data.Frame (that can be series) are converted to as tsdb.TimeSeriesSlice - so new backend plugins can be shimmed into existing alerting
use sdk v0.31.0
* AlertNotifications: Translate notifications IDs to UIDs in alert Rule builder
* Avoid shadowing errors, raise validation error on non-existing notification id
* create a cache for notification Uids to minimize db overhead
* add cache usage test
* avoid caching empty notification Uids
* isolate db in alert notificationUid caching tests
* Hide plugins list from viewers
* Made /api/plugins only return core plugins for users with viewer role
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
* Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671)
This reverts commit 0e2d874ecf.
* Fix redirect validation (#22675)
* Chore: Add test for parse of app url and app sub url
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Fix redirect: prepend subpath only if it's missing (#22676)
* Validate redirect in login oauth (#22677)
* Fix invalid redirect for authenticated user (#22678)
* Login: Use correct path for OAuth logos
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Use v0.19.0 of SDK.
Support handling of streaming resource response.
Disable gzip/compression middleware for resources
to allow chunked/streaming response to clients the gzip
middleware had to be disabled since it buffers the full
response before sending it to the client.
Closes#22569
Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
* Stats: add active user count query
* License: add info in settings
* Stats: Retrieve active users stats for different roles
+ Clean files and tests
* Stats: add dialect.Quote in queries
* Stats: improve tests (require instead of assert)
* Stats: improve tests (require instead of assert)
* Add fallback to search_base_dns if group_search_base_dns is undefined.
refs: #20862
* removed newline to make lint-go happy
* Added requested changes on ldap.md for last commit
Refs: #21263
Moves common request proxy utilities to proxyutil package with
support for removing X-Forwarded-Host, X-Forwarded-Port,
X-Forwarded-Proto headers, setting X-Forwarded-For header
and cleaning Cookie header.
Using the proxyutil package to prepare and clean request
headers before resource calls.
Closes#21512
* clean PR #17366
* udpate vendor
* [WIP] Implement projects management for stackdriver
* [WIP] Implement projects management for stackdriver
* [WIP] Implement projects management for stackdriver
* Implement projects management for stackdriver
* [WIP][Tests] Fix errors
* clean anonymous struct
* remove await
* don't store project list
* Add default project on query editor
* gofmt
* Fix tests
* Move test data source to backend
* Use segment instead of dropdown. remove ensure default project since it's not being used anymore.
* Fix broken annotation editor
* Load gceDefaultAccount only once when in the config page
* Reset error message on auth type change
* Add metric find query for projects
* Remove debug code
* Fix broken tests
* Fix typings
* Fix lint error
* Slightly different approach - now having a distiction between config page default project, and project that is selectable from the dropdown in the query editor.
* Fix broken tests
* Attempt to fix strict ts errors
* Prevent state from being set multiple times
* Remove noOptionsMessage since it seems to be obosolete in react select
* One more attempt to solve ts strict error
* Interpolate project template variable. Make sure its loaded correctly when opening variable query editor first time
* Implicit any fix
* fix: typescript strict null check fixes
* Return empty array in case project endpoint fails
* Rename project to projectName to prevent clashing with legacy query prop
* Fix broken test
* fix: Stackdriver - template replace on filter label
should have a regex format as that escapes the dots
in the label name which is not valid.
Co-authored-by: Labesse Kévin <kevin@labesse.me>
Co-authored-by: Elias Cédric Laouiti <elias@abtasty.com>
Co-authored-by: Daniel Lee <dan.limerick@gmail.com>
This feature would provide a way for administrators to limit the minimum
dashboard refresh interval globally.
Filters out the refresh intervals available in the time picker that are lower
than the set minimum refresh interval in the configuration .ini file
Adds the minimum refresh interval as available in the time picker.
If the user tries to enter a refresh interval that is lower than the minimum
in the URL, defaults to the minimum interval.
When trying to update the JSON via the API, rejects the update if the
dashboard's refresh interval is lower than the minimum.
When trying to update a dashboard via provisioning having a lower
refresh interval than the minimum, defaults to the minimum interval
and logs a warning.
Fixes#3356
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
By storing render key in remote cache it will enable
image renderer to use public facing url or load
balancer url to render images and thereby remove
the requirement of image renderer having to use the
url of the originating Grafana instance when running
HA setup (multiple Grafana instances).
Fixes#17704
Ref grafana/grafana-image-renderer#91
Suppresses stacktrace in recovery middleware if error is
http.ErrAbortHandler.
Skips writing response error in recovery middleware if
resoonse have already been written.
Skips try rotate of auth token if response have already
been written.
Skips adding default response headers if response have
already been written.
Fixes#15728
Ref #18082
Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
Put the cipher suites with Forward Secrecy at or nearer the top, keeping any TLS v1.3 suites at the top, following best practice guides for the ordering of the rest. There is no change to the selection of suites only reordering.
Now any errors logged by http.ReverseProxy are forwarded to
Grafana's logger and includes more contextual information like
level (error), user id, org id, username, proxy path, referer and
IP address.
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
if the client closes the connection we should not
rotate token since the client will never receive the
new token.
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
* Start Angular migration
* Add SignupCtrl
* Change name signup
* Add backend call
* Put form in separate file
* Add form model
* Start using react-hook-forms
* Add FormModel to state
* Reduxify
* Connect nav with Redux
* Fix routing and navModel
* Fetch state options on mount
* Add default values and add button margin
* Add errror messages
* Fix title
* Remove files and cleanup
* Add Signup tests
* Add boot config assingnAutoOrg and verifyEmailEnabled
* Remove onmount call
* Remove ctrl and move everything to SignupForm
* Make routeParams optional for testing
* Remove name if it is empty
* Set username
* Make function component
* Fix subpath issues and add link button
* Move redux to SignupPage
* Implement Azure AD oauth
* Use go-jose and cleanup
* Update go-jose in go.mod
* cleanup
* Add unit tests
* Fix scopes
* Add documentation page
* Improve documentation
* Convert extract_role into function.
* Do not use upn and replace unique_name with preferred_username
* Configure login button
* Use official microsoft icon and color from branding guideline.
* Add Azure AD config section in sample.ini.
- Fix bug with NaN in alerting - Closes#21953
- Alert reducers (avg/max/etc) drop null values from their calculation. This change makes it so NaN values are handled in the same way as null values.
It was missing for ldap_login which means that the first signup failed
for users with LDAP+quota enabled. There's also potential cases where we
can't provide a request context (background jobs) which is also covered,
but needs a refactoring.
Drop indices and create new ones and rewrites annotation find query
to address performance issues when querying annotation table and
there is a large amount of rows.
Fixes#21902
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Kyle Brandt <kyle@kbrandt.com>
Add support for passing tags to Pagerduty and allow notification
on specific event categories such as Class, Group and Component.
Ref #19912, #19913
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
As part of the new improvements to JMESPath in #17149 a
commit ensuring Role and Email data could be queried from
id_token was lost.
This refactors and fixes extracting from both token and user
info api consistently where before only either token or
either user info api was used for extracting data/attributes.
Fixes#20243
Co-authored-by: Timo Wendt <timo@tjwendt.de>
Co-authored-by: twendt <timo@tjwendt.de>
Co-authored-by: henninge <henning@eggers.name>
Co-Authored-by: Henning Eggers <henning.eggers@inovex.de>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
6.2-beta1 changed so that data sources, dashboards and alert notifiers
are provisioned on service Init where's before only data sources and
alert notifiers was provisioned on service Init and dashboards was first
provisioned in service Run which happens after Grafana server have
started.
This change reverts so that dashboard provisioning are first happening
in service Run, after Grafana server have started.
Fixes#21133
* Calculate min period based on time range and no of queries
* Use hardcoded array of periods if period is not defined actively by the user
* Fix broken tests
* Use a smaller max period for auto interval
* Fix broken tests
* Test period calculation
* Test min retention period
* Fix broken test
* Rewrite angular segments for filter and group by in react
* wip: refactoring
* Update metric find queries
* Remove old maps used to create labels - use one map for all types instead
* Use value as label (again) for filters ang groupby
* Remove old filter
* Remove not used code
* Fixes after pr feedback
* Fix broken tests and add new metadata tests
* Add index file to make imports cleaner
* Cleanup. Remove old angular filter code
* Fix broken tests
* Use type switching instead of if statements
* Use globals for regex
* Updates after pr feedback
* Make sure it's possible to filter using the same key multiple times
* Replace metric select with segment component
* Pass template vars as props
* Refactor meta labels code
* Reorder template variables
* Fix broken tests
* Reset metric value when changing service
* Fix lint issue.
* Make tests independant of element order
* Include kubernetes.io in regex
* Add instruction in help section
* svc alerting - use a shorter ctx to upload the img
This will prevent timeout on img upload to cancel the notifications from being sent
* components img uploader - pass the ctx to aws lib
* make webdavuploader use the ctx
* make azureblobuploader use the ctx
* rename uploadImage() to renderAndUploadImage()
for better clarity about what this method work
* Use timeout + 2s for plugin renderer (same as service and phantomjs)
* Make sure that original EvalContext is updated after render and upload
* Verify notification sent even if render or image upload times out
* fix lint
* fixes after review
Co-authored-by: Edouard Hur <3418467+hekmon@users.noreply.github.com>
Fixes#21018
* wip: react rewrite
* Cleanup
* Break out non annontations specific fields
* Cleanup. Make annontations editor a functional component
* Remove redundant classnames
* Add paneldata to props
* Cleanup
* Fix rebase merge problem
* Updates after pr feedback
* Fix conflict with master
Adds support for collecting metrics from backend plugins and
exposing them thru Grafana's Prometheus metrics endpoint.
Enables to check health of backend plugin by using the route
`/api/plugins/<plugin id>/health`.
Uses sdk v0.6.0.
Closes#20984
By rotating the auth tokens at the end of the request we ensure
that there is minimum delay between a new token being generated
and the client receiving it.
Adds auth token slow load test which uses random latency for all
tsdb queries..
Cleans up datasource proxy response handling.
DefaultHandler in middleware tests should write a response, the
responseWriter BeforeFuncs wont get executed unless a response
is written.
Fixes#18644
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
#21350 introduced a bug regarding import of plugin dashboards.
This should fix this and add custom validation if not importing
plugin dashboard and dashboard property is missing.
Ref #21350
Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
Breaking change: If disabled the cookie samesite cookie attribute
will not be set, but if none the attribute will be set and is a
breaking change compared to before where none did not render the
attribute. This was due to a known issue in Safari.
Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
Fixes#19847
* add min_interval_seconds setting to alerting config
It will let operator enforce a minimum time for the scheduler to enqueue evaluations
* Introduce UI modifications
* Update docs
Co-authored-by: Martin <uepoch@users.noreply.github.com>
OpsGenie's model works heavily off of the priority of an alert,
e.g. routing and escalation. Currently this plugin only supports
the default "P3".
Setting a tag og_priority to the correct P-value, e.g. P1, P2, P3,
P4 or P5, will call the OpsGenie API with the correct priority value
set.
Add fallbackText to Google Chat notifications.
Definition of fallbackText: A plain-text description of the message's
cards, used when the actual cards cannot be displayed,
e.g. mobile notifications.
Fixes#21463
When an alert is sent by e-mail, the process sends an e-mail to
each recipient separately. This PR is a single delivery to all recipients.
For companies that use e-mail extensively, this is necessary in order
not to overload the sending queue.
Replaces #18013Fixes#12650
Co-authored-by: Henrique Oliveira <holiiveira@users.noreply.github.com>
* Settings: supports env overrrides for dynamic settings
* Settings: makes it possible to explicitly get env override support for dynamic settings
* Make linter happy
* Refactor redirect_to cookie with secure flag in middleware
* Refactor redirect_to cookie with secure flag in api/login
* Refactor redirect_to cookie with secure flag in api/login_oauth
* Removed the deletion of 'Set-Cookie' header to prevent logout
* Removed the deletion of 'Set-Cookie' at top of api/login.go
* Add HttpOnly flag on redirect_to cookies where missing
* Refactor duplicated code
* Add tests
* Refactor cookie options
* Replace local function for deleting cookie
* Delete redundant calls
Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
* Footer: Single footer implementation for both react & angular pages
* Export type
* Updates
* Use footer links in help menu
* Updates & Fixes
* Updated snapshot
* updated snapshot
* added alert state validation before changing its state
* modified boolean condition
* converted most occurring string into const
* referred the const of alert models
* imguploader: add support for non-Amazon S3 endpoints and forcing of path-style S3 addressing
fixes#11240
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
* Pagerduty notifier: configurable severity
Instead of hardcoding `critical` make it configurable per notification channel instance.
* fix html
* Add a test to ensure default severity is correct
* Notifications doc
* Add a non-default test
* Add err check on NewJson (all tests)
* Add default severity (critical) to AlertNotificationEditCtrl class
Adds support for region annotations in Postgres, MySQL and
MSSQL data sources by adding a column named timeend to
annotation query.
Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
Closes#20918
Ref #10589
Removes send_client_credentials_via_post oauth setting and
use auto-detect mechanism instead.
By these changes also fixes statichcheck errors
Ref #8968
Moving info log from phantomjs to rendering service
so it's logged for all kinds of renderers.
Add debug log for image renderer plugin and remote
renderer.
Profiling and tracing can now be enabled/disabled separately.
Adds argument for trace file path.
Support overriding profiling and tracing argument using
environment variables.
Update docs.
Fixes#20576
* refactor to multiple rows
* added name for org user struct
* added name getorgusers
* added user name to tableview
* made test pass
* updated userMocks to user name field
* added missing UsersTable snapshot
* added name on teammembers page, be able to search query for name, login and email
* added the updated snapshots
* conform to same sorting as output form
* conform to previous way of using it
* sort first by login and after by email, as it was before
Backend plugins is recommended to use hclog with json
formatting to get proper log output in grafana server log.
Old hclog-wrapper.go that I deleted while back is still in
the repo so deletes that.
* Remove highres flag since it's not being used
* Remove not used code. Init id field correctly
* Fix broken tests
* Remove GMS related calculations
* Rename period field
* Add breaking changes to changelog. Also update upgrading docs
* Update snapshot
* Update docs after feedback
* Changes after feedback
Problem was that yaml unmarshal returned nested maps as
map[interface{}]interface{} which are then not marshal-able
to json because of that interface{} key type. This adds explicit
casting of the keys in the yaml value types to string which
then makes the values marshal-able to JSON in DB.
Fixes: #11537
* Util: Optionally allow empty input in SplitHostPortDefault
Due to a recent change the SQL Server tests failed because passing an
empty datasource url in `util.SplitHostPortDefault` was no more allowed.
This fix contains the following modifications:
- Modifies the util.SplitHostPortDefault not to return an error for empty input.
- Modifies the util.SplitHostPort to return an error for empty input.
- Introduces an additional test for empty input.
The ordering of links in the navigation bar is currently based the order of the slice containing the navigation tree. Since Grafana supports adding more links to the navigation bar with `RunIndexDataHooks` which runs at the very end of the function this means that any link registered through a hook will be placed last in the slice and be displayed last in the menu. With this PR the ordering can be specified with a weight which allows for placing links created by extensions in a more intuitive place where applicable.
Stable sorting is used to ensure that the current FIFO ordering is preserved when either no weight is set or two items shares the same weight.
* CloudWatch: Datasource improvements
* Add statistic as template variale
* Add wildcard to list of values
* Template variable intercept dimension key
* Return row specific errors when transformation error occured
* Add meta feedback
* Make it possible to retrieve values without known metrics
* Add curated dashboard for EC2
* Fix broken tests
* Use correct dashboard name
* Display alert in case multi template var is being used for some certain props in the cloudwatch query
* Minor fixes after feedback
* Update dashboard json
* Update snapshot test
* Make sure region default is intercepted in cloudwatch link
* Update dashboards
* Include ec2 dashboard in ds
* Do not include ec2 dashboard in beta1
* Display actual region
* LDAP: last org admin (that's going to be removed) can login
Previously, if you tried to login with LDAP but were that last org admin
of an org that you would no longer be an admin of after sync (which
happens at login), you wouldn't be able to login due to an error.
Adds a new setting disable_admin_user and when true the default
admin user will not be created when Grafana starts for the first
time (or no users exists in the system).
Closes#19038
* AuthProxy: Can now login with auth proxy and get a login token
* added unit tests
* renamed setting and updated docs
* AuthProxy: minor tweak
* Fixed tests and namings
* spellfix
* fix
* remove unused setting, probably from merge conflict
* fix
The arching goal of this commit is to enable single user
synchronisation with LDAP. Also, it included minor fixes of style,
error messages and minor bug fixing.
The changes are:
- bug: The `multildap` package has its own errors when the user is
not found. We fixed the conditional branch on this error by asserting
on the `multildap` errors as opposed to the `ldap` one
- bug: The previous interface usage of `RevokeAllUserTokens` did not
work as expected. This replaces the manual injection of the service by
leveraging the service injected as part of the `server` struct.
- chore: Better error messages around not finding the user in LDAP.
- fix: Enable the single sync button and disable it when we receive an
error from LDAP. Please note, that you can enable it by dispatching
the error. This allows you to try again without having to reload the
page.
- fix: Move the sync info to the top, then move the sync button above
that information and clearfix to have more harmony with the UI.
* Renamed ttl config in code to be more consistent with behaviour
* Introduced new setting `sync_ttl` in .ini file
* Keeping the old setting `ldap_sync_ttl` in the .ini file as fallback and compatibility.
Adds support for Generic OAuth role mapping. A new
configuration setting for generic oauth is added named
role_attribute_path which accepts a JMESPath expression.
Only Grafana roles named Viewer, Editor or Admin are
accepted.
Closes#9766
* LDAP Debug: No longer shows incorrectly matching groups based on role
Org Role was used as a shortcut to figure out what groups were matching
and which weren't. That lead to too all groups matching a specific role
to show up for a user if that user got that role.
* LDAP Debug: Fixes ordering of matches
The order of groups in the ldap.toml file is important, only the first
match for an organisation will be used. This means we have to iterate
based on the config and stop matching when a match is found.
We might want to think about showing further matches as potential
matches that are shadowed by the first match. That would possibly make
it easier to understand why one match is used instead of another one.
* LDAP Debug: never display more than one match for the same LDAP group/mapping.
* LDAP Debug: show all matches, even if they aren't used
* Update public/app/features/admin/ldap/LdapUserGroups.tsx
Co-Authored-By: gotjosh <josue.abreu@gmail.com>
* Update public/app/features/admin/ldap/LdapUserGroups.tsx
Co-Authored-By: gotjosh <josue.abreu@gmail.com>
* Licensing: supplies a service to handle licensing information
* Licensing: uses the license service further
Uses the license service instead of settings.isEnterprise:
- external team members
- saml
- usage stats
* Licensing: fixes broken tests due to new Licensing service dependency
* Licensing: fixes linting errors
* Licensing: exposes license expiry information to the frontend
Fixes so that all notification channels configured for an alert should
try to send notification even if one notification channel fails to send
a notification.
Signed-off-by: Abhilash Gnan <abhilashgnan@gmail.com>
Fixes#19768
* pkg/cmd: Check errors
* pkg/cmd: Make sure server waits on services, even in case of error
* pkg/cmd: Inform of error to show help
* pkg/cmd: Only warn on failure to send systemd notification
* pkg/cmd: Don't log errors stemming from context cancelation
* pkg/cmd: Don't fail if unable to write to systemd
* Rename GrafanaServerImpl to Server
* Make flag dependencies explicit
* Extract method for building service graph
* Document and clarify methods
* Rename HttpServer to HTTPServer
fix pkg/services/search/service.go:52:3: s.bus undefined (type *SearchService has no field or method bus, but does have Bus)
fixes issue introduced by #19765
* Convert Azure Application Insights datasource to Go
Allows for alerting of Application Insights data source
Closes: #15153
* Fix timeGrainReset
* Default time interval for querys for alerts
* Fix a few rename related bugs
* Update readme to indicate App Insights alerting
* Fix typo and add tests to ensure migration is happening
* Address code review feedback (mostly typos and unintended changes)
* Chore: Upgrade to Go 1.13
Fixes: #18878
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
* Chore: Upgrade lint tools in order to work with Go 1.13
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
* Chore: Fix Go linting issues
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
* Fix: Handle empty nested keys on YAML provisioning datasources
As we provision a datasource via a YAML file, we attempt to transform the
file into sensible Go types that the provisioning code can use.
While this happens, there is a chance some of the keys nested within
the YAML array are empty.
This fix allows the YAML parser to handle empty keys by null checking
the return of `reflect.TypeOf` which according to the documentation:
> TypeOf returns the reflection Type that represents the dynamic type of i. If i is a nil interface value, TypeOf returns nil.
Can return nil.
* Add tests
* API: Add `createdAt` and `updatedAt` to api/users/lookup
In the past, we have added both `updatedAt` (#19004) and `createdAt` (#19475) to /api/users/:id
Turns out, api/users/lookup uses the same DTO for both. This fixes the serialization of both `createdAt` and `updatedAt`for this endpoint.
Also, adds a test to ensure no further regressions.
* Updated API documentation
* use grafana-plugin-model dependency that uses go modules
* use grafana-plugin-model with updated hashicorp/go-plugin
* use grafana-plugin-model with re-compiled protos
* test using protoc-gen-go v1.2.0 tag
* use grafana-plugin-model with re-compiled protos
* chore: fix deprecation warning for lint
* use latest grafana-plugin-model
Fixes#19454
Only return certain mysql errors from backend.
The following errors is returned as is from backend:
error code 1064 (parse error)
error code 1054 (bad column/field selected)
error code 1146 (table not exists)
Any other errors is logged and returned as a generic
error.
Restrict use of certain functions:
Do not allow usage of the following in query:
system_user()
session_user()
current_user() or current_user
user()
show grants
Fixes#19360
* Multi-LDAP: Do not fail-fast on invalid credentials
When configuring LDAP authentication, it is very common to have multiple
servers configured. When using user bind (authenticating with LDAP using
the same credentials as the user authenticating to Grafana) we don't
expect all the users to be on all LDAP servers.
Because of this use-case, we should not fail-fast when authenticating on
multiple LDAP server configurations. Instead, we should continue to try
the credentials with the next LDAP server configured.
Fixes#19066
* Update README.md
Capitalized the G and S in "Getting Started," and moved "guide" to match the section title in the docs.
* Fixed sentence structure. Changed "download" to "grafana.com/get" and changed "get" to "download".
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* Docs: Replace "datasources" with "data sources" (#19111)
* LDAP: Show all LDAP groups
* Use the returned LDAP groups as the reference when debugging LDAP
We need to use the LDAP groups returned as the main reference for
assuming what we were able to match and what wasn't. Before, we were
using the configured groups in LDAP TOML configuration file.
* s/User name/Username
* Add a title to for the LDAP mapping results
* LDAP: UI Updates to debug view
* LDAP: Make it explicit when we weren't able to match teams
This reverts commit 2514209 from #18384. Reason is that it doesn't
work due to xorm 0.7.1 which doesn't support this new connectionstring
format.
Fixes#19189
Ref #18384
Ref #17665
* Add new query mode picker with different states for each query. Also really simple migration script
* Populate cross resource dropdowns
* Cleanup. Handle change events
* Add multi select picker for subscriptions
* Fix markup issue
* Prepare for new query mode
* More cleanup
* Handle multiple queries both in ds and backend
* Refactoring
* Improve migration
* Add support for multiselect display name
* Use multiselect also for locations and resources
* Add more typings
* Fix migrations
* Custom multiselect built for array of options instead of variables
* Add url builder test
* fix datasource tests
* UI fixes
* Improve query editor init
* Fix brokens tests
* Cleanup
* Fix tslint issue
* Change query mode display name
* Make sure alerting works for single queries
* Friendly error for multi resources
* Add temporary typings
Don't update total stats metrics if reporting is disabled.
New setting disable_total_stats for turning off update
of total stats (stat_totals_*) metrics.
Ref #19137
* Add items for navmodel and basic page
* add reducer and actions
* adding user mapping table component
* adding components for ldap tables
* add alert box on error
* close error alert box
* LDAP status page: connect APIs WIP
* LDAP debug: fetch connection status from API
* LDAP debug: fetch user info from API
* LDAP debug: improve connection error view
* LDAP debug: connection error tweaks
* LDAP debug: fix role mapping view
* LDAP debug: role mapping view tweaks
* LDAP debug: add bulk-sync button stub
* LDAP debug: minor refactor
* LDAP debug: show user teams
* LDAP debug: user info refactor
* LDAP debug: initial user page
* LDAP debug: minor refactor, remove unused angular wrapper
* LDAP debug: add sessions to user page
* LDAP debug: tweak user page
* LDAP debug: tweak view for disabled user
* LDAP debug: get sync info from API
* LDAP debug: user sync info
* LDAP debug: sync user button
* LDAP debug: clear error on page load
* LDAP debug: add user last sync info
* LDAP debug: actions refactor
* LDAP debug: roles and teams style tweaks
* Pass showAttributeMapping to LdapUserTeams
* LDAP debug: hide bulk sync button
* LDAP debug: refactor sessions component
* LDAP debug: fix loading user sessions
* LDAP debug: hide sync user button
* LDAP debug: fix fetching unavailable /ldap-sync-status endpoint
* LDAP debug: revert accidentally added fix
* LDAP debug: show error when LDAP is not enabled
* LDAP debug: refactor, move ldap components into ldap/ folder
* LDAP debug: styles refactoring
* LDAP debug: ldap reducer tests
* LDAP debug: ldap user reducer tests
* LDAP debug: fix connection error placement
* Text update
* LdapUser: Minor UI changes moving things around
* AlertBox: Removed icon-on-top as everywhere else it is centered, want to have it be consistent
* LDAP: Allow an user to be synchronised against LDAP
This PR introduces the /ldap/sync/:id endpoint. It allows a user to be synchronized against LDAP on demand.
A few things to note are:
LDAP needs to be enabled for the sync to work
It only works against users that originally authenticated against LDAP
If the user is the Grafana admin and it needs to be disabled - it will not sync the information
Includes a tiny refactor that favours the JSONEq assertion helper instead of manually parsing JSON strings.
* API: Add `updatedAt` to api/users/:id
This adds the timestamp of when a particular user was last updated to
the `api/users/:id` endpoint.
This helps our administrators understand when was the user information last
updated. Particularly when it comes from external systems e.g. LDAP
Adds the definition of `GetTeamsForLDAPGroupCommand` which handles the lookup of team information based on LDAP groupDNs.
This is an Enterprise only feature. To diferentiate,a response will contain the `team` key as `null` on OSS while on Enterprise the key will contain an empty array `[]` when no teams are found.
* LDAP: Add API endpoint to query the LDAP server(s) status|
This endpoint returns the current status(es) of the configured LDAP server(s).
The status of each server is verified by dialling and if no error is returned we assume the server is operational.
This is the last piece I'll produce as an API before moving into #18759 and see the view come to life.
* Move the ReloadLDAPCfg function to the debug file
Appears to be a better suite place for this.
* LDAP: Return the server information when we find a specific user
We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things:
- Understand in which server we found the user
- Have access the groups specified as part of the server configuration
* LDAP: Adds the /api/admin/ldap/:username endpoint
This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration.
No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
* Emails: resurrect template notification
* Phantomjs (oh yeah, there is another dev dep phantom :-) was failing for
the generation of the html templates so I had to update the dependencies
in order to fix it. While doing that I update the scripts field and docs
for it as well. yarn.lock is included
* Move splitting of the emails to separate helper function, since more services
coming up that would need to use this functionality
* Add support for enterprise specific email letters. Probably could
be done in the better way, but it's not a priority right now
* Auth: change the error HTTP status codes
* Use 407 HTTP status code for incorrect credentials error
* Improve proxy auth logs
* Remove no longer needed TODO comment
Fixes#18439
It seems `ldap` module introduced new error type of which
multildap module didn't know about.
This broke the multildap login logic
Fixes#18491
Ref #18587
* SQLite migrations
* cleanup
* migrate end times
* switch to update with a query
* real migration
* anno migrations
* remove old docs
* set isRegion from time changes
* use <> for is not
* add comment and fix index decleration
* single validation place
* add test
* fix test
* add upgrading docs
* use AnnotationEvent
* fix import
* remove regionId from typescript
Existing /api/alert-notifications now requires at least editor access.
Existing /api/alert-notifiers now requires at least editor access.
New /api/alert-notifications/lookup returns less information than
/api/alert-notifications and can be access by any authenticated user.
Existing /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than
/api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
UserPicker component now uses /api/org/users/lookup instead
of /api/org/users.
Fixes#17318
* Do not set SameSite login_error cookie attribute if cookie_samesite is none
* Do not set SameSite grafana_session cookie attribute if cookie_samesite is none
* Update middleware tests
* Fix CreateTeam api endpoint
No team member should be created for requests
authenticated by API tokens.
* Update middleware test
Assert that `isAnonymous` is set for `SignedInUser`
authenticated via API key.
* Add test for team creation
Assert that no team member is created if the signed in user
is anomymous.
* Revert "Fix CreateTeam api endpoint"
This reverts commit 9fcc4e67f5.
* Revert "Update middleware test"
This reverts commit 75f767e58d.
* Fix CreateTeam api endpoint
No team member should be created for requests
authenticated by API tokens.
* Update team test
* Change error to warning and update tests
This commit addresses half of #13749 by making sure GetMetricData
works for alerting. Math Expressions (compound metrics) will still not
work for alerting, this would require a bigger refactoring of Grafana's
alerting service. However, with this commit at least alerting for basic
metrics with non empty query Id will work.
Fixes half of #13749
* Auth: Do not search for the user twice
Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing
`GetUserByLoginQuery` only i.e. looking user in DB only, things changed when
this function started to check LDAP provider via `LoginUserQuery` (#6940),
however, this request was placed after `GetUserByLoginQuery`, so we first
looking in DB then in the LDAP - if LDAP user hasn't logged in we will
not find it in DB, so `LoginUserQuery` will never be reached.
`LoginUserQuery` request already performs `GetUserByLoginQuery`
request in correct sequence. So we can just remove redundant request.
* Correct sequence execution during authentification &
introduce tests for it
* Move basic auth tests to separate test file, since main test file already
pretty large
* Introduce `testing.go` for the middleware module
* Remove redundant test helper function
* Make handler names more explicit
Ref 5777f65d05Fixes#18329
* Auth: address review comment
* added alert rule tags in webhook notifications
* fix: don't include whole list of Tag objects but only key/value pairs in Webhook JSON
* marked webhook alerts to support alert rule tags
* Add tests for errors basic auth cases and moves tests to separate test-case.
Also names test cases consistently
* Add additional test helper
Ref 82661b9f69
* LDAP: nitpicks
* Add more tests
* Correct and clarify comment for Login() method
* Rename methods (hail consistency!)
* Uppercases first letter of the logs everywhere
* Moves method definitions around to more appropriate places
Fixes#18295
* Auth: consistently return same basic auth errors
* Put repeated errors in consts and return only those consts as error strings
* Add tests for errors basic auth cases and moves tests to separate test-case.
Also names test cases consistently
* Add more error logs and makes their messages consistent
* A bit of code style
* Add additional test helper
* Auth: do not expose even incorrect password
* Auth: address review comments
Use `Debug` for the cases when it's an user error
The `oauth_state` cookie used to be created with the SameSite value set
according to the `cookie_samesite` configuration.
However, due to a Safari bug SameSite=None or SameSite=invalid are treated
as Strict which results in "missing saved state" OAuth login failures
because the cookie is not sent with the redirect requests to the OAuth
provider.
This commit always creates the `oauth_state` cookie with SameSite=Lax
to compensate for this.
* Auth Proxy: Include additional headers as part of the cache key
Auth proxy has support to send additional user attributes as part of the
authentication flow. These attributes (e.g. Groups) need to be monitored
as part of the process in case of change.
This commit changes the way we compute the cache key to include all of the
attributes sent as part of the authentication request. That way, if we
change any user attributes we'll upsert the user information.
Allow non admins to see plugins list but only with readme. Any config tabs are hidden from the plugin page. Also plugin panel does not show action buttons (like Enable) for non admins.
* LDAP: improve POSIX support
* Correctly abtain DN attributes result
* Allow more flexibility with comparison mapping between POSIX group & user
* Add devenv for POSIX LDAP server
* Correct the docs
Fixes#18140
* Reapply MetricNamespace support
* Fixing tests
* refactor: move metricnamespace param to backend
* refactor: remove unused function
* azuremonitor: migration for new metric namespace field
* azuremonitor: add template query for metric namespace with a sub
* docs: template queries for azure monitor
Adds new lines for the metricnamespace template function and fixes
some messed up lines
Adds pulse waveform. Is predictable in the sense that the start of the waveform is aligned to epoch time (instead of the start of the query time). This makes a useful signal for manual testing of alerting in the devenv.
* Metrics: remove unused metrics
Metric `M_Grafana_Version` is not used anywhere, nor the mentioned
`M_Grafana_Build_Version`. Seems to be an artefact?
* Metrics: make the naming consistent
* Metrics: add comments to exported vars
* Metrics: use proper naming
Fixes#18110
* Add support for `is_disabled` to `CreateUser()`
* Add support for `is_disabled` to `SearchUsers()`
Had to add it as a `string` type not as `bool`, since if that's property
is omitted, we would have add it to SQL request, which might be dangerous
* Restructure desctructive tests and add more
* API: Duplicate API Key Name Handle With Useful HTTP Code
* 17447: make changes requested during review
- use dialect.IsUniqueContraintViolation
- change if statement to match others
- return error properly
* Revert "17447: make changes requested during review"
This reverts commit a4a674ea83.
* API: useful http code on duplicate api key error w/ tests
* API: API Key Duplicate Handling
fixed small typo associated with error
* Minor fix for nil pointer when trying to log error
* Do not return error if a dashboard is created
Only log the failures
* Do not return error if the folder is created
Only log the failures
* Users: show badges for each auth provider
* Chore: don't use functions in angular bindings
* Users: minor style changes to labels
* Chore: convert auth labels on the backed side, deduplicate frontend code
* Users: use authLabels everywhere instead of authModule
* User: fix edit user page style
* Users: minor fixes after review
* Add tests for login view
* Fix OAuth auto login redirect loop
login_error cookie is only set when the OAuth login fails
for some reason. Therefore, the login view should return
immediately if a login_error cookie exists before trying
to login the user using OAuth again.
* Fix test
Use 'index-template' instead of 'index' for testing
* Add some comments
* LDAP:Docs: `active_sync_enabled` setting
Mention `active_sync_enabled` setting and enable it by default
* LDAP: move "disableExternalUser" method
Idea behind new design of the LDAP module is to minimise conflation
between other parts of the system, so it would decoupled as much as
possible from stuff like database, HTTP transport and etc.
Following "Do One Thing and Do It Well" Unix philosophy principal, other things
could be better fitted on the consumer side of things.
Which what this commit trying to archive
* LDAP: correct user/admin binding
The second binding was not happening, so if the admin login/password
in LDAP configuration was correct, anyone could had login as anyone using
incorrect password
* Add SAML configuration options
* Add crewjam/saml as a depdency
Needed as part of the enterprise SAML integration.
* Vendor github.com/stretchr/testify/require
The package require implements the same assertions as the `assert` package but stops test execution when a test fails.
* feat: AzureMonitor implements legend key on backend
To be able to remove the duplicated query logic on the
frontend, the backend code needs to implement alias
patterns for legend keys as well as allowing the default
list of allowed time grains to be overridden. Some metrics
do not support all the time grains and the auto timegrain
calculation can be incorrect if the list is not overridden.
* feat: AzureMonitor - removes duplicate query logic on frontend
* AzureMonitor small refactoring
Extracted method and tidied up the auto time grain
code.
* azuremonitor: support for auto time grains for alerting
Converts allowed timegrains into ms and saves in dashboard json.
This makes queries for alerting with an auto time grain work in
the same way as the frontend.
* chore: typings -> implicitAny count down to 3413
* azuremonitor: add more typings
* LDAP: Divide the requests
Active Directory does indeed have a limitation with 1000 results
per search (default of course).
However, that limitation can be workaround with the pagination search feature,
meaning `pagination` number is how many times LDAP compatible server will be
requested by the client with specified amount of users (like 1000). That feature
already embeded with LDAP compatible client (including our `go-ldap`).
But slapd server has by default stricter settings. First, limitation is not 1000
but 500, second, pagination workaround presumably (information about it a bit
scarce and I still not sure on some of the details from my own testing)
cannot be workaround with pagination feature.
See
https://www.openldap.org/doc/admin24/limits.htmlhttps://serverfault.com/questions/328671/paging-using-ldapsearchhashicorp/vault#4162 - not sure why they were hitting the limit in
the first place, since `go-ldap` doesn't have one by default.
But, given all that, for me `ldapsearch` command with same request
as with `go-ldap` still returns more then 500 results, it can even return
as much as 10500 items (probably more).
So either there is some differences with implementation of the LDAP search
between `go-ldap` module and `ldapsearch` or I am missing a step :/.
In the wild (see serverfault link), apparently, people still hitting that
limitation even with `ldapsearch`, so it still seems to be an issue.
But, nevertheless, I'm still confused by this incoherence.
To workaround it, I divide the request by no more then
500 items per search
* Teams: show proper label for each auth provider
Teams: don't sore AuthModule in team_member table, use JOIN to get it instead
* Teams: fix AddTeamMember after last changes
* Teams: add more auth provider labels
* Teams: show external sync badge if LDAP is not enabled
* Teams: tests for getting auth module
