* Provisioning: allow access check to proceed even when non access policy
* Provisioning: access checker needs this for MT
* add permissions registration
* remove scopes
* use in MT for now
* no need to document an internal flag here
* revert vscode change
* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation
* update wire
* gofmt
* add boolean to struct
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.
This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:
- Role permissions are immediately available for authorization checks
- The legacy RBAC system and new Zanzana system remain in sync
- Users experience consistent permission enforcement regardless of which backend is queried
safe to revert
* Use the new authorizer for the User resource
* Use accessClient
* Update pkg/services/authz/rbac/mapper.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Chore: Update authlib
* exclude incompatible version of github.com/grafana/gomemcache
* Update go-jose to v4
* fix jose imports
* remove jose v3 from go.mod
* fix tests
* fix serialize
* fix failing live tests
* add v1 of ES256 testkeys. Port tests to use ES256 instead of HS256
* accept more signature algs for okta and azuread
* azure social graph token sig
* accept more signature algs for oauth refresh and jwt auth
* update workspace
* add a static signer for inproc
* rebase and fix ext_jwt
* fix jwt tests
* apply alex patch on gomemcache
* update linting
* fix ext_jwt panic
* update workspaces
---------
Co-authored-by: Jo Garnier <git@jguer.space>
* AuthZ: Create without scope for resources outside of folders
* Make it explicit that create requires a scope check
* Update pkg/services/authz/rbac/service.go
* Use skipScope instead of ReqScope
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Explain why there is no need to skip scope for roles
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Revert "Revert: Future-proofing query and data source model in Dashboard Sche… (#107985)"
This reverts commit 13a89d4ae3.
* Revert "Revert "Schema V2: Simplify annotations v1<->v2 conversions" (#107984)"
This reverts commit 2b8c5bea1a.
* make gen apps
* e2e update
* Use v2alpha2 by default (#108177)
* Use v2alpha2 by default
* Apply only DS changes to alpha2
* Use v2alpha2 by default except to query
* Create a v2 index in @grafana/schema
* Update path and apply lint
* Update tests
* Update imports to v2 status
* Fix failing openapi test
* Schemav2 breaking changes: conversion implementation (#108224)
* provision v2alpha1 dashboard
* Run conversions for DS refactor
* Run snapshot testing on conversions
* Normalize output name
* Update snapshots to include all panel and variable cases
* fix lint
* fix lint
* fix test and go lint
* more go lint
---------
Co-authored-by: Ivan Ortega <ivanortegaalba@gmail.com>
Co-authored-by: Haris Rozajac <haris.rozajac12@gmail.com>
* Schema v2: Introduce group/datasource convention to GroupBy and AdHoc variable (#108237)
* Schema v2: Introduce group/datasource convention to GroupBy and AdHoc variables
* add conversion
* App Installer: Authorizer support (#108419)
* Chore: use `satisfies` and remove a load of `any`s (#108397)
use satisfies and remove a load of anys
* improve logging and fail unified-storage migration with more than 0 errors (#108471)
improve logging and fail unified-storage migration with more than 0 errors
* fix conversion test
* Secrets: Create more granular fixed roles for SecureValues (#108382)
* Provisioning: Fix bug in job progress recording (#108440)
Fix bug in job progress recording
* Provisioning: Fix ImportAllPanelsFromLocalRepository test (#108441)
* Provisioning: Skip flaky test
* Fix flaky provisioning test
* Fix lint
---------
Co-authored-by: Roberto Jimenez Sanchez <roberto.jimenez@grafana.com>
* BulkDeleteProvisionedResource: Move progress bar into a second step (#108417)
* Move progress bar into a second step
---------
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* [Dashboard Schema Codegen] Move dashboard CUE codegen block back up into kind body (#108476)
[Dashboard Schema Codegen] Move dashboard CUE codegen block back up into kind body to make sure new versions have the same settings.
---------
Co-authored-by: Haris Rozajac <haris.rozajac12@gmail.com>
Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com>
Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>
Co-authored-by: Will Assis <35489495+gassiss@users.noreply.github.com>
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com>
Co-authored-by: Roberto Jiménez Sánchez <jszroberto@gmail.com>
Co-authored-by: Roberto Jimenez Sanchez <roberto.jimenez@grafana.com>
Co-authored-by: Yunwen Zheng <yunwen.zheng@grafana.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
Co-authored-by: Austin Pond <IfSentient@users.noreply.github.com>
Co-authored-by: Ivan Ortega <ivanortegaalba@gmail.com>
* Dashboard Schema V2: Refactor VizConfigKind to follow DataQueryKind convention (#108148)
* Dashboards API: Register v2alpha2 API
* Prepare conversion functions
* Fix test
* Refactor VizConfigKind to follow DataQueryKind convention
* fix tests
* use new dataquerykind convention alpha 2
* add conversion
* fix tests
* fix tests
* fix another test
* Fix merge
---------
Co-authored-by: Dominik Prokop <dominik.prokop@grafana.com>
* fix k8s codegen
* Update e2e-playwright/dashboards/TestV2Dashboard.json
* Update e2e/dashboards/TestV2Dashboard.json
* revert app generation for non-related apps
* try again
* another try
* also revert folder and secret app generation
* v2alpha1 provisioned dashboard
* Fix kind
* Fix conversion snapshots
* Update API discovery registry
* Rename to v2beta1
* Rename migrations
* Update apps/dashboard/pkg/apis/dashboard/v2beta1/doc.go
Co-authored-by: Stephanie Hingtgen <stephanie.hingtgen@grafana.com>
* Ensure conditional rendering and other non changed properties
---------
Co-authored-by: Ivan Ortega <ivanortegaalba@gmail.com>
Co-authored-by: Haris Rozajac <haris.rozajac12@gmail.com>
Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com>
Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>
Co-authored-by: Will Assis <35489495+gassiss@users.noreply.github.com>
Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com>
Co-authored-by: Roberto Jiménez Sánchez <jszroberto@gmail.com>
Co-authored-by: Roberto Jimenez Sanchez <roberto.jimenez@grafana.com>
Co-authored-by: Yunwen Zheng <yunwen.zheng@grafana.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
Co-authored-by: Austin Pond <IfSentient@users.noreply.github.com>
Co-authored-by: Haris Rozajac <58232930+harisrozajac@users.noreply.github.com>
Co-authored-by: Stephanie Hingtgen <stephanie.hingtgen@grafana.com>
* Dashboards API: v2alpha2 missing pieces
* Fix issue with dashboard client scope for alpha versions
As we now have 2 different alpha versions for v2 we need to store the
clients separately.
* Improve debuggability of provisioning export test
- Add a helper function to print the tree structure.
- Be explicit about the expected file names expected in each case.
* Update pkg/registry/apis/dashboard/mutate.go
* Update pkg/services/authz/zanzana/server/server.go
Co-authored-by: Igor Suleymanov <radiohead@users.noreply.github.com>
* Review
* go lint
---------
Co-authored-by: Roberto Jimenez Sanchez <roberto.jimenez@grafana.com>
Co-authored-by: Stephanie Hingtgen <stephanie.hingtgen@grafana.com>
Co-authored-by: Igor Suleymanov <radiohead@users.noreply.github.com>
* Zanzana: Add detailed instructions for running and instrumenting
* Running Zanzana standalone server WIP
* Describe how to run zanzana server
* Fix readme link
* Update cli info
* update how to run postgres
* IAM: Register CoreRole apis
* one line store instantiation
* Small refactor for readability
* Add authorizer for CoreRole
* Nit
* Error strings should not end with punctuation
* Account for error
* Switch to use the local resource client
* error should not start with upper casing
* noopStorageErr should have a name starting with err
* Update workspace
* I don't know why I don't have the same output as the CI 🤷
* Dependency xOwnership
* imports
* Import order
* Rename alias to make it clear this is legacy