* PermissionFilter: Handle all search type and only check one action for dashboards
* PermissionFilter: Still handle multiple action but take short cut when
only one action is required
* Add auth labels and access control metadata to org users search results
* Fix search result JSON model
* Org users: Use API for pagination
* Fix default page size
* Refactor: UsersListPage to functional component
* Refactor: update UsersTable component code style
* Add pagination to the /orgs/{org_id}/users endpoint
* Use pagination on the AdminEditOrgPage
* Add /orgs/{org_id}/users/search endpoint to prevent breaking API
* Use existing search store method
* Remove unnecessary error
* Remove unused
* Add query param to search endpoint
* Fix endpoint docs
* Minor refactor
* Fix number of pages calculation
* Use SearchOrgUsers for all org users methods
* Refactor: GetOrgUsers as a service method
* Minor refactor: rename orgId => orgID
* Fix integration tests
* Fix tests
* protect /connection url paths with permissions
These permissions match the original ones at /datasources and /plugins
* add Connections section to navtree only if user has permissions
This commit works only when the easystart plugin is not present.
I'll see what I can do when it is present in the next commit(s).
* update datasources page permissions
The datasources page have Explore buttons on datasource entries,
therefore it makes sense to show this page for those, who can't edit or
create datasources but have explore permissions.
This applies for the traditional Editor role.
* DataSourcesList: link to edit page only if has right to write
If the user doesn't have rights to write datasources, then it's better
to not create a link from cards to the edit page. This way they won't
see the configuration of the data sources either, which is a desirable
outcome.
Also, I moved the query for DataSourcesExplore permission out from the
DataSourcesListView component in the DataSourcesList component, next to
the other permission queries - for the sake of consistency.
* fix permissions for connect data
This way it matches the permissions of the "Plugins" page.
* fix applinks test
This commit adds a customizable timeout for screenshots called
capture_timeout. The default value is 10 seconds, and the maximum
value is 30 seconds. This timeout should be less than the minimum
Interval of all Evaluation Groups to avoid back pressure on alert
rule evaluation.
* Update config store to split between active and history tables
* Migrations to fix up indexes
* Implement migration from old format to new
* Move add migrations call
* Delete duplicated rows
* Explicitly map fields
* Quote the column name because it's a reserved word
* Lift migrations to top
* Use XORM for nearly everything, avoid any non trivial raw SQL
* Touch up indexes and zero out IDs on move
* Drop TODO that's already completed
* Fix assignment of IDs
* AuthN: Add boilderplate for render auth client
* AuthN: Implement test function for render auth client
* AuthN: Implement Authenticate for render arender auth client
* ContextHandler: Perform render auth if flag is enabled
* AuthN: Add basic auth client boilerplate
* AuthN: Implement test function for basic auth client
* AuthN: Implement the authentication method for basic auth
* AuthN: Add tests for basic auth authentication
* ContextHandler: perform basic auth authentication through authn service
if feature toggle is enabled
* AuthN: Add providers for sync services and pass required dependencies
* Alerting: Prevent short uid collision in legacy migration when db is case-insensitive
Two factors come into play that cause sporadic uid conflicts during legacy alert migration:
- MySQL and MySQL-compatible backends use case-insensitive collation.
- Our short uid generator is not a uniform RNG and generates uids in such a way that generations in quick succession have a higher probability of creating similar uids.
Normally we would be guaranteed unique short uid generation, however if the source alphabet contains
duplicate characters (for example, if we use case-insensitive comparison) this guarantee is void.
Generating even ~1000 uids in quick succession is nearly guaranteed to create a case-insensitive
duplicate.
chore (dashboardversion service): remove (one) join from store implementations
We return the userID from the dashboardservice store; the service (or api) layer can use that to get the user's login when needed.
The DashboardVersion struct is the database object; the DashboardVersionDTO is the object that should be sent to the API layer.
In the future I'd like to move DashboardVersion to dashverimpl and un-export it, but there are a few places that Insert directly into that table, not all of which are test fixtures, so that should wait until we clean up at least the DashboardService's use of it.
`X-Dashboard-Uid`, `X-Datasource-Uid`, `X-Grafana-Org-Id`, `X-Panel-Id` are very useful headers set
by Grafana front-end that we would like to see on the data source as
well. This is so that it would be possible to pinpoint from where slow
queries are coming in Mimir/Thanos/Cortex/etc., for example. Relevant
Mimir code lines:
0a94f26203/pkg/frontend/transport/handler.go (L182-L184)
Tested manually that with these changes the headers are visible.
Automatically forward core plugin request HTTP headers in outgoing HTTP requests.
Core datasource plugin authors don't have to specifically handle forwarding of HTTP
headers, e.g. do not have to "hardcode" the header-names in the datasource plugin,
if not having custom needs.
Fixes#57065
* refactor email to not use simplejson
* add tests
* split integration test and unit test + more unit-tests
* Remove outdated comment
Co-authored-by: Armand Grillet <2117580+armandgrillet@users.noreply.github.com>
* AuthN: Replicate functionallity to get org id for request
* Authn: parse org id for the request and populate the auth request with
it
* AuthN: add simple mock for client to use in test
* AuthN: add tests to verify that authentication is called with correct
org id
* AuthN: Add ClientParams to mock
* AuthN: Fix flaky org id selection
* add user sync
* add org user sync
* add client params
* merge remaining conflicts
* remove change to report.go
* update comments
* add basic tests for user ID population
* add tests for auth ID find
* add tests for user sync create and update
* add tests for orgsync
* satisfy lint
* add userID guards
Time range added for public dashboard:
- Enable/Disable switch added in public dashboard configuration.
- Time range picker shown in public dashboard for viewer user
* RBAC: Add fake for permissions service
* ServiceAccount: Rewrite create api tests
* ServiceAccount: Rewrite api delete tests
* ServiceAccount: Rewrite api test for RetriveServiceAccount
* ServiceAccount: Refactor UpdateServiceAccount api test
* ServiceAccount: Refactor CreateToken api test
* ServiceAccount: refactor delete token api tests
* ServiceAccount: rewrite list tokens api test
* Remove test helper that is not used any more
* ServiceAccount: remove unused test helpers
* AuthN: Add functionallity to test if auth client should be used
* AuthN: Add bolierplate client for api keys and register it
* AuthN: Add tests for api key client
* Inject service
* AuthN: Update client names
* ContextHandler: Set authn service
* AuthN: Implement authentication for api key client
* ContextHandler: Use authn service for api keys if flag is enabled
* AuthN: refactor authentication method to return additional value to
indicate if client could perform authentication
* update prefixes
* Add namespaced id to identity
* AuthN: Expand the Identity struct to include required fields from signed
in user
* Add error for disabled service account
* Add function to write error response based on errutil.Error
* Add error to log
* Return errors based on errutil.Error
* pass error
* update log message
* Fix namespaced ids
* Add tests
* Lint
* introduce alias for json.RawMessage with name RawMessage. This is needed to keep raw JSON and implement a marshaler for YAML, which does not seem to be used but there are tests that fail.
* replace usage of simplejson with RawMessage in NotificationChannelConfig
* remove usage of simplejson in tests
* change migration code to convert simplejson to raw message
* chore: remove unused test helper from sqlstore
TimeNow() is no longer used in any tests in this package.
* chore: move sqlstore.SQLBuilder to the infra/db package
This required some minor refactoring; we need to be a little more explicit about passing around the dialect and engine. On the other hand, that's a few fewer uses of the `dialect` global constant!
* chore: move UserDeletions into the only package using it
* cleanup around moving sqlbuilder
* remove dialect and sqlog global vars
* rename userDeletions to serviceAccountDeletions
* Set Dashboard and Panel IDs on rule group replacement
* fix comments and abbreviate test variable name
* Update pkg/services/ngalert/provisioning/alert_rules.go
Co-authored-by: Jean-Philippe Quéméner <JohnnyQQQQ@users.noreply.github.com>
Co-authored-by: Jean-Philippe Quéméner <JohnnyQQQQ@users.noreply.github.com>
* Update config store to split between active and history tables
* Migrations to fix up indexes
* Implement migration from old format to new
* Move add migrations call
* Delete duplicated rows
* Explicitly map fields
* Quote the column name because it's a reserved word
* Lift migrations to top
* introduce Logger interface local to channles + implementaton that wraps the Grafana logger
* make NewFactoryConfig accept LoggerFactory
* add logger field to FactoryConfig
* update usages of log.Logger to internal interface
* Guardian: Use dashboard UID instead of ID
* Apply suggestions from code review
Introduce several guardian constructors and each time use
the most appropriate one.
Grafana would forward the X-Grafana-User header to backend plugin request when
dataproxy.send_user_header is enabled. In addition, X-Grafana-User will be automatically
forwarded in outgoing HTTP requests for core/builtin HTTP datasources.
Use grafana-plugin-sdk-go v0.147.0.
Fixes#47734
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
* Implement backtesting engine that can process regular rule specification (with queries to datasource) as well as special kind of rules that have data frame instead of query.
* declare a new API endpoint and model
* add feature toggle `alertingBacktesting`
* initial commit
* clean up
* fix a bug and add tests
* more tests
* undo some unintended changes
* undo some unintended changes
* linting
* PR feedback - add user ID to search options
* simplify the query
* Apply suggestions from code review
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* remove unneeded formatting changes
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Move truncation code to util to mirror upstream
* Resolve merge conflicts
* Align logging of alert key
* Update tests and fix field passing bug
* Remove superfluous newline in test now that we trim whitespace
* Uptake minor log changes from upstream
* RBAC: Add benchmarks to search all users given a specific permission
* Add missing time
* Inline benchmarks
* Make bench setup memory efficient
* fix user id
* comment
* Ran 10K_10k and got a better time this time
* change comment to pass linting
* change comment to pass linting
* Update pkg/services/accesscontrol/acimpl/service_bench_test.go
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* refactor: renaming of files from database to store
* refactor: make service account store private
- moves store interface to manager package
- adds an interface to the ProvideAPI constructor
- refactors tests to use the store when necessary
- adds mocks for the new interface implementations in the tests package
* wip
* refactor: make fakestore in service
* wip
* wip
* wip
* working tests
* trailing whitespaces
* Update pkg/services/serviceaccounts/api/api.go
* Update pkg/services/serviceaccounts/tests/common.go
* Update pkg/services/serviceaccounts/tests/common.go
* refactor: doc string for retriever
* fix import unused
* remove: serviceaccount from featuretoggle
* added: back legacy serviceaccounts feature toggle
* added: docs
* refactor: make query for the SearchQuery
* add: validation of service input fields
* add validation
* Remove TraceID tab when TraceQL is enabled. Use TraceQL editor to query for trace IDs by checking whether the content is an hex only string
* Highlight valid trace IDs in traceql editor
* Update trace and span links to use TraceQL tab when feature flag is enabled
* Remove traceqlEditor feature flag.
* Remove traceId query type from Tempo and replace it with traceQl
* Datasource settings: Add deprecation notice for database field
* SQL Datasources: Migrate from settings.database to settings.jsonData.database
* Check jsonData first
* Remove comment from docs
* add stats and licensing under admin -> general when topnav is enabled
* add ldap to users and access
* use ID instead of Id
* add enterprise licensing node
This change marks tests in the `sender` package that use an external
process as integration tests instead of unit tests. This speeds up the
package's unit tests by about 20 seconds.
This change also reduces the number of alert instances in the `store`
package's bulk write integration test from 20_000 to 10_000. This is
still enough to exercise the bulk-write code but speeds up the package
tests from about 250s to 130s.
Put together, integration tests go to about 160s while also speeding up
unit tests by 20s.
This commit better defines how we set states in resultNormal,
resultAlerting, resultError and resultNoData. It changes the existing
code to call methods such as SetAlerting, SetPending, SetNormal,
SetError and NoData instead of assigning values to each individual field
whenever the state is changed. This should make it easier to understand
what fields should be set for which states and avoid cases where states are
missing, or have additional unexpected fields.
Before this change, the alerting provisioning system incorrectly used
the QuotaTarget to check if alerting's request quota had been reached.
The quota service requires the QuotaTargetSrv, which is what's
registered with the service at startup time. This is leading to errors
in the provisioning system.
* block move operation that could introduce more than 8 level of depth, forbid circular reference
* move getHeight to store, mock store in service
* fix linter
* Auth: Session cache [v9.2.x] (#59907)
* add cache wrapper
only cache token if not to rotate
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
anticipate next rotation
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
(cherry picked from commit 07a4b2343d)
* FeatureToggle: for storing sessions in a Remote Cache
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
(cherry picked from commit b8a8c15148)
* use feature flag for session cache
* ensure ttl is minimum 1 second
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* ensure 2 ttl window to prevent caching of tokens near rotation
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* fix description of toggle
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
(cherry picked from commit 2919588a82)
* fix broken quota test
* update pagerduty and opsgenie to deserialize settings using standard JSON library
* update pagerduty truncation to use a function from Alertamanger package
* update opsgenie to use payload model (same as in Alertmanager)
* RBAC: add viewer grand if dspermissions enforcement is not enabled
* RBAC: Change permissions based on role prefix
* RBAC: Add option to for permission service to add a license middleware
* RBAC: Remove actions from query struct
This commit makes a number of changes to how images work in Slack
notifications.
It adds support for uploading images to Slack via the files.upload
API when the contact point has a token. Images are no longer linked
via a URL if a token is present.
Each image uploaded to Slack is posted as a reply to the original
notification. Up to maxImagesPerThreadTs images can be posted as
replies before a final message is sent with:
There are no images than can be shown here. To see the panels for
all firing and resolved alerts please check Grafana
Incoming Webhooks cannot upload files via files.upload and so webhooks
require the image to be uploaded to cloud storage and linked via URL.
Adding support for backend plugin client middlewares. This allows headers in outgoing
backend plugin and HTTP requests to be modified using client middlewares.
The following client middlewares added:
Forward cookies: Will forward incoming HTTP request Cookies to outgoing plugins.Client
and HTTP requests if the datasource has enabled forwarding of cookies (keepCookies).
Forward OAuth token: Will set OAuth token headers on outgoing plugins.Client and HTTP
requests if the datasource has enabled Forward OAuth Identity (oauthPassThru).
Clear auth headers: Will clear any outgoing HTTP headers that was part of the incoming
HTTP request and used when authenticating to Grafana.
The current suggested way to register client middlewares is to have a separate package,
pluginsintegration, responsible for bootstrap/instantiate the backend plugin client with
middlewares and/or longer term bootstrap/instantiate plugin management.
Fixes#54135
Related to #47734
Related to #57870
Related to #41623
Related to #57065
* Fix deleting subfolder
It used to fail with beause of missing signed in user
* Add logging
* fixup
* Fail request if deleting nested folder has failed
Before we only used to log the error
* Fix failing test
During failed nested folder creation
call the dashboard store deletion instead of the service one.
