Commit Graph

50 Commits

Author SHA1 Message Date
Karl Persson
ae95a6158f
Zanzana: Remove openfga from client and implement compile (#96275)
Zanzana: Remove openfga from client and implement Compile
2024-11-12 15:30:34 +01:00
Gabriel MABILLE
cc9cdbe82d
Authz: Move extension proto up a layer (#96254)
* Authz: Move extension proto up a layer

* Lint
2024-11-12 10:19:12 +01:00
Alexander Zobnin
b1fb581ab1
Zanzana: Evaluate access with Check request (server-side) (#96213)
* Zanzana: Evaluate access with Check request (server-side)

* Pass parent folder for checking access

* Review suggestions

* remove fixme comment
2024-11-11 16:39:21 +01:00
Karl Persson
9f66843915
Zanzana: use namespace when performing reconciliation (#96205)
* Special handling for zanzana reconciliation if stack id is configured

* remove sync call
2024-11-11 13:48:49 +01:00
Karl Persson
acf119a12c
Zanzana: resource sets on folder grants read on all children (#96127)
* resource sets on folder grants read on all children

* remove comment

* Add type for consistency
2024-11-08 16:53:51 +01:00
Alexander Zobnin
910ec7e7dc
Zanzana: Use separate store for each org (#96015)
* Move server init into server package

* map store name to id

* refactor model loading

* pass namespace into reconcilers and collectors

* refactor

* Extend authz server with Read and Write methods

* use new read/write in reconciler

* implement server side read and write

* Sync permissions for every org

* handle namespace in check and list

* split read and write

* provide conditions

* Fix client implementation

* fix nil conditions

* remove unused client code

* use lock for store access

* move type translators to common package

* fix folder collector

* fix store creation

* remove unused AuthorizationModelId

* fix server tests

* fix linter
2024-11-08 14:54:36 +01:00
Karl Persson
f0a5b444e3
Zanzana: generic resource only (#96019)
* Remove collectors

* Remove zanzana search check, we need to rewrite that part to the new schema

* Only use generic resource schema and cleanup code we don't want to keep / need to re-write
2024-11-08 09:30:41 +01:00
Zoltán Bedi
85c696c4ad
SQL: Add macro support in select case (#88514)
* Feat: timeGroup macro handling in VQB

* Add tests

* Add functions to SQL ds

* Fix lint errors

* Add feature toggle

* Add rendering based on object

* Fix lint

* Fix CI failures

* Fix tests

* Address review comments

* Add docs

* Fix JSX runtime warnings

* Remove docs part that mentions suggest more macros

* Update docs/sources/shared/datasources/sql-query-builder-macros.md

Co-authored-by: Jack Baldry <jack.baldry@grafana.com>

* Add smoke test for this feature

* lint

* Add supported macros to influx

* Add setupTests.ts to include in tsconfig.json

* Import jest-dom instead of setupTests.ts

---------

Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
2024-11-04 17:13:35 +01:00
owensmallwood
0eb7b755e2
Unified Storage Indexer: Add integration tests (#95687)
* indexer integration tests WIP

* make protobuf

* Adds a few more integration test cases to cover the basics. Use Limit instead of Size param from SearchRequest.

* skip if testing.Short()

* adds test comments
2024-11-01 07:58:10 -06:00
Karl Persson
dfa8f786d2
Zanzana: fix generic schema (#95648)
* Change schema so that resource checks on a folder walk the tree
2024-10-31 14:34:48 +01:00
Karl Persson
e0163c93c2
Zanzana: reconcile generic schema (#95492)
* Rename to CheckObject

* Implement authz.AccessClient

* Move folder tree to reconciler and use new schema

* Move shared functionality to common package

* Add reconciler for managed permissions and resource translations

* Add support for folder resources
2024-10-28 16:32:16 +01:00
Gabriel MABILLE
2788817107
AuthZ: Implement Check (#95162)
* AuthZ: Implement Check


---------

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2024-10-25 14:57:39 +02:00
Karl Persson
bdbe12e980
Zanzana: Implement initial check and list with schema for generic resources (#95056)
* Implement initial check with schema for generic resources

* Implement List and add tests

* Add namespace type and change to folder_resource name

* Handle namespace grants for typed resources

* Run tests as integration tests

* Add support for verb in list requests
2024-10-25 14:19:11 +02:00
Karl Persson
beaac3c885
Zanzana: Remove model and store initiation from client (#95328)
* Remove model and store initiation from client
2024-10-25 09:31:27 +02:00
Alexander Zobnin
e709de603d
Chore: Init auth model on server side (#95142)
* Chore: Init auth model on server side

* fix linter
2024-10-22 14:50:52 +02:00
Gabriel MABILLE
0704ae734f
AuthZ: Refactor authentication modes for the Authz package (#95120)
* AuthZ: Fix authentication modes for the Authz package

Co-Authored-By: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com>
2024-10-22 13:38:59 +02:00
Karl Persson
b4366ebed2
Zanzana: bootstrap authz server (#95036)
Bootstrap authz extended server
2024-10-21 14:58:57 +02:00
Alexander Zobnin
2baf4883cc
Zanzana: add action sets to dashboard and folder schema (#94602)
2024-10-18 16:58:30 +02:00
Karl Persson
a82d01214d
Auth: Update authlib (#94947)
* Update authlib
2024-10-18 13:36:21 +02:00
Karl Persson
4083b2208e
Zanzana: periodic sync of team members (#94752)
* Rewrite zanzana collector to fetch all available pages

* Register access control as a background service

* If zanzana is enabled we run Syncs and start Reconciliation job

* Update pkg/services/authz/zanzana/client/client.go

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

* Use server lock when performing reconciliation
2024-10-17 15:28:33 +02:00
Alexander Zobnin
9f1b584c85
Chore: Update authlib version (#94714)
* Chore: Update authlib version

* update workspace

* use ParseNamespace()
2024-10-15 16:58:46 +02:00
Alexander Zobnin
fcfa4aa777
Zanzana: Add config options for Check and ListObjects queries (#94619)
* Zanzana: Add config options for Check and ListObjects queries

* remove fixme

* pass only zanzana settings
2024-10-14 14:44:47 +03:00
Alexander Zobnin
e642e1a804
Zanzana: Pass parent folder for the checks in search queries (#94541)
* Pass parent folder as a contextual tuple in Check request

* Search by listing folders and dashboards

* skip dashboards listing if limit reached

* remove unused

* add some comments

* only add ContextualTuples if parent provided

* Remove parent relation for dashboards from schema and perform separate checks
2024-10-10 17:38:15 +02:00
Karl Persson
9ece88d585
Zanzana: bump openfga version (#94485)
* Bump openfga

* Remove internal sqlite implementation for openfga

* Use sqlite implementation from openfga
2024-10-10 09:07:40 +02:00
Alexander Zobnin
5d724c2482
Zanzana: Initial dashboard search (#93093)
* Zanzana: Search in a background and compare results

* refactor

* Search with check

* instrument zanzana client

* add single_read option

* refactor

* refactor move check into separate function

* Fix tests

* refactor

* refactor getFindDashboardsFn

* add resource type to span attributes

* run ListObjects concurrently

* Use list and search in fewer cases

* adjust metrics buckets

* refactor: move Check and ListObjects to AccessControl implementation

* Revert "Fix tests"

This reverts commit b0c2f072a2.

* refactor: use own types for Check and ListObjects inside accesscontrol package

* Fix search scenario with low limit and empty query string

* more accurate search with checks

* revert

* fix linter

* Revert "revert"

This reverts commit ee5f14eea8.

* add search errors metric

* fix query performance under some conditions

* simplify check strategy

* fix pagination

* refactor findDashboardsZanzanaList

* Iterate over multiple pages while making check request

* refactor listUserResources

* avoid unnecessary db call

* remove unused zclient

* Add notes for SkipAccessControlFilter

* use more accurate check loop

* always use check for search with provided UIDs

* rename single_read to zanzana_only_evaluation

* refactor

* update go workspace

* fix linter

* don't use deprecated fields

* refactor

* fail if no org specified

* refactor

* initial integration tests

* Fix tests

* fix linter errors

* fix linter

* Fix tests

* review suggestions

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix limit

* refactor

* refactor tests

* fix db config in tests

* fix migrator (postgres)

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-10-04 12:27:10 +02:00
Charandas
af2e79aa83
K8s: namespace mapper should use authlib's util (#92332)
2024-08-27 15:01:42 -07:00
Alexander Zobnin
0e0c877609
Zanzana: Model fixed roles as a part of schema (#92364)
* model fixed roles for dashboards and folders

* Correctly translate fixed role assignments

* minor refactor

* assign fixed roles to teams

* fix linter errors

* Migrate general folder permissions for fixed roles

* fix dashboards:create permission
2024-08-27 15:39:22 +02:00
Dave Henderson
df3d8915ba
Chore: Bump Go to 1.23.0 (#92105)
* chore: Bump Go to 1.23.0

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>

* update swagger files

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>

* chore: update .bingo/README.md formatting to satisfy prettier

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>

* chore(lint): Fix new lint errors found by golangci-lint 1.60.1 and Go 1.23

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>

* keep golden file

* update openapi

* add name to expected output

* chore(lint): rearrange imports to a sensible order

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>

---------

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Ryan McKinley <ryantxu@gmail.com>
2024-08-21 11:40:42 -04:00
Alexander Zobnin
87c4f2448c
Zanzana: Use modular schema (#92001)
* Zanzana: Use modular schema

* Fix tests

* Add module transform tests
2024-08-19 11:10:51 +02:00
Alexander Zobnin
aaf33c7923
Zanzana: Migrate basic, fixed and custom roles (#91814)
* Zanzana: Migrate basic roles permissions

* add basic roles assignments

* refactor

* Sync basic roles permissions in all orgs

* migrate fixed roles

* map root folders to orgs

* fix basic role assignments in orgs

* migrate other roles

* migrate team roles assignments

* add notes about authorization schema

* don't migrate fixed roles
2024-08-15 16:13:27 +02:00
Karl Persson
8bcd9c2594
Identity: Remove typed id (#91801)
* Refactor identity struct to store type in separate field

* Update ResolveIdentity to take string representation of typedID

* Add IsIdentityType to requester interface

* Use IsIdentityType from interface

* Remove usage of TypedID

* Remove typedID struct

* fix GetInternalID
2024-08-13 10:18:28 +02:00
Ryan McKinley
243c0935fc
Auth: Use claims.AuthInfo in requester (#91739)
2024-08-09 19:46:56 +03:00
Alexander Zobnin
1cc438a56c
Zanzana: Evaluate dashboard and folder permissions (#91539)
* Zanzana: basic folder permissions checks

* Fix managed permissions for teams

* fix sync batch size

* add dashboards actions translations

* migrate folder tree

* migrate dashboard folders

* remove action sets from schema

* Adding more dashboard and folder-related permissions

* refactor

* Correctly translate dashboard permissions in folders

* fix dashboard parent permissions
2024-08-09 13:48:56 +02:00
Gabriel MABILLE
c76d1e04e8
Authz: Fix on-prem grpc authentication (#91341)
* Authz: Fix on-prem grpc authentication

Co-authored-by: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>

* Remove noAuth override

---------

Co-authored-by: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
2024-08-01 16:30:13 +03:00
Claudiu Dragalina-Paraipan
cf55ac5813
authz: set authzv1.ReadResponse.Found (#91212)
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
2024-07-30 18:26:54 +03:00
Claudiu Dragalina-Paraipan
05ab4cdd1f
[authz]: use authlib client (#91205)
authz: use authlib client

Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
2024-07-30 17:49:46 +03:00
Ryan McKinley
9db3bc926e
Identity: Rename "namespace" to "type" in the requester interface (#90567)
2024-07-25 12:52:14 +03:00
Karl Persson
c04be62b65
Zanzana: client integration test (#89997)
* Restructure

* Zanzana: Add integration tests for client

* skip mysql 5.7 integration tests
2024-07-04 11:23:48 +02:00
Karl Persson
cbbc12a31b
Zanzana: Sync team memberships (#89983)
* Zanzana: Use uid for users and teams

* Zanzana: Team membership migrator

---------

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2024-07-03 13:37:26 +02:00
Karl Persson
e568b86ac0
Zanzana: Initial work to allow partial data migrations (#89919)
* Zanzana: Add Write method to interface

* Zanzana: Add utilities for translating RBAC to openFGA tuple keys

* RBAC: Add zanzana synchronizer

* Run zanzana sync in access control provider
2024-07-02 14:45:25 +02:00
Alexander Zobnin
f1968bbcbb
Zanzana: Run OpenFGA HTTP server in standalone mode (#89914)
* Zanzana: Listen http to handle fga cli requests.

* make configurable

* start http server during service run

* wait for GRPC server to be ready

* remove unnecessary logs

* fix linter errors

* run only in devenv

* make address configurable
2024-07-02 11:14:09 +02:00
Alexander Zobnin
190892bc88
Zanzana: Initial schema loading (#89492)
* Zanzana: Dummy schema loading

* Load authorization model for client

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2024-06-27 13:57:06 +02:00
Karl Persson
eea7319a67
Zanzana: sqlite data store (#89486)
* Zanzana: Add sqlite3 store

* Zanzana: Initialize sqlite store with migrations
2024-06-25 09:52:33 +02:00
Ryan McKinley
5e95c1bdf8
Storage: Move grpc helper from entity store to resource store (#89490)
2024-06-20 22:32:19 +03:00
Alexander Zobnin
ba16c37126
Zanzana: Simple openfga client wrapper (#89430)
2024-06-20 10:37:16 +02:00
Karl Persson
3fe29809be
Zanzana: database migrations (#89390)
* Zanzana: Use grafana migrations to run openFGA migration files and initialize store.

* Add feature toggle

* Zanzana: return noop client if feature toggle is disabled
2024-06-19 15:59:47 +02:00
Alexander Zobnin
b3907ca5ec
Zanzana: Simple logger wrapper for openfga (#89396)
* Zanzana: Simple logger wrapper for openfga

* don't export
2024-06-19 13:55:31 +02:00
Karl Persson
606a74d0af
Zanzana: Initial work to run openFGA as embedded or standalone service (#89211)
* Zanzana: Initial work to run zanzana as embedded or standalone

* Add addr settings for when remote client is used.

* sync dependencies

* Lock mysql driver version
---------

Co-authored-by: Dan Cech <dcech@grafana.com>
2024-06-18 10:04:18 +02:00
Gabriel MABILLE
5f83fdef2c
AuthZ: GRPC client init and config options (#89161)
2024-06-18 06:13:24 +02:00
Gabriel MABILLE
afcb5a855c
AuthZ: embed an authorization server (#89018)
* AuthZ: embed an authorization server

* CODEOWNERS

* Remove swagger

* WIP

* Flatten structure and inject wireset

* sync mod files

* Rename authorization package

* Fix swagger gen

* CODEOWNERS

* Use itf instead of impl

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2024-06-13 11:41:35 +02:00