* AccessControl: Change teams permissions page when frontend is hit
* Implement frontend changes for group sync
* Changing the org/teams/edit permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Fixing routes
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Use props straight away no need to go through the state
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Update public/app/features/teams/TeamPages.tsx
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* move some changes from branch to the skeleton PR
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* moving resourceservice to the main wire file pt2
* move team related actions so that they can be reused
* PR feedback
* fix
* typo
* Access Control: adding hooks for team member endpoints (#43991)
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* add access control to list and add team member endpoint, and hooks for adding team members
* member permission type is 0
* add ID scope for team permission checks
* add more team actions, use Member for member permission name
* protect team member update endpoint with FGAC permissions
* update SQL functions for teams and the corresponding tests
* also protect team member removal endpoint with FGAC permissions and add a hook to permission service
* a few small fixes, provide team permission service to test setup
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* move some changes from branch to the skeleton PR
* remove resource services from wireexts
* remove unneeded actions
* linting fix
* remove comments
* feedback fixes
* feedback
* simplifying
* remove team member within the same transaction
* fix a mistake with the error
* call the correct sql fction
* linting
* Access control: tests for team member endpoints (#44177)
* tests for team member endpoints
* clean up and fix the tests
* fixing tests take 2
* don't import enterprise test license
* don't import enterprise test license
* remove unused variable
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Separate Tracer interface to TracerService and Tracer
* Fix lint
* Fix:Make it possible to start spans for both opentracing and opentelemetry in ds proxy
* Add span methods, use span interface for rest of tracing
* Fix logs in tracing
* Fix tests that are related to tracing
* Fix resourcepermissions test
* Fix some tests
* Fix more tests
* Add TracingService to wire cli runner
* Remove GlobalTracer from bus
* Renaming test function
* Remove GlobalTracer from TSDB
* Replace GlobalTracer in api
* Adjust tests to the InitializeForTests func
* Remove GlobalTracer from services
* Remove GlobalTracer
* Remove bus.NewTest
* Remove Tracer interface
* Add InitializeForBus
* Simplify tests
* Clean up tests
* Rename TracerService to Tracer
* Update pkg/middleware/request_tracing.go
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Initialize tracer before passing it to SQLStore initialization in commands
* Remove tests for opentracing
* Set span attributes correctly, remove unnecessary trace initiliazation form test
* Add tracer instance to newSQLStore
* Fix changes due to rebase
* Add modified tracing middleware test
* Fix opentracing implementation tags
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Chore: Refactor api handlers to use web.Bind
* fix comments
* fix comment
* trying to fix most of the tests and force routing.Wrap type check
* fix library panels tests
* fix frontend logging tests
* allow passing nil as a response to skip writing
* return nil instead of the response
* rewrite login handler function types
* remove handlerFuncCtx
* make linter happy
* remove old bindings from the libraryelements
* restore comments
* AccessControl: Check permissions in target org
* Remove org scopes and add an authorizeInOrg middleware
* Use query result org id and perform users permission check globally for GetOrgByName
* Remove scope translation for orgs current
* Suggestion from Ieva
* Extract search users to a new service
* Fix wire provider
* Fix common_test and remove RouteRegister
* Remove old endpoints
* Fix test
* Create search filters using interfaces
* Move Enterprise filter, rename filter for filters and allow use filters with params
* Each filter has unique key
* Back activeLast30Days filter to OSS
* Fix tests
* Delete unusued param
* Move filters to searchusers service and small refactor
* Fix tests
* Extract search users to a new service
* Fix wire provider
* Fix common_test and remove RouteRegister
* Remove old endpoints
* Fix test
* Add indexes to dashboards and orgs tables
* Fix lint
* AccessControl: add one-dimensional permissions to datasources in the backend
* AccessControl: add one-dimensional permissions to datasources in the frontend (#38080)
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Fixes#30144
Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* add a more flexible way to create permissions
* update interface for accesscontrol to use new eval interface
* use new eval interface
* update middleware to use new eval interface
* remove evaluator function and move metrics to service
* add tests for accesscontrol middleware
* Remove failed function from interface and update inejct to create a new
evaluator
* Change name
* Support Several sopes for a permission
* use evaluator and update fakeAccessControl
* Implement String that will return string representation of permissions
for an evaluator
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* AccessControl: Implement a way to register fixed roles
* Add context to register func
* Use FixedRoleGrantsMap instead of FixedRoleGrants
* Removed FixedRoles map to sync.map
* Wrote test for accesscontrol and provisioning
* Use mutexes+map instead of sync maps
* Create a sync map struct out of a Map and a Mutex
* Create a sync map struct for grants as well
* Validate builtin roles
* Make validation public to access control
* Handle errors consistently with what seeder does
* Keep errors consistant amongst accesscontrol impl
* Handle registration error
* Reverse the registration direction thanks to a RoleRegistrant interface
* Removed sync map in favor for simple maps since registration now happens during init
* Work on the Registrant interface
* Remove the Register Role from the interface to have services returning their registrations instead
* Adding context to RegisterRegistrantsRoles and update descriptions
* little bit of cosmetics
* Making sure provisioning is ran after role registration
* test for role registration
* Change the accesscontrol interface to use a variadic
* check if accesscontrol is enabled
* Add a new test for RegisterFixedRoles and fix assign which was buggy
* Moved RegistrationList def to roles.go
* Change provisioning role's description
* Better comment on RegisterFixedRoles
* Correct comment on ValidateFixedRole
* Simplify helper func to removeRoleHelper
* Add log to saveFixedRole and assignFixedRole
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
* add accesscontrol action for stats read
* use accesscontrol middleware for stats route
* add fixed role with permissions to read sever stats
* add accesscontrol action for settings read
* use accesscontrol middleware for settings route
* add fixed role with permissions to read settings
* add accesscontrol tests for AdminGetSettings and AdminGetStats
* add ability to scope settings
* add tests for AdminGetSettings
* Add new accesscontrol action for ldap config reload
* Update ldapAdminEditRole with new ldap config reload permission
* wrap /ldap/reload with accesscontrol authorize middleware
* document new action and update fixed:ldap:admin:edit with said action
* add fake accesscontrol implementation for tests
* Add accesscontrol tests for ldap handlers
Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
* Chore: moves common and response into separate packages
* Chore: moves common and response into separate packages
* Update pkg/api/utils/common.go
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
* Chore: changes after PR comments
* Chore: move wrap to routing package
* Chore: move functions in common to response package
* Chore: move functions in common to response package
* Chore: formats imports
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
* middleware: Move context handler to own service
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
* Add an option to hide certain users in the UI
* revert changes for admin users routes
* fix sqlstore function name
* Improve slice management
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Hidden users: convert slice to map
* filter with user logins instead of IDs
* put HiddenUsers in Cfg struct
* hide hidden users from dashboards/folders permissions list
* Update conf/defaults.ini
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
* fix params order
* fix tests
* fix dashboard/folder update with hidden user
* add team tests
* add dashboard and folder permissions tests
* fixes after merge
* fix tests
* API: add test for org users endpoints
* update hidden users management for dashboard / folder permissions
* improve dashboard / folder permissions tests
* fixes after merge
* Guardian: add hidden acl tests
* API: add team members tests
* fix team sql syntax for postgres
* api tests update
* fix linter error
* fix tests errors after merge
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* Chore: Convert tests to standard Go lib
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
By storing render key in remote cache it will enable
image renderer to use public facing url or load
balancer url to render images and thereby remove
the requirement of image renderer having to use the
url of the originating Grafana instance when running
HA setup (multiple Grafana instances).
Fixes#17704
Ref grafana/grafana-image-renderer#91
* Add tests for login view
* Fix OAuth auto login redirect loop
login_error cookie is only set when the OAuth login fails
for some reason. Therefore, the login view should return
immediately if a login_error cookie exists before trying
to login the user using OAuth again.
* Fix test
Use 'index-template' instead of 'index' for testing
* Add some comments
