public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
62,065 Commits 655 Branches 650 Tags
f2f1663dba8a5f6884df19bebd2dbe61c831d8d5
Commit Graph

35 Commits

Author SHA1 Message Date
Gabriel MABILLE 885812f694 AuthZ: Recover from an outdated cached folder tree (#110293) 2025-09-01 11:16:01 +02:00
Gabriel MABILLE 4b217c601a AuthZ: Scope resolution (#107948) 
* AuthZ: Scope resolution

* Account for PR feedback

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
 2025-07-17 14:34:10 +02:00
mohammad-hamid 936dd05eac ext jwt client: map k8s-style to rbac permissions (#106279) 
* initial commit

* Proposal
Co-Authored-By: mohammad-hamid <mohammad.hamid@grafana.com>

* extend k8s-style mapper
- add tests

* address comments

* cleanup

* address comments

---------

Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
 2025-06-18 11:51:35 -04:00
Jean-Philippe Quéméner 9a565ff46e chore(authz): contextualize the authz logger (#106078) 2025-05-27 16:28:58 +02:00
Gabriel MABILLE cb3cd021b7 AuthZ-Service: Add traces to cache (#105718) 2025-05-21 14:35:43 +02:00
Gabriel MABILLE 80898c14d0 AuthZ-Service: Add debug logs with the function execution duration (#105621) 
AuthZ-Service: Add simple logs with the execution duration
 2025-05-19 17:47:01 +02:00
Stephanie Hingtgen b887e8aa05 K8s: Dashboards: Add fine grained access control checks to /apis (#104347) 
---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
Co-authored-by: Marco de Abreu <marco.deabreu@grafana.com>
Co-authored-by: Georges Chaudy <chaudyg@gmail.com>
 2025-04-23 03:29:05 +01:00
Gabriel MABILLE 45d6bfe7cf AuthZ: Make cache ttl configurable (#103769) 
* AuthZ: Configure cache ttl

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

* Client side conf

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

* 0 -> No caching

* Make it possible to disable cache on the remote client as well

* Comment

* Move ttl parsing up for in-proc to have it

---------

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
 2025-04-11 10:09:47 +02:00
Stephanie Hingtgen 6eba5d74e1 Anonymous access: Allow setting org role in new authz service (#103669) 
* Anonymous access: Allow setting org role in new authz service

* back out change that is not needed; rename struct

* cleanup

* Fix tests

---------

Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
 2025-04-10 09:51:10 +01:00
Ieva d9dc93c4a6 AuthZService: improve authz caching (#103633) 
* remove the use of client side cache for in-proc authz client

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

* add a permission denial cache, fetch perms if not in either of the caches

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

* Clean up tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Cache tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add test to list + cache

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add outdated cache test

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Re-organize metrics

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
 2025-04-09 17:50:48 +01:00
Gabriel MABILLE 9a556fbde6 AuthZService: Add attributes to traces (#102433) 2025-03-19 12:21:39 +01:00
Karl Persson 4df398c084 Authz: Sync authlib and update authz client setup code (#100817) 
* Sync authlib and update setup code for authz client
 2025-02-18 09:09:20 +01:00
Karl Persson 1b1954de28 Authz: add support to use folder api to fetch folder tree (#100038) 
* Add FolderStore interface

* Authz: add implementation to use folders api and use it inproc with loopback config

* Add tracing and add rest.Config for talking with folder api using access tokens

* Restructure test to get rid of circular dependencies in tests

* use correct group version kind

---------

Co-authored-by: gamab <gabriel.mabille@grafana.com>
 2025-02-13 11:59:59 +01:00
Karl Persson bfa4fa3c68 Authz: Refactor folder tree (#99554) 
* Refactor folder tree to its own structure

* Make it possible to json encode the tree

* Use iterations for Ancestors and Children

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
 2025-02-11 12:36:11 +01:00
Karl Persson 011301f06f Authz: client cache (#100195) 
* Reduce client permissions cache for authz client

* Adjust server cache ttl
 2025-02-06 17:16:30 +01:00
Karl Persson d16374d339 Authz: For list collect all folder permisions into items (#99955) 
* For list collect all folder permisions into items
---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-02-03 12:14:28 +01:00
Ieva 33a53d170b AuthZ service: Add metrics (#99007) 
* add metrics for authZ MT service

* remove metrics that are already tracked by the GRPC server metrics

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* undo unneeded change

* test fix

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2025-01-24 14:03:23 +00:00
Gabriel MABILLE a9f0e15778 AuthZ: Change cache interface (#99058) 
* Authz: Switch to remotecache

* Todos

* lint

* lint test

* test readibility

* Remove ttls

* implement a cache wrap

* Rm unused func

* Comment

* Update workspace:

* Use cache

* Fix comment
 2025-01-24 09:51:39 +01:00
Ieva 723fa7ddf9 MT AuthZ: Resolve renderer permissions in MT authZ service (#99362) 
* resolve renderer permissions in MT authZ service

* also include DS read perms

* fix tests and linting
 2025-01-23 10:21:43 +00:00
Karl Persson d740f9fc60 Authz: Simplify mapper and only check folders if its supported (#99357) 
* Simplify mapper and only check folders if its supported
 2025-01-23 09:23:00 +01:00
Ryan McKinley 680e6bc1f8 Authlib: Use types package rather than claims (#99243) 2025-01-21 12:06:55 +03:00
Karl Persson 7329d2c34b Authz: Account for fixed roles when running oss and using authz service (#99244) 
* Extract "PermissionStore" from general store interface

* Add static and union permission stores

* Add GetStaticRoles

* Use accesscontrol.Service for inproc to provide static permissions
 2025-01-20 16:00:36 +01:00
Ieva 9b34a56d7c AuthZ service: Take action sets into account when checking folder create permissions (#98751) 
take action sets into account when checking folder create permissions
 2025-01-14 08:33:42 +00:00
Ieva 338a41f178 AuthZ service: Add single flight groups for permission fetching (#98607) 
add single flight groups for user and anonymous permission checking
 2025-01-08 14:53:32 +02:00
Ieva 5a98432ba6 AuthZ service: Add traces for authZ service and store (#98445) 
* add traces for authz service and store

* fix tests
 2025-01-03 10:23:03 +02:00
Ieva 1334caa6c8 AuthZ service: Support anonymous access (#98322) 
support anonymous access
 2024-12-20 16:32:57 +01:00
Gabriel MABILLE efb7cc0343 Chore: Authlib upgrade (#98319) 
* Chore: Authlib upgrade

* Upgrade authlib

* Uncommit file
 2024-12-20 15:48:35 +01:00
Ieva 2503b31f53 AuthZ service: Implement listing (#98220) 
* listing implementation pt 1

* validate list request

* register GRPC endpoint, pass the correct user UID and return folder identifiers not scopes

* uncomment code that was only commented out for testing

* fix tests

* remove unneeded changes

* remove unused import

* Update pkg/services/authz/rbac/service.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* refactor to improve efficiency

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* use variable names when logging

* adding tests for listing

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2024-12-20 15:48:20 +02:00
Gabriel MABILLE 55f8be62a1 AuthZ Service: Use singleflight group to fetch and build the folder tree (#98299) 
* AuthZ Service: Use singleflight group to fetch and build the folder tree

* Change the sfgroup key

* Future proof
 2024-12-20 10:26:30 +01:00
Gabriel MABILLE c175722dfd AuthZService: Cache folder tree (#98210) 
* AuthZService: Cache folder tree

* Remove fmt

* Suggestion

* Add tests
 2024-12-19 13:55:59 +01:00
Ieva 40a9f7162a AuthZ service: Build folder tree and check inherited permissions (#98074) 
* build folder tree and check inherited permissions

* don't fetch dashboards

* remove unused queries
 2024-12-18 14:19:16 +00:00
Gabriel MABILLE 961211b21a AuthZ Service: Add caching (#98008) 
* AuthZ Service: Add caching

* split in functions

* Test getUserTeams

* Add tests to getUserBasicRole

* Test getUserPermissions

* Cache user identifiers

* fix test
 2024-12-18 14:07:19 +01:00
Ieva 32554c78a8 Direct DB perm checks: check that the namespaces match (#97828) 
check that the namespace of the caller matches the namespace in the request
 2024-12-12 12:57:16 +02:00
Ieva ded90fa28d App platform: Implement perm check with direct db access (#97579) 
* implement perm check with direct db access

* add tests

* more tests

* Update pkg/services/authz/rbac/service.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Update pkg/services/authz/rbac/service.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* allow fetching permissions for a user who is not a member of the org

* linting

* fix typo

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2024-12-12 08:52:14 +00:00
Gabriel MABILLE aa2b4751a0 AuthZ: Launch service within IAM app (#96421) 2024-11-20 11:13:33 +01:00