Files

T

Jo 2e1704b56f Access: Add AfterCreate hooks for Roles/Core Roles (#112666 )

As part of migrating Grafana's authorization system to Zanzana (OpenFGA), we need to ensure that role permissions defined in the IAM API are automatically synced to the authorization backend. Without this sync, roles created through the API would not be enforced by Zanzana, creating an inconsistency between defined permissions and actual authorization decisions.

This is a critical piece of the dual-write pattern during the migration to Zanzana, ensuring that:

    Role permissions are immediately available for authorization checks
    The legacy RBAC system and new Zanzana system remain in sync
    Users experience consistent permission enforcement regardless of which backend is queried

safe to revert

2025-10-23 09:47:39 +02:00

proto/v1

UnifiedStorage: Rename Batch processing to Bulk (#101413 )

2025-02-28 08:41:08 +03:00

rbac

Dashboards: Use the common service authorizer (#111571 )

2025-10-17 10:03:35 +03:00

zanzana

Access: Add AfterCreate hooks for Roles/Core Roles (#112666 )

2025-10-23 09:47:39 +02:00

rbac_settings.go

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

rbac.go

AuthZ: Zanzana only evaluation toggle (#112715 )

2025-10-21 16:03:17 +02:00

README.md

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

token_auth.go

AuthZ: Make NewGrpcTokenAuth public (#101352 )

2025-02-26 17:29:32 +01:00

wireset.go

Zanzana: Initial work to run openFGA as embedded or standalone service (#89211 )

2024-06-18 10:04:18 +02:00

zanzana.go

Udate IAM Folder Reconciler Operator config (#110728 )

2025-09-05 22:56:23 +00:00

README.md

Authorization

This package contains the authorization server implementation.

Feature toggles

The following feature toggles need to be activated:

[feature_toggles]
authZGRPCServer = true
grpcServer = true

Configuration

To configure the authorization server and client, use the "authorization" section of the configuration ini file.

The remote_address setting, specifies the address where the authorization server is located (ex: server.example.org:10000).

The mode setting can be set to either cloud, grpc or inproc. When set to cloud (or grpc), the client will connect to the specified address. When set to inproc the client will use inprocgrpc (relying on go channels) to wrap a local instantiation of the server.

The listen setting determines whether the authorization server should listen for incoming requests. When set to true, the authorization service will be registered to the Grafana GRPC server.

The default configuration does not register the authorization service on the Grafana GRPC server and binds the client to it inproc:

[authorization]
remote_address = ""
listen = false
mode = "inproc"

For load balancing you would want to enable the load balancing configuration. This sets sane default for multiple pods to be evenly distributed with load across the different pods.

[authorization]
load_balancing_enabled = true

Example

Here is an example to connect the authorization client to a remote grpc server.

[authorization]
remote_address = "server.example.org:10000"
listen = false
mode = "grpc"

Here is an example to register the authorization service on the Grafana GRPC server and connect the client to it through grpc.

app_mode = development

[authorization]
remote_address = "localhost:10000"
listen = true
mode = "grpc"

Here is an example to connect the authorization client to a remote grpc server and use access token authentication.

[environment]
stack_id = 11

[authorization]
remote_address = "server.example.org:10000"
mode = "cloud"
listen = false

[grpc_client_authentication]
token = "ReplaceWithToken"
token_exchange_url = "signing-server.example.org/path/to/signing"
token_namespace = "stacks-11"