* Alerting: Protect sensitive fields of contact points from unauthorized modification
- Introduce a new permission alert.notifications.receivers.protected:write. The permission is granted to contact point administrators.
- Introduce field Protected to NotifierOption
- Introduce DiffReport for models.Integrations with focus on Settings. The diff report is extended with methods that return all keys that are different between two settings.
- Add new annotation 'grafana.com/access/CanModifyProtected' to Receiver model
- Update receiver service to enforce the permission and return status 403 if unauthorized user modifies protected field
- Update receiver testing API to enforce permission and return status 403 if unauthorized user modifies protected field.
- Update UI to disable protected fields if user cannot modify them
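As an added illustration of the check the bullets above describe (example code written for this page, not Grafana's receiver service or its DiffReport), the following Go sketch computes the keys that differ between two settings maps, keeps the ones flagged Protected in an assumed NotifierOption schema, and answers 403 when the caller lacks alert.notifications.receivers.protected:write. Only the permission string is taken from the commit message; the type and function names, the flat string-valued Settings map and the sample contact point are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
)

// PermProtectedWrite is the permission named in the commit message; its
// spelling is taken from there, everything else in this file is assumed.
const PermProtectedWrite = "alert.notifications.receivers.protected:write"

// NotifierOption is an assumed, reduced shape of one integration option
// schema entry: only the name and the Protected flag matter here.
type NotifierOption struct {
	Name      string
	Protected bool
}

// Settings is the flat key/value settings map of one integration (assumed shape).
type Settings map[string]string

// DiffKeys returns, sorted, every key whose value differs between a and b.
// A key present on only one side counts as different, so deleting a field is
// reported as a change just like editing it.
func DiffKeys(a, b Settings) []string {
	set := map[string]struct{}{}
	for k, va := range a {
		if vb, ok := b[k]; !ok || vb != va {
			set[k] = struct{}{}
		}
	}
	for k := range b {
		if _, ok := a[k]; !ok {
			set[k] = struct{}{}
		}
	}
	keys := make([]string, 0, len(set))
	for k := range set {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// ProtectedChanges keeps only the changed keys whose option is flagged Protected.
func ProtectedChanges(changed []string, opts []NotifierOption) []string {
	protected := map[string]bool{}
	for _, o := range opts {
		if o.Protected {
			protected[o.Name] = true
		}
	}
	var out []string
	for _, k := range changed {
		if protected[k] {
			out = append(out, k)
		}
	}
	return out
}

// AuthorizeUpdate decides whether the caller may replace old with updated. It
// returns 403 together with the offending keys when a protected field would
// change and the caller lacks PermProtectedWrite; otherwise 200. Callers with
// the permission, and callers who only touch unprotected fields, are allowed.
func AuthorizeUpdate(old, updated Settings, opts []NotifierOption, perms map[string]bool) (int, []string) {
	blocked := ProtectedChanges(DiffKeys(old, updated), opts)
	if len(blocked) > 0 && !perms[PermProtectedWrite] {
		return http.StatusForbidden, blocked
	}
	return http.StatusOK, nil
}

func main() {
	// Constructed sample: a webhook-style contact point whose URL is protected.
	opts := []NotifierOption{{Name: "url", Protected: true}, {Name: "title", Protected: false}}
	old := Settings{"url": "https://hooks.example.invalid/a", "title": "ops"}
	edited := Settings{"url": "https://hooks.example.invalid/b", "title": "ops"}

	status, keys := AuthorizeUpdate(old, edited, opts, nil)
	fmt.Println(status, keys) // 403 [url]
	status, keys = AuthorizeUpdate(old, edited, opts, map[string]bool{PermProtectedWrite: true})
	fmt.Println(status, keys) // 200 []
}
```

The diff is computed against the stored settings rather than trusting a client-supplied "changed" flag, so a request that resends an unchanged protected value is allowed while one that silently drops the field is not.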
* Add K8s API redirect for GET resource permissions
* wire
* move restconfig to options
* address comments
* fix helper after adding RestConfigProvider
* Revert K8s redirect changes for service accounts, teams, and receivers
Keep only dashboard and folder redirect functionality for this PR.
Service accounts, teams, and receivers will be handled in a separate PR.
* address comments
* lint
* Deprecating features.IsEnabled
* add one more nolint
* add one more nolint
* Give better hints to devs in the deprecation message of IsEnabledGlobally
* adding more doc strings
* fix linter after rebase
* Extend deprecation message
As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.
This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:
- Role permissions are immediately available for authorization checks
- The legacy RBAC system and new Zanzana system remain in sync
- Users experience consistent permission enforcement regardless of which backend is queried
safe to revert
* Replace remaining calls to testing.Short where possible.
* Update style guide.
* Revert change in TestAlertmanager_ExtraDedupStage, as it doesn't work.
* Make TestAlertRulePostExport into integration test.
* Add Create for User + DualWriter setup
* Add delete User
* Fix delete + access check
* Add tests for delete user
* Add tests for create user
* Fixes
* Use sqlx session to fix database locked issues
* wip authz checks
* legacyAccessClient
* Update legacyAccessClient, add tests for create user
* Close rows before running other queries
* Use ExecWithReturningId
* Verify deletion in the tests
* Add Validate and Mutate
* Other changes
* Address feedback
* Update tests
---------
Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
* automatically rename integration tests to follow the common convention
* name tests differently
* alter column type to bigint
* update another column to bigint
* add another alter
* fix subquery for mysql
* add group to role DisplayName to make searching easier
* clean up more role names; add filtered display text when fetching
* pass filter state into role menu to decide how to display role name
* prop name better describes what it does
* restrict provisioned teams from being updated and deleted
* check if team is provisioned before update and delete
* add function getTeamDTOByID()
* check if team is provisioned in access control
* fix TestDeleteTeamMembersAPIEndpoint
* add unit tests
* add function for validating a team
* add columns external_id and is_provisioned to the team table
* generate openapi specs
* rename column to external_uid
* generate open api specs
* increase limit for external_uid to 256