* Refactor alert list panel component
- Added clickable link in stat mode that navigates to /alerting/list with matching filters
- Added threshould based coloring in stat mode
- Added value mappings in stat mode
- Added datasource reference by UID instead of name string (with migration for backward compatibility)
* Update translations
* Address code review comments
- Removed dead code related to component migration
- Guard getActiveThreshould call against empty steps in utils.ts and add color assertion in tests
- Remove redundant early return in buildAlertingListUrl
* Fix test
* Use Link instead of a for alerting list url
Alerting: Add namespace UID annotation to alert payloads.
This is required for notification history to be able to log what folder owns the
alert rule in order to filter for user visibility of alert rules.
Plugins: Forward AWS SDK credential chain env vars to external plugins
Fixes broken AWS authentication (assume role, SigV4) for external plugins
(Redshift, Athena, Amazon Prometheus, OpenSearch) in Grafana 12.4.0.
In v12.4.0, commit f041563df3 changed plugin env var handling so external
plugins no longer receive host environment variables by default. This breaks
the AWS SDK credential chain in container environments (EKS IRSA, ECS Fargate)
which rely on vars like AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
Forward 8 critical AWS SDK credential chain env vars from the host to plugins
already in [aws] forward_settings_to_plugins. This is scoped to trusted AWS
plugins only, more targeted than PR #118870's global approach.
Includes test coverage for forwarding, non-forwarding, and selective env var
filtering.
Fixes#119235, #119603, opensearch-datasource#1012
* feat: provisioning export jobs wired with folder metadata creation
* feat: add metadata files to export jobs
write instead of create for metadata file
use options for flag management
* feat: simplify metadata creation in export jobs
* chore: undo comments changes not needed
* chore: move integration test to the right folder
* feat: add dir exitance checks in integration tests
* feat: avoid .keep file creation if metadata is added
* feat: fix unit test expectations
* feat: add integration tests for .keep export
* chore: fix lint in tests
* Revert "Dashboards: Fix liveNow not working for panels with time shift (#115902)"
This reverts commit 00b89b0d29.
* Reapply "Dashboards: Fix liveNow not working for panels with time shift (#115902)"
This reverts commit 00b92cbc56.
* DateMath: should limit parsing per token
* more tests + token limit 5
* Add faceted labels extraction and filtering utilities
- Add extractFacetedLabels to collect unique label values per key
- Add resolveFacetedFilterNames for OR-within/AND-across filtering
- Add FIELD_NAME_FACET_KEY constant for synthetic name facet
- Extend SeriesVisibilityChangeMode with SetExactly
- Widen onToggleSeriesVisibility signature to accept string[] | null
Made-with: Cursor
* Implement faceted labels filter UI and legend integration
- Add FacetedLabelsFilter component with "By name" and "By labels" sections,
select/deselect all, expand/collapse, and dimmed state indicator
- Integrate filter into PlotLegend with popover and docked sidebar modes
- Add filterAction prop to VizLegend, VizLegendList, and VizLegendTable
- Add dismissOnScroll prop to Toggletip for scroll-aware popover dismissal
- Enable faceted filter in the TimeSeries panel
- Widen onToggleSeriesVisibility signature in PanelStateWrapper and ExploreGraph
- Update @grafana/scenes to canary with SetExactly support
- Add FacetedLabelsFilter component tests
- Add dev dashboard for faceted labels scenarios
Made-with: Cursor
* Add enableFacetedFilter as timeseries legend option
- Define TimeSeriesLegendOptions extending VizLegendOptions with
enableFacetedFilter field (defaults to true)
- Add toggle in timeseries panel editor under Legend category
- Remove hardcoded enableFacetedFilter from TimeSeries component,
let it flow via legend options spread
- Explicitly disable faceted filter in Explore graph
- Update dev dashboard with enableFacetedFilter in legend options
- Regenerate locale files
Made-with: Cursor
* Fix docked filter buttons hidden behind dimmed overlay
- Add zIndex to filterDockedActions so Clear all and Unpin
buttons render above the dimmed FacetedLabelsFilter
Made-with: Cursor
* Guard faceted labels filter behind feature toggle
- Add vizLegendFacetedFilter experimental toggle in registry.go
- Gate panel editor option in module.tsx behind the toggle
- Gate rendering in TimeSeries.tsx behind the toggle
- Use TimeSeriesLegendOptions type for legend prop
Made-with: Cursor
* Consolidate FacetedLabelsFilter tests
Made-with: Cursor
* Restore limit support in bottom-placement legend
- Revert to InlineList for bottom placement to preserve
the series limit feature (useLimit + "show all" button)
- filterAction is prepended before InlineList
Made-with: Cursor
* Add test for toggleAllForKey to fix coverage
- Cover Select all / Deselect all button in FacetedLabelsFilter
- Fixes Functions coverage regression for @grafana/dataviz-squad
Made-with: Cursor
* Update dev dashboard file count in search test
- Account for new timeseries-faceted-labels.json dashboard
Made-with: Cursor
* Update search test snapshot for new dev dashboard
- Add timeseries-faceted-labels to t00-all.json snapshot
- Update totalHits from 16 to 17
Made-with: Cursor
* Update search test snapshots for changed BM25 scores
- Adding a dashboard changes maxDocs which shifts IDF values
- Updated scores in all affected snapshot files
Made-with: Cursor
* Add E2E tests for faceted labels filter
- Test filter toggle, popover sections, name selection
- Test select all, clear all, pin to sidebar
- Test dimmed state when legend click conflicts with filter
- Add data-testid attributes to filter toggle and container
Made-with: Cursor
* Use gf-pin icon and move filter to left of name column
- Replace link icon with gf-pin for Pin to sidebar button
- Move filter toggle to left of name column header in table legend
Made-with: Cursor
* Bump @grafana/scenes to 7.1.5
- Replace canary version with stable 7.1.5 release
Made-with: Cursor
* Exclude node_modules from i18n extraction
- Nested node_modules under packages/ can contain .d.ts files
that fail to parse, causing extraction to exit with error
Made-with: Cursor
* Add unit tests for PlotLegend faceted filter
- Test filter toggle visibility when enabled/disabled
- Test popover interaction and onToggleSeriesVisibility callback
- Test docked mode with clear all and unpin
Made-with: Cursor
* Authz: reduce reconciler memory by streaming diff computation
Replace the naive approach of loading all current tuples into memory
with a streaming page-by-page diff against the expected tuple map.
Build the expected map directly during CRD translation instead of
creating an intermediate slice. Fix tupleKey() to use field
concatenation instead of protobuf String() which incorrectly
included Condition fields.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Authz: fix condition-change detection in streaming reconciler diff
The streaming diff keyed on (User, Relation, Object) only, so if a
tuple's condition changed the reconciler treated it as "in sync" and
never updated it. Now compare conditions with proto.Equal when a key
matches — mismatches trigger a delete+re-add.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Authz: add configurable read page size and streaming diff tests
Make the Zanzana read page size configurable via zanzana_read_page_size
setting (default 1000). Add comprehensive tests for computeDiffStreaming
covering sync, add, delete, condition change, empty states, and
multi-page scenarios.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Provisioning: Add job metrics for warnings, file ops, and resource ops
Introduce three new Prometheus metrics to the provisioning jobs package:
- `grafana_provisioning_jobs_warnings` (histogram): distribution of warning
counts per sync by action and reason
- `grafana_provisioning_jobs_file_operations_total` (counter): file operations
by action, operation, and reason
- `grafana_provisioning_jobs_resource_operations_total` (counter): resource
operations by action, operation, reason, group, and kind
Wire the warnings histogram into the pull job via the progress recorder's
new WarningCounts() method, which counts warnings per reason as they are
recorded. The sync worker emits the histogram after each sync using the
actual job action, keeping the metrics generic across job types.
Also add the FolderMetadataConflict error type and warning reason as
plumbing for future conflict detection.
Made-with: Cursor
* Provisioning: Move metrics to driver, add errors histogram, add tests
- Pass *JobMetrics through driver constructors instead of
SetWarningRecorder on the interface, so every job gets warning/error
recording automatically without workers opting in.
- Add grafana_provisioning_jobs_errors histogram to track resource error
count distribution per job run.
- Update metric descriptions to be generic for all job types.
- Add unit tests for FolderMetadataConflict, NewFolderManifest, and
MissingFolderMetadata error formatting.
Made-with: Cursor
* Provisioning: Switch resource warnings/errors to counters, add resource prefix
- Rename metrics to grafana_provisioning_jobs_resource_warnings_total
and grafana_provisioning_jobs_resource_errors_total.
- Change from histograms to counters since distribution per job run
is not needed right now.
- Rename fields and methods to include Resource prefix for clarity.
Made-with: Cursor
* Provisioning: Restore worker_test.go to main (no changes needed)
Made-with: Cursor
* Provisioning: Fix gofmt formatting
Made-with: Cursor
* Provisioning: Emit resource metrics per-Record, remove file_operations metric
Move metric emission from Complete() snapshots to per-Record() Inc() calls,
simplifying the recording API and removing the need for snapshot/nil-guard
logic. Also remove the unused file_operations_total metric and WarningCounts
method.
Made-with: Cursor
* Provisioning: Consolidate resource metrics into single counter
Replace four separate metrics (resource_success_total, resource_warnings_total,
resource_errors_total, resource_operations_total) with a single unified
grafana_provisioning_jobs_resource_operations_total counter using an outcome
label to distinguish success/warning/error.
Made-with: Cursor
* Provisioning: Add typed constants for resource operation and outcome
Move ResourceOutcome and ResourceOperation types from metrics.go to
job_resource_result.go alongside other result types. Add OperationReplaced
constant and fileActionToOperation helper for mapping FileAction values.
Made-with: Cursor
* Provisioning: Use typed JobAction in RecordResourceOperation signature
Accept provisioning.JobAction instead of string for the action parameter.
Add OperationReplaced constant. Use existing provisioning constants in tests.
Made-with: Cursor
* Provisioning: Revert warningCounts back to resultReasons set
With per-Record metric emission we no longer need counts per reason.
Restore the original resultReasons map[string]struct{} from main.
Made-with: Cursor
* Provisioning: Remove trailing newline in progress_test.go
Made-with: Cursor
* Provisioning: Simplify RecordResourceOperation to accept JobResourceResult
Move outcome/operation/reason derivation into RecordResourceOperation so
callers just pass the action and result. Remove emitMetrics helper and
inline the call. Add OperationRenamed constant.
Made-with: Cursor
* Provisioning: Rename OperationNoop to OperationIgnored
Made-with: Cursor
* Storage: fix channelNotifier emitting events out of RV order
The Watch goroutine reads events from the raw channel one at a time
via select. When the ticker fires, Go's select randomly picks between
the raw channel and the ticker — so a tick can fire while events with
lower RVs are still unread in the channel. This causes partial batches
to be sorted and emitted, producing globally out-of-order output.
Fix by draining all pending events from the raw channel into the buffer
when the ticker fires, before sorting and emitting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Use for-loop style for drain
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* IAM: Add hidden users filtering and improved RBAC mapper for users API
- Add StoreWrapper for user resource that filters hidden users on Get/List
- Wire up StoreWrapper in the users API group registration
- Expand RBAC verb mapping for users to use explicit action translations
- Add integration tests for hidden users filtering behavior
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* IAM: Fix duplicate user validation and storewrapper context propagation
The storewrapper replaced the request context with a service identity
(OrgID=0) before invoking createValidation/updateValidation callbacks.
Since these callbacks wrap k8s admission webhooks (including the
duplicate email/login checks), the validation ran with OrgID=0 causing
SearchOrgUsers to return no results, silently passing duplicates through
to the DB which then returned a 500 instead of 409.
Fix 1 (storewrapper): Add validationWithUserContext and
updateValidationWithUserContext helpers that rebind validation callbacks
to the original user context before passing them to the inner store.
Fix 2 (legacy store): Add toUserConflictError as defense-in-depth that
converts SQLite UNIQUE constraint failures on user.email/user.login into
proper 409 Conflict API errors in CreateUser and UpdateUser.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Regen
* Use configprovider.ConfigProvider instead of setting.Cfg
* Enforce hidden-users restrictions on write operations
BeforeCreate, BeforeUpdate, and BeforeDelete in the user StoreWrapper
now return HTTP 403 when the target user's login is in the hidden-users
list, returning a generic "operation not permitted" message to callers
and logging the hidden-user detail server-side via a structured logger.
Integration tests are updated to create the user before marking it
hidden (so BeforeCreate does not block setup), then verify all four
guarded paths (get→404, list filtered, update→403, delete→403) and
add a dedicated sub-test that confirms create is blocked once a login
is in the hidden list.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* IAM: Add WithPreserveIdentity option to storewrapper
Introduces a WithPreserveIdentity() functional option on storewrapper.New()
so the users storage path passes the original caller identity through to the
inner store instead of replacing it with a service identity. This ensures
admission validation (e.g. duplicate email/login checks) runs with the correct
OrgID. Adds unit tests for the new option.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Address feedback
* Fix some minor issues
* Update pkg/registry/apis/iam/register.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Address feedback
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Datagrid: Remove from frontend
* fix mismatch
* toggle doc
* try adding these backend tests back
* these tessts are inherently tied to the frontend it seems
* remove references in CODEOWNERS and auto-triager
* update some more go tests which enforce core plugin stuff
* make gen-jsonnet
* Broadcaster: drain pending subscribes before unsubscribe to fix race
When Subscribe and Unsubscribe are called sequentially, both messages
are buffered in separate channels. Go's select can pick the unsubscribe
before the subscribe, making it a no-op and leaving the subscriber
channel unclosed forever. This caused TestBroadcasterUnsubscribe to
hang for 30 minutes in CI.
Fix by draining all pending subscribe messages before processing an
unsubscribe, since the subscribe is guaranteed to be buffered first.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Restore original comment and simplify drain comment
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* adjust SoloPanelPage to allow for children and matched panels
* fix: prevent duplicate panel accumulation in SoloPanelContext matchedPanels
Add includes() guard before pushing to matchedPanels array to prevent
the same panel being added multiple times across React re-renders.
---------
Co-authored-by: Ivan Ortega <ivanortegaalba@gmail.com>
