* Fix migration of custom dashboard permissions
Dashboard alert permissions were determined by both its dashboard and
folder scoped permissions, while UA alert rules only have folder
scoped permissions.
This means, when migrating an alert, we'll need to decide if the parent folder
is a correct location for the newly created alert rule so that users, teams,
and org roles have the same access to it as they did in legacy.
To do this, we translate both the folder and dashboard resource
permissions to two sets of SetResourcePermissionCommands. Each of these
encapsulates a mapping of all:
OrgRoles -> Viewer/Editor/Admin
Teams -> Viewer/Editor/Admin
Users -> Viewer/Editor/Admin
When the dashboard permissions (including those inherited from the parent
folder) differ from the parent folder permissions alone, we need to create a
new folder to represent the access-level of the legacy dashboard.
Compromises:
When determining the SetResourcePermissionCommands we only take into account
managed and basic roles. Fixed and custom roles introduce significant complexity
and synchronicity hurdles. Instead, we log a warning they had the potential to
override the newly created folder permissions.
Also, we don't attempt to reconcile datasource permissions that were
not necessary in legacy alerting. Users without access to the necessary
datasources to edit an alert rule will need to obtain said access separate from
the migration.
* Manage service account secrets
* Wip
* WIP
* WIP
* Revert to keep a light interface
* Implement SaveExternalService
* Remove unecessary functions from the interface
* Remove unused field
* Better log
* Leave ext svc credentials out of the extsvcauth package for now
* Remove todo
* Add tests to SaveExternalService
* Test that secret has been removed from store
* Lint
* Nit.
* Rename commands and structs
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* Account for PR feedback
Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
* Linting
* Add nosec comment G101 - this is not a hardcoded secret
* Lowercase kvStoreType
---------
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
* Update origin annotation names
k8s does not support annotation names with multiple slashes in them, so this PR updates the origin annotations to match the format for updated and created annotations.
* fix tests
This PR replaces the vendored models in the migration with their equivalent ngalert models. It also replaces the raw SQL selects and inserts with service calls.
It also fills in some gaps in the testing suite around:
- Migration of alert rules: verifying that the actual data model (queries, conditions) are correct 9a7cfa9
- Secure settings migration: verifying that secure fields remain encrypted for all available notifiers and certain fields migrate from plain text to encrypted secure settings correctly e7d3993
Replacing the checks for custom dashboard ACLs will be replaced in a separate targeted PR as it will be complex enough alone.
* Move errors to error file
* Move check for both empty username and email to user service
* Move check for empty email and username to user service Update
* Wrap inner error
* Set username in test
* support google oauth allowed_groups. unify allowed groups logic
* add role mapping for google oauth
* add documentation
* add addendums
* remove extra isGroupMember
* add to sample ini
* Apply suggestions from code review
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* extend threshold command with second evaluator called `unloadEvaluator`
* Introduce a new expression command Hysteresis and update Threshold unmarshaller to create the HysteresisCommand if the second eval
* add feature flag `recoveryThreshold`
* update unmarshal threshold command to not re-marshall because it breaks frame definition by shuffling the schema and data fields
* Add fixed role UID
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Use base64 url encoding
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Create a state for dockedMegaMenu and the function to manage it
* Add the dockedMenu icon and handle the status when clicking it
* Add Megamenu to section nav area when it is docked
* get logic working
* fix mobile
* refactor state + persist in localStorage
* adjust icon and don't use position absolute
* restore old rudderstack tracking
* use Flex instead
* adjust feature toggle to be experimental
* extract out localStorage handling into utils
* don't need separate file
* use store.set/get instead
---------
Co-authored-by: eledobleefe <laura.fernandez@grafana.com>
* IDForwarding: change audience to be prefixed by org and remove JTI
* IDForwarding: Construct new signer each time we want to sign a token.
* SigningKeys: Simplify storage layer and move logic to service
* SigningKeys: Add private key to local cache
* Extract code to manage service accounts
* Add test with client credentials grants
* Fix test with the changed interface
* Wire
* Fix HandleTokenRequest
* Add tests to extsvcaccounts
* Rename Retrieve function
* Document the interface
* Unfurl OrgRole in pkg/api to allow using identity.Requester interface
* Unfurl Email in pkg/api to allow using identity.Requester interface
* Update UserID in pkg/api to allow using identity.Requester interface
* fix authed test
* fix datasource tests
* guard login
* fix preferences anon testing
* fix anonymous index rendering
* do not error with user id 0
* Only call preventDefault if it exists
* Change "View Traces" link to use traceQLSearch instead of the deprecated nativeSearch
* Thank you again test. Update tests
* Update test
* Update betterer
* Type fix
* Small type change
* Update betterer
