95 Commits

Author SHA1 Message Date
10411361e7 Team: Add columns external_uid and is_provisioned to the team table (#103285)
* add columns external_id and is_provisioned to the team table

* generate openapi specs

* rename column to external_uid

* generate open api specs

* increase limit for external_uid to 256
2025-04-04 11:00:14 +03:00
fd6a4908f1 Support Spanner's UNION syntax, which needs to be UNION DISTINCT or UNION ALL. (#101768)
* Support Spanner's UNION syntax, which needs to be UNION DISTINCT or UNION ALL.
2025-03-10 12:33:52 +01:00
e4fbae03a1 RBAC: remove dead code (#97234)
This code is unused and always have been
2024-12-02 16:23:51 +01:00
cc0ec349a4 RBAC: Allow passing in user UID when searching for user's permissions (#97125)
* allow passing in user UID instead of ID when searching for user's permissions

* fix tests
2024-11-28 16:36:26 +00:00
f2b96593ea SQL: close rows to release connection (#97147)
* SQL: close rows to release connection

* dont return err from rows.Close()
2024-11-28 14:28:55 +01:00
3990637af9 IAM: remove duplicated functions (#96989)
* Remove duplicated function and use the one provided by claims package
2024-11-26 09:22:45 +01:00
a21a232a8e Revert read replica POC (#93551)
* Revert "chore: add replDB to team service (#91799)"

This reverts commit c6ae2d7999aa6fc797db39e9d66c6fea70278f83.

* Revert "experiment: use read replica for Get and Find Dashboards (#91706)"

This reverts commit 54177ca619dbb5ded2dcb158405802d8dbdbc982.

* Revert "QuotaService: refactor to use ReplDB for Get queries (#91333)"

This reverts commit 299c142f6a6e8c5673cfdea9f87b56ac304f9834.

* Revert "refactor replCfg to look more like plugins/plugin config (#91142)"

This reverts commit ac0b4bb34d495914cbe8daad85b7c75c31e8070d.

* Revert "chore (replstore): fix registration with multiple sql drivers, again (#90990)"

This reverts commit daedb358dded00d349d9fac6106aaaa6bf18322e.

* Revert "Chore (sqlstore): add validation and testing for repl config (#90683)"

This reverts commit af19f039b62d9945377292a8e679ee258fd56b3d.

* Revert "ReplStore: Add support for round robin load balancing between multiple read replicas (#90530)"

This reverts commit 27b52b1507f5218a7b38046b4d96bc004d949d46.

* Revert "DashboardStore: Use ReplDB and get dashboard quotas from the ReadReplica (#90235)"

This reverts commit 8a6107cd35f6444c0674ee4230d3d6bcfbbd4a58.

* Revert "accesscontrol service read replica (#89963)"

This reverts commit 77a4869fcadf13827d76d5767d4de74812d6dd6d.

* Revert "Fix: add mapping for the new mysqlRepl driver (#89551)"

This reverts commit ab5a079bcc5b0f0a6929f0a3742eb2859d4a3498.

* Revert "fix: sql instrumentation dual registration error (#89508)"

This reverts commit d988f5c3b064fade6e96511e0024190c22d48e50.

* Revert "Experimental Feature Toggle: databaseReadReplica (#89232)"

This reverts commit 50244ed4a1435cbf3e3c87d4af34fd7937f7c259.
2024-09-25 15:21:39 -08:00
8d84517103 AuthN: Introduce DefaultOrgID function for managed service accounts (#93432)
* Managed Service Accounts: Use AutoAssignOrgID

* Fix the IsExternalServiceAccount function

* Reassign service account role

* Account for AutoAssignOrg

* Update pkg/services/serviceaccounts/models.go

* Simplify IsExternalServiceAccount function

* Add tests

* Easier to understand test

* Revert small change
2024-09-20 14:43:29 +02:00
ddee95cb6d Team: Create permission type for team membership (#92352)
* Create permission type enum for team and remove usage of dashboard permission type
2024-08-23 12:34:34 +02:00
028e8ac59e Instrument tracing across accesscontrol (#91864)
Instrument tracing across accesscontrol 

---------

Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
2024-08-16 14:08:19 -08:00
8bcd9c2594 Identity: Remove typed id (#91801)
* Refactor identity struct to store type in separate field

* Update ResolveIdentity to take string representation of typedID

* Add IsIdentityType to requester interface

* Use IsIdentityType from interface

* Remove usage of TypedID

* Remote typedID struct

* fix GetInternalID
2024-08-13 10:18:28 +02:00
21d4a4f49e Auth: use IdentityType from authlib (#91763) 2024-08-12 09:26:53 +03:00
9db3bc926e Identity: Rename "namespace" to "type" in the requester interface (#90567) 2024-07-25 12:52:14 +03:00
77a4869fca accesscontrol service read replica (#89963)
* accesscontrol service read replica
* now using the ReplDB interface
* ReadReplica for GetUser
2024-07-08 10:00:13 -04:00
99d8025829 Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
34c40f959f RBAC: Add and resolve action sets when searching user's permissions (#88694)
* include and resolve action sets when fetching user's permissions

* expand both action and action prefix (returns an empty set for the one that isn't specified)
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* if action is specified, check for exact match; also extend tests
2024-06-12 11:20:19 +03:00
910553df20 Actionsets: Add cfg option for only writing actionsets (#88367)
* test

* test

* missed test

* fix review comments
2024-05-28 16:32:23 +01:00
105313f5c2 RBAC: Adding action set resolver for RBAC evaluation (#86801)
* add action set resolver

* rename variables

* some fixes and some tests

* more tests

* more tests, and put action set storing behind a feature toggle

* undo change from cfg to feature mgmt - will cover it in a separate PR due to the amount of test changes

* fix dependency cycle, update some tests

* add one more test

* fix for feature toggle check not being set on test configs

* linting fixes

* check that action set name can be split nicely

* clean up tests by turning GetActionSetNames into a function

* undo accidental change

* test fix

* more test fixes
2024-05-09 10:18:03 +01:00
82dea4b3e5 Access control: Cache basic roles and teams permissions (#87043)
* RBAC: Cache basic roles permissions

* Cache teams permissions

* Set cache TTL to 1 minute

* Add OSS implementation

* Fetch basic role permissions correctly

* fix conflict_user_command

* Fix teams permissions query

* Add traces for GetUserPermissions

* Fix folders tests

* Fix colflict user command

* Update store mock

* Fix linter error

* Reuse GetUserPermissions for fetching basic roles

* tests for GetTeamsPermissions

* pre-allocate slice capacity

* Fix linter
2024-05-07 15:23:11 +02:00
41bee274fd Chore: Fix error handling in postDashboard, remove UserDisplayDTO, fix live redis client initialization (#87206)
* clean up error handling in postDashboard and remove UserDisplayDTO

* replace GetUserUID with GetUID and GetNamespacedUID, enforce namespace constant type

* lint fix

* lint fix

* more lint fixes
2024-05-06 14:17:34 -04:00
a2cba3d0b5 User: Add tracing (#87028)
* Inject tracer in tests

* Annotate with traces

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-04-30 13:15:56 +02:00
cee713e34c Chore: Add tracing to team service (#86999)
* add tracing to team service

* another test fix

* pass in context for team creation and membership checking
2024-04-29 11:32:03 +01:00
8028d1c3e1 Chore: Update tests to use team membership hooks (#86846)
* update tests to use team membership hooks

* linting
2024-04-24 16:55:42 +01:00
522a98c126 Chore: Make Cfg field private in SQLStore (#85593)
* make cfg private in sqlstore

* fix db init in tests

* fix case

* fix folder test init

* fix imports

* make another Cfg private

* remove another Cfg

* remove unused variable

* use store cfg, it has side-effects

* fix mutated cfg in tests
2024-04-24 10:38:40 +02:00
ddabef9895 RBAC: Add actionsets struct and write path (#86108)
* Add actionsets struct and failing test

* update from review

* review comments

* review comments update

* refactor: create interface

* actionset service

* fix tests

* move from wireoss to wire

* Apply suggestions from code review

remove unnecessary comments

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* nil for the actionsetservice

* Revert "nil for the actionsetservice"

This reverts commit e3d3cc817180c1927dea430191f1e940f5c01272.

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-04-19 15:38:14 +01:00
5e48804364 RBAC: Fix slow user permission search query on MySQL (#85058)
* Bench testing search user perm

* Add BenchmarkSearchUsersPermissions_1K_1K

* Clarify benchmark searches by action prefix

* Make MySQL more efficient

* Move all filter options

* Expand after assignments union

* update comments
2024-03-25 19:11:17 +01:00
82a88cc83f Access control: Extend GetUserPermissions() to query permissions in org (#83392)
* Access control: Extend GetUserPermissions() to query permissions in specific org

* Use db query to fetch permissions in org

* refactor

* refactor

* use conditional join

* minor refactor

* Add test cases

* Search permissions correctly in OSS vs Enterprise

* Get permissions from memory

* Refactor

* remove unused func

* Add tests for GetUserPermissionsInOrg

* fix linter
2024-03-04 13:29:13 +01:00
8d9921a5ba RBAC: Fix delete team permissions on team delete (#83442)
* RBAC: Remove team permissions on delete

* Remove unecessary deletes from store function

* Nit on mock

* Add test to the database

* Nit on comment

* Add another test to check that other permissions remain
2024-02-27 12:21:26 +01:00
Jo
cc3b088b6c Teams: Fix missing context in team service (#83327)
fix missing context in team service
2024-02-27 11:10:54 +01:00
846eadff63 RBAC Search: Replace userLogin filter by namespacedID filter (#81810)
* Add namespace ID

* Refactor and add tests

* Rename maxOneOption -> atMostOneOption

* Add ToDo

* Remove UserLogin & UserID for NamespaceID

Co-authored-by: jguer <joao.guerreiro@grafana.com>

* Remove unecessary import of the userSvc

* Update pkg/services/accesscontrol/acimpl/service.go

* fix 1 -> userID

* Update pkg/services/accesscontrol/accesscontrol.go

---------

Co-authored-by: jguer <joao.guerreiro@grafana.com>
2024-02-16 11:42:36 +01:00
1315c67c8b Team/User: UID migrations (#82298)
* Add user uid migration to run on every startup to protect against empty values in a upgrade downgrade scenario

* Add team uid migration to run on every startup to protect against empty values in a upgrade downgrade scenario

* Run team uid migration
2024-02-12 14:48:29 +01:00
790e1feb93 Chore: Update test database initialization (#81673)
* streamline initialization of test databases, support on-disk sqlite test db

* clean up test databases

* introduce testsuite helper

* use testsuite everywhere we use a test db

* update documentation

* improve error handling

* disable entity integration test until we can figure out locking error
2024-02-09 09:35:39 -05:00
dce9d1e87c RBAC: Search endpoint support wildcards (#80383)
* RBAC: Search endpoint support wildcards

* Allow wildcard filter with RAM permissions as well
2024-01-17 17:07:47 +01:00
72d32eed27 ExtSvcAuth: Assign roles locally (#78669)
* ExtSvcAuth: Assign roles locally

* Fix test

* HandlePluginStateChanged in the OrgID

* Remove Global from command

* Use AssignmentOrgID instead of OrgID

* Remove unecessary test case
2023-11-29 12:12:30 +01:00
Jo
0de66a8099 Authz: Remove use of SignedInUser copy for permission evaluation (#78448)
* remove use of SignedInUserCopies

* add extra safety to not cross assign permissions

unwind circular dependency

dashboardacl->dashboardaccess

fix missing import

* correctly set teams for permissions

* fix missing inits

* nit: check err

* exit early for api keys
2023-11-22 14:20:22 +01:00
ae5e03034b RBAC: generated prefixed uids for external service role (#76601)
* Replace FixedRoleUID function with a common function to generate these prefixes

* Use common function to generate prefixed uid for external service accounts

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>

---------

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
2023-10-16 13:12:16 +02:00
729f9a01a0 RBAC: Fix search user permissions (#74729)
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2023-09-13 15:19:19 +02:00
025b2f3011 Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
cfa1a2c55f RBAC: Split non-empty scopes into kind, attribute and identifier fields for better search performance (#71933)
* add a feature toggle

* add the fields for attribute, kind and identifier to permission

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* set the new fields when new permissions are stored

* add migrations

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* remove comments

* Update pkg/services/accesscontrol/migrator/migrator.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split

* PR feedback: add a comment and revert an accidentally changed file

* PR feedback: handle the case with : in resource identifier

* switch from checking feature toggle through cfg to checking it through featuremgmt

* don't put the column migrations behind a feature toggle after all - this breaks permission queries from db

---------

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-07-21 15:23:01 +01:00
607670a9fa Auth: Use SHA-1 for generating an ID for External Service Role (#71079)
* Use sha1 (160 bit hash)

* Update pkg/services/accesscontrol/database/externalservices.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Satisfy linter, clean up

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-07-10 09:47:33 +02:00
e7da2a179e Schema: Add schema for role+access policies (#68047) 2023-05-24 10:31:57 -07:00
d7eea0d207 RBAC: Add a function to delete external service roles (#68317)
* RBAC: Add function to delete external service roles

* Adding a test to the service

* Update pkg/services/accesscontrol/acimpl/service_test.go

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-05-16 15:01:27 +02:00
8c6b5a4319 RBAC: Add a function to save external service roles (#66299)
* AuthN: Save external services RBAC roles

* Add missing test

* Placing roles in the same group

* Split function to gen role and assignment

* add test case and comments

* Ensure we check external service roles are assigned once only

* Update pkg/services/accesscontrol/models_test.go

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

---------

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
2023-05-09 13:19:38 +02:00
Jo
c8db771939 Users: Fix org user always getting org id = 1 on auto assign false (#63708)
* fix org user always getting org id = 1 on auto assign false

* make tests explicit

* use correct cfg in service accounts

* fix api tests

* fix database test of ac

* fix InsertOrgUser returning affected rows as orgID
2023-02-24 18:08:44 +01:00
Jo
f9163351fd Support bundles: Refactor registry into separate service (#62945)
* add bundle registry service to avoid dependency cycles

* move user support bundle collector to user service

* move usage stat bundle implementation to usage stats

* add info for background service

* fix remaining imports

* whitespace
2023-02-06 17:50:03 +01:00
e8b8a9e276 chore: move dashboard_acl models into dashboard service (#62151) 2023-01-26 08:46:30 -05:00
f2ffce4351 Chore: Move team models to models pkg (#61262)
* Chore: Move team models to models pkg

* Fix ACL tests

* More ACL tests

* Change Id to ID in conflict user command test

* Remove team from models

* Fix ac test lint
2023-01-11 14:20:09 +01:00
6aa5a79cad Access control: endpoint for searching single user permissions (#59669)
* initial commit

* clean up

* fix a bug and add tests

* more tests

* undo some unintended changes

* undo some unintended changes

* linting

* PR feedback - add user ID to search options

* simplify the query

* Apply suggestions from code review

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* remove unneeded formatting changes

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-12-14 10:53:25 +00:00
6d1bcd9f40 DataSourcePermissions: Handle licensing properly for ds permissions (#59694)
* RBAC: add viewer grand if dspermissions enforcement is not enabled

* RBAC: Change permissions based on role prefix

* RBAC: Add option to for permission service to add a license middleware

* RBAC: Remove actions from query struct
2022-12-02 13:19:14 +01:00
bf49c20050 RBAC: Add an endpoint to list all user permissions (#57644)
* RBAC: Add an endpoint to see all user permissions

Co-authored-by: Joey Orlando <joey.orlando@grafana.com>

* Fix mock

* Add feature flag

* Fix merging

* Return normal permissions instead of simplified ones

* Fix test

* Fix tests

* Fix tests

* Create benchtests

* Split function to get basic roles

* Comments

* Reorg

* Add two more tests to the bench

* bench comment

* Re-ran the test

* Rename GetUsersPermissions to SearchUsersPermissions and prepare search options

* Remove from model unused struct

* Start adding option to get permissions by Action+Scope

* Wrong import

* Action and Scope

* slightly tweak users permissions actionPrefix query param validation logic

* Fix xor check

* Lint

* Account for suggeston

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add search

* Remove comment on global scope

* use union all and update test to make it run on all dbs

* Fix MySQL needs a space

* Account for suggestion.

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

Co-authored-by: Joey Orlando <joey.orlando@grafana.com>
Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-11-30 15:38:49 +01:00