Gabriel MABILLE
df8b6e6862
Fix: Close grpc_authenticator fallback trace ( #96009 )
Fix: Close grpc_authenticator trace
2024-11-07 11:29:25 +01:00
Gabriel MABILLE
5a0ef46280
Add tracing to the gRPC Authentication flow ( #94466 )
commit ad4df4b3f63bdf3e16423ac8c3fdb1a7fae5582e
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Oct 24 10:24:04 2024 +0200
nit
commit eb8b9cf2f3e27cae258b3ae310f1584da5ba36b5
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Oct 24 10:23:25 2024 +0200
miss
commit aab1aed204a5dedcc6dd187b2f636995bbe2c5c6
Merge: 5aafdec9233 7fe710b141
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Oct 24 10:22:05 2024 +0200
Merge remote-tracking branch 'origin/main' into gamab/resourcestore/tracing
commit 5aafdec9233d6824cba977b069d71eabc3d21a8d
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 18:03:56 2024 +0200
Did not fix the issue
commit 20522a7f64222fad27268ac640d4b4fb9259c748
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 17:42:35 2024 +0200
Test
commit b45199a341b6a57e93927c9eb7de8d7758ed7619
Merge: c0fbbdb95d4 e9e2b11ba2
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 17:31:59 2024 +0200
Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing
commit e9e2b11ba2
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Wed Oct 16 18:28:31 2024 +0300
PR feedback: simplified fallback implementation
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit b5209dba64
Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com >
Date: Wed Oct 16 18:03:06 2024 +0300
Update pkg/services/authn/grpcutils/grpc_authenticator.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
commit c0fbbdb95d4605f349b902ca8698e7b560433867
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 10:32:52 2024 +0200
Add traces to fallback
commit 75aa8dcbd49288f1dca53cdf6e9a7b41688dff38
Merge: d92fafcaf0d 562d499e85
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 16 10:29:41 2024 +0200
Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing
commit 562d499e85
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Wed Oct 16 11:05:01 2024 +0300
switched to features.IsEnabledGlobally()
commit addc6aaca4
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Wed Oct 16 10:21:31 2024 +0300
imports cleanup
commit 7c6d80f6aa
Merge: 64a5e55d61 9dc2ccdbfd
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Wed Oct 16 10:18:54 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 64a5e55d61
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Oct 15 11:01:54 2024 +0300
cleanup
commit 4fe2c03457
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Oct 15 10:31:06 2024 +0300
always enable FlagAppPlatformGrpcClientAuth for k8s int tests
commit c7e36759cd
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Oct 15 10:30:43 2024 +0300
use sync.Once as it's more idiomatic
commit f5c2c79981
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Oct 14 20:43:48 2024 +0300
remove client side namespace extractor
commit 742295c89a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Oct 14 20:04:11 2024 +0300
avoid double registration of metrics (fallbackCounter)
commit a45998c8d3
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Oct 14 19:03:41 2024 +0300
use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy
commit ffdc301718
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Oct 14 18:37:22 2024 +0300
remove the NamespaceAuthorizer
The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
commit 4a03ed7d7d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Oct 14 15:59:08 2024 +0300
allow using the legacy resource client via
commit a2c30f5328
Merge: ead390f608 2f3c539d9b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Oct 14 14:08:32 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit ead390f608
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Fri Oct 11 09:38:49 2024 +0300
added server side gRPC authn fallback-to-legacy mechanism
- brought back the old gRPC authenticator
- added `grpc_server_authentication.legacy_fallback` config option
- introduced `AuthenticatorWithFallback`
- added telemetry to track fallbacks
commit d92fafcaf0db9c8d97a5d071759fc21ede7d8848
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 14:58:25 2024 +0200
Fix test
commit 54f05ff0fecf3d696a0e98621db6991282503917
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 14:42:18 2024 +0200
Forgot the tracer 😁
commit 3948048880c7a0eb2360a35b0cc9f3686f2edfef
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 14:02:41 2024 +0200
Add traces to NamespaceAuthorizer
commit cc695bb77c37a097174556303721fbc48b9464a0
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 13:56:48 2024 +0200
Add traces to authentication flow
commit 8686c46be5
Merge: 08c3d237dc 4a3ce66193
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 13:56:26 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 08c3d237dc
Merge: 33fd104cfd 84d580179d
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 12:41:57 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 33fd104cfd
Merge: 68af25fbc3 38f57d270a
Author: gamab <gabriel.mabille@grafana.com >
Date: Wed Oct 9 12:13:25 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 68af25fbc3
Author: Gabriel MABILLE <gamab@users.noreply.github.com >
Date: Mon Oct 7 16:31:09 2024 +0200
Update pkg/services/authz/config.go
commit 4fba5c9b32
Author: gamab <gabriel.mabille@grafana.com >
Date: Fri Oct 4 15:17:41 2024 +0200
PR Feedback
commit 86867a14ca
Author: Gabriel MABILLE <gamab@users.noreply.github.com >
Date: Fri Oct 4 15:13:06 2024 +0200
Update pkg/services/authn/grpcutils/config.go
Co-authored-by: Dan Cech <dcech@grafana.com >
commit c591631135
Merge: c80c46ca6a e37b43117b
Author: gamab <gabriel.mabille@grafana.com >
Date: Fri Oct 4 13:07:48 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit c80c46ca6a
Merge: 3acada9d47 4224d05934
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Oct 3 14:58:51 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 3acada9d47
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Fri Sep 27 17:39:59 2024 +0300
introducing `mode` config for gRPC auth server & client side
commit 914ca237e2
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Thu Sep 26 20:47:57 2024 +0300
Fixed integration tests
commit 71c33dcbe3
Merge: 52f248eebb 920d79680d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Thu Sep 26 19:25:33 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 52f248eebb
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 24 18:44:38 2024 +0300
updated namespace extractor usage
commit a6c977ba4d
Merge: fb7bbf743b 8da1d78c92
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 24 17:35:03 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit fb7bbf743b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 24 17:34:36 2024 +0300
unistor client side updates
commit a28440c40b
Merge: 79d9969aa8 a8b07b0c81
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 24 10:45:09 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 79d9969aa8
Author: gamab <gabriel.mabille@grafana.com >
Date: Mon Sep 9 16:14:02 2024 +0200
Rename NewResourceClient funcs
commit 36b3752490
Merge: 8ce354bb06 b89f3f8115
Author: gamab <gabriel.mabille@grafana.com >
Date: Mon Sep 9 16:00:54 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 8ce354bb06
Author: gamab <gabriel.mabille@grafana.com >
Date: Mon Sep 9 10:40:06 2024 +0200
Align
commit bdf79f3b2f
Merge: 8f4df8973d 8eb7e55f8f
Author: gamab <gabriel.mabille@grafana.com >
Date: Mon Sep 9 10:38:45 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 8f4df8973d
Merge: 2441cd8d53 9338e40dc3
Author: gamab <gabriel.mabille@grafana.com >
Date: Thu Sep 5 11:26:39 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 2441cd8d53
Merge: 2904074a2f 2bbce8a7f7
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 17:31:36 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 2904074a2f
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 16:35:25 2024 +0300
refactoring
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 125cb3c834
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 16:34:18 2024 +0300
refactoring (aesthetics)
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 499a31df53
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 15:59:09 2024 +0300
update usage of ReadGprcServerConfig()
commit f5d383644d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 15:44:09 2024 +0300
make update-workspace
commit 755485751e
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:43:22 2024 +0200
Fix trace
commit d09e14c26a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 15:42:50 2024 +0300
removed WithIDTokenExtractorOption, and other PR feedback
commit 21220c2cca
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:36:59 2024 +0200
Else statement
commit 6cf1efdcc4
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:35:02 2024 +0200
Mod update
commit 4b73a93883
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:32:20 2024 +0200
Add Auth func overrides
commit 6032ab3ae1
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:26:18 2024 +0200
Use NamespaceAuthorizer
commit 601beb5327
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:20:47 2024 +0200
Update authlib
commit a1b6408127
Merge: 0d70225c1a 1128c417d8
Author: gamab <gabriel.mabille@grafana.com >
Date: Tue Sep 3 14:18:49 2024 +0200
Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3
commit 0d70225c1a
Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com >
Date: Tue Sep 3 15:15:54 2024 +0300
Update pkg/services/authn/grpcutils/grpc_authenticator.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 62f165f6f9
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 10:55:45 2024 +0300
refactoring NamespaceAccessChecker usage and use CloudNamespaceFormatter in Cloud
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit bb5ee88d4f
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 10:39:11 2024 +0300
added stackIdExtractor for cloud mode
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 84866a8a51
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Sep 3 10:38:19 2024 +0300
authz client cfg changes
- removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
- reusing settings from "grpc_client_authentication", instead of duplicating in "authorization" section
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
commit 14a1021605
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 21:44:35 2024 +0300
make update-workspace
commit 84f8c9be94
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 21:36:10 2024 +0300
cleanup: refactoring leftover
commit 7fe8d62304
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:30:51 2024 +0300
update authlib version (small fix)
commit 7c2353ae25
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:17:11 2024 +0300
cleanup: remove unused `GrpcServerConfig.Mode`
commit 52b7cf8550
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:06:59 2024 +0300
make update-workspace
commit 14ddfbd8fb
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:02:40 2024 +0300
finalize authlib grpc interceptors usage
commit 884c4a8c24
Merge: 0fd1988bed a1190b165b
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Sep 2 19:00:07 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 0fd1988bed
Merge: b766bfb24f e0950a1283
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Fri Aug 30 10:45:51 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit b766bfb24f
Merge: 6993f108a2 68751ed310
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Wed Aug 28 15:46:04 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 6993f108a2
Merge: 5f073b04d0 f1ba609b34
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Tue Aug 27 12:51:07 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 5f073b04d0
Merge: 0620891d45 ac5ebe6e4d
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Aug 19 21:09:44 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 0620891d45
Merge: 6a272e8e2a 15f2b08f00
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Mon Aug 12 14:14:44 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 6a272e8e2a
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Thu Aug 8 18:53:43 2024 +0300
allow insecure conns in dev mode + refactoring
commit 31c7b030ba
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Thu Aug 8 10:31:13 2024 +0300
allow insecure connections (for testing purposes); remove audience checks
audience checks will still need to be done for Access tokens, but not for ID tokens
commit 0fdd2ff802
Merge: 763961210c f384759ad1
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Wed Aug 7 14:42:39 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 763961210c
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Fri Aug 2 18:54:29 2024 +0300
wip
commit c46b42a595
Merge: 92aba937a9 0145b0fe70
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Fri Aug 2 14:44:06 2024 +0300
Merge branch 'main' into drclau/unistor/replace-authenticators-3
commit 92aba937a9
Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
Date: Thu Aug 1 18:32:19 2024 +0300
authn: client side updates
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
2024-10-28 14:35:30 +02:00
Claudiu Dragalina-Paraipan
830600dab0
AuthN: Optionally use tokens for unified storage client authentication ( #91665 )
* extracted in-proc mode to #93124
* allow insecure conns in dev mode + refactoring
* removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
* remove the NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
* use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy
* extracted authz package changes in #95120
* extracted server side changes in #95086
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
Co-authored-by: gamab <gabriel.mabille@grafana.com >
Co-authored-by: Dan Cech <dcech@grafana.com >
2024-10-24 09:12:37 +02:00
Gabriel MABILLE
b68b69c2b4
AuthN: Use tokens for unified storage server authentication ( #95086 )
* Extract server code
---------
Co-authored-by: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com >
2024-10-23 15:04:15 +02:00
Misi
50a635bc7e
Auth: Introduce authn.SSOClientConfig to get client config from SSOSettings service ( #94618 )
* wip
* possible solution
* Separate interface for SSO settings clients
* Rename interface
* Fix tests
* Rename
* Change GetClientConfig to comma ok idiom
2024-10-16 16:27:44 +02:00
linoman
21d26de4d8
Session Refactor: Add SAMLSession ( #94490 )
* add saml session struct
* resolve saml session
* Add NameID
---------
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com >
2024-10-10 16:57:34 +02:00
Misi
c872cad879
OrgSync: Do not set default Organization for a user to a non-existent Organization ( #94537 )
Do not set default org for a user to a missing org
Co-authored-by: Karl Persson <kalle.persson@grafana.com >
2024-10-10 15:31:30 +02:00
Karl Persson
ace177f20a
AuthN: Set access token name ( #94471 )
* Set access token name
2024-10-09 17:08:11 +02:00
Misi
bd7850853e
Auth: Attach external session info to Grafana session ( #93849 )
* initial from poc changes
* wip
* Remove public external session service
* Update swagger
* Fix merge
* Cleanup
* Add background service for cleanup
* Add auth_module to user_external_session
* Add tests for token revocation functions
* Add secret migration capabilities for user_external_session fields
* Cleanup, refactor to address feedback
* Fix test
2024-10-08 11:03:29 +02:00
Misi
0539ccf10d
Auth: Fix redirection when auto_login is enabled ( #94311 )
* Fix for SAML auto login
* Fix for OAuth auto login
2024-10-07 14:59:00 +02:00
Misi
d411ce2664
Auth: Use sessionStorage instead of cookie for automatic redirection ( #92759 )
* WIP: working as expected, has to be tested
* Rename query param, small changes
* Remove unused code
* Address feedback
* Cleanup
* Use the feature toggle to control the behaviour
* Use the toggle on the FE too
* Prevent the extra redirect/reload
Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com >
* Return to login if user is not authenticated
* Add tracking issue
* Align BE redirect constructor to locationSvc
2024-09-24 18:38:09 +02:00
Claudiu Dragalina-Paraipan
a8b07b0c81
[authn] use authlib client+interceptors for in-proc mode ( #93124 )
* Add authlib gRPC authenticators for in-proc mode
* implement `StaticRequester` signing in the unified resource client
- [x] when the `claims.AuthInfo` value type is `identity.StaticRequester`, and there's no ID token set, create an internal token and sign it with symmetrical key. This is a workaround for `go-jose` not offering the possibility to create an unsigned token.
- [x] update `IDClaimsWrapper` to support the scenario above
- [x] Switch to using `claims.From()` in `dashboardSqlAccess.SaveDashboard()`
---------
Co-authored-by: gamab <gabriel.mabille@grafana.com >
2024-09-24 09:03:48 +03:00
Gabriel MABILLE
7714b65f32
Cfg: Deduplicate DefaultOrgID code ( #93588 )
Cfg: Expose DefaultOrgID function
2024-09-23 16:50:11 +02:00
Gabriel MABILLE
7ef13497a8
AuthN: Ext JWT support actions ( #92486 )
2024-09-19 14:25:43 +02:00
Karl Persson
56487d37db
Authn: No longer hash service account token twice during authentication ( #92598 )
* APIKey: Only decode and hash token once during authentication
* Only update last used every 5 minutes
2024-08-29 09:56:23 +02:00
Charandas
4f024d94d8
Authn: resolve issues with setting up a nil identity ( #92620 )
2024-08-29 00:49:41 +03:00
Charandas
af2e79aa83
K8s: namespace mapper should use authlib's util ( #92332 )
2024-08-27 15:01:42 -07:00
Ryan McKinley
2e60f28044
Auth: remove id token flag ( #92209 )
2024-08-21 16:30:17 +03:00
Dan Cech
9020eb4b17
Auth: Update oauthtoken service to use remote cache and server lock ( #90572 )
* update oauthtoken service to use remote cache and server lock
* remove token cache
* retry if lock is held by an in-flight refresh
* refactor token renewal to avoid race condition
* re-add refresh token expiry cache, but in SyncOauthTokenHook
* Add delta to the cache ttl
* Fix merge
* Change lockTimeConfig
* Always set the token from within the server lock
* Improvements
* early return when user is not authed by OAuth or refresh is disabled
* Allow more time for token refresh, tracing
* Retry on Mysql Deadlock error 1213
* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go
Co-authored-by: Dan Cech <dcech@grafana.com >
* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go
Co-authored-by: Dan Cech <dcech@grafana.com >
* Add settings for configuring min wait time between retries
* Add docs for the new setting
* Clean up
* Update docs/sources/setup-grafana/configure-grafana/_index.md
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com >
---------
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com >
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com >
2024-08-19 18:57:37 +02:00
Karl Persson
5105fb7f3a
Identity: remove GetIDClaims ( #91901 )
remove GetIDClaims
2024-08-15 11:39:13 +02:00
Karl Persson
8bcd9c2594
Identity: Remove typed id ( #91801 )
* Refactor identity struct to store type in separate field
* Update ResolveIdentity to take string representation of typedID
* Add IsIdentityType to requester interface
* Use IsIdentityType from interface
* Remove usage of TypedID
* Remove typedID struct
* fix GetInternalID
2024-08-13 10:18:28 +02:00
Ryan McKinley
21d4a4f49e
Auth: use IdentityType from authlib ( #91763 )
2024-08-12 09:26:53 +03:00
Ryan McKinley
243c0935fc
Auth: Use claims.AuthInfo in requester ( #91739 )
2024-08-09 19:46:56 +03:00
Karl Persson
bcfb66b416
Identity: remove GetTypedID ( #91745 )
2024-08-09 18:20:24 +03:00
Claudiu Dragalina-Paraipan
e2435f92f1
[authn]: add GetIDClaims() to Requester ( #91387 )
* authn: add GetIDClaims() to Requester
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
* authn: update StaticRequester
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
* update auth/idtest/mock
Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com >
* Fix test
Co-authored-by: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com >
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com >
Co-authored-by: gamab <gabriel.mabille@grafana.com >
2024-08-02 12:36:02 +03:00
Charandas
a3d3f9a1e4
Revert "Identity: Remove id token from extra info ( #91169 )" ( #91350 )
This reverts commit 10170cb839 .
2024-07-31 21:27:46 +03:00
Ryan McKinley
10170cb839
Identity: Remove id token from extra info ( #91169 )
2024-07-31 09:14:13 +03:00
Vardan Torosyan
e20f8c566d
RBAC sync: Fix removal of roles which need to be added ( #91152 )
* RBAC sync: Fix removal of roles which need to be added
* Optimize code
* cleanup: appease the linter
---------
Co-authored-by: Victor Cinaglia <victor@grafana.com >
2024-07-30 09:00:47 +02:00
Ryan McKinley
728150bdbd
Identity: extend k8s user.Info ( #90937 )
2024-07-30 08:27:23 +03:00
Ryan McKinley
9db3bc926e
Identity: Rename "namespace" to "type" in the requester interface ( #90567 )
2024-07-25 12:52:14 +03:00
Vardan Torosyan
82236976ae
Add support ticket fixed roles to cloud role sync ( #90864 )
* Add support ticket fixed roles to cloud role sync
* Adding tests
* Fix the linter
2024-07-24 17:58:21 +02:00
Charandas
4abb4d1662
ExtJwt: don't log verify errors as they spam for grafana-agent ( #90351 )
* ExtJwt: don't log verify errors as they spam for grafana-agent
* remove dead code
* revert unintended change
* revert unintended change
2024-07-11 18:23:43 -07:00
Mihai Doarna
bbd1611265
SSO: Register LDAP service if LDAP is enabled in SSO settings ( #90228 )
register LDAP service if LDAP is enabled in SSO settings
2024-07-11 13:53:43 +03:00
Charandas
c210617735
K8s: use contexthandler in standalone handler chain ( #90102 )
2024-07-08 12:22:10 -07:00
Karl Persson
7a78ad3893
Authn: Remove response writer from auth req ( #90110 )
Authn: Remove response writer from request
2024-07-05 11:42:12 +02:00
Misi
f337da8e57
Chore: Add more context to logs of OAuthToken and OAuthTokenSync ( #90071 )
Chore: Add more context to oauth token sync
2024-07-05 09:37:36 +02:00
Jeff Levin
cfe8317d45
Add auth spans and remove deduplication code for scopes ( #89804 )
Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com >
Co-authored-by: Dave Henderson <dave.henderson@grafana.com >
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com >
2024-07-02 22:08:57 -08:00
Jeff Levin
ed13959e33
Optimize memory allocations in permissions cache ( #89645 )
This PR reduces the number of allocations made while caching permissions from the database, fixes the hierarchy of spans and adds new spans for tracing.
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com >
Co-authored-by: Dave Henderson <dave.henderson@grafana.com >
2024-06-26 23:03:13 +03:00
Karl Persson
7f4faaa45b
ExtJWT: Remove test ( #89665 )
Remove test
2024-06-26 17:25:26 +02:00
Ryan McKinley
99d8025829
Chore: Move identity and errutil to apimachinery module ( #89116 )
2024-06-13 07:11:35 +03:00
Misi
2e811c5438
Chore: Use OrgRoleMapper in Grafana.com client ( #89013 )
* Use OrgRoleMapper in Grafana.com client
* Clean up
2024-06-11 14:53:05 +02:00
Misi
9a44296bc2
Auth: Add org to role mappings support to AzureAD/Entra integration ( #88861 )
* Added implementation and tests
* Add docs, simplify implementation
* Remove unused func
* Update docs
2024-06-10 12:08:30 +02:00
Karl Persson
f3efd95bb4
Auth: Add org to role mappings support to Google integration ( #88891 )
* Auth: Implement org role mapping for google oauth provider
* Update docs
* Remove unused function
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com >
2024-06-07 14:07:35 +02:00
Misi
4f2a9a47f3
Auth: Add org to role mappings support to Okta integration ( #88770 )
* Add org mapping support to Okta
* Update docs and configs
* Prettier docs
* Apply suggestions from code review
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com >
* Improve tests
---------
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com >
2024-06-06 10:35:06 +02:00
Karl Persson
f28905f8c4
Auth: Add org to role mappings support to Gitlab integration ( #88751 )
* Conf: Add org_mapping and org_attribute_path to github and gitlab conf
* Gitlab: Implement org role mapping
* Update docs
---------
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com >
2024-06-05 16:15:53 +02:00
Misi
eacf6e0a4d
Auth: Add org to role mappings support to GitHub integration ( #88537 )
* wip: add extra tests for verifying current logic
* Add OrgRole mapping and tests
* Update docs
* Clean up
* Update docs/sources/setup-grafana/configure-security/configure-authentication/github/index.md
Co-authored-by: Mihai Doarna <mihai.doarna@grafana.com >
* Update docs with None role
* Apply suggestions from code review
Co-authored-by: Jack Baldry <jack.baldry@grafana.com >
* Fix
* Prettier docs
* Cleanup tests
---------
Co-authored-by: Mihai Doarna <mihai.doarna@grafana.com >
Co-authored-by: Jack Baldry <jack.baldry@grafana.com >
2024-06-03 14:24:58 +02:00
Misi
ed6b3e9e7c
Auth: Introduce pre-logout hooks + add GCOM LogoutHook ( #88475 )
* Introduce preLogoutHooks in authn service
* Add gcom_logout_hook
* Config the api token from the Grafana config file
* Simplify
* Add tests for logout hook
* Clean up
* Update
* Address PR comment
* Fix
2024-05-30 15:52:16 +02:00
Carl Bergquist
6c79f63c04
Auth: Pass ctx when updating last seen ( #88496 )
Signed-off-by: bergquist <carl.bergquist@gmail.com >
2024-05-30 14:25:54 +02:00
Mathieu Parent
b8c9ae0eb7
OIDC: Support Generic OAuth org to role mappings ( #87394 )
* Social: link to OrgRoleMapper
* OIDC: support Generic Oauth org to role mappings
Fixes : #73448
Signed-off-by: Mathieu Parent <math.parent@gmail.com >
* Handle when getAllOrgs fails in the org_role_mapper
* Add more tests
* OIDC: ensure orgs are evaluated from API when not from token
Signed-off-by: Mathieu Parent <math.parent@gmail.com >
* OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict
Signed-off-by: Mathieu Parent <math.parent@gmail.com >
* Extend docs
* Fix test, lint
---------
Signed-off-by: Mathieu Parent <math.parent@gmail.com >
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com >
2024-05-23 09:55:45 +02:00
Kristin Laemmert
16b1e285ea
Chore: Use cache for all signed in user lookups ( #88133 )
* GetSignedInUser unexported (renamed to getSignedInUser)
* GetSignedInUserWithCacheCtx renamed to GetSignedInUser
* added a check for a nil cacheservice (as defensive programming / test convenience)
2024-05-22 08:58:16 -04:00