Gabriel MABILLE
97a6ab7b1c
AuthZ: Remove outdated comments (#113817)
2025-11-13 11:06:02 +01:00
Misi
06373ae47b
IAM: Add ExternalGroupMapping kind for TeamSync (#113052)
* wip
* wip
* Add authorizer -> VERIFY it's working correctly
* Update openapi definitions
* Authorizer wip
* regen apis
* Increase timeout of pg int tests to 20m
* Revert "Increase timeout of pg int tests to 20m"
This reverts commit 8c20568217.
* Fix NewTestStore when Truncate is enabled
2025-11-05 18:02:34 +01:00
Charandas
6c728f8dec
Provisioning: allow access check to proceed even when non access policy (#112946)
* Provisioning: allow access check to proceed even when non access policy
* Provisioning: access checker needs this for MT
* add permissions registration
* remove scopes
* use in MT for now
* no need to document an internal flag here
* revert vscode change
* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation
* update wire
* gofmt
* add boolean to struct
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2025-11-02 13:14:08 -08:00
Ryan McKinley
1a372e2dec
Dashboards: Use the common service authorizer (#111571)
* authorizer
* authorizer
2025-10-17 10:03:35 +03:00
Mihai Turdean
ae5ff7e8f0
Implement CoreRole Authorizer (#112401)
2025-10-15 20:27:59 +00:00
Ieva
5c9dd9b068
AuthZ service: Correctly evaluate action sets for dashboard creation (#112425)
correctly evaluate dash creation action sets
2025-10-15 15:34:19 +01:00
Alexander Zobnin
aa89bcf370
grafana-iam: RoleBindings implementation (#112120)
* add permissions for rolebindings
* fix required actions
* fix VerbCreate
* transform to wildcard scope
* Apply suggestions from code review
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Apply suggestion from @gamab
* lint
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-10-15 10:37:23 +02:00
Gabriel MABILLE
267848063d
AuthZService: Add a metric to count folder app requests (#112258)
2025-10-10 11:07:02 +02:00
Gabriel MABILLE
f4cd46504b
AuthZ: Add if user is allowed to the span attribute (#112197)
* `AuthZ`: Add if user is allowed to the span attribute
* Suggestion
2025-10-09 10:49:50 +02:00
Gabriel MABILLE
1cbe7c8848
AuthZ: log incomplete folder tree (#112151)
2025-10-08 21:41:44 +02:00
Ieva
acbbfde256
AuthZ service: Expand the logic to also evaluate action sets (#112124)
* expand AuthZ service logic to also evaluate action sets
* handle folder creation
* fix test
* simplify mapper code
Co-authored-by: gamab <gabi.mabs@gmail.com>
* more accurate variable name
Co-authored-by: gamab <gabi.mabs@gmail.com>
* break alerting import cycle
* Apply suggestion from @gamab
---------
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-10-08 13:37:12 +01:00
Gabriel MABILLE
26e147d01f
AuthZ: Fix cacheHit computation (#112088)
* AuthZ: Fix cacheHit computation
* Remove the ok bool
2025-10-07 10:12:14 +02:00
Alexander Zobnin
5457cc5d4f
Authz: Fix zookie nil pointer dereference (#111758)
2025-09-30 09:56:08 +02:00
Gabriel MABILLE
b63ba0269f
AuthZ: Recover from missing split scope (#111492)
* AuthZ: Recover from missing split scope
* Follow up changes
* Add test
* better log
* Add a comment to getScopeMap
* Punctuation
2025-09-24 13:24:21 +02:00
Misi
54a347463e
IAM: Use the new authorizer for the User resource (#111479)
* Use the new authorizer for the User resource
* Use accessClient
* Update pkg/services/authz/rbac/mapper.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-09-24 11:32:29 +02:00
Ryan McKinley
14b6e60f31
Folders: Add better integration tests (#111241)
2025-09-17 20:19:50 +03:00
Misi
29551a6edf
IAM: Implement Delete in Service Account API (#110584)
* wip
* IAM: Create Service Account
* Add dual writer
* Update openapi_test.go
* Add integration tests
* Add sql tests
* Add Role to SA spec, add validation, add DBTime, add tests
* Format, update test
* Fixes
* Add check for External
* wip
* Fix merge
* wip
* Use plugin name instead of title for ext svc account login
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Remove OrgID from DeleteUserCommand
* Use the new authorizer
* Fix tests
* cleanup
* Move test to enterprise
* Revert unnecessary change
* Address feedback
* Revert "Address feedback"
This reverts commit 8ab9559076.
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-09-16 15:39:01 +02:00
Alexander Zobnin
38e5298807
Authz: Skip cache in List request if option provided (#110864)
* Authz: Skip cache in List request if option provided
* return timestamp with list response
* update authlib
* add skipCache option test
* refactor
* fix tests
* update workspaces
* Set zookies depending on cache hit
* update workspaces
* Fix nil pointer
2025-09-16 11:27:07 +02:00
Alexander Zobnin
294fd943c0
Chore: Update authlib (#110880)
* Chore: Update authlib
* exclude incompatible version of github.com/grafana/gomemcache
* Update go-jose to v4
* fix jose imports
* remove jose v3 from go.mod
* fix tests
* fix serialize
* fix failing live tests
* add v1 of ES256 testkeys. Port tests to use ES256 instead of HS256
* accept more signature algs for okta and azuread
* azure social graph token sig
* accept more signature algs for oauth refresh and jwt auth
* update workspace
* add a static signer for inproc
* rebase and fix ext_jwt
* fix jwt tests
* apply alex patch on gomemcache
* update linting
* fix ext_jwt panic
* update workspaces
---------
Co-authored-by: Jo Garnier <git@jguer.space>
2025-09-15 12:45:15 +02:00
Gabriel MABILLE
5ce13061d5
AuthZ: Allow create without scope for specific resources (#110867)
* AuthZ: Create without scope for resources outside of folders
* Make it explicit that create requires a scope check
* Update pkg/services/authz/rbac/service.go
* Use skipScope instead of ReqScope
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Explain why there is no need to skip scope for roles
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-09-11 11:54:41 +02:00
Gabriel MABILLE
d0f25b0cd7
Revert "Folders: Use authlib.AccessClient in authorizer" (#110812)
Revert "Folders: Use authlib.AccessClient in authorizer (#110602)"
This reverts commit 0cb52b8be0.
2025-09-09 15:45:37 +02:00
Ryan McKinley
0cb52b8be0
Folders: Use authlib.AccessClient in authorizer (#110602)
2025-09-09 13:43:48 +03:00
Andres Torres
f9e82aba9c
chore(rbac): Remove settings resources mappings (#110708)
2025-09-05 18:56:09 +00:00
Gabriel MABILLE
885812f694
AuthZ: Recover from an outdated cached folder tree (#110293)
2025-09-01 11:16:01 +02:00
Andres Torres
87e8c92aa4
chore(rbac): Register settings resources (#109742)
2025-08-18 10:12:33 -04:00
Gabriel MABILLE
69dc5a0b88
grafana-iam: Add resolver for permissions:type:delegate (#108789)
* `grafana-iam`: Add resolver for `permissions:type:delegate`
* roles create -> write
2025-07-29 21:11:06 +02:00
Gabriel MABILLE
1a7a7f1d99
grafana-iam: Wire the roles api (#108577)
2025-07-28 13:36:27 +02:00
Gabriel MABILLE
4b217c601a
AuthZ: Scope resolution (#107948)
* AuthZ: Scope resolution
* Account for PR feedback
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-07-17 14:34:10 +02:00
Gabriel MABILLE
3d543a336f
IAM: Register CoreRole apis (#106924)
* IAM: Register CoreRole apis
* one line store instantiation
* Small refactor for readability
* Add authorizer for CoreRole
* Nit
* Error strings should not end with punctuation
* Account for error
* Switch to use the local resource client
* error should not start with upper casing
* noopStorageErr should have a name starting with err
* Update workspace
* I don't know why I don't have the same output as the CI 🤷
* Dependency xOwnership
* imports
* Import order
* Rename alias to make it clear this is legacy
2025-06-26 10:11:28 +02:00
mohammad-hamid
936dd05eac
ext jwt client: map k8s-style to rbac permissions (#106279)
* initial commit
* Proposal
Co-Authored-By: mohammad-hamid <mohammad.hamid@grafana.com>
* extend k8s-style mapper
- add tests
* address comments
* cleanup
* address comments
---------
Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
2025-06-18 11:51:35 -04:00
Jean-Philippe Quéméner
9a565ff46e
chore(authz): contextualize the authz logger (#106078)
2025-05-27 16:28:58 +02:00
Gabriel MABILLE
cb3cd021b7
AuthZ-Service: Add traces to cache (#105718)
2025-05-21 14:35:43 +02:00
Matheus Macabu
38de0cac3a
Chore: Replace usages of golang.org/x/net/context with stdlib context package (#105676)
2025-05-20 14:59:40 +02:00
Gabriel MABILLE
80898c14d0
AuthZ-Service: Add debug logs with the function execution duration (#105621)
AuthZ-Service: Add simple logs with the execution duration
2025-05-19 17:47:01 +02:00
Eric Leijonmarck
15bddb3712
IAM: Add datasources:query support for using the authlib/authzservice (#104107)
* feat(add): datasources:query support for using the authlib/authzservice
* added test for datasources
* refactor to create the translation right away
* Update pkg/services/authz/rbac/mapper.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* fix tests
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-04-24 13:39:31 +01:00
Stephanie Hingtgen
b887e8aa05
K8s: Dashboards: Add fine grained access control checks to /apis (#104347)
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
Co-authored-by: Marco de Abreu <marco.deabreu@grafana.com>
Co-authored-by: Georges Chaudy <chaudyg@gmail.com>
2025-04-23 03:29:05 +01:00
Matheus Macabu
fc9f32a9f6
SQLTemplates: Add helper to ensure all templates have a test-case (#103964)
* SQLTemplates: Add helper to ensure all templates have a test-case associated
* UnifiedStorage: Add missing sql template test case
* LegacyDashboards: Add sql templates fs to test cases for exhaustiveness check
* RBACStore: Add sql templates fs to test cases for exhaustiveness check
* LegacyIAM: Add missing sql template test cases
2025-04-22 11:21:51 +02:00
Ryan McKinley
0283c98e30
K8s/Folders: Use v1beta1 and app-sdk based spec (#103975)
2025-04-14 23:20:10 +03:00
Stephanie Hingtgen
f5ad1ef69b
K8s: Folders: Add v1 api (#103842)
2025-04-11 13:09:52 +01:00
Gabriel MABILLE
45d6bfe7cf
AuthZ: Make cache ttl configurable (#103769)
* AuthZ: Configure cache ttl
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* Client side conf
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* 0 -> No caching
* Make it possible to disable cache on the remote client as well
* Comment
* Move ttl parsing up for in-proc to have it
---------
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-04-11 10:09:47 +02:00
Stephanie Hingtgen
6eba5d74e1
Anonymous access: Allow setting org role in new authz service (#103669)
* Anonymous access: Allow setting org role in new authz service
* back out change that is not needed; rename struct
* cleanup
* Fix tests
---------
Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
2025-04-10 09:51:10 +01:00
Ieva
d9dc93c4a6
AuthZService: improve authz caching (#103633)
* remove the use of client side cache for in-proc authz client
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
* add a permission denial cache, fetch perms if not in either of the caches
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
* Clean up tests
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Cache tests
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Add test to list + cache
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Add outdated cache test
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Re-organize metrics
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
---------
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
2025-04-09 17:50:48 +01:00
Karl Persson
c236a22284
Authz: Include context in logs when using cache (#102810)
Include context in logs when using cache
2025-03-26 13:55:24 +01:00
Gabriel MABILLE
8767a8f9a1
AuthZ: Improve getUserPermissions query (INNER JOIN, UNION ALL) (#102441)
2025-03-19 16:54:32 +01:00
Matheus Macabu
2ade94bbf7
SecretsManager: Add roles and access control to APIs (#102456)
2025-03-19 16:30:07 +01:00
Gabriel MABILLE
9a556fbde6
AuthZService: Add attributes to traces (#102433)
2025-03-19 12:21:39 +01:00
Gabriel MABILLE
c8f810b422
Authz: Check namespace is set in the context (#101723)
* Authz: Test List
* Anonymous case
* Cover rendering
* Authz: Check namespace is set in the context
* Explicitly request a namespace check in the storage functions
* Revert logic
2025-03-11 12:04:33 +01:00
Gabriel MABILLE
6a1e5dd128
AuthZ: Test List (#101721)
* Authz: Test List
* Anonymous case
* Cover rendering
2025-03-07 15:01:39 +01:00
Gabriel MABILLE
6accf13597
AuthZService: Test Check (#101675)
* wip
* deny case
* Reorganise
* WIP
* Check cache
* Add anonymous test
* Add test for rendering
* Lint import
* Refactor slightly
* more input validation coverage
* Require user
* typo
2025-03-06 13:37:37 +01:00
Todd Treece
9e80b0f913
K8s: Add error to GetRestConfig (#101147)
K8s: Add error to RestConfigProvider return values
2025-02-21 18:07:13 +02:00