* Extract "PermissionStore" from general store interface
* Add static and union permission stores
* Add GetStaticRoles
* Use accesscontrol.Service for inproc to provide static permissions
* Zanzana: Remove usage from legacy access control
* remove unused
* remove zanzana client from services where it's not used
* remove unused metrics
* fix linter
* Create and use common ResourceInfo struct
* Add support for formatting group resource with subresource
* Add initial support for handling subresource
* Add test for checking subresource for generic resource
* Bump authlib
* Zanzana: Pass contextual tuples for authorization
* global reconciler for fixed roles
* inject tuples from global store
* fix adding contextual tuples
* cleanup
* don't error on auth context fail
* add todo
* add context for List
* add caching
* remove unused
* use constant for global namespace
* Rename global namespace to cluster namespace
* Replace sql query with folder service call when collecting folder tree
* Update provider for folder service implementation for wire
* Refactor provisioning of oss service in folder permissions test util
* Ensure all internal Services are using FolderService and not FolderStore
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
---------
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* add service account to the schema
* sync managed permissions for service accounts
* sync SA basic roles
* sync SA roles
* Fix endless loop in reconciler while read openfga
* Zanzana: Search with list
* Allow to pass werb into list request
* split list search into 2 functions
* fix listing resources
* remove unused
* refactor
* remove unused function
* Add more logging to reconciler
* Fix search for users with access to all resources
* fix findFoldersZanzanaList
* search for folders as well by default
* refactor
* use compile for list and search
* remove list from client
* remove only from client
* remove list from interface
* run compile once
* refactor
* refactor
* add search tests
* fix tests
* Fix linter
* add group mapping UID returned mapped roles
* request mapped roles from the frontend, but don't attempt to update mapped roles
* lock mapped roles and show a pop-up message about why a role is locked
* update role selectors to not allow deselecting a mapped role
* swagger gen
* simplify and set mapped as bool instead of mapping UID array
* swagger gen
* Move server init into server package
* map store name to id
* refactor model loading
* pass namespace into reconcilers and collectors
* refactor
* Extend authz server with Read and Write methods
* use new read/write in reconciler
* implement server side read and write
* Sync permissions for every org
* handle namespace in check and list
* split read and write
* provide conditions
* Fix client implementation
* fix nil conditions
* remove unused client code
* use lock for store access
* move type translators to common package
* fix folder collector
* fix store creation
* remove unused AuthorizationModelId
* fix server tests
* fix linter
* Remove collectors
* Remove zanzana search check, we need to rewrite that part to the new schema
* Only use generic resource schema and cleanup code we don't want to keep / need to re-write
* add user ID API translation
* add uid to user frontend
* use users' UIDs in admin pages
* fix ldapSync page
* use global user search for user by UID
* remove active org filtering
* remove orgID params
* Rename to CheckObject
* Implement authz.AccessClient
* Move folder tree to reconciler and use new schema
* Move shared functionality to common package
* Add reconciler for managed permissions and resource translations
* Add support for folder resources
* Introduce new models RoutingTree, RouteDefaults and Route and api-server to serve them that is backed by provisioning notification policy service.
* update method UpdatePolicyTree of notification policy service to return route and new version
* declare new actions alert.notifications.routes:read and alert.notifications.routes:write and two corresponding fixed roles.
---------
Co-authored-by: Tom Ratcliffe <tom.ratcliffe@grafana.com>
Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>
* fix: Change users permissions search to use a consistent key without collisions
* Move HashString to cacheutils
* Change error handling logic for what to do with a cache key
* Add a test that confirms search cache key consistency
* add admin permissions upon creation of a folder w. SA
* Update pkg/services/folder/folderimpl/folder.go
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Grant service account permissions for creation of dashboards
* Grant service account admin permissions upon creating a datasource
* fetch user using the userservice with the userid
* Revert "fetch user using the userservice with the userid"
This reverts commit 23cba78752.
* revert back to original datasource creation
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Implement uidToResourceID
* add middleware
* Move uidToResourceID to alerting package
* Only hash uid if it's too long
* Use hashed uid in access control
* Move ReceiverUidToResourceId to ScopeProvider
* resolve uid in middleware only if param exists
* Tests
* Linting
---------
Co-authored-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com>
* Rewrite zanzana collector to fetch all available pages
* Register access control as a background service
* If zanzana is enabled we run Syncs and start Reconciliation job
* Update pkg/services/authz/zanzana/client/client.go
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Use server lock when doing performing reconciliation
* Pass parent folder as a contextual tuple in Check request
* Search by listing folders and dashboards
* skip dashboards listing if limit reached
* remove unused
* add some comments
* only add ContextualTuples if parent provided
* Remove parent relation for dashboards from schema and perform separate checks
