* remove action set feature toggle
* don't pass feature toggles to action set service instantiation
* linting
* test fixes and frontend clean-up
* fix test
* RBAC: Remove accessControlOnCall feature toggle
* Leave the other one in place
* Tests
* frontend
* Readd empty ft to frontend test
* Remove legacy RBAC check
* Fix test
* no need for context
* Remove unused variable
* Remove unecessary param
* remove unecessary param from tests
* More tests :D
* Extract "PermissionStore" from general store interface
* Add static and union permission stores
* Add GetStaticRoles
* Use accesscontrol.Service for inproc to provide static permissions
* Replace sql query with folder service call when collecting folder tree
* Update provider for folder service implementation for wire
* Refactor provisioning of oss service in folder permissions test util
* fix: Change users permissions search to use a consistent key without collisions
* Move HashString to cacheutils
* Change error handling logic for what to do with a cache key
* Add a test that confirms search cache key consistency
* Rewrite zanzana collector to fetch all available pages
* Register access control as a background service
* If zanzana is enabled we run Syncs and start Reconciliation job
* Update pkg/services/authz/zanzana/client/client.go
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Use server lock when doing performing reconciliation
* ManagedServiceAccounts: Add a config option to disabled by default
* Update log in pkg/services/extsvcauth/registry/service.go
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Revert "chore: add replDB to team service (#91799)"
This reverts commit c6ae2d7999aa6fc797db39e9d66c6fea70278f83.
* Revert "experiment: use read replica for Get and Find Dashboards (#91706)"
This reverts commit 54177ca619dbb5ded2dcb158405802d8dbdbc982.
* Revert "QuotaService: refactor to use ReplDB for Get queries (#91333)"
This reverts commit 299c142f6a6e8c5673cfdea9f87b56ac304f9834.
* Revert "refactor replCfg to look more like plugins/plugin config (#91142)"
This reverts commit ac0b4bb34d495914cbe8daad85b7c75c31e8070d.
* Revert "chore (replstore): fix registration with multiple sql drivers, again (#90990)"
This reverts commit daedb358dded00d349d9fac6106aaaa6bf18322e.
* Revert "Chore (sqlstore): add validation and testing for repl config (#90683)"
This reverts commit af19f039b62d9945377292a8e679ee258fd56b3d.
* Revert "ReplStore: Add support for round robin load balancing between multiple read replicas (#90530)"
This reverts commit 27b52b1507f5218a7b38046b4d96bc004d949d46.
* Revert "DashboardStore: Use ReplDB and get dashboard quotas from the ReadReplica (#90235)"
This reverts commit 8a6107cd35f6444c0674ee4230d3d6bcfbbd4a58.
* Revert "accesscontrol service read replica (#89963)"
This reverts commit 77a4869fcadf13827d76d5767d4de74812d6dd6d.
* Revert "Fix: add mapping for the new mysqlRepl driver (#89551)"
This reverts commit ab5a079bcc5b0f0a6929f0a3742eb2859d4a3498.
* Revert "fix: sql instrumentation dual registration error (#89508)"
This reverts commit d988f5c3b064fade6e96511e0024190c22d48e50.
* Revert "Experimental Feature Toggle: databaseReadReplica (#89232)"
This reverts commit 50244ed4a1435cbf3e3c87d4af34fd7937f7c259.
* Access control: Use composite cache key for team permissions
* use composite key for teams
* use cache for hotpath (getCachedUserPermissions)
* don't cache empty teams set
* don't pass permissions as argument
* early return if no teams found
* reload cache correctly
* optimize allocations
* Clear user's teams cache
* remove composite cache for teams
* fix linter
* don't clear teams permissions
* pre-allocate memory for basic roles permissions
* Access control: Use composite cache key for team permissions
* use composite key for teams
* use cache for hotpath (getCachedUserPermissions)
* fix linter
* fix sorting
---------
Co-authored-by: Jeff Levin <jeff@levinology.com>
* Refactor identity struct to store type in separate field
* Update ResolveIdentity to take string representation of typedID
* Add IsIdentityType to requester interface
* Use IsIdentityType from interface
* Remove usage of TypedID
* Remote typedID struct
* fix GetInternalID
* Cfg: Move rbac settings to own struct
* Cfg: Add setting to control if resource should generate managed permissions when created
* Dashboards: Check if we should generate default permissions when dashboard is created
* Folders: Check if we should generate default permissions when folder is created
* Datasource: Check if we should generate default permissions when datasource is created
* ServiceAccount: Check if we should generate default permissions when service account is created
* Cfg: Add option to specify resources for wich we should default seed
* ManagedPermissions: Move providers to their own files
* Dashboards: Default seed all possible managed permissions if configured
* Folders: Default seed all possible managed permissions if configured
* Cfg: Remove service account from list
* RBAC: Move utility function
* remove managed permission settings from the config file examples, change the setting names
* remove ini file changes from the PR
* fix setting reading
* fix linting errors
* fix tests
* fix wildcard role seeding
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: jguer <me@jguer.space>
Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This PR reduces the number of allocations made while caching permissions from the database, fixes the hierarchy of spans and adds new spans for tracing.
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
* include and resolve action sets when fetching user's permissions
* expand both action and action prefix (returns an empty set for the one that isn't specified)
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* if action is specified, check for exact match; also extend tests
* logic to expand action set to the underlying actions when permissions are fetched from the DB
* updates needed for dependency injection
* clean up some code, also deduplicate scopes when grouping scopes and actions
* expand on a comment
* rename a method
* reenable ext-jwt-client
* fixup settings struct
* add user and service auth
* lint up
* add user auth to grafana ext
* fixes
* Populate token permissions
Co-authored-by: jguer <joao.guerreiro@grafana.com>
* fix tests
* fix lint
* small prealloc
* small prealloc
* use special namespace for access policies
* fix access policy auth
* fix tests
* fix uncalled settings expander
* add feature toggle
* small feedback fixes
* rename entitlements to permissions
* add authlibn
* allow viewing the signed in user info for non user namespace
* fix invalid namespacedID
* use authlib as verifier for tokens
* Update pkg/services/authn/clients/ext_jwt.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update pkg/services/authn/clients/ext_jwt_test.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* fix parameter names
* change asserts to normal package
* add rule for assert
* fix ownerships
* Local diff
* test and lint
* Fix test
* Fix ac test
* Fix pluginproxy test
* Revert testdata changes
* Force revert on test data
---------
Co-authored-by: gamab <gabriel.mabille@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Access control: Extend GetUserPermissions() to query permissions in specific org
* Use db query to fetch permissions in org
* refactor
* refactor
* use conditional join
* minor refactor
* Add test cases
* Search permissions correctly in OSS vs Enterprise
* Get permissions from memory
* Refactor
* remove unused func
* Add tests for GetUserPermissionsInOrg
* fix linter
* RBAC: Remove team permissions on delete
* Remove unecessary deletes from store function
* Nit on mock
* Add test to the database
* Nit on comment
* Add another test to check that other permissions remain
* AuthN: Remove embedded oauth server
* Restore main
* go mod tidy
* Fix problem
* Remove permission intersection
* Fix test and lint
* Fix TestData test
* Revert to origin/main
* Update go.mod
* Update go.mod
* Update go.sum
* RBAC: Search add user login filter
* Switch to a userService resolving instead
* Remove unused error
* Fallback to use the cache
* account for userID filter
* Account for the error
* snake case
* Add test cases
* Add api tests
* Fix return on error
* Re-order imports
