Commit Graph

235 Commits

Author SHA1 Message Date
Todd Treece
0088e55b8f Plugins App: PluginMeta -> Meta (#115034) 2025-12-09 16:01:22 -05:00
Alexander Zobnin
8a0fa93aec Zanzana: Fix duplicated writes in one request (#114900)
* Zanzana: Fix duplicated writes

* add tests
2025-12-05 13:55:56 +01:00
Todd Treece
bcaf94f219 Plugins API: Add plugins to RBAC mapper (#114843) 2025-12-04 11:58:49 -05:00
Alexander Zobnin
030c7099cb Zanzana: Fix shadow client context (#114853)
* Zanzana: Fix shadow client context

* don't cancel on parent context cancel

* share timeout
2025-12-04 17:09:04 +01:00
Alexander Zobnin
5c49dbf4c4 Zanzana: Non-blocking shadow compile (#114774) 2025-12-04 11:28:09 +01:00
Alexander Zobnin
ed91ada3c0 Zanzana: Allow resources to derive permissions from folders by default (#114820) 2025-12-04 11:27:59 +01:00
Alexander Zobnin
f4fbbcc4f4 Zanzana: Fix dashboard access evaluation in folders (#114718)
* Zanzana: Fix dashboard access evaluation in folders

* add negative test

* Fix listing
2025-12-04 09:36:03 +01:00
Gabriel MABILLE
8998b1fde4 grafana-iam: Implement api level user authorization (#114498)
* OnGoing

comment

* WIP on the wrapper

* Get before Delete

* WIP: add an unimplemented storage authorizer

* WIP implementing the resource permission authorize

* Implement beforeCreate

* Create, Delete, Update

* List

* Use a resource permissions wrapper

* Switch the main authorizer to service

* Add namespace

* Use compile for list

* Comment

* Remove unnecessary comments

* fix bug with folder permissions

* Implement tests for List

* Test get

* List test small refactor

* Delete test

* Reorganize code

* imports

* Start splitting the tests

* test AfterDelete

* actually test beforeWrite

* Implement tests for wrapper create

* Test delete

* Test List and Get

* Fix List

* Remaining tests

* simplify

* Remove comments

* Reorder

* Change authorizer to allow access
2025-12-03 17:06:26 +01:00
Stephanie Hingtgen
aaa5d02a3e AuthZ: Set span errors (#114460) 2025-12-01 09:29:04 +01:00
Alexander Zobnin
358d0eb266 Zanzana: Role write APIs (#114533)
* Zanzana: Role write APIs

* Add tests

* Update pkg/services/authz/zanzana/server/server_mutate_roles.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix func usage

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-11-28 11:44:58 +01:00
Alexander Zobnin
8e7ba60b93 Zanzana: Team bindings write APIs (#114493)
* Zanzana: Team bindings write APIs

* Update pkg/services/authz/zanzana/server/server_mutate_teambindings.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix missing import

* fix linter

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-11-28 10:12:50 +01:00
Alexander Zobnin
bfda534825 Zanzana: Implement role bindings write APIs (#114385) 2025-11-26 10:40:35 +01:00
Alexander Zobnin
cb06bba243 Zanzana: Add token namespace to config (#114165) 2025-11-20 15:54:32 +01:00
Alexander Zobnin
b550750a9b Zanzana: Rename namespace to req_namespace label (#113822) 2025-11-13 12:08:10 +00:00
Gabriel MABILLE
97a6ab7b1c AuthZ: Remove outdated comments (#113817) 2025-11-13 11:06:02 +01:00
Alexander Zobnin
4bca10195e Zanzana: Fix shadow client metric (#113771) 2025-11-12 16:48:48 +00:00
Mihai Turdean
7df3582237 Authz: Implement Query operation for Zanzana with folder parent retrieval (#113483) 2025-11-06 09:06:42 -07:00
Misi
06373ae47b IAM: Add ExternalGroupMapping kind for TeamSync (#113052)
* wip

* wip

* Add authorizer -> VERIFY it's working correctly

* Update openapi definitions

* Authorizer wip

* regen apis

* Increase timeout of pg int tests to 20m

* Revert "Increase timeout of pg int tests to 20m"

This reverts commit 8c20568217.

* Fix NewTestStore when Truncate is enabled
2025-11-05 18:02:34 +01:00
Alexander Zobnin
d1334a6dff Zanzana: Log token namespace in case of error (#113437) 2025-11-05 11:13:08 +01:00
Alexander Zobnin
505e025d18 Zanzana: Fix namespace in remote client (#113433) 2025-11-05 11:12:41 +01:00
Alexander Zobnin
3fca7cf952 Zanzana: Refactor basic role write APIs (#113397)
* Zanzana: Refactor basic role write APIs

* Fix updates

* fix linter
2025-11-04 16:29:56 +01:00
Alexander Zobnin
259c7807cb Zanzana: Respect action sets for dashboards and folders during reconciliation (#113352)
Zanzana: Respect action sets for dashboards and folders during legacy reconciliation
2025-11-03 15:19:23 +01:00
Alexander Zobnin
d6fa822e89 Zanzana: Write API for org roles (#113339)
* Zanzana: Add write APIs for user org roles

* Add tests

* Fix tests

* fix role translation
2025-11-03 14:47:10 +01:00
Charandas
6c728f8dec Provisioning: allow access check to proceed even when non access policy (#112946)
* Provisioning: allow access check to proceed even when non access policy

* Provisioning: access checker needs this for MT

* add permissions registration

* remove scopes

* use in MT for now

* no need to document an internal flag here

* revert vscode change

* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation

* update wire

* gofmt

* add boolean to struct

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2025-11-02 13:14:08 -08:00
Alexander Zobnin
cfc8989d24 Zanzana: Inject client into standalone AuthZ client (#113293) 2025-10-31 16:15:45 +01:00
Alexander Zobnin
7a7fd45bdd Zanzana: app platform style write APIs (#112812)
* refactor zanzana client instantiation

* refactor client imports

* POC write API (Mutate)

* fix linter

* delete existing folder parents

* refactor common functions

* minor refactor

* group operations by type

* atomic folder operations

* use deleteExisting for deletes

* Add tests for folders

* more tests

* resource permissions tests

* add more tests

* fix mock zanzana client

* fix linter

* fix linter

* re-use types from apps

* add some comments to the protobuf
2025-10-28 11:22:13 +01:00
Denis Vodopianov
81683d554d chore: Deprecating FeatureToggles.IsEnabledGlobally (#112885)
* add deprecation on featuremgmt.IsEnabledGlobally

* add nolint reason

* add reasonable deprecation message

* remove junk edits

* add more nolints

* addressing review comments

* Update pkg/services/featuremgmt/models.go

Co-authored-by: Dave Henderson <dave.henderson@grafana.com>

---------

Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
2025-10-24 12:02:53 -04:00
Jo
2e1704b56f Access: Add AfterCreate hooks for Roles/Core Roles (#112666)
As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.

This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:

* Role permissions are immediately available for authorization checks

* The legacy RBAC system and new Zanzana system remain in sync

* Users experience consistent permission enforcement regardless of which backend is queried

safe to revert
2025-10-23 09:47:39 +02:00
Alexander Zobnin
adf1224e82 AuthZ: Zanzana only evaluation toggle (#112715)
* Zanzana: Feature toggle to enable zanzana only evaluation

* refactor

* Update pkg/services/featuremgmt/toggles_gen.json

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-10-21 16:03:17 +02:00
Ryan McKinley
1a372e2dec Dashboards: Use the common service authorizer (#111571)
* authorizer

* authorizer
2025-10-17 10:03:35 +03:00
Jo
bc9c42f5c2 AuthZ: ignore duplicates on write and missing on delete in OpenFGA (#112451)
Authz: ignore duplicates on write and missing on delete in zanzana
2025-10-16 15:42:44 +01:00
Mihai Turdean
ae5ff7e8f0 Implement CoreRole Authorizer (#112401) 2025-10-15 20:27:59 +00:00
Ieva
5c9dd9b068 AuthZ service: Correctly evaluate action sets for dashboard creation (#112425)
correctly evaluate dash creation action sets
2025-10-15 15:34:19 +01:00
Alexander Zobnin
aa89bcf370 grafana-iam: RoleBindings implementation (#112120)
* add permissions for rolebindings

* fix required actions

* fix VerbCreate

* transform to wildcard scope

* Apply suggestions from code review

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Apply suggestion from @gamab

* lint

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-10-15 10:37:23 +02:00
Gabriel MABILLE
0e34164329 grafana-iam: Populate Zanzana on resource permission creation (#111654)
* `grafana-iam`: Populate Zanzana on resource permission creation

* use zanzana const

* Adding a toggle

* Add a new feature toggle to manage zanzana sync

* wire

* wire

* WIP

* Fix hook issue

* comments and tests

* Account for PR feedback

* Add a timeout to writes

* Check tuples len

* comment

* validate basic role

* shorter error

* object reads better than entry
2025-10-13 21:37:13 +02:00
Gabriel MABILLE
267848063d AuthZService: Add a metric to count folder app requests (#112258) 2025-10-10 11:07:02 +02:00
Gabriel MABILLE
f4cd46504b AuthZ: Add if user is allowed to the span attribute (#112197)
* `AuthZ`: Add if user is allowed to the span attribute

* Suggestion
2025-10-09 10:49:50 +02:00
Gabriel MABILLE
1cbe7c8848 AuthZ: log incomplete folder tree (#112151) 2025-10-08 21:41:44 +02:00
Ieva
acbbfde256 AuthZ service: Expand the logic to also evaluate action sets (#112124)
* expand AuthZ service logic to also evaluate action sets

* handle folder creation

* fix test

* simplify mapper code

Co-authored-by: gamab <gabi.mabs@gmail.com>

* more accurate variable name

Co-authored-by: gamab <gabi.mabs@gmail.com>

* break alerting import cycle

* Apply suggestion from @gamab

---------

Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-10-08 13:37:12 +01:00
Gabriel MABILLE
26e147d01f AuthZ: Fix cacheHit computation (#112088)
* AuthZ: Fix cacheHit computation

* Remove the ok bool
2025-10-07 10:12:14 +02:00
Ryan McKinley
2f2289f226 Chore: Update authlib (folder as top level argument) (#111800) 2025-10-01 14:40:28 +00:00
Alexander Zobnin
5457cc5d4f Authz: Fix zookie nil pointer dereference (#111758) 2025-09-30 09:56:08 +02:00
Gabriel MABILLE
b63ba0269f AuthZ: Recover from missing split scope (#111492)
* AuthZ: Recover from missing split scope

* Follow up changes

* Add test

* better log

* Add a comment to getScopeMap

* Punctuation
2025-09-24 13:24:21 +02:00
Misi
54a347463e IAM: Use the new authorizer for the User resource (#111479)
* Use the new authorizer for the User resource

* Use accessClient

* Update pkg/services/authz/rbac/mapper.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-09-24 11:32:29 +02:00
Alexander Zobnin
72d212c5f9 Authlib: Update authz client to use zookies (#111291)
* Authlib: Update authz client to use zookies

* fix zookie return

* fix linter
2025-09-18 16:24:22 +02:00
Ryan McKinley
14b6e60f31 Folders: Add better integration tests (#111241) 2025-09-17 20:19:50 +03:00
Misi
29551a6edf IAM: Implement Delete in Service Account API (#110584)
* wip

* IAM: Create Service Account

* Add dual writer

* Update openapi_test.go

* Add integration tests

* Add sql tests

* Add Role to SA spec, add validation, add DBTime, add tests

* Format, update test

* Fixes

* Add check for External

* wip

* Fix merge

* wip

* Use plugin name instead of title for ext svc account login

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Remove OrgID from DeleteUserCommand

* Use the new authorizer

* Fix tests

* cleanup

* Move test to enterprise

* Revert unnecessary change

* Address feedback

* Revert "Address feedback"

This reverts commit 8ab9559076.

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-09-16 15:39:01 +02:00
Alexander Zobnin
38e5298807 Authz: Skip cache in List request if option provided (#110864)
* Authz: Skip cache in List request if option provided

* return timestamp with list response

* update authlib

* add skipCache option test

* refactor

* fix tests

* update workspaces

* Set zookies depending on cache hit

* update workspaces

* Fix nil pointer
2025-09-16 11:27:07 +02:00
Eric Leijonmarck
868e3a5e8e grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819) 2025-09-16 09:49:37 +01:00
Alexander Zobnin
294fd943c0 Chore: Update authlib (#110880)
* Chore: Update authlib

* exclude incompatible version of github.com/grafana/gomemcache

* Update go-jose to v4

* fix jose imports

* remove jose v3 from go.mod

* fix tests

* fix serialize

* fix failing live tests

* add v1 of ES256 testkeys. Port tests to use ES256 instead of HS256

* accept more signature algs for okta and azuread

* azure social graph token sig

* accept more signature algs for oauth refresh and jwt auth

* update workspace

* add a static signer for inproc

* rebase and fix ext_jwt

* fix jwt tests

* apply alex patch on gomemcache

* update linting

* fix ext_jwt panic

* update workspaces

---------

Co-authored-by: Jo Garnier <git@jguer.space>
2025-09-15 12:45:15 +02:00