* Add showPolicies prop
* Add manage permissions component for easier reuse within alerting
* Add method for checking whether to show access control within alerting
* Remove accidental console.log from main
* Tweak styling for contact point width and add manage permissions drawer
* Improve typing for access control type response
* Add basic test for manage permissions on contact points list
* Only show manage permissions if grafana AM and alertingApiServer is enabled
* Update i18n
* Add test utils for turning features on and back off
* Add access control handlers
* Update tests with new util
* Pass AM in and add tests
* Receiver OSS resource permissions
There is a complication that is not fully addressed: Viewer defaults to read:*
and Editor defaults to read+write+delete:*
This is different to other resource permissions where non-admin are not granted
any global permissions and instead access is handled solely by resource-specific
permissions that are populated on create and removed on delete.
This allows them to easily remove permission to view or edit a single resource
from basic roles.
The reason this is tricky here is that we have multiple APIs that can
create/delete receivers: config api, provisioning api, and k8s receivers api.
Config api in particular is not well-equipped to determine when creates/deletes
are happening and thus ensuring that the proper resource-specific permissions
are created/deleted is finicky.
We would also have to create a migration to populate resource-specific
permissions for all current receivers. This migration would need to be reset so
it can run again if the flag is disabled.
* Add access control permissions
* Pass in contact point ID to receivers form
* Temporarily remove access control check for contact points
* Include access control metadata in k8s receiver List & Get
GET: Always included.
LIST: Included by adding a label selector with value `grafana.com/accessControl`
* Include new permissions for contact points navbar
* Fix receiver creator fixed role to not give global read
* Include in-use metadata in k8s receiver List & Get
GET: Always included.
LIST: Included by adding a label selector with value `grafana.com/inUse`
* Add receiver creator permission to receiver writer
* Add receiver creator permission to navbar
* Always allow listing receivers, don't return 403
* Remove receiver read precondition from receiver create
Otherwise, Creator role will not be able to create their first receiver
* Update routes permissions
* Add further support for RBAC in contact points
* Update routes permissions
* Update contact points header logic
* Back out test feature toggle refactor
Not working atm, not sure why
* Tidy up imports
* Update mock permissions
* Revert more test changes
* Update i18n
* Sync inuse metadata pr
* Add back canAdmin permissions after main merge
* Split out check for policies navtree item
* Tidy up utils and imports and fix rules in use
* Fix contact point tests and act warnings
* Add missing ReceiverPermissionAdmin after merge conflict
* Move contact points permissions
* Only show contact points filter when permissions are correct
* Move to constants
* Fallback to empty array and remove labelSelectors (not needed)
* Allow `toAbility` to take multiple actions
* Show builtin alertmanager if contact points permission
* Add empty state and hide templates if missing permissions
* Translations
* Tidy up mock data
* Fix tests and templates permission
* Update message for unused contact points
* Don't return 403 when user lists receivers and has access to none
* Fix receiver create not adding empty uid permissions
* Move SetDefaultPermissions to ReceiverPermissionService
* Have SetDefaultPermissions use uid from string
Fixes circular dependency
* Add FakeReceiverPermissionsService and fix test wiring
* Implement resource permission handling in provisioning API and renames
Create: Sets to default permissions
Delete: Removes permissions
Update: If receiver name is modified and the new name doesn't exist, it copies
the permissions from the old receiver to the newly created one. If old receiver
is now empty, it removes the old permissions as well.
* Split contact point permissions checks for read/modify
* Generalise getting annotation values from k8s entities
* Proxy RouteDeleteAlertingConfig through MultiOrgAlertmanager
* Cleanup permissions on config api reset and restore
* Cleanup permissions on config api POST
note this is still not available with feature flag enabled
* Gate the permission manager behind FF until initial migration is added
* Sync changes from config api PR
* Switch to named export
* Revert unnecessary changes
* Revert Filter auth change and implement in k8s api only
* Don't allow new scoped permissions to give access without FF
Prevents complications around mixed support for the scoped permissions causing
oddities in the UI.
* Fix integration tests to account for list permission change
* Move to `permissions` file
* Add additional tests for contact points
* Fix redirect for viewer on edit page
* Combine alerting test utils and move to new file location
* Allow new permissions to access provisioning export paths with FF
* Always allow exporting if its grafana flavoured
* Fix logic for showing auto generated policies
* Fix delete logic for contact point only referenced by a rule
* Suppress warning message when renaming a contact point
* Clear team and role perm cache on receiver rename
Prevents temporarily broken UI permissions after rename when a user's source of
elevated permissions comes from a cached team or basic role permission.
* Debug log failed cache clear on CopyPermissions
---------
Co-authored-by: Matt Jacobson <matthew.jacobson@grafana.com>
* update eslint, tsconfig + esbuild to handle new jsx transform
* remove thing that breaks the new jsx transform
* remove react imports
* adjust grafana-icons build
* is this the correct syntax?
* try this
* well this was much easier than expected...
* change grafana-plugin-configs webpack config
* fixes
* fix lockfile
* fix 2 more violations
* use path.resolve instead of require.resolve
* remove react import
* fix react imports
* more fixes
* remove React import
* remove import React from docs
* remove another react import
* Grafana/ui: Add Space component
* Add responsive styles and prop docs
* Use the Box component
* Docs
* Replace the component from grafana/experimental
* Update story
* Tweak docs
* Adjust docs
* remove all the things
* fix OldFolderPicker tests
* i18n
* remove more unused code
* remove mutation of error object since it's now frozen in the redux state
* fix error handling
* grafana/ui: Move Stack out of unstable
* grafana/ui: Replace imports
* Replace the import from experimental
* Cleanup
* Remove invalid prop
* Add flexGrow
* Remove Stack used in Field
* Remove import
* create new feature toggle + start to put stuff behind it
* block move, tidy up interfaces
* fix new/folder actions buttons
* show warning when deleting library panels/alert rules + run i18n:extract
* pseudo
* update unit tests
* pass alert in description
* Allow setting role as None
Co-authored-by: gamab <gabi.mabs@gmail.com>
Seeking for places where role.None would be used
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Adding None role to the frontend
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
unify org role declaration and remove from add permission
fix backend test
fix backend lint
* remove role none from frontend
* Simplify checks
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* nits
---------
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* I18n:Mark up Permissions
* Mark up strings in Permissions file
* I18n:Mark up phrases for on Permissions drawer
* I18n:Mark up phrases for translation on Permissions page
* I18n:Mark up phrases for translation on Permissions page
* Made the changes based on suggestions received
* restore translations
* Run extract again
* Center align cell items
* Change empty folder message + style
* Use new Text components in TypeCell
* Use new components in Move and Delete modals
* fix test
* Change spinner in DescendantsCount to the same font size as the text to prevent layout shift
* move permissions to a drawer when nested folders is enabled
* only show count when resource is folder
* Extract descendant count out into its own component
* remove label
* Remove single member team restriction
* Add label when permissions list is empty
* Fix unit tests
* Add co-author.
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Revert "Service accounts: Add service account to teams (#51536)"
This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609.
* remove unneeded line
* fix test
* Revert "Serviceaccounts: #48995
Do not display service accounts assigned to team (#48995)"
This reverts commit cbf71fbd7fc444cf298ff39e5777ba24fe5a4210.
* fix: test to not include more actions than necessary
* adding service accounts to teams - backend and frontend changes
* also support SA addition through the old team membership endpoints
* fix tests
* tests
* serviceaccounts permission tests
* serviceaccounts permission service tests run
* added back test that was removed by accident
* lint
* refactor: add testoptionsTeams
* fix a bug
* service account picker change
* explicitly set SA managed permissions to false for dash and folders
* lint
* allow team creator to list service accounts
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove banner when missing permissions to list users
* For OSS allow users to list other users if they have permissions to
write either team, dashboard or folder permissions
* AccessControl: Show UserPicker based on canListUser
* Update public/app/core/components/AccessControl/AddPermission.tsx
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Setting default values for props
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Using table instead
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
