Eric Leijonmarck
e216c2f29d
Anonymous: Enforce org role Viewer setting ( #102070 )
...
* Anon: Remove org role setting
* remove from ini
* remove setting from documentation
2025-03-27 09:10:30 +00:00
Ieva
ff6039567b
RBAC: Return 404 instead of 403 if a dashboard cannot be found ( #102815 )
...
return 404 instead of 403 if a dashboard cannot be found
2025-03-26 12:26:14 +00:00