* Alerting: Add config disabled_labels to disable reserved labels
[unified_alerting.reserved_labels]
disabled_labels
* Replace IsGrafanaFolderDisabled with more generic IsReservedLabelDisabled
* Simplify SchedulerCfg by including UnifiedAlertingSettings
* I18n: Set default locale in server config and expose in grafanaBootData
* put default locale behind feature flag
* update tests now that default locale is behind feature flag
* little bit of PR feedback
* update sample.ini
* added troubleshooting for "origin not allowed" messages
* include in configuration.ini
* moved doc to security
* removed enterprise congiruation
* Update conf/sample.ini
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add RBAC section to settings
* Default to RBAC enabled settings to true
* Update tests to respect RBAC
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Expose option to disable help menu
* Expose option to disable profile menu
* Add Profile FeatureTogglePage
* Update public/app/features/profile/FeatureTogglePage.tsx
Uptake PR wording suggestion.
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Fix front end lint issue
* Fix back end lint issue
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* AzureAD OAuth: Add optional strict parsing of role_attribute_path for Azure AD
Fix casting issues
modify unit tests
Unit test fix
Add proper test args
* Return empty role when using strict attribute mode
* Raise error on empty role
* Fix UT for latest case
* Chore: add setting to skip org assignment for external users
Introduce 'skip_org_role_update_sync' setting to skip any kind of org assignment during the login of external users.
As a consequence manual organization assignments won't be overridden during the upsert of an external user.
Part of #22605
* Chore: Rename skip_org_role_update_sync to oauth_skip_org_role_update_sync and relocate it to auth section
* Chore: replace global setting access where possible
* Create config to enable/disable query history
* Create add to query history functionality
* Add documentation
* Add test
* Refactor
* Add test
* Fix built errors and linting errors
* Refactor
* Remove old tests
* Refactor, adjust based on feedback, add new test
* Update default value
* Add interface Tracer, add Opentelemetry
* Fix lint
* Fix failing tests and return error if config not parsed fo opentelemetry
* Update defaults.ini
Add comment with jaeger url
* go mod tidy
* Remove comments that are not needed
* Move OpentracingSpan to tracing.go
* Add opentelemetry to sample.ini
* update AlertingEnabled and UnifiedAlertingSettings.Enabled to be pointers
* add a pseudo migration to fix the AlertingEnabled and UnifiedAlertingSettings.Enabled if the latter is not defined
* update the default configuration file to make default value for both 'enabled' flags be undefined
Misc
* update Migrator to expose DB engine. This is needed for a ualert migration to access the database while the list of migrations is created.
* add more verbose failure when migrations do not match
Co-authored-by: gotjosh <josue@grafana.com>
Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
Co-authored-by: gillesdemey <gilles.de.mey@gmail.com>
* refactor(plugins): use routes specific to the new plugins/admin
* refactor(plugins): remove unused pages (PluginList, PluginItem)
* refactor(plugins): remove PluginPage
* refactor(plugins): remove UpdatePluginModal
* refactor(plugins): move AppConfigWrapper under plugins/admin
* refactor(plugins): move PluginDashboards under plugins/admin
* refactor(plugins): rename the "specs" folder to "tests"
* refactor(plugins): move test files to /tests folder
* refactor(plugins): move AppRootPage into a /components folder
* refactor(plugins): move PluginsErrorsInfo into a /plugins folder
* refactor(plugins): move PluginSettingsCache into a /components folder
* refactor(plugins): move PluginStateInfo into a /plugins folder
* refactor(plugins): move AppRootPage.test.tsx next to the tested component
* refactor(plugins): remove old snapshot tests
* fix(plugins): fix tests
* refactor(plugins/admin): move & rename PluginSettingsCache
* fix(plugins): fix a few rebase issues
* Plugins: remove deprecated code (state handling) (#41739)
* refactor(plugins): use the plugins/admin reducer only
* refactor(plugins): remove tests for the deprecated plugins reducer
* refactor(plugins): remove tests for the deprecated plugins selectors
* refactor(plugins/state): add a short comment note to selectors
* feat(plugins/state): add a selector for selecting errors
* feat(plugins/state): add a hook for getting plugin errors
* refactor(plugins): udpate the PluginsErrorsInfo component to use the new state selectors
* refactor(plugins/state): remove the old (deprecated) selectors
* refactor(plugins/state): use the new actions under /admin
* refactor(plugins/state): remove old (deprecated) reducers and actions
* refactor(plugins): update component definition
* fix(plugins): remove unnecessary {children} prop for PluginsErrorsInfo
* Plugins: show / hide install controls based on the `pluginAdminEnabled` flag (#41749)
* docs(plugins): update documentation for the `plugin_admin_enabled` flag
* refactor(InstallControls): move the main component to a named module
* feat(plugins): use the `pluginAdminEnable` flag to hide / show install controls in the UI
* test(plugins): add tests for enabling/disabling install controls
Adds a new setting dataproxy.row_limit that allows an operator to limit the
amount of rows being processed/accepted in response to database queries
originating from SQL data sources.
Closes#38975
Ref #39095
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Introduce response_limit for datasource responses
* Fix lint
* Fix tests
* Add case where limit <= 0 - added parametrized tests
* Add max_bytes_reader.go
* Use new httpclient.MaxBytesReader instead of net/http one
* Fixes according to reviewer's comments
* Add tests for max_bytes_reader
* Add small piece in configuration.md
* Further fixes according to reviewer's comments
* Fix linting - fix test
* Alerting: Expose discovered and dropped Alertmanagers
Exposes the API for discovered and dropped Alertmanagers.
* make admin config poll interval configurable
* update after rebase
* wordsmith
* More wordsmithing
* change name of the config
* settings package too
* Introduce dataproxy_max_idle_connections config var
* Fix according to reviewer's comments
* Fix according to reviewer's comments - round 2
* Remove unused const
* Bring back MaxIdleConnsPerHost
* Fixes according to reviewer's comments
Added group mapping to support team sync in the Generic OAuth provider.
Co-authored-by: Leonard Gram <leo@xlson.com>
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: Dan Cech <dan@aussiedan.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Security: Update default content_security_policy_template
- Add 'strict-dynamic' back to script-src
- Add ws(s)://$ROOT_PATH to connect-src
- Change onEvent to on-event in angular templates to fix CSP issues in firefox.
- Add blob: to style-src
this should help Live to be enabled by default but still
do not affect setups with lots of simultenious users. To
properly handle many WS connections Grafana administrators
should tune infrastructure a bit - for example increase a
number of open files for a process. Will be in more details
in documentation.
* click out to gcom when config enabled
* set to false
* fix styling for uninstall
* remove advertising config + simplify callout URL
* add entry to configuration.md
* update config name
* update lingo
* HTTP Client: Add `ResponseHeaderTimeout` - split from `DialContext` timeout
* Fixes according to reviewer's comments
* Use grafana-plugin-sdk-go v0.100.0
Uses new httpclient package from grafana-plugin-sdk-go introduced
via grafana/grafana-plugin-sdk-go#328.
Replaces the GetHTTPClient, GetTransport, GetTLSConfig methods defined
on DataSource model.
Longer-term the goal is to migrate core HTTP backend data sources to use the
SDK contracts and using httpclient.Provider for creating HTTP clients and such.
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
* CSP: Relax default template, due to nonces not working
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
* CSP: Add back data: to img-src
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
* add uninstall flow
* add install flow
* small cleanup
* smaller-footprint solution
* cleanup + make bp start auto
* fix interface contract
* improve naming
* accept version arg
* ensure use of shared logger
* make installer a field
* add plugin decommissioning
* add basic error checking
* fix api docs
* making initialization idempotent
* add mutex
* fix comment
* fix test
* add test for decommission
* improve existing test
* add more test coverage
* more tests
* change test func to use read lock
* refactoring + adding test asserts
* improve purging old install flow
* improve dupe checking
* change log name
* skip over dupe scanned
* make test assertion more flexible
* remove trailing line
* fix pointer receiver name
* update comment
* add context to API
* add config flag
* add base http api test + fix update functionality
* simplify existing check
* clean up test
* refactor tests based on feedback
* add single quotes to errs
* use gcmp in tests + fix logo issue
* make plugin list testing more flexible
* address feedback
* fix API test
* fix linter
* undo preallocate
* Update docs/sources/administration/configuration.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Update docs/sources/administration/configuration.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Update docs/sources/administration/configuration.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* fix linting issue in test
* add docs placeholder
* update install notes
* Update docs/sources/plugins/marketplace.md
Co-authored-by: Marcus Olsson <marcus.olsson@hey.com>
* update access wording
* add more placeholder docs
* add link to more info
* PR feedback - improved errors, refactor, lock fix
* improve err details
* propagate plugin version errors
* don't autostart renderer
* add H1
* fix imports
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: Marcus Olsson <marcus.olsson@hey.com>
* add parameter empty_scopes to override scope parameter with empty value and thus be able to authenticate against IdPs without scopes. Issue #27503
Update docs/sources/auth/generic-oauth.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* updated check according to feedback
* Update generic-oauth.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* add isolation level db configuration parameter
* add isolation_level to default.ini and sample.ini
* add note that only mysql supports isolation levels for now
* mention isolation_level in the documentation
* Update docs/sources/administration/configuration.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Quota: Extend service to set limit on alerts
* Add test for applying quota to alert rules
* Apply suggestions from code review
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
* Get used alert quota only if naglert is enabled
* Set alert limit to zero if nglalert is not enabled
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
* OAuth: Add strict role mapping
By default the user is assigned the role Viewer if role_attribute_path
doesn't return a role, which is not always desirable. This commit adds a
strict mode, which deny the user access if a role isn't returned.
Fix#26626
* Update docs/sources/auth/generic-oauth.md
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Update docs/sources/auth/generic-oauth.md
* Update .gitignore file with WAN
* Removed WAN from .gitignore
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: achatterjee-grafana <aparajita.chatterjee@grafana.com>
* CDN: Initial poc support for serving assets over a CDN
* Minor fix
* added build path and test
* fix lint error
* Added edition to cdn path
* Move master builds to a separate path
* Added error handling for the url parsing, changed setting name, and added docs
* Updated sample.ini
* Some property renames
* updated
* Minor update to html
* index template improvements
* Update docs/sources/administration/configuration.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Update docs/sources/administration/configuration.md
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Added ContentDeliveryPrefix to Licence service
* updated docs
* Updated test mock
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* SQLStore: customise the limit of retrieved datasources per organisation
* update all suggestions regarding nil or 0 as default
* Apply suggestions from code review
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* correct default.ini description + adding unittest
* Apply suggestions from code review
Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
* modify unittest name
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
* Add an option to hide certain users in the UI
* revert changes for admin users routes
* fix sqlstore function name
* Improve slice management
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Hidden users: convert slice to map
* filter with user logins instead of IDs
* put HiddenUsers in Cfg struct
* hide hidden users from dashboards/folders permissions list
* Update conf/defaults.ini
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
* fix params order
* fix tests
* fix dashboard/folder update with hidden user
* add team tests
* add dashboard and folder permissions tests
* fixes after merge
* fix tests
* API: add test for org users endpoints
* update hidden users management for dashboard / folder permissions
* improve dashboard / folder permissions tests
* fixes after merge
* Guardian: add hidden acl tests
* API: add team members tests
* fix team sql syntax for postgres
* api tests update
* fix linter error
* fix tests errors after merge
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* expire with existng cleanup service
* expire with new temp user service
* make Drone happy :)
* add expiry status
* remove other approach
* cleanup
* add test for idempotency
* add migration from datetime to unix ts
* update cmd names
* change lifetime config to duration
* remove unnecessart formatting
* add comment
* update docs
* remove max bound and introduce min error
* simplify sql
* remove comment
* allow any outstanding to exist for at least 24 hours
* revert created ts change
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* add extra state check to cleanup step
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Add a default timezone that the administrator can set in the settings.
This setting is be used as default for the users timezone preference.
Can be used when creating Grafana instances without administrator
intervention, in order to give user the correct default timezone.
Fixes#25654
Allows login_maximum_inactive_lifetime_duration and
login_maximum_lifetime_duration to be configured using
time.Duration-compatible values while retaining backward compatibility.
Fixes#17554
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Add support for local time formats in graph panel
* Enfore 24h format for backward compatibility
* Use existing Intl.DateTimeFormatOptions
* Pre-generate time scale, add tests
* Move localTimeFormat, add local format to units
* updated default fallback
* #25602, use navigator.languages to enforce locale in formatting
* Making options
* Worked new system settings
* things are working
* Local browser time formats working
* Support parsing dates in different formats
* settings updated
* Settings starting to work
* Fixed graph issue
* Logs fix
* refactored settings a bit
* Updated and name change
* Progress
* Changed config names
* Updated
* Updated
* Updated test
* Synced description
* fixed ts issue
* Added version notice
* Ts fix
* Updated heatmap and test
* Updated snapshot
* Updated
* fixed ts issue
* Fixes
Co-authored-by: Alex Shpak <alex-shpak@users.noreply.github.com>
60s can be too short if the oauth provider is slow
for some reason and its defintly too slow if the
OAuth provider requires 2FA.
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
For backend data sources executing in the backend (not through data proxy) make
sure that the timeout applies to cached HTTP client.
Fixes#25863
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
* Settings: Add setting for hiding version number for anonymous users
Fixes#12925
* Hide version string from footer when unavailable
* Settings: Test frontend settings with hide version for anonymous users
* Settings: Add hide version variable to frontend settings
* Make AnonymousHideVersion non-global
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
* Settings: Improve test neighbor friendliness, reset state before and after
* Settings: Use T.Cleanup
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
grafana-plugin-model is legacy and is replaced by new backend
plugins SDK and architecture. Renderer is not part of SDK and
we want to keep it that way for now since it's highly unlikely there
will be more than one kind of renderer plugin.
So this PR adds support for renderer plugin v2.
Also adds support sending a Device Scale Factor parameter to the
plugin v2 remote rendering service and by that replaces #22474.
Adds support sending a Headers parameter to the plugin v2 and
remote rendering service which for now only include
Accect-Language header (the user locale in browser when using
Grafana), ref grafana/grafana-image-renderer#45.
Fixes health check json details response.
Adds image renderer plugin configuration settings in defaults.ini
and sample.ini.
Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
* Cookie : Increase duration to avoid error
When using oauth2 authentication with multifactor, the 60s delay may be too short
* Introduce new setting for OAuth state cookie max age
Co-authored-by: Sofia Papagiannaki <sofia@grafana.com>
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
This feature would provide a way for administrators to limit the minimum
dashboard refresh interval globally.
Filters out the refresh intervals available in the time picker that are lower
than the set minimum refresh interval in the configuration .ini file
Adds the minimum refresh interval as available in the time picker.
If the user tries to enter a refresh interval that is lower than the minimum
in the URL, defaults to the minimum interval.
When trying to update the JSON via the API, rejects the update if the
dashboard's refresh interval is lower than the minimum.
When trying to update a dashboard via provisioning having a lower
refresh interval than the minimum, defaults to the minimum interval
and logs a warning.
Fixes#3356
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Implement Azure AD oauth
* Use go-jose and cleanup
* Update go-jose in go.mod
* cleanup
* Add unit tests
* Fix scopes
* Add documentation page
* Improve documentation
* Convert extract_role into function.
* Do not use upn and replace unique_name with preferred_username
* Configure login button
* Use official microsoft icon and color from branding guideline.
* Add Azure AD config section in sample.ini.
Breaking change: If disabled the cookie samesite cookie attribute
will not be set, but if none the attribute will be set and is a
breaking change compared to before where none did not render the
attribute. This was due to a known issue in Safari.
Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
Fixes#19847
* add min_interval_seconds setting to alerting config
It will let operator enforce a minimum time for the scheduler to enqueue evaluations
* Introduce UI modifications
* Update docs
Co-authored-by: Martin <uepoch@users.noreply.github.com>
* imguploader: add support for non-Amazon S3 endpoints and forcing of path-style S3 addressing
fixes#11240
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
Removes send_client_credentials_via_post oauth setting and
use auto-detect mechanism instead.
By these changes also fixes statichcheck errors
Ref #8968
Adds a new setting disable_admin_user and when true the default
admin user will not be created when Grafana starts for the first
time (or no users exists in the system).
Closes#19038
* AuthProxy: Can now login with auth proxy and get a login token
* added unit tests
* renamed setting and updated docs
* AuthProxy: minor tweak
* Fixed tests and namings
* spellfix
* fix
* remove unused setting, probably from merge conflict
* fix
Adds support for Generic OAuth role mapping. A new
configuration setting for generic oauth is added named
role_attribute_path which accepts a JMESPath expression.
Only Grafana roles named Viewer, Editor or Admin are
accepted.
Closes#9766
Adds a new "Image Rendering" page in Administration section.
Updates configuration page with rendering settings and also
default.ini and sample.ini.
Updates and cleanup pages that referencing image rendering.
Ref #18914
Don't update total stats metrics if reporting is disabled.
New setting disable_total_stats for turning off update
of total stats (stat_totals_*) metrics.
Ref #19137
* Update defaults.ini and sample.ini with the SAML assertion mapping
fields
* Document Grafana's ability to map ACS attributes while a Grafana user is created
* docs: Link to SAML docs and document configuration options
- Document configuration options `defaults.ini` and `sample.ini`
- Add the SAML documentation
- Link to the SAML documentation from "what's new in 6.3"
* LDAP:Docs: `active_sync_enabled` setting
Mention `active_sync_enabled` setting and enable it by default
* LDAP: move "disableExternalUser" method
Idea behind new design of the LDAP module is to minimise conflation
between other parts of the system, so it would decoupled as much as
possible from stuff like database, HTTP transport and etc.
Following "Do One Thing and Do It Well" Unix philosophy principal, other things
could be better fitted on the consumer side of things.
Which what this commit trying to archive
* LDAP: correct user/admin binding
The second binding was not happening, so if the admin login/password
in LDAP configuration was correct, anyone could had login as anyone using
incorrect password
* Add SAML configuration options
* Add crewjam/saml as a depdency
Needed as part of the enterprise SAML integration.
* Vendor github.com/stretchr/testify/require
The package require implements the same assertions as the `assert` package but stops test execution when a test fails.
* x_xss_protection
* strict_transport_security (HSTS)
* x_content_type_options
these are currently defaulted to false (off) until the next minor release.
fixes#17509
* wip: fix remote cache for redis
connstr parsing and non-negative expires for #17377
TODO: finish parse, check zero case, find out why negative duration in the first place
* finish parse.
Still TODO, find out negative value, and decide if would be better to make database specific entries in the .ini file
* update ini files
* remove accidental uncomment in defaults.ini
* auth_proxy: expiration non-negative so expiration is not in the past
* fix test, revert neg in redis
* review: use errutil