Alexander Zobnin
bfda534825
Zanzana: Implement role bindings write APIs (#114385)
2025-11-26 10:40:35 +01:00
Alexander Zobnin
cb06bba243
Zanzana: Add token namespace to config (#114165)
2025-11-20 15:54:32 +01:00
Alexander Zobnin
b550750a9b
Zanzana: Rename namespace to req_namespace label (#113822)
2025-11-13 12:08:10 +00:00
Gabriel MABILLE
97a6ab7b1c
AuthZ: Remove outdated comments (#113817)
2025-11-13 11:06:02 +01:00
Alexander Zobnin
4bca10195e
Zanzana: Fix shadow client metric (#113771)
2025-11-12 16:48:48 +00:00
Mihai Turdean
7df3582237
Authz: Implement Query operation for Zanzana with folder parent retrieval (#113483)
2025-11-06 09:06:42 -07:00
Misi
06373ae47b
IAM: Add ExternalGroupMapping kind for TeamSync (#113052)
* wip
* wip
* Add authorizer -> VERIFY it's working correctly
* Update openapi definitions
* Authorizer wip
* regen apis
* Increase timeout of pg int tests to 20m
* Revert "Increase timeout of pg int tests to 20m"
This reverts commit 8c20568217.
* Fix NewTestStore when Truncate is enabled
2025-11-05 18:02:34 +01:00
Alexander Zobnin
d1334a6dff
Zanzana: Log token namespace in case of error (#113437)
2025-11-05 11:13:08 +01:00
Alexander Zobnin
505e025d18
Zanzana: Fix namespace in remote client (#113433)
2025-11-05 11:12:41 +01:00
Alexander Zobnin
3fca7cf952
Zanzana: Refactor basic role write APIs (#113397)
* Zanzana: Refactor basic role write APIs
* Fix updates
* fix linter
2025-11-04 16:29:56 +01:00
Alexander Zobnin
259c7807cb
Zanzana: Respect action sets for dashboards and folders during reconciliation (#113352)
Zanzana: Respect action sets for dashboards and folders during legacy reconciliation
2025-11-03 15:19:23 +01:00
Alexander Zobnin
d6fa822e89
Zanzana: Write API for org roles (#113339)
* Zanzana: Add write APIs for user org roles
* Add tests
* Fix tests
* fix role translation
2025-11-03 14:47:10 +01:00
Charandas
6c728f8dec
Provisioning: allow access check to proceed even when non access policy (#112946)
* Provisioning: allow access check to proceed even when non access policy
* Provisioning: access checker needs this for MT
* add permissions registration
* remove scopes
* use in MT for now
* no need to document an internal flag here
* revert vscode change
* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation
* update wire
* gofmt
* add boolean to struct
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2025-11-02 13:14:08 -08:00
Alexander Zobnin
cfc8989d24
Zanzana: Inject client into standalone AuthZ client (#113293)
2025-10-31 16:15:45 +01:00
Alexander Zobnin
7a7fd45bdd
Zanzana: app platform style write APIs (#112812)
* refactor zanzana client instantiation
* refactor client imports
* POC write API (Mutate)
* fix linter
* delete existing folder parents
* refactor common functions
* minor refactor
* group operations by type
* atomic folder operations
* use deleteExisting for deletes
* Add tests for folders
* more tests
* resource permissions tests
* add more tests
* fix mock zanzana client
* fix linter
* fix linter
* re-use types from apps
* add some comments to the protobuf
2025-10-28 11:22:13 +01:00
Denis Vodopianov
81683d554d
chore: Deprecating FeatureToggles.IsEnabledGlobally (#112885)
* add deprecation on featuremgmt.IsEnabledGlobally
* add nolint reason
* add reasonable deprecation message
* remove junk edits
* add more nolints
* addressing review comments
* Update pkg/services/featuremgmt/models.go
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
---------
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
2025-10-24 12:02:53 -04:00
Jo
2e1704b56f
Access: Add AfterCreate hooks for Roles/Core Roles (#112666)
As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.
This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:
Role permissions are immediately available for authorization checks
The legacy RBAC system and new Zanzana system remain in sync
Users experience consistent permission enforcement regardless of which backend is queried
safe to revert
2025-10-23 09:47:39 +02:00
Alexander Zobnin
adf1224e82
AuthZ: Zanzana only evaluation toggle (#112715)
* Zanzana: Feature toggle to enable zanzana only evaluation
* refactor
* Update pkg/services/featuremgmt/toggles_gen.json
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-10-21 16:03:17 +02:00
Ryan McKinley
1a372e2dec
Dashboards: Use the common service authorizer (#111571)
* authorizer
* authorizer
2025-10-17 10:03:35 +03:00
Jo
bc9c42f5c2
AuthZ: ignore duplicates on write and missing on delete in OpenFGA (#112451)
Authz: ignore duplicates on write and missing on delete in zanzana
2025-10-16 15:42:44 +01:00
Mihai Turdean
ae5ff7e8f0
Implement CoreRole Authorizer (#112401)
2025-10-15 20:27:59 +00:00
Ieva
5c9dd9b068
AuthZ service: Correctly evaluate action sets for dashboard creation (#112425)
correctly evaluate dash creation action sets
2025-10-15 15:34:19 +01:00
Alexander Zobnin
aa89bcf370
grafana-iam: RoleBindings implementation (#112120)
* add permissions for rolebindings
* fix required actions
* fix VerbCreate
* transform to wildcard scope
* Apply suggestions from code review
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Apply suggestion from @gamab
* lint
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-10-15 10:37:23 +02:00
Gabriel MABILLE
0e34164329
grafana-iam: Populate Zanzana on resource permission creation (#111654)
* `grafana-iam`: Populate Zanzana on resource permission creation
* use zanzana const
* Adding a toggle
* Add a new feature toggle to manage zanzana sync
* wire
* wire
* WIP
* Fix hook issue
* comments and tests
* Account for PR feedback
* Add a timeout to writes
* Check tuples len
* comment
* validate basic role
* shorter error
* object reads better than entry
2025-10-13 21:37:13 +02:00
Gabriel MABILLE
267848063d
AuthZService: Add a metric to count folder app requests (#112258)
2025-10-10 11:07:02 +02:00
Gabriel MABILLE
f4cd46504b
AuthZ: Add if user is allowed to the span attribute (#112197)
* `AuthZ`: Add if user is allowed to the span attribute
* Suggestion
2025-10-09 10:49:50 +02:00
Gabriel MABILLE
1cbe7c8848
AuthZ: log incomplete folder tree (#112151)
2025-10-08 21:41:44 +02:00
Ieva
acbbfde256
AuthZ service: Expand the logic to also evaluate action sets (#112124)
* expand AuthZ service logic to also evaluate action sets
* handle folder creation
* fix test
* simplify mapper code
Co-authored-by: gamab <gabi.mabs@gmail.com>
* more accurate variable name Co-authored-by: gamab <gabi.mabs@gmail.com>
* break alerting import cycle
* Apply suggestion from @gamab
---------
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-10-08 13:37:12 +01:00
Gabriel MABILLE
26e147d01f
AuthZ: Fix cacheHit computation (#112088)
* AuthZ: Fix cacheHit computation
* Remove the ok bool
2025-10-07 10:12:14 +02:00
Ryan McKinley
2f2289f226
Chore: Update authlib (folder as top level argument) (#111800)
2025-10-01 14:40:28 +00:00
Alexander Zobnin
5457cc5d4f
Authz: Fix zookie nil pointer dereference (#111758)
2025-09-30 09:56:08 +02:00
Gabriel MABILLE
b63ba0269f
AuthZ: Recover from missing split scope (#111492)
* AuthZ: Recover from missing split scope
* Follow up changes
* Add test
* better log
* Add a comment to getScopeMap
* Punctuation
2025-09-24 13:24:21 +02:00
Misi
54a347463e
IAM: Use the new authorizer for the User resource (#111479)
* Use the new authorizer for the User resource
* Use accessClient
* Update pkg/services/authz/rbac/mapper.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-09-24 11:32:29 +02:00
Alexander Zobnin
72d212c5f9
Authlib: Update authz client to use zookies (#111291)
* Authlib: Update authz client to use zookies
* fix zookie return
* fix linter
2025-09-18 16:24:22 +02:00
Ryan McKinley
14b6e60f31
Folders: Add better integration tests (#111241)
2025-09-17 20:19:50 +03:00
Misi
29551a6edf
IAM: Implement Delete in Service Account API (#110584)
* wip
* IAM: Create Service Account
* Add dual writer
* Update openapi_test.go
* Add integration tests
* Add sql tests
* Add Role to SA spec, add validation, add DBTime, add tests
* Format, update test
* Fixes
* Add check for External
* wip
* Fix merge
* wip
* Use plugin name instead of title for ext svc account login
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Remove OrgID from DeleteUserCommand
* Use the new authorizer
* Fix tests
* cleanup
* Move test to enterprise
* Revert unnecessary change
* Address feedback
* Revert "Address feedback"
This reverts commit 8ab9559076.
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-09-16 15:39:01 +02:00
Alexander Zobnin
38e5298807
Authz: Skip cache in List request if option provided (#110864)
* Authz: Skip cache in List request if option provided
* return timestamp with list response
* update authlib
* add skipCache option test
* refactor
* fix tests
* update workspaces
* Set zookies depending on cache hit
* update workspaces
* Fix nil pointer
2025-09-16 11:27:07 +02:00
Eric Leijonmarck
868e3a5e8e
grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819)
2025-09-16 09:49:37 +01:00
Alexander Zobnin
294fd943c0
Chore: Update authlib (#110880)
* Chore: Update authlib
* exclude incompatible version of github.com/grafana/gomemcache
* Update go-jose to v4
* fix jose imports
* remove jose v3 from go.mod
* fix tests
* fix serialize
* fix failing live tests
* add v1 of ES256 testkeys. Port tests to use ES256 instead of HS256
* accept more signature algs for okta and azuread
* azure social graph token sig
* accept more signature algs for oauth refresh and jwt auth
* update workspace
* add a static signer for inproc
* rebase and fix ext_jwt
* fix jwt tests
* apply alex patch on gomemcache
* update linting
* fix ext_jwt panic
* update workspaces
---------
Co-authored-by: Jo Garnier <git@jguer.space>
2025-09-15 12:45:15 +02:00
Mustafa Sencer Özcan
941a75964f
fix: authz grpc client no org id issue (#110952)
2025-09-11 14:02:56 +00:00
Gabriel MABILLE
5ce13061d5
AuthZ: Allow create without scope for specific resources (#110867)
* AuthZ: Create without scope for resources outside of folders
* Make it explicit that create requires a scope check
* Update pkg/services/authz/rbac/service.go
* Use skipScope instead of ReqScope
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Explain why there is no need to skip scope for roles
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-09-11 11:54:41 +02:00
Mustafa Sencer Özcan
b8b85fbf47
fix: add instrumentation for auth server grpc client (#110875)
2025-09-10 17:33:21 +02:00
Gabriel MABILLE
d0f25b0cd7
Revert "Folders: Use authlib.AccessClient in authorizer" (#110812)
Revert "Folders: Use authlib.AccessClient in authorizer (#110602)"
This reverts commit 0cb52b8be0.
2025-09-09 15:45:37 +02:00
Ryan McKinley
0cb52b8be0
Folders: Use authlib.AccessClient in authorizer (#110602)
2025-09-09 13:43:48 +03:00
Peter Štibraný
7fd9ab9481
Replace check for integration tests. (#110707)
...
* Replace check for integration tests.
* Revert changes in pkg/tsdb/mysql packages.
* Fix formatting of few tests.
2025-09-08 15:49:49 +02:00
Mihai Turdean
62cc0f9c0e
Update IAM Folder Reconciler Operator config (#110728)
2025-09-05 22:56:23 +00:00
Andres Torres
f9e82aba9c
chore(rbac): Remove settings resources mappings (#110708)
2025-09-05 18:56:09 +00:00
Gabriel MABILLE
885812f694
AuthZ: Recover from an outdated cached folder tree (#110293)
2025-09-01 11:16:01 +02:00
Misi
a5c05ba9c1
IAM: Moving code to the /pkg/apps/iam folder (#109985)
* wip
* Gen GetTeams with app sdk
* Revert some changes, cleanup
* Format iam_manifest.go
* Remove generated file
* Regenerate openapi defs
* Cleanup
* Remove TODO
2025-08-28 12:32:15 +02:00
Mihai Turdean
3eebe43c6d
Slight refactor of Zanzana GRPC Client to use it in the IAM Folder Operator (#110120)
2025-08-26 08:34:15 -06:00