Files

T

Gabriel MABILLE 8998b1fde4 grafana-iam: Implement api level user authorization (#114498 )

* OnGoing

comment

* WIP on the wrapper

* Get before Delete

* WIP: add an unimplemented storage authorizer

* WIP implementing the resource permission authorize

* Implement beforeCreate

* Create, Delete, Update

* List

* Use a resource permissions wrapper

* Switch the main authorizer to service

* Add namespace

* Use compile for list

* Comment

* Remove unecessary comments

* fix bug with folder permissions

* Implement tests for List

* Test get

* List test small refactor

* Delete test

* Reorganize code

* imports

* Start splitting the tests

* test AfterDelete

* actually test beforeWrite

* Implement tests for wrapper create

* Test delete

* Test List and Get

* Fix List

* Remaining tests

* simplify

* Remove comments

* Reorder

* Change authorizer to allow access

2025-12-03 17:06:26 +01:00

proto/v1

Zanzana: Role write APIs (#114533 )

2025-11-28 11:44:58 +01:00

rbac

grafana-iam: Implement api level user authorization (#114498 )

2025-12-03 17:06:26 +01:00

zanzana

AuthZ: Set span errors (#114460 )

2025-12-01 09:29:04 +01:00

rbac_settings.go

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

rbac.go

Zanzana: Inject client into standalone AuthZ client (#113293 )

2025-10-31 16:15:45 +01:00

README.md

grafana-iam: Adds config opts for RBACRemoteClient for load balancing (#110819 )

2025-09-16 09:49:37 +01:00

token_auth.go

AuthZ: Make NewGrpcTokenAuth public (#101352 )

2025-02-26 17:29:32 +01:00

wireset.go

Zanzana: app platform style write APIs (#112812 )

2025-10-28 11:22:13 +01:00

zanzana.go

Zanzana: Add token namespace to config (#114165 )

2025-11-20 15:54:32 +01:00

README.md

Authorization

This package contains the authorization server implementation.

Feature toggles

The following feature toggles need to be activated:

[feature_toggles]
authZGRPCServer = true
grpcServer = true

Configuration

To configure the authorization server and client, use the "authorization" section of the configuration ini file.

The remote_address setting, specifies the address where the authorization server is located (ex: server.example.org:10000).

The mode setting can be set to either cloud, grpc or inproc. When set to cloud (or grpc), the client will connect to the specified address. When set to inproc the client will use inprocgrpc (relying on go channels) to wrap a local instantiation of the server.

The listen setting determines whether the authorization server should listen for incoming requests. When set to true, the authorization service will be registered to the Grafana GRPC server.

The default configuration does not register the authorization service on the Grafana GRPC server and binds the client to it inproc:

[authorization]
remote_address = ""
listen = false
mode = "inproc"

For load balancing you would want to enable the load balancing configuration. This sets sane default for multiple pods to be evenly distributed with load across the different pods.

[authorization]
load_balancing_enabled = true

Example

Here is an example to connect the authorization client to a remote grpc server.

[authorization]
remote_address = "server.example.org:10000"
listen = false
mode = "grpc"

Here is an example to register the authorization service on the Grafana GRPC server and connect the client to it through grpc.

app_mode = development

[authorization]
remote_address = "localhost:10000"
listen = true
mode = "grpc"

Here is an example to connect the authorization client to a remote grpc server and use access token authentication.

[environment]
stack_id = 11

[authorization]
remote_address = "server.example.org:10000"
mode = "cloud"
listen = false

[grpc_client_authentication]
token = "ReplaceWithToken"
token_exchange_url = "signing-server.example.org/path/to/signing"
token_namespace = "stacks-11"