Files

T

Misi 29551a6edf IAM: Implement Delete in Service Account API (#110584 )

* wip

* IAM: Create Service Account

* Add dual writer

* Update openapi_test.go

* Add integration tests

* Add sql tests

* Add Role to SA spec, add validation, add DBTime, add tests

* Format, update test

* Fixes

* Add check for External

* wip

* Fix merge

* wip

* Use plugin name instead of title for ext svc account login

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Remove OrgID from DeleteUserCommand

* Use the new authorizer

* Fix tests

* cleanup

* Move test to enterprise

* Revert unnecessary change

* Address feedback

* Revert "Address feedback"

This reverts commit 8ab9559076.

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

2025-09-16 15:39:01 +02:00

proto/v1

UnifiedStorage: Rename Batch processing to Bulk (#101413 )

2025-02-28 08:41:08 +03:00

rbac

IAM: Implement Delete in Service Account API (#110584 )

2025-09-16 15:39:01 +02:00

zanzana

Replace check for integration tests. (#110707 )

2025-09-08 15:49:49 +02:00

rbac_settings.go

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

rbac.go

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

README.md

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

token_auth.go

AuthZ: Make NewGrpcTokenAuth public (#101352 )

2025-02-26 17:29:32 +01:00

wireset.go

Zanzana: Initial work to run openFGA as embedded or standalone service (#89211 )

2024-06-18 10:04:18 +02:00

zanzana.go

Udate IAM Folder Reconciler Operator config (#110728 )

2025-09-05 22:56:23 +00:00

README.md

Authorization

This package contains the authorization server implementation.

Feature toggles

The following feature toggles need to be activated:

[feature_toggles]
authZGRPCServer = true
grpcServer = true

Configuration

To configure the authorization server and client, use the "authorization" section of the configuration ini file.

The remote_address setting, specifies the address where the authorization server is located (ex: server.example.org:10000).

The mode setting can be set to either cloud, grpc or inproc. When set to cloud (or grpc), the client will connect to the specified address. When set to inproc the client will use inprocgrpc (relying on go channels) to wrap a local instantiation of the server.

The listen setting determines whether the authorization server should listen for incoming requests. When set to true, the authorization service will be registered to the Grafana GRPC server.

The default configuration does not register the authorization service on the Grafana GRPC server and binds the client to it inproc:

[authorization]
remote_address = ""
listen = false
mode = "inproc"

For load balancing you would want to enable the load balancing configuration. This sets sane default for multiple pods to be evenly distributed with load across the different pods.

[authorization]
load_balancing_enabled = true

Example

Here is an example to connect the authorization client to a remote grpc server.

[authorization]
remote_address = "server.example.org:10000"
listen = false
mode = "grpc"

Here is an example to register the authorization service on the Grafana GRPC server and connect the client to it through grpc.

app_mode = development

[authorization]
remote_address = "localhost:10000"
listen = true
mode = "grpc"

Here is an example to connect the authorization client to a remote grpc server and use access token authentication.

[environment]
stack_id = 11

[authorization]
remote_address = "server.example.org:10000"
mode = "cloud"
listen = false

[grpc_client_authentication]
token = "ReplaceWithToken"
token_exchange_url = "signing-server.example.org/path/to/signing"
token_namespace = "stacks-11"