* AuthnSync: Rename files and structures
* AuthnSync: register rbac cloud role sync if feature toggle is enabled
* RBAC: Add new sync function to service interface
* RBAC: add common prefix and role names for cloud fixed roles
* AuthnSync+RBAC: implement rbac cloud role sync
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
There were a few errors that prevented these endpoints (which are the most up-to-date ones) from being present in the openapi spec:
- The `enterprise` tag excluded the endpoints from being generated
- `okRespoonse` typo
- Invalid templating on the parameters
- Missing parameter structs
* `accesscontrol` swagger: Add `global` field to `RoleDTO` type
The field is currently added in the MarshalJSON function so it isn't reflected in the spec
This PR sets the "static" version of the RoleDTO, that has the global field, as the swagger model
* Revert the marshalling logic
* Folders: Show folders user has access to at the root level
* Refactor
* Refactor
* Hide parent folders user has no access to
* Skip expensive computation if possible
* Fix tests
* Fix potential nil access
* Fix duplicated folders
* Fix linter error
* Fix querying folders if no managed permissions set
* Update benchmark
* Add special shared with me folder and fetch available non-root folders on demand
* Fix parents query
* Improve db query for folders
* Reset benchmark changes
* Fix permissions for shared with me folder
* Simplify dedup
* Add option to include shared folder permission to user's permissions
* Fix nil UID
* Remove duplicated folders from shared list
* Folders: Fix fetching empty folder
* Nested folders: Show dashboards with directly assigned permissions
* Fix slow dashboards fetch
* Refactor
* Fix cycle dependencies
* Move shared folder to models
* Fix shared folder links
* Refactor
* Use feature flag for permissions
* Use feature flag
* Review comments
* Expose shared folder UID through frontend settings
* Add frontend type for sharedWithMeFolderUID option
* Refactor: apply review suggestions
* Fix parent uid for shared folder
* Fix listing shared dashboards for users with access to all folders
* Prevent creating folder with "shared" UID
* Add tests for shared folders
* Add test for shared dashboards
* Fix linter
* Add metrics for shared with me folder
* Add metrics for shared with me dashboards
* Fix tests
* Tests: add metrics as a dependency
* Fix access control metadata for shared with me folder
* Use constant for shared with me
* Optimize parent folders access check, fetch all folders in one query.
* Use labels for metrics
* ExtSvcAuth: Assign roles locally
* Fix test
* HandlePluginStateChanged in the OrgID
* Remove Global from command
* Use AssignmentOrgID instead of OrgID
* Remove unecessary test case
* remove use of SignedInUserCopies
* add extra safety to not cross assign permissions
unwind circular dependency
dashboardacl->dashboardaccess
fix missing import
* correctly set teams for permissions
* fix missing inits
* nit: check err
* exit early for api keys
* inital changes, db migration
* changes
* Implement basic GetAll, Delete
* Add first batch of tests
* Add more tests
* Add service tests for GetForProvider, List
* Update http_server.go + wire.go
* Lint + update fixed role
* Update CODEOWNERS
* Change API init
* Change roles, rename
* Review with @kalleep
* Revert a mistakenly changed part
* Updates based on @dmihai 's feedback
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* correctly check permissions to list dashboards on the root
* correctly display the access inherited from general folder for dashboards
* Update pkg/services/sqlstore/permissions/dashboard.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update dashboard_filter_no_subquery.go
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update cue to have an AuthProvider entry
* Cable the new auth provider
* Add feature flag check to the accesscontrol service
* Fix test
* Change the structure of externalServiceRegistration (#76673)
* Replace FixedRoleUID function with a common function to generate these prefixes
* Use common function to generate prefixed uid for external service accounts
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
---------
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
fetch fresh permissions for global in AuthorizeInOrgMiddleware
Update pkg/services/accesscontrol/authorize_in_org_test.go
do not load viewer permissions in global ID
* Add fixed role UID
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Use base64 url encoding
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* move access control api to SignedInUser interface
* remove unused code
* add logic for reading perms from a specific org
* move the specific org logic to org_user.go
* add a comment
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
