RBAC: Always store action sets (#92833)
always store action sets, even if FT is disabled
(cherry picked from commit 46e81e98cf)
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* RBAC: Fix an issue with server admins not being able to manage users in orgs that they don't belong to (#92024)
* look at global perms if user is not a part of the target org
* use constant
* update tests
(cherry picked from commit 41ac5b5ae7)
* fix tests
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Cfg: Move rbac settings to own struct
* Cfg: Add setting to control if resource should generate managed permissions when created
* Dashboards: Check if we should generate default permissions when dashboard is created
* Folders: Check if we should generate default permissions when folder is created
* Datasource: Check if we should generate default permissions when datasource is created
* ServiceAccount: Check if we should generate default permissions when service account is created
* Cfg: Add option to specify resources for wich we should default seed
* ManagedPermissions: Move providers to their own files
* Dashboards: Default seed all possible managed permissions if configured
* Folders: Default seed all possible managed permissions if configured
* Cfg: Remove service account from list
* RBAC: Move utility function
* remove managed permission settings from the config file examples, change the setting names
* remove ini file changes from the PR
* fix setting reading
* fix linting errors
* fix tests
* fix wildcard role seeding
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: jguer <me@jguer.space>
* initial commit
* Action sets stored
remove the dependancy for actionsets
got the actionsets registered
storing the permissions
* fix golanglinting
* remove unused struct field
* wip
* actionset registry for a plugin from the actionsetservice
* update to make declareactionset the primary way of plugin registration and modification
* declare actually extends actionsets
* tests fixed
* tests skipped
* skip tests
* skip tests
* skip tests
* skip tests
* change to warning instead
* remove step from pipeline to see if it fails due to plugin not registering
* reintroduce step but remove features dependancy
* add back the tests that were failing
* remove comments and another skip test
* fix a comment and remove unneeded changes
* fix and clean up, put the behaviour behind a feature toggle
* clean up
* fixing tests
* hard-code allowed action sets for plugins
* Apply suggestions from code review
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* small cleanup
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
This PR reduces the number of allocations made while caching permissions from the database, fixes the hierarchy of spans and adds new spans for tracing.
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
* expose ngalert API to public
* add delete action to time-intervals
* introduce time-interval model generated by app-platform-sdk from CUE model the fields of the model are chosen to be compatible with the current model
* implement api server
* add feature flag alertingApiServer
---- Test Infra
* update helper to support creating custom users with enterprise permissions
* add generator for Interval model
* resolve action sets when GetPermissions is called
* a fix to ensure that dashboard permissions that override parent folder permissions are displayed on top of the inherited permission
* linting
* linting pt2
* include and resolve action sets when fetching user's permissions
* expand both action and action prefix (returns an empty set for the one that isn't specified)
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* if action is specified, check for exact match; also extend tests
* iam-716 - prevent a folder move operation when the folder's uid or any of its parents uids begin with k6-app
* fox folder move check and only list non-k6 folders to users
* adding tests for moving
* add a test for listing folders
* fix the other tests
* use method that adds folder parent
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
* make sure that DS permissions get correctly cleaned up when a DS is deleted through provisioning
* don't attempt to delete a DS if it's not found
* fixes for tests
* fix ds tests
* rename DS service used by DS provisioner to BaseDataSourceService to avoid confusions with the full DS service
* remove unused action set code, refactor the existing code
* fix import ordering
* use a separate interface for permission expansion after all, to avoid circular dependencies
* add comments, fix a test
* logic to expand action set to the underlying actions when permissions are fetched from the DB
* updates needed for dependency injection
* clean up some code, also deduplicate scopes when grouping scopes and actions
* expand on a comment
* rename a method
* add action set resolver
* rename variables
* some fixes and some tests
* more tests
* more tests, and put action set storing behind a feature toggle
* undo change from cfg to feature mgmt - will cover it in a separate PR due to the amount of test changes
* fix dependency cycle, update some tests
* add one more test
* fix for feature toggle check not being set on test configs
* linting fixes
* check that action set name can be split nicely
* clean up tests by turning GetActionSetNames into a function
* undo accidental change
* test fix
* more test fixes
* Remove different constructors and only use NewNamespaceID
* AdminUser: check typed namespace id
* Identity: Add convinient function to parse valid user id when type is either user or service account
* Annotations: Use typed namespace id instead
* clean up error handling in postDashboard and remove UserDisplayDTO
* replace GetUserUID with GetUID and GetNamespacedUID, enforce namespace constant type
* lint fix
* lint fix
* more lint fixes
grafana-delivery-bot[bot]
Alexander Zobnin
Gabriel MABILLE
Ieva
Ryan McKinley
Vardan Torosyan
Eric Leijonmarck
Kristin Laemmert
Karl Persson
Jeff Levin
Jeff Levin
Yuri Tseretyan
Dave Henderson
Aaron Godin
Dan Cech