Commit Graph

24 Commits

Author SHA1 Message Date
Gabriel MABILLE
818b8739c0
AccessControl: Remove scopes from orgs endpoints (#41709)
* AccessControl: Check permissions in target org

* Remove org scopes and add an authorizeInOrg middleware

* Use query result org id and perform users permission check globally for GetOrgByName

* Remove scope translation for orgs current

* Suggestion from Ieva
2021-11-17 10:12:28 +01:00
Jeremy Price
69c5370e94
Accesscontrol: Add additional API keys to service account, move cloneserviceaccount to sqlstore (#41189)
* Add additional api key, move cloneserviceaccount

* Remove TODOs, for now

* Error messages

* Linter

* Security check

* Add comments

* Take service account id from correct variable

* Update user.go
2021-11-11 10:42:21 +00:00
ying-jeanne
54de1078c8
remove the global log error/warn etc functions (#41404)
* remove the global log error/warn etc functions and use request context logger whenever possible
2021-11-08 17:56:56 +01:00
idafurjes
9340430723
Chore: Add alert ctx (#41161)
* Add context for alert

* Remove context.TODO

* Remove xorm

* Remove context.TODO

* Fix UsageStatsQuerier interface
2021-11-03 14:10:39 +01:00
ying-jeanne
681218275e
remove crit and trace (#40320) 2021-10-26 17:36:24 +02:00
Jeremy Price
6dbb6408d4
Access Control: Add service accounts (#38994)
* Add extra fields to OSS types to support enterprise

* Create a service account at the same time as the API key

* Use service account credentials when accessing API with APIkey

* Add GetRole to service, merge RoleDTO and Role structs

This patch merges the identical OSS and Enterprise data structures, which improves the code for two reasons:

1.  Makes switching between OSS and Enterprise easier
2.  Reduces the chance of incompatibilities developing between the same functions in OSS and Enterprise

* If API key is not linked to a service account, continue login as usual

* Fallback to old auth if no service account linked to key

* Add CloneUserToServiceAccount

* Adding LinkAPIKeyToServiceAccount

* Handle api key link error

* Better error messages for OSS accesscontrol

* Set an invalid user id as default

* Re-arrange field names

* ServiceAccountId is integer

* Better error messages

Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2021-10-20 14:36:11 +02:00
Gabriel MABILLE
fbc6febb0e
AccessControl: keyword scope resolution (#40229) 2021-10-19 14:40:21 +02:00
Tania B
990911a3b9
Chore: Cleanup usageStatsMock duplication (#39710)
* Chore: Cleanup usageStatsMock duplication

* Remove making a new slice for UsageStatsMock
2021-09-29 09:59:02 +03:00
Tania B
b9acdce837
Chore: Fix grafana live stats reset when sending usage stats (#39558) 2021-09-23 12:55:00 +03:00
Joan López de la Franca Beltran
a680162792
Usage Stats: Split domain & service packages (#39488) 2021-09-21 20:50:37 +02:00
Arve Knudsen
78596a6756
Migrate to Wire for dependency injection (#32289)
Fixes #30144

Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
2021-08-25 15:11:22 +02:00
Karl Persson
7ebf4027a7
Access Control: refactor permission evaluator to be more flexible (#35996)
* add a more flexible way to create permissions

* update interface for accesscontrol to use new eval interface

* use new eval interface

* update middleware to use new eval interface

* remove evaluator function and move metrics to service

* add tests for accesscontrol middleware

* Remove failed function from interface and update inejct to create a new
evaluator

* Change name

* Support Several sopes for a permission


* use evaluator and update fakeAccessControl

* Implement String that will return string representation of permissions
for an evaluator

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
Jeremy Price
e8e1a0b50b
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535)
This reverts commit 55efeb0c02.
2021-08-04 14:44:37 +02:00
Emil Tullstedt
55efeb0c02
Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)
This reverts commit 88c11f1cc0.
2021-07-30 13:58:49 +02:00
Gabriel MABILLE
88c11f1cc0
AccessControl: Implement a way to register fixed roles (#35641)
* AccessControl: Implement a way to register fixed roles

* Add context to register func

* Use FixedRoleGrantsMap instead of FixedRoleGrants

* Removed FixedRoles map to sync.map


* Wrote test for accesscontrol and provisioning

* Use mutexes+map instead of sync maps

* Create a sync map struct out of a Map and a Mutex

* Create a sync map struct for grants as well

* Validate builtin roles

* Make validation public to access control

* Handle errors consistently with what seeder does

* Keep errors consistant amongst accesscontrol impl

* Handle registration error

* Reverse the registration direction thanks to a RoleRegistrant interface

* Removed sync map in favor for simple maps since registration now happens during init

* Work on the Registrant interface

* Remove the Register Role from the interface to have services returning their registrations instead

* Adding context to RegisterRegistrantsRoles and update descriptions

* little bit of cosmetics

* Making sure provisioning is ran after role registration

* test for role registration

* Change the accesscontrol interface to use a variadic

* check if accesscontrol is enabled

* Add a new test for RegisterFixedRoles and fix assign which was buggy

* Moved RegistrationList def to roles.go

* Change provisioning role's description

* Better comment on RegisterFixedRoles

* Correct comment on ValidateFixedRole

* Simplify helper func to removeRoleHelper

* Add log to saveFixedRole and assignFixedRole

Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
2021-07-30 09:52:09 +02:00
Joan López de la Franca Beltran
d9e500b654
UsageStats: Expose what ds types should be reported (#35916) 2021-07-07 23:12:00 +02:00
Joan López de la Franca Beltran
f601921670
Usage Stats: Make the UsageStatsService extension point more flexible (#34778)
* Usage Stats: Rename service to use a more idiomatic name

* Usage Stats: Update MetricsFunc definition and implementations

* Revert "Usage Stats: Rename service to use a more idiomatic name"

This reverts commit 910ecce3e8.

* Usage Stats: Update MetricsFunc definition and implementations
2021-05-27 10:53:10 +02:00
Emil Tullstedt
0f4806db8a
Access control: Rename predefined roles to fixed roles (code) (#34469)
* s/grafana:roles:/fixed:/

* Update free text references to predefined roles
2021-05-25 15:36:01 +02:00
Vardan Torosyan
1e566e7783
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107)
* Access control: Add phone-home metrics to check if fine-grained access control is enabled or not

* Apply suggestions from code review
2021-05-17 16:33:38 +02:00
donomii
fc451cf277
Access Control: Add histograms for evaluator and permissions checks (#34026)
This patch adds metrics to support instrumenting the accesscontrols package.
It also instruments the accesscontrol evaluator and the permissions function.

Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2021-05-17 13:52:16 +02:00
Emil Tullstedt
4496ae496e
Access control: Clean up users scopes (#33532)
Following discussion in grafana/grafana-enterprise#1292, removing
org-scoped users scopes to make it clear that the local organization is
the default and the alternative to that is a global scope (for a select
few endpoints)
2021-05-03 10:27:12 +02:00
Vardan Torosyan
9f82eac833
Access control: Add access control based permissions to admins/users (#32409)
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 16:31:27 +02:00
Alexander Zobnin
7ea58f9cf5
Access Control: Move database-related models to enterprise (#32907)
* Move database-related models to enterprise

* Chore: use GetUserBuiltInRoles() method

* Rename permission to action
2021-04-13 16:28:11 +03:00
Alexander Zobnin
823f0bc460
Access Control: move features to Enterprise (#32640)
* Move db package WIP

* Implement OSS access control

* Register OSS access control

* Fix linter error in tests

* Fix linter error in evaluator

* Simplify OSS tests

* Optimize builtin roles

* Chore: add comments to the exported functions

* Remove init from ossaccesscontrol package (moved to ext)

* Add access control as a dependency for http server

* Modify middleware to receive fallback function

* Middleware: refactor fallback function call

* Move unused models to enterprise

* Simplify AccessControl type

* Chore: use bool IsDisabled() method instead of CanBeDisabled interface
2021-04-06 16:49:09 +03:00