* add metrics for authZ MT service
* remove metrics that are already tracked by the GRPC server metrics
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* undo unneeded change
* test fix
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Extract "PermissionStore" from general store interface
* Add static and union permission stores
* Add GetStaticRoles
* Use accesscontrol.Service for inproc to provide static permissions
* Remove "wrapper" interface and only check feature toggle for grpc and cloud mode
* Only set name for update checks
* Set dashboard permissions for admin user
* Add prefix constants and use string builders / string concatinations
* Use cache for both streamed and non-stream versions of list objects
* Remove unused constants
* Zanzana: Setup GRPC authentication in client/server mode
* don't use grpcutils
* refactor
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Add a namespace stub for in-proc mode
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Read parameters from config
* authorize server requests
* add namespace to the tests context
* use stack id from config
* simplify authorize func
* properly format namespace
* return Unauthenticated if namespace is empty
* use insecure cred only in dev env
* check request namespace
* Use CallCredentials API for client auth
* provide config
* fail if stack id is missing
* improve error message
* use insecure connection by default
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Create and use common ResourceInfo struct
* Add support for formatting group resource with subresource
* Add initial support for handling subresource
* Add test for checking subresource for generic resource
* Bump authlib
* Zanzana: Pass contextual tuples for authorization
* global reconciler for fixed roles
* inject tuples from global store
* fix adding contextual tuples
* cleanup
* don't error on auth context fail
* add todo
* add context for List
* add caching
* remove unused
* use constant for global namespace
* Rename global namespace to cluster namespace
* listing implementation pt 1
* validate list request
* register GRPC endpoint, pass the correct user UID and return folder identifiers not scopes
* uncomment code that was only commented out for testing
* fix tests
* remove unneeded changes
* remove unused import
* Update pkg/services/authz/rbac/service.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* refactor to improve efficiency
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* use variable names when logging
* adding tests for listing
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* AuthZ Service: Add caching
* split in functions
* Test getUserTeams
* Add tests to getUserBasicRole
* Test getUserPermissions
* Cache user identifiers
* fix test
* implement perm check with direct db access
* add tests
* more tests
* Update pkg/services/authz/rbac/service.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update pkg/services/authz/rbac/service.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* allow fetching permissions for a user who is not a member of the org
* linting
* fix typo
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Zanzana: Handle renderer service authorization requests
* only add context if render service is authorizing
* use group and resource from API definitions
* check prefix instead of full identity
* fix AddRenderContext
* remove unused type
* add service account to the schema
* sync managed permissions for service accounts
* sync SA basic roles
* sync SA roles
* Fix endless loop in reconciler while read openfga
* Initial streamed version of list
* instantiate openfga client to use StreamedListObjects
* Add config option for using streamed version
* Use caching
* fix cache init
* Fix hashing
* refactor
Remove create relation from generic resources.
We cant have a create relation to a resource because they don't exist yet. So
in oder to check create we either have to have that permissions on a folder or the namespace
* Zanzana: Search with list
* Allow to pass werb into list request
* split list search into 2 functions
* fix listing resources
* remove unused
* refactor
* remove unused function
* Add more logging to reconciler
* Fix search for users with access to all resources
* fix findFoldersZanzanaList
* search for folders as well by default
* refactor
* use compile for list and search
* remove list from client
* remove only from client
* remove list from interface
* run compile once
* refactor
* refactor
* add search tests
* fix tests
* Fix linter
