opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-29 17:52:59 +08:00
Code Issues Packages Projects Releases Wiki Activity
60,980 Commits 2,382 Branches 619 Tags
Commit Graph

17 Commits

Author SHA1 Message Date
Karl Persson
4083b2208e Zanzana: periodic sync of team members (#94752) 
* Rewrite zanzana collector to fetch all available pages

* Register access control as a background service

* If zanzana is enabled we run Syncs and start Reconciliation job

* Update pkg/services/authz/zanzana/client/client.go

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

* Use server lock when doing performing reconciliation
 2024-10-17 15:28:33 +02:00
Alexander Zobnin
e642e1a804 Zanzana: Pass parent folder for the checks in search queries (#94541) 
* Pass parent folder as a contextual tuple in Check request

* Search by listing folders and dashboards

* skip dashboards listing if limit reached

* remove unused

* add some comments

* only add ContextualTuples if parent provided

* Remove parent relation for dashboards from schema and perform separate checks
 2024-10-10 17:38:15 +02:00
Alexander Zobnin
5d724c2482 Zanzana: Initial dashboard search (#93093) 
* Zanzana: Search in a background and compare results

* refactor

* Search with check

* instrument zanzana client

* add single_read option

* refactor

* refactor move check into separate function

* Fix tests

* refactor

* refactor getFindDashboardsFn

* add resource type to span attributes

* run ListObjects concurrently

* Use list and search in less cases

* adjust metrics buckets

* refactor: move Check and ListObjects to AccessControl implementation

* Revert "Fix tests"

This reverts commit b0c2f072a25029905fdbd26625fdc7a243d4a308.

* refactor: use own types for Check and ListObjects inside accesscontrol package

* Fix search scenario with low limit and empty query string

* more accurate search with checks

* revert

* fix linter

* Revert "revert"

This reverts commit ee5f14eea8c2f69e0b59f4a5094d708ac58b0169.

* add search errors metric

* fix query performance under some conditions

* simplify check strategy

* fix pagination

* refactor findDashboardsZanzanaList

* Iterate over multiple pages while making check request

* refactor listUserResources

* avoid unnecessary db call

* remove unused zclient

* Add notes for SkipAccessControlFilter

* use more accurate check loop

* always use check for search with provided UIDs

* rename single_read to zanzana_only_evaluation

* refactor

* update go workspace

* fix linter

* don't use deprecated fields

* refactor

* fail if no org specified

* refactor

* initial integration tests

* Fix tests

* fix linter errors

* fix linter

* Fix tests

* review suggestions

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix limit

* refactor

* refactor tests

* fix db config in tests

* fix migrator (postgres)

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2024-10-04 12:27:10 +02:00
Jeff Levin
a21a232a8e Revert read replica POC (#93551) 
* Revert "chore: add replDB to team service (#91799)"

This reverts commit c6ae2d7999aa6fc797db39e9d66c6fea70278f83.

* Revert "experiment: use read replica for Get and Find Dashboards (#91706)"

This reverts commit 54177ca619dbb5ded2dcb158405802d8dbdbc982.

* Revert "QuotaService: refactor to use ReplDB for Get queries (#91333)"

This reverts commit 299c142f6a6e8c5673cfdea9f87b56ac304f9834.

* Revert "refactor replCfg to look more like plugins/plugin config (#91142)"

This reverts commit ac0b4bb34d495914cbe8daad85b7c75c31e8070d.

* Revert "chore (replstore): fix registration with multiple sql drivers, again (#90990)"

This reverts commit daedb358dded00d349d9fac6106aaaa6bf18322e.

* Revert "Chore (sqlstore): add validation and testing for repl config (#90683)"

This reverts commit af19f039b62d9945377292a8e679ee258fd56b3d.

* Revert "ReplStore: Add support for round robin load balancing between multiple read replicas (#90530)"

This reverts commit 27b52b1507f5218a7b38046b4d96bc004d949d46.

* Revert "DashboardStore: Use ReplDB and get dashboard quotas from the ReadReplica (#90235)"

This reverts commit 8a6107cd35f6444c0674ee4230d3d6bcfbbd4a58.

* Revert "accesscontrol service read replica (#89963)"

This reverts commit 77a4869fcadf13827d76d5767d4de74812d6dd6d.

* Revert "Fix: add mapping for the new mysqlRepl driver (#89551)"

This reverts commit ab5a079bcc5b0f0a6929f0a3742eb2859d4a3498.

* Revert "fix: sql instrumentation dual registration error (#89508)"

This reverts commit d988f5c3b064fade6e96511e0024190c22d48e50.

* Revert "Experimental Feature Toggle: databaseReadReplica (#89232)"

This reverts commit 50244ed4a1435cbf3e3c87d4af34fd7937f7c259.
 2024-09-25 15:21:39 -08:00
Alexander Zobnin
0e0c877609 Zanzana: Model fixed roles as a part of schema (#92364) 
* model fixed roles for dashboards and folders

* Correctly translate fixed role assignments

* minor refactor

* assign fixed roles to teams

* fix linter errors

* Migrate general folder permissions for fixed roles

* fix dashboards:create permission
 2024-08-27 15:39:22 +02:00
Jeff Levin
028e8ac59e Instrument tracing across accesscontrol (#91864) 
Instrument tracing across accesscontrol 

---------

Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
 2024-08-16 14:08:19 -08:00
Alexander Zobnin
aaf33c7923 Zanzana: Migrate basic, fixed and custom roles (#91814) 
* Zanzana: Migrate basic roles permissions

* add basic roles assignments

* refactor

* Sync basic roles permissions in all orgs

* migrate fixed roles

* map root folders to orgs

* fix basic role assignments in orgs

* migrate other roles

* migrate team roles assignments

* add notes about authorization schema

* don't migrate fixed roles
 2024-08-15 16:13:27 +02:00
Alexander Zobnin
1cc438a56c Zanzana: Evaluate dashboard and folder permissions (#91539) 
* Zanzana: basic folder permissions checks

* Fix managed permissions for teams

* fix sync batch size

* add dashboards actions translations

* migrate folder tree

* migrate dashboard folders

* remove action sets from schema

* Adding more dashboard and folder-related permissions

* refactor

* Correctly translate dashboard permissions in folders

* fix dashboard parent permissions
 2024-08-09 13:48:56 +02:00
Kristin Laemmert
77a4869fca accesscontrol service read replica (#89963) 
* accesscontrol service read replica
* now using the ReplDB interface
* ReadReplica for GetUser
 2024-07-08 10:00:13 -04:00
Karl Persson
cbbc12a31b Zanzana: Sync team memberships (#89983) 
* Zanzana: Use uid for users and teams

* Zanzana: Team membership migrator

---------

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
 2024-07-03 13:37:26 +02:00
Karl Persson
e568b86ac0 Zanzana: Initial work to allow partial data migrations (#89919) 
* Zanana: Add Write method to interface

* Zanzana: Add utilities for translating RBAC to openFGA tuple keys

* RBAC: Add zanzana synchronizer

* Run zanzana sync in access controll provider
 2024-07-02 14:45:25 +02:00
Dan Cech
790e1feb93 Chore: Update test database initialization (#81673) 
* streamline initialization of test databases, support on-disk sqlite test db

* clean up test databases

* introduce testsuite helper

* use testsuite everywhere we use a test db

* update documentation

* improve error handling

* disable entity integration test until we can figure out locking error
 2024-02-09 09:35:39 -05:00
Jo
3bcde852ac AccessControl: Add safety valve truncation for long user defined scopes (#79854) 
* fix migrator bootloop by invalidating permissions

* add test for scope truncation

* lint

* fix max size scope
 2023-12-27 17:31:26 +01:00
Serge Zaitsev
8187d8cb66 Chore: capitalise log message for auth packages (#74332) 2023-09-04 18:49:47 +02:00
Ryan McKinley
025b2f3011 Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
Gabriel MABILLE
261045d182 RBAC: Batch update on scope split migration (#72182) 
* RBAC: Make the SplitScope migration concurrent

* Benchmark multiple alternatives: (updates in a loop, batch update, concurrent batch update)

* Only keep batching since mysql 5.7 does not seem to support concurrent batching

* Update pkg/services/accesscontrol/migrator/migrator.go

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
 2023-07-28 12:37:24 +02:00
Ieva
cfa1a2c55f RBAC: Split non-empty scopes into kind, attribute and identifier fields for better search performance (#71933) 
* add a feature toggle

* add the fields for attribute, kind and identifier to permission

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* set the new fields when new permissions are stored

* add migrations

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* remove comments

* Update pkg/services/accesscontrol/migrator/migrator.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split

* PR feedback: add a comment and revert an accidentally changed file

* PR feedback: handle the case with : in resource identifier

* switch from checking feature toggle through cfg to checking it through featuremgmt

* don't put the column migrations behind a feature toggle after all - this breaks permission queries from db

---------

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
 2023-07-21 15:23:01 +01:00