Commit Graph

164 Commits

Author SHA1 Message Date
Alexander Zobnin
0e41f58db9 Zanzana: Add detailed instructions for running and instrumenting (#107237)
* Zanzana: Add detailed instructions for running and instrumenting

* Running Zanzana standalone server WIP

* Describe how to run zanzana server

* Fix readme link

* Update cli info

* update how to run postgres
2025-07-02 15:33:08 +02:00
Gabriel MABILLE
3d543a336f IAM: Register CoreRole apis (#106924)
* IAM: Register CoreRole apis

* one line store instantiation

* Small refactor for readability

* Add authorizer for CoreRole

* Nit

* Error strings should not end with punctuation

* Account for error

* Switch to use the local resource client

* error should not start with upper casing

* noopStorageErr should have a name starting with err

* Update workspace

* I don't know why I don't have the same output as the CI 🤷

* Dependency xOwnership

* imports

* Import order

* Rename alias to make it clear this is legacy
2025-06-26 10:11:28 +02:00
Cory Forseth
41a4841e57 Zanzana: add flag for running zanzana server insecurely (#107130)
* add flag for running zanzana server insecurely

* Only allow insecure connections in dev environment

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

---------

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2025-06-25 22:47:53 +00:00
mohammad-hamid
936dd05eac ext jwt client: map k8s-style to rbac permissions (#106279)
* initial commit

* Proposal
Co-Authored-By: mohammad-hamid <mohammad.hamid@grafana.com>

* extend k8s-style mapper
- add tests

* address comments

* cleanup

* address comments

---------

Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
2025-06-18 11:51:35 -04:00
Alexander Zobnin
0270152e35 Zanzana: Improve server side tracing (#106804) 2025-06-18 12:53:39 +02:00
Alexander Zobnin
aa92dc860b Zanzana: Improve server side error handling (#106378)
* Zanzana: Split client and server logs

* Zanzana: Improve error handling and logging

* log internal error at the server side

* refactor

* improve errors for list request

* update go modules

* handle errors for read and write

* refactor

* reset go.mod changes
2025-06-05 22:11:26 +02:00
Eric Leijonmarck
69653ea3dc Zanzana: Adds running migrations from openfga w. RunMigrations() (#105691) 2025-05-29 15:54:12 +01:00
Jean-Philippe Quéméner
9a565ff46e chore(authz): contextualize the authz logger (#106078) 2025-05-27 16:28:58 +02:00
Gabriel MABILLE
cb3cd021b7 AuthZ-Service: Add traces to cache (#105718) 2025-05-21 14:35:43 +02:00
Matheus Macabu
38de0cac3a Chore: Replace usages of golang.org/x/net/context with stdlib context package (#105676) 2025-05-20 14:59:40 +02:00
Gabriel MABILLE
80898c14d0 AuthZ-Service: Add debug logs with the function execution duration (#105621)
AuthZ-Service: Add simple logs with the execution duration
2025-05-19 17:47:01 +02:00
Serge Zaitsev
694b9dfe50 Chore: Replace xorm.io/xorm imports (#104458)
* replace xorm.io/xorm imports

* replace xorm from other go.mod files

* clean up workspace

* nolint does not make sense anymore as it is not a module

* try if nolint directive helps

* use nolint:all for xorm

* add more nolints

* try to skip xorm in linter config

* exclude xorm differently

* retrigger ci
2025-05-02 17:13:01 +02:00
Alexander Zobnin
da32b9e16f Zanzana: Fix health check endpoint (#104670) 2025-04-30 16:05:39 +03:00
Eric Leijonmarck
15bddb3712 IAM: Add datasources:query support for using the authlib/authzservice (#104107)
* feat(add): datasources:query support for using the authlib/authzservice

* added test for datasources

* refactor to create the translation right away

* Update pkg/services/authz/rbac/mapper.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix tests

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-04-24 13:39:31 +01:00
Alexander Zobnin
1584349b99 Zanzana: Use authz client (#104037)
* Zanzana: use client from authzlib

* update go.sum

* use user UID for debugging

* Remove unused function
2025-04-24 10:57:24 +02:00
Ryan McKinley
b09d79b21c K8s/Dashboard: Promote from alpha1 to beta1 (#104009) 2025-04-23 20:54:35 +03:00
Stephanie Hingtgen
b887e8aa05 K8s: Dashboards: Add fine grained access control checks to /apis (#104347)
---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
Co-authored-by: Marco de Abreu <marco.deabreu@grafana.com>
Co-authored-by: Georges Chaudy <chaudyg@gmail.com>
2025-04-23 03:29:05 +01:00
Eric Leijonmarck
4bf32f3651 Zanzana: Adds readme with configuration for openfga cli (#104276) 2025-04-22 17:36:47 +00:00
Alexander Zobnin
073e6dc98c Zanzana: Fix OpenFGA HTTP server (#104088)
Zanzana: Fix OpenFGA grpc server
2025-04-22 15:18:59 +02:00
Matheus Macabu
fc9f32a9f6 SQLTemplates: Add helper to ensure all templates have a test-case (#103964)
* SQLTemplates: Add helper to ensure all templates have a test-case associated

* UnifiedStorage: Add missing sql template test case

* LegacyDashboards: Add sql templates fs to test cases for exhaustiveness check

* RBACStore: Add sql templates fs to test cases for exhaustiveness check

* LegacyIAM: Add missing sql template test cases
2025-04-22 11:21:51 +02:00
Ryan McKinley
0283c98e30 K8s/Folders: Use v1beta1 and app-sdk based spec (#103975) 2025-04-14 23:20:10 +03:00
Ryan McKinley
664e5255fe Provisioning: Use role based access when the target does not yet exist (#103862)
* role based fallback

* disable permissions cache with provisioning

* fallback to role based

* test with editor (not admin)

* test with editor (not admin)

* fix imports

* lint

* editor can create folders
2025-04-11 17:47:26 +03:00
Stephanie Hingtgen
f5ad1ef69b K8s: Folders: Add v1 api (#103842) 2025-04-11 13:09:52 +01:00
Gabriel MABILLE
45d6bfe7cf AuthZ: Make cache ttl configurable (#103769)
* AuthZ: Configure cache ttl

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

* Client side conf

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

* 0 -> No caching

* Make it possible to disable cache on the remote client as well

* Comment

* Move ttl parsing up for in-proc to have it

---------

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-04-11 10:09:47 +02:00
Stephanie Hingtgen
6eba5d74e1 Anonymous access: Allow setting org role in new authz service (#103669)
* Anonymous access: Allow setting org role in new authz service

* back out change that is not needed; rename struct

* cleanup

* Fix tests

---------

Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
2025-04-10 09:51:10 +01:00
Ieva
d9dc93c4a6 AuthZService: improve authz caching (#103633)
* remove the use of client side cache for in-proc authz client

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

* add a permission denial cache, fetch perms if not in either of the caches

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

* Clean up tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Cache tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add test to list + cache

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add outdated cache test

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Re-organize metrics

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
2025-04-09 17:50:48 +01:00
Alexander Zobnin
4bc9203cf6 Zanzana: Perform shadow requests (#103444)
* Zanzana: Execute checks in the background

* add metrics

* collect metrics

* cleanup

* shadow compile checker

* add time metrics for compiler

* run compile in parallel

* prevent deadlock
2025-04-08 10:03:35 +02:00
Leonor Oliveira
e9ed7223a6 Use authlib repo. Use otel (#103178)
* Use authlib repo. Use otel

* Use interceptors on the provider level

* Create a new wire set with otel

* Lint

* Fix test

* make update-workflow

* make update-workspace

* make update-workspace. Try to add authlib as enterprise imports

* make update-workspace
2025-04-07 15:47:40 +02:00
mohammad-hamid
192d3783d5 Zanzana/enable TLS for client side gRPC (#103000)
* zanzana - add tls to the client

* remove todo

* gofmt

* adjust comment
2025-04-02 09:12:58 -04:00
Mariell Hoversholm
d0d7078953 App Platform: Remove mutable globals (#102962)
* App Platform: Remove mutable globals

* chore: clarify why this exists

* fix: support multi-tenant mode

* refactor: call builder providers directly

* CI: Force re-build
2025-03-27 15:46:09 +01:00
Alexander Zobnin
63a2ce7214 Zanzana: Support subresources for users and service accounts (#102874)
* Zanzana: Support subresources for users and service accounts

* rename relationsFolder

* fix linter error
2025-03-26 16:07:01 +01:00
Karl Persson
c236a22284 Authz: Include context in logs when using cache (#102810)
Include context in logs when using cache
2025-03-26 13:55:24 +01:00
Stephanie Hingtgen
7c2890384a K8s: Dashboards: Set v1alpha1 as priority (#102729) 2025-03-25 10:32:49 -06:00
Alexander Zobnin
c34394f385 Zanzana: Support subresources for typed resources (#102470)
* Zanzana: Support subresources for folders

* refactor

* fix subresource requests

* implement listing for folders subresources

* teams subresources PoC

* re-enable tests

* use team resource def from iam

* fix tests

* remove unused code

* refactor: rename to subresource

* split resource schema

* update workspaces

* rename folder relation to subresource

* refactor: rename folder resources to subresources

* update readme

* fix listing

* rename params in subresource filter
2025-03-25 12:31:06 +01:00
Gabriel MABILLE
8767a8f9a1 AuthZ: Improve getUserPermissions query (INNER JOIN, UNION ALL) (#102441) 2025-03-19 16:54:32 +01:00
Matheus Macabu
2ade94bbf7 SecretsManager: Add roles and access control to APIs (#102456) 2025-03-19 16:30:07 +01:00
Gabriel MABILLE
9a556fbde6 AuthZService: Add attributes to traces (#102433) 2025-03-19 12:21:39 +01:00
Igor Suleymanov
5d2ba10113 K8s/Dashboards: Extract Dashboard APIs to an app submodule (#102029)
* Move dashboard k8s APIs to a separate app

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Copy dashboard code in Dockerfile

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Fix conversion generation

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Update OpenAPI snapshot for dashboard/v0alpha1

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

---------

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>
2025-03-13 11:05:01 +02:00
Alexander Zobnin
f6f6ae4496 Zanzana: Update docs with subresources description (#101948)
* Zanzana: Update docs with subresources description

* clarify resource name
2025-03-11 16:27:17 +01:00
Gabriel MABILLE
c8f810b422 Authz: Check namespace is set in the context (#101723)
* Authz: Test List

* Anonymous case

* Cover rendering

* Authz: Check namespace is set in the context

* Explicitly request a namespace check in the storage functions

* Revert logic
2025-03-11 12:04:33 +01:00
Gabriel MABILLE
6a1e5dd128 AuthZ: Test List (#101721)
* Authz: Test List

* Anonymous case

* Cover rendering
2025-03-07 15:01:39 +01:00
Gabriel MABILLE
6accf13597 AuthZService: Test Check (#101675)
* wip

* deny case

* Reorganise

* WIP

* Check cache

* Add anonymous test

* Add test for rendering

* Lint import

* Refactor slightly

* more input validation coverage

* Require user

* typo
2025-03-06 13:37:37 +01:00
Gabriel MABILLE
a91081a2fc AuthZService: Add certificates to the client (#101603) 2025-03-06 10:18:58 +01:00
Alexander Zobnin
c23bb36956 Zanzana: Fix health check endpoint (#101612) 2025-03-05 15:24:58 +01:00
Ryan McKinley
806c043e45 UnifiedStorage: Rename Batch processing to Bulk (#101413) 2025-02-28 08:41:08 +03:00
Gabriel MABILLE
c3505f0864 AuthZ: Make NewGrpcTokenAuth public (#101352)
* AuthZ: Expose NewGrpcTokenAuth

* Lint
2025-02-26 17:29:32 +01:00
Karl Persson
fa74d1c36d Authn: Sync authlib and update how we construct authn client interceptor (#101124)
* Sync authlib and update how we construct authn client interceptor

* Remove namespace from checker
2025-02-26 09:22:09 +01:00
Karl Persson
74632a25c3 Authz: folder api tls settings (#101213)
* Skip certificate verification

* Add more settings for folder api
2025-02-24 16:03:14 +01:00
Todd Treece
9e80b0f913 K8s: Add error to GetRestConfig (#101147)
K8s: Add error to RestConfigProvider return values
2025-02-21 18:07:13 +02:00
Karl Persson
14886410d6 Zanzana: Use shared auth interceptor for zanzana and pass tracer (#100968)
* Use shared auth interceptor for zanzana and pass tracer
2025-02-20 16:07:06 +01:00