* Zanzana: Split client and server logs
* Zanzana: Improve error handling and logging
* log internal error at the server side
* refactor
* improve errors for list request
* update go modules
* handle errors for read and write
* refactor
* reset go.mod changes
* Zanzana: Setup GRPC authentication in client/server mode
* don't use grpcutils
* refactor
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Add a namespace stub for in-proc mode
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Read parameters from config
* authorize server requests
* add namespace to the tests context
* use stack id from config
* simplify authorize func
* properly format namespace
* return Unauthenticated if namespace is empty
* use insecure cred only in dev env
* check request namespace
* Use CallCredentials API for client auth
* provide config
* fail if stack id is missing
* improve error message
* use insecure connection by default
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Create and use common ResourceInfo struct
* Add support for formatting group resource with subresource
* Add initial support for handling subresource
* Add test for checking subresource for generic resource
* Bump authlib
* Zanzana: Pass contextual tuples for authorization
* global reconciler for fixed roles
* inject tuples from global store
* fix adding contextual tuples
* cleanup
* don't error on auth context fail
* add todo
* add context for List
* add caching
* remove unused
* use constant for global namespace
* Rename global namespace to cluster namespace
* Zanzana: Handle renderer service authorization requests
* only add context if render service is authorizing
* use group and resource from API definitions
* check prefix instead of full identity
* fix AddRenderContext
* remove unused type
Remove create relation from generic resources.
We cant have a create relation to a resource because they don't exist yet. So
in oder to check create we either have to have that permissions on a folder or the namespace
* Move server init into server package
* map store name to id
* refactor model loading
* pass namespace into reconcilers and collectors
* refactor
* Extend authz server with Read and Write methods
* use new read/write in reconciler
* implement server side read and write
* Sync permissions for every org
* handle namespace in check and list
* split read and write
* provide conditions
* Fix client implementation
* fix nil conditions
* remove unused client code
* use lock for store access
* move type translators to common package
* fix folder collector
* fix store creation
* remove unused AuthorizationModelId
* fix server tests
* fix linter
* Rename to CheckObject
* Implement authz.AccessClient
* Move folder tree to reconciler and use new schema
* Move shared functionality to common package
* Add reconciler for managed permissions and resource translations
* Add support for folder resources
* Implement initial check with schema for generic resources
* Implement List and add tests
* Add namespace type and change to folder_resource name
* Handle namespace grants for typed resources
* Run tests as integration tests
* Add support for verb in list requests
Alexander Zobnin
Cory Forseth
Karl Persson
Karl Persson