public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
58,751 Commits 655 Branches 650 Tags
cf767771700a4bd39c8b2da3be478d0d609982da
Commit Graph

144 Commits

Author SHA1 Message Date
Ryan McKinley
0283c98e30 K8s/Folders: Use v1beta1 and app-sdk based spec (#103975) 2025-04-14 23:20:10 +03:00
Ryan McKinley
664e5255fe Provisioning: Use role based access when the target does not yet exist (#103862) 
* role based fallback

* disable permissions cache with provisioning

* fallback to role based

* test with editor (not admin)

* test with editor (not admin)

* fix imports

* lint

* editor can create folders
 2025-04-11 17:47:26 +03:00
Stephanie Hingtgen
f5ad1ef69b K8s: Folders: Add v1 api (#103842) 2025-04-11 13:09:52 +01:00
Gabriel MABILLE
45d6bfe7cf AuthZ: Make cache ttl configurable (#103769) 
* AuthZ: Configure cache ttl

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

* Client side conf

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

* 0 -> No caching

* Make it possible to disable cache on the remote client as well

* Comment

* Move ttl parsing up for in-proc to have it

---------

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
 2025-04-11 10:09:47 +02:00
Stephanie Hingtgen
6eba5d74e1 Anonymous access: Allow setting org role in new authz service (#103669) 
* Anonymous access: Allow setting org role in new authz service

* back out change that is not needed; rename struct

* cleanup

* Fix tests

---------

Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
 2025-04-10 09:51:10 +01:00
Ieva
d9dc93c4a6 AuthZService: improve authz caching (#103633) 
* remove the use of client side cache for in-proc authz client

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

* add a permission denial cache, fetch perms if not in either of the caches

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

* Clean up tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Cache tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add test to list + cache

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add outdated cache test

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Re-organize metrics

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
 2025-04-09 17:50:48 +01:00
Alexander Zobnin
4bc9203cf6 Zanzana: Perform shadow requests (#103444) 
* Zanzana: Execute checks in the background

* add metrics

* collect metrics

* cleanup

* shadow compile checker

* add time metrics for compiler

* run compile in parallel

* prevent deadlock
 2025-04-08 10:03:35 +02:00
Leonor Oliveira
e9ed7223a6 Use authlib repo. Use otel (#103178) 
* Use authlib repo. Use otel

* Use interceptors on the provider level

* Create a new wire set with otel

* Lint

* Fix test

* make update-workflow

* make update-workspace

* make update-workspace. Try to add authlib as enterprise imports

* make update-workspace
 2025-04-07 15:47:40 +02:00
mohammad-hamid
192d3783d5 Zanzana/enable TLS for client side gRPC (#103000) 
* zanzana - add tls to the client

* remove todo

* gofmt

* adjust comment
 2025-04-02 09:12:58 -04:00
Mariell Hoversholm
d0d7078953 App Platform: Remove mutable globals (#102962) 
* App Platform: Remove mutable globals

* chore: clarify why this exists

* fix: support multi-tenant mode

* refactor: call builder providers directly

* CI: Force re-build
 2025-03-27 15:46:09 +01:00
Alexander Zobnin
63a2ce7214 Zanzana: Support subresources for users and service accounts (#102874) 
* Zanzana: Support subresources for users and service accounts

* rename relationsFolder

* fix linter error
 2025-03-26 16:07:01 +01:00
Karl Persson
c236a22284 Authz: Include context in logs when using cache (#102810) 
Include context in logs when using cache
 2025-03-26 13:55:24 +01:00
Stephanie Hingtgen
7c2890384a K8s: Dashboards: Set v1alpha1 as priority (#102729) 2025-03-25 10:32:49 -06:00
Alexander Zobnin
c34394f385 Zanzana: Support subresources for typed resources (#102470) 
* Zanzana: Support subresources for folders

* refactor

* fix subresource requests

* implement listing for folders subresources

* teams subresources PoC

* re-enable tests

* use team resource def from iam

* fix tests

* remove unused code

* refactor: rename to subresource

* split resource schema

* update workspaces

* rename folder relation to subresource

* refactor: rename folder resources to subresources

* update readme

* fix listing

* rename params in subresource filter
 2025-03-25 12:31:06 +01:00
Gabriel MABILLE
8767a8f9a1 AuthZ: Improve getUserPermissions query (INNER JOIN, UNION ALL) (#102441) 2025-03-19 16:54:32 +01:00
Matheus Macabu
2ade94bbf7 SecretsManager: Add roles and access control to APIs (#102456) 2025-03-19 16:30:07 +01:00
Gabriel MABILLE
9a556fbde6 AuthZService: Add attributes to traces (#102433) 2025-03-19 12:21:39 +01:00
Igor Suleymanov
5d2ba10113 K8s/Dashboards: Extract Dashboard APIs to an app submodule (#102029) 
* Move dashboard k8s APIs to a separate app

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Copy dashboard code in Dockerfile

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Fix conversion generation

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Update OpenAPI snapshot for dashboard/v0alpha1

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

---------

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>
 2025-03-13 11:05:01 +02:00
Alexander Zobnin
f6f6ae4496 Zanzana: Update docs with subresources description (#101948) 
* Zanzana: Update docs with subresources description

* clarify resource name
 2025-03-11 16:27:17 +01:00
Gabriel MABILLE
c8f810b422 Authz: Check namespace is set in the context (#101723) 
* Authz: Test List

* Anonymous case

* Cover rendering

* Authz: Check namespace is set in the context

* Explicitly request a namespace check in the storage functions

* Revert logic
 2025-03-11 12:04:33 +01:00
Gabriel MABILLE
6a1e5dd128 AuthZ: Test List (#101721) 
* Authz: Test List

* Anonymous case

* Cover rendering
 2025-03-07 15:01:39 +01:00
Gabriel MABILLE
6accf13597 AuthZService: Test Check (#101675) 
* wip

* deny case

* Reorganise

* WIP

* Check cache

* Add anonymous test

* Add test for rendering

* Lint import

* Refactor slightly

* more input validation coverage

* Require user

* typo
 2025-03-06 13:37:37 +01:00
Gabriel MABILLE
a91081a2fc AuthZService: Add certificates to the client (#101603) 2025-03-06 10:18:58 +01:00
Alexander Zobnin
c23bb36956 Zanzana: Fix health check endpoint (#101612) 2025-03-05 15:24:58 +01:00
Ryan McKinley
806c043e45 UnifiedStorage: Rename Batch processing to Bulk (#101413) 2025-02-28 08:41:08 +03:00
Gabriel MABILLE
c3505f0864 AuthZ: Make NewGrpcTokenAuth public (#101352) 
* AuthZ: Expose NewGrpcTokenAuth

* Lint
 2025-02-26 17:29:32 +01:00
Karl Persson
fa74d1c36d Authn: Sync authlib and update how we construct authn client interceptor (#101124) 
* Sync authlib and update how we construct authn client interceptor

* Remove namespace from checker
 2025-02-26 09:22:09 +01:00
Karl Persson
74632a25c3 Authz: folder api tls settings (#101213) 
* Skip certificate verification

* Add more settings for folder api
 2025-02-24 16:03:14 +01:00
Todd Treece
9e80b0f913 K8s: Add error to GetRestConfig (#101147) 
K8s: Add error to RestConfigProvider return values
 2025-02-21 18:07:13 +02:00
Karl Persson
14886410d6 Zanzana: Use shared auth interceptor for zanzana and pass tracer (#100968) 
* Use shared auth interceptor for zanzana and pass tracer
 2025-02-20 16:07:06 +01:00
Alexander Zobnin
fcb88f6ccc Zanzana: revert cluster store for fixed roles (#100958) 
* Zanzana: revert cluster store for fixed roles

* update go workspace
 2025-02-19 13:53:25 +01:00
Karl Persson
4df398c084 Authz: Sync authlib and update authz client setup code (#100817) 
* Sync authlib and update setup code for authz client
 2025-02-18 09:09:20 +01:00
Karl Persson
e9b2f69137 Authz: Only have two modes for authz client (#100803) 
* Only have "inproc" and "clod" mode
 2025-02-17 14:37:25 +01:00
Karl Persson
1b1954de28 Authz: add support to use folder api to fetch folder tree (#100038) 
* Add FolderStore interface

* Authz: add implementation to use folders api and use it inproc with loopback config

* Add tracing and add rest.Config for talking with folder api using access tokens

* Restructure test to get rid of circular dependencies in tests

* use correct group version kind

---------

Co-authored-by: gamab <gabriel.mabille@grafana.com>
 2025-02-13 11:59:59 +01:00
Alexander Zobnin
7234a17d1d Zanzana: Use authzService audience (#100417) 2025-02-11 14:25:30 +01:00
Karl Persson
bfa4fa3c68 Authz: Refactor folder tree (#99554) 
* Refactor folder tree to its own structure

* Make it possible to json encode the tree

* Use iterations for Ancestors and Children

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
 2025-02-11 12:36:11 +01:00
Karl Persson
011301f06f Authz: client cache (#100195) 
* Reduce client permissions cache for authz client

* Adjust server cache ttl
 2025-02-06 17:16:30 +01:00
Karl Persson
d16374d339 Authz: For list collect all folder permisions into items (#99955) 
* For list collect all folder permisions into items
---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-02-03 12:14:28 +01:00
Alexander Zobnin
a95005eab5 Zanzana: Disable broken OpenFGA health check (#99818) 
* Zanzana: Disable broken OpenFGA health check

* simplify return

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-01-30 17:42:48 +01:00
Ieva
33a53d170b AuthZ service: Add metrics (#99007) 
* add metrics for authZ MT service

* remove metrics that are already tracked by the GRPC server metrics

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* undo unneeded change

* test fix

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-01-24 14:03:23 +00:00
Gabriel MABILLE
a9f0e15778 AuthZ: Change cache interface (#99058) 
* Authz: Switch to remotecache

* Todos

* lint

* lint test

* test readibility

* Remove ttls

* implement a cache wrap

* Rm unused func

* Comment

* Update workspace:

* Use cache

* Fix comment
 2025-01-24 09:51:39 +01:00
Karl Persson
b0347792cc Zazana: Fix verb to relation mapping (#99409) 2025-01-23 13:04:41 +01:00
Ieva
723fa7ddf9 MT AuthZ: Resolve renderer permissions in MT authZ service (#99362) 
* resolve renderer permissions in MT authZ service

* also include DS read perms

* fix tests and linting
 2025-01-23 10:21:43 +00:00
Karl Persson
d740f9fc60 Authz: Simplify mapper and only check folders if its supported (#99357) 
* Simplify mapper and only check folders if its supported
 2025-01-23 09:23:00 +01:00
Ryan McKinley
680e6bc1f8 Authlib: Use types package rather than claims (#99243) 2025-01-21 12:06:55 +03:00
Karl Persson
7329d2c34b Authz: Account for fixed roles when running oss and using authz service (#99244) 
* Extract "PermissionStore" from general store interface

* Add static and union permission stores

* Add GetStaticRoles

* Use accesscontrol.Service for inproc to provide static permissions
 2025-01-20 16:00:36 +01:00
Karl Persson
67252dfa46 Zanzana: Add grpc health and readiness checks for standalone zanzana (#99176) 
Add grpc health and readiness checks for standalone zanzana
 2025-01-17 13:39:42 +01:00
Alexander Zobnin
c5f14407cc Zanzana: Refactor stores listing (#99098) 
Zanzana: Refactor store loading
 2025-01-17 11:10:22 +01:00
Karl Persson
2187a66f2b Zanzana: Split up settings into client and server sections (#99066) 
* Split up zanzana settings into client and server sections

* Update workspace
 2025-01-16 13:39:39 +01:00
Ryan McKinley
cd46f1ddb9 Search: Remove history query (#99026) 2025-01-15 12:49:47 -06:00