Commit Graph

132 Commits

Author SHA1 Message Date
Stephanie Hingtgen 7c2890384a K8s: Dashboards: Set v1alpha1 as priority (#102729) 2025-03-25 10:32:49 -06:00
Alexander Zobnin c34394f385 Zanzana: Support subresources for typed resources (#102470)
* Zanzana: Support subresources for folders

* refactor

* fix subresource requests

* implement listing for folders subresources

* teams subresources PoC

* re-enable tests

* use team resource def from iam

* fix tests

* remove unused code

* refactor: rename to subresource

* split resource schema

* update workspaces

* rename folder relation to subresource

* refactor: rename folder resources to subresources

* update readme

* fix listing

* rename params in subresource filter
2025-03-25 12:31:06 +01:00
Gabriel MABILLE 8767a8f9a1 AuthZ: Improve getUserPermissions query (INNER JOIN, UNION ALL) (#102441) 2025-03-19 16:54:32 +01:00
Matheus Macabu 2ade94bbf7 SecretsManager: Add roles and access control to APIs (#102456) 2025-03-19 16:30:07 +01:00
Gabriel MABILLE 9a556fbde6 AuthZService: Add attributes to traces (#102433) 2025-03-19 12:21:39 +01:00
Igor Suleymanov 5d2ba10113 K8s/Dashboards: Extract Dashboard APIs to an app submodule (#102029)
* Move dashboard k8s APIs to a separate app

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Copy dashboard code in Dockerfile

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Fix conversion generation

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

* Update OpenAPI snapshot for dashboard/v0alpha1

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>

---------

Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>
2025-03-13 11:05:01 +02:00
Alexander Zobnin f6f6ae4496 Zanzana: Update docs with subresources description (#101948)
* Zanzana: Update docs with subresources description

* clarify resource name
2025-03-11 16:27:17 +01:00
Gabriel MABILLE c8f810b422 Authz: Check namespace is set in the context (#101723)
* Authz: Test List

* Anonymous case

* Cover rendering

* Authz: Check namespace is set in the context

* Explicitly request a namespace check in the storage functions

* Revert logic
2025-03-11 12:04:33 +01:00
Gabriel MABILLE 6a1e5dd128 AuthZ: Test List (#101721)
* Authz: Test List

* Anonymous case

* Cover rendering
2025-03-07 15:01:39 +01:00
Gabriel MABILLE 6accf13597 AuthZService: Test Check (#101675)
* wip

* deny case

* Reorganise

* WIP

* Check cache

* Add anonymous test

* Add test for rendering

* Lint import

* Refactor slightly

* more input validation coverage

* Require user

* typo
2025-03-06 13:37:37 +01:00
Gabriel MABILLE a91081a2fc AuthZService: Add certificates to the client (#101603) 2025-03-06 10:18:58 +01:00
Alexander Zobnin c23bb36956 Zanzana: Fix health check endpoint (#101612) 2025-03-05 15:24:58 +01:00
Ryan McKinley 806c043e45 UnifiedStorage: Rename Batch processing to Bulk (#101413) 2025-02-28 08:41:08 +03:00
Gabriel MABILLE c3505f0864 AuthZ: Make NewGrpcTokenAuth public (#101352)
* AuthZ: Expose NewGrpcTokenAuth

* Lint
2025-02-26 17:29:32 +01:00
Karl Persson fa74d1c36d Authn: Sync authlib and update how we construct authn client interceptor (#101124)
* Sync authlib and update how we construct authn client interceptor

* Remove namespace from checker
2025-02-26 09:22:09 +01:00
Karl Persson 74632a25c3 Authz: folder api tls settings (#101213)
* Skip certificate verification

* Add more settings for folder api
2025-02-24 16:03:14 +01:00
Todd Treece 9e80b0f913 K8s: Add error to GetRestConfig (#101147)
K8s: Add error to RestConfigProvider return values
2025-02-21 18:07:13 +02:00
Karl Persson 14886410d6 Zanzana: Use shared auth interceptor for zanzana and pass tracer (#100968)
* Use shared auth interceptor for zanzana and pass tracer
2025-02-20 16:07:06 +01:00
Alexander Zobnin fcb88f6ccc Zanzana: revert cluster store for fixed roles (#100958)
* Zanzana: revert cluster store for fixed roles

* update go workspace
2025-02-19 13:53:25 +01:00
Karl Persson 4df398c084 Authz: Sync authlib and update authz client setup code (#100817)
* Sync authlib and update setup code for authz client
2025-02-18 09:09:20 +01:00
Karl Persson e9b2f69137 Authz: Only have two modes for authz client (#100803)
* Only have "inproc" and "cloud" mode
2025-02-17 14:37:25 +01:00
Karl Persson 1b1954de28 Authz: add support to use folder api to fetch folder tree (#100038)
* Add FolderStore interface

* Authz: add implementation to use folders api and use it inproc with loopback config

* Add tracing and add rest.Config for talking with folder api using access tokens

* Restructure test to get rid of circular dependencies in tests

* use correct group version kind

---------

Co-authored-by: gamab <gabriel.mabille@grafana.com>
2025-02-13 11:59:59 +01:00
Alexander Zobnin 7234a17d1d Zanzana: Use authzService audience (#100417) 2025-02-11 14:25:30 +01:00
Karl Persson bfa4fa3c68 Authz: Refactor folder tree (#99554)
* Refactor folder tree to its own structure

* Make it possible to json encode the tree

* Use iterations for Ancestors and Children

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2025-02-11 12:36:11 +01:00
Karl Persson 011301f06f Authz: client cache (#100195)
* Reduce client permissions cache for authz client

* Adjust server cache ttl
2025-02-06 17:16:30 +01:00
Karl Persson d16374d339 Authz: For list collect all folder permissions into items (#99955)
* For list collect all folder permissions into items
---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-02-03 12:14:28 +01:00
Alexander Zobnin a95005eab5 Zanzana: Disable broken OpenFGA health check (#99818)
* Zanzana: Disable broken OpenFGA health check

* simplify return

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-01-30 17:42:48 +01:00
Ieva 33a53d170b AuthZ service: Add metrics (#99007)
* add metrics for authZ MT service

* remove metrics that are already tracked by the GRPC server metrics

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* undo unneeded change

* test fix

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-01-24 14:03:23 +00:00
Gabriel MABILLE a9f0e15778 AuthZ: Change cache interface (#99058)
* Authz: Switch to remotecache

* Todos

* lint

* lint test

* test readability

* Remove ttls

* implement a cache wrap

* Rm unused func

* Comment

* Update workspace:

* Use cache

* Fix comment
2025-01-24 09:51:39 +01:00
Karl Persson b0347792cc Zanzana: Fix verb to relation mapping (#99409) 2025-01-23 13:04:41 +01:00
Ieva 723fa7ddf9 MT AuthZ: Resolve renderer permissions in MT authZ service (#99362)
* resolve renderer permissions in MT authZ service

* also include DS read perms

* fix tests and linting
2025-01-23 10:21:43 +00:00
Karl Persson d740f9fc60 Authz: Simplify mapper and only check folders if it's supported (#99357)
* Simplify mapper and only check folders if it's supported
2025-01-23 09:23:00 +01:00
Ryan McKinley 680e6bc1f8 Authlib: Use types package rather than claims (#99243) 2025-01-21 12:06:55 +03:00
Karl Persson 7329d2c34b Authz: Account for fixed roles when running oss and using authz service (#99244)
* Extract "PermissionStore" from general store interface

* Add static and union permission stores

* Add GetStaticRoles

* Use accesscontrol.Service for inproc to provide static permissions
2025-01-20 16:00:36 +01:00
Karl Persson 67252dfa46 Zanzana: Add grpc health and readiness checks for standalone zanzana (#99176)
Add grpc health and readiness checks for standalone zanzana
2025-01-17 13:39:42 +01:00
Alexander Zobnin c5f14407cc Zanzana: Refactor stores listing (#99098)
Zanzana: Refactor store loading
2025-01-17 11:10:22 +01:00
Karl Persson 2187a66f2b Zanzana: Split up settings into client and server sections (#99066)
* Split up zanzana settings into client and server sections

* Update workspace
2025-01-16 13:39:39 +01:00
Ryan McKinley cd46f1ddb9 Search: Remove history query (#99026) 2025-01-15 12:49:47 -06:00
Karl Persson 3f71a72c1a Authz: Remove "wrapper" interface and only check feature toggle for grpc mode (#98933)
* Remove "wrapper" interface and only check feature toggle for grpc and cloud mode

* Only set name for update checks

* Set dashboard permissions for admin user
2025-01-15 09:23:56 +01:00
Karl Persson ce0d986673 Zanzana: Use cache for both streamed and non-stream version of list objects (#98882)
* Add prefix constants and use string builders / string concatenations

* Use cache for both streamed and non-stream versions of list objects

* Remove unused constants
2025-01-14 16:00:59 +01:00
Gabriel MABILLE 4c86de2678 Chore: Update authlib (#98870)
* Chore: Update authlib

* AccessChecker -> AccessClient
2025-01-14 09:42:17 +01:00
Ieva 9b34a56d7c AuthZ service: Take action sets into account when checking folder create permissions (#98751)
take action sets into account when checking folder create permissions
2025-01-14 08:33:42 +00:00
Gabriel MABILLE 4d699d4810 AuthZ: Use M3 AuthZ Service (#98621)
* AuthZ: Use M3 AuthZ Service

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Fix oss

* fake auth info

---------

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2025-01-13 16:03:14 +01:00
Karl Persson 0f9b107201 Zanzana: Consistently add context (#98862)
* Zanzana: Reworks how contextuals are loaded

* Cleanup listObjectWithStream

* Run list test with streaming enabled
2025-01-13 12:11:51 +01:00
Alexander Zobnin 5922015fec Zanzana: Setup GRPC authentication in client/server mode (#98680)
* Zanzana: Setup GRPC authentication in client/server mode

* don't use grpcutils

* refactor

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

* Add a namespace stub for in-proc mode

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

* Read parameters from config

* authorize server requests

* add namespace to the tests context

* use stack id from config

* simplify authorize func

* properly format namespace

* return Unauthenticated if namespace is empty

* use insecure cred only in dev env

* check request namespace

* Use CallCredentials API for client auth

* provide config

* fail if stack id is missing

* improve error message

* use insecure connection by default

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2025-01-13 10:02:15 +01:00
Gabriel MABILLE bc7e90bc28 AuthZ: Fix client dial options (#98827) 2025-01-10 17:41:56 +01:00
Karl Persson c593b20465 Zanzana: Add custom verb for get_permissions and set_permissions. (#98616)
* Add custom verb for get_permissions and update_permissions.

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2025-01-10 11:49:26 +01:00
Karl Persson fb5783691d Zanzana: Fix reconciliation of fixed roles (#98696)
Remove "globalReconciler" and reuse the same one but only run them for cluster namespace
2025-01-09 10:40:18 +01:00
Ieva 338a41f178 AuthZ service: Add single flight groups for permission fetching (#98607)
add single flight groups for user and anonymous permission checking
2025-01-08 14:53:32 +02:00
Karl Persson 9ed4bf3cd2 Zanzana: Support sub resources (#98201)
* Create and use common ResourceInfo struct

* Add support for formatting group resource with subresource

* Add initial support for handling subresource

* Add test for checking subresource for generic resource

* Bump authlib
2025-01-07 15:16:14 +01:00