* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Migrate to Wire
* Refactor authinfoservice to use encryption service
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Apply suggestions from code review
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Migrate to Wire
* Undo non-desired changes
* Move Encryption bindings to OSS Wire set
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Fixes#30144
Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* Provide correct link for AGPL license
* Change LicenseURL to point go Grafana OSS page
* Keep utm_source query parameter
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Introduces org-level isolation for the Alertmanager and its components.
Silences, Alerts and Contact points are not separated by org and are not shared between them.
Co-authored with @davidmparrott and @papagian
* add a more flexible way to create permissions
* update interface for accesscontrol to use new eval interface
* use new eval interface
* update middleware to use new eval interface
* remove evaluator function and move metrics to service
* add tests for accesscontrol middleware
* Remove failed function from interface and update inejct to create a new
evaluator
* Change name
* Support Several sopes for a permission
* use evaluator and update fakeAccessControl
* Implement String that will return string representation of permissions
for an evaluator
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Make the evaluator prefix match only
* Handle empty scopes
* Bump version of settings read role
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Even without the ability to control the sort order or to filter, this notably improves usability for long lists of notification channels.
Partially fixes#20067.
This commit adds contact point testing to ngalerts via a new API
endpoint. This endpoint accepts JSON containing a list of
receiver configurations which are validated and then tested
with a notification for a test alert. The endpoint returns JSON
for each receiver with a status and error message. It accepts
a configurable timeout via the Request-Timeout header (in seconds)
up to a maximum of 30 seconds.
* Alerting: Expose discovered and dropped Alertmanagers
Exposes the API for discovered and dropped Alertmanagers.
* make admin config poll interval configurable
* update after rebase
* wordsmith
* More wordsmithing
* change name of the config
* settings package too
* Alerting: modify table and accessors to limit org access appropriately
* Update migration to create multiple Alertmanager configs
* Apply suggestions from code review
Co-authored-by: gotjosh <josue@grafana.com>
* replace mg.ClearMigrationEntry()
mg.ClearMigrationEntry() would create a new session.
This commit introduces a new migration for clearing an entry from migration log for replacing mg.ClearMigrationEntry() so that all dashboard alert migration operations will run inside the same transaction.
It adds also `SkipMigrationLog()` in Migrator interface for skipping adding an entry in the migration_log.
Co-authored-by: gotjosh <josue@grafana.com>
* Alerting: Send alerts to external Alertmanager(s)
Within this PR we're adding support for registering or unregistering
sending to a set of external alertmanagers. A few of the things that are
going are:
- Introduce a new table to hold "admin" (either org or global)
configuration we can change at runtime.
- A new periodic check that polls for this configuration and adjusts the
"senders" accordingly.
- Introduces a new concept of "senders" that are responsible for
shipping the alerts to the external Alertmanager(s). In a nutshell,
this is the Prometheus notifier (the one in charge of sending the alert)
mapped to a multi-tenant map.
There are a few code movements here and there but those are minor, I
tried to keep things intact as much as possible so that we could have an
easier diff.
* simplify toggle + add link to server admin
* feat(catalog): org admins can configure plugin apps, cannot install/uninstall plugins
* fix(catalog): dont show buttons if user doesn't have install permissions
* feat(catalog): cater for accessing catalog via /plugins and /admin/plugins
* feat(catalog): use location for list links and match.url to define breadcrumb links
* test(catalog): mock isGrafanaAdmin for PluginDetails tests
* test(catalog): preserve default bootdata in PluginDetails mock
* refactor(catalog): move orgAdmin check out of state and make easier to reason with
Co-authored-by: Will Browne <will.browne@grafana.com>
* AccessControl: Implement a way to register fixed roles
* Add context to register func
* Use FixedRoleGrantsMap instead of FixedRoleGrants
* Removed FixedRoles map to sync.map
* Wrote test for accesscontrol and provisioning
* Use mutexes+map instead of sync maps
* Create a sync map struct out of a Map and a Mutex
* Create a sync map struct for grants as well
* Validate builtin roles
* Make validation public to access control
* Handle errors consistently with what seeder does
* Keep errors consistant amongst accesscontrol impl
* Handle registration error
* Reverse the registration direction thanks to a RoleRegistrant interface
* Removed sync map in favor for simple maps since registration now happens during init
* Work on the Registrant interface
* Remove the Register Role from the interface to have services returning their registrations instead
* Adding context to RegisterRegistrantsRoles and update descriptions
* little bit of cosmetics
* Making sure provisioning is ran after role registration
* test for role registration
* Change the accesscontrol interface to use a variadic
* check if accesscontrol is enabled
* Add a new test for RegisterFixedRoles and fix assign which was buggy
* Moved RegistrationList def to roles.go
* Change provisioning role's description
* Better comment on RegisterFixedRoles
* Correct comment on ValidateFixedRole
* Simplify helper func to removeRoleHelper
* Add log to saveFixedRole and assignFixedRole
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
* wip
* Auth Info: refactored out into it's own service
* Auth: adds extension point where users are being mapped
* Update pkg/services/login/authinfoservice/service.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Update pkg/services/login/authinfoservice/service.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Auth: simplified code
* moved most authinfo stuff to its own package
* added back code
* linter
* simplified
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Alerting: Refactor `Run` of the scheduler
A bit of a refactor to make the diff easier to read for supporting
external Alertmanagers.
We'll introduce another routine that checks the database for
configuration and spawns other routines accordingly.
* Block the wait.
* Fix test
* initial attempt at automatic removal of stale states
* test case, need espected states
* finish unit test
* PR feedback
* still multiply by time.second
* pr feedback
* Pass role to Grafana using auth proxy
By default, the role will be applied to the default org of the user.
If the request uses the standard header "X-Grafana-Org-Id", the role will be applied to the specified org
Tested in both unit test and manually E2E
* Address comment: only allow the user role to be applied to the default org
Co-authored-by: Leonard Gram <leo@xlson.com>
* Alerting: deactivate an Alertmanager configuration
Implement DELETE /api/alertmanager/grafana/config/api/v1/alerts
by storing the default configuration which stops existing cnfiguration
from being in use.
* Apply suggestions from code review
* Expand the value of math and reduce expressions in annotations and labels
This commit makes it possible to use the values of reduce and math
expressions in annotations and labels via their RefIDs. It uses the
Stringer interface to ensure that "{{ $values.A }}" still prints the
value in decimal format while also making the labels for each RefID
available with "{{ $values.A.Labels }}" and the float64 value with
"{{ $values.A.Value }}"
* add macaron code to the code base
* remove unused secure cookies support from macaron
* clean up modules
* remove com dependency
* fix silly typos
* little cleanup, remove recovery middleware
* remove logger middleware
* remove static handler and remove unused context methods
* bring inject into macaron codebase
* remove unused applicator
* add back macaron license
* more cleanups in macaron code
* remove unused injector Set method
* remove unused context methods: param to int conversion, body helper type, cookie helpers
* remove action from context
* remove complex environment handling, we only use Env variable
* restore ReplaceAllParams to fix the tests
* Alerting: Refactor state manager as a dependency
Within the scheduler, the state manager was being passed around a
certain number of functions. I've introduced it as a dependency to keep
the "service" interfaces as clean and homogeneous as possible.
This is relevant, because I'm going to introduce live reload of these
components as part of my next PR and it is better if dependencies are
self-contained.
* remove unused functions
* Fix a few more tests
* Make sure the `stateManager` is declared before the schedule
* add fixed role for datasource read operations
* Add action for datasource explore
* add authorize middleware to explore index route
* add fgac support for explore navlink
* update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is
* add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default
* create function to evaluate permissions or using fallback if accesscontrol is disabled
* change hasAccess to prop and derive the value in mapStateToProps
* add test case to ensure buttons is not rendered when user does not have access
* Only hide return with changes button
* remove internal links if user does not have access to explorer
Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com>
* Add IsFolder field into models.GetDashboardQuery
* Reverted folderId - return dummy success when calling get folder with id 0
* Moved condition to upper level - add test
* Alerting: Allow __value__ label in notifications
was being removed by removePrivateItems
discoverd in #36020, but issue is not about that specifically
* __value__ label to __value_string__ annotation
and .ValueString extended property for notifications
* Fix deleting labels and annotations
* Add test
* Keep no data and error start if not provided
* Allow setting interval and for to zero during rule updates
* Alerting: Implement /status for the notification system
Implements the necessary plumbing to have a /status endpoint on the
notification system.
* Add API examples
* Update API specs
* Update prometheus/common dependency
Co-authored-by: Sofia Papagiannaki <sofia@grafana.com>
* add accesscontrol action for stats read
* use accesscontrol middleware for stats route
* add fixed role with permissions to read sever stats
* add accesscontrol action for settings read
* use accesscontrol middleware for settings route
* add fixed role with permissions to read settings
* add accesscontrol tests for AdminGetSettings and AdminGetStats
* add ability to scope settings
* add tests for AdminGetSettings
* Add new accesscontrol action for ldap config reload
* Update ldapAdminEditRole with new ldap config reload permission
* wrap /ldap/reload with accesscontrol authorize middleware
* document new action and update fixed:ldap:admin:edit with said action
* add fake accesscontrol implementation for tests
* Add accesscontrol tests for ldap handlers
Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
* Fix dashboard alert and nootifier migration for MySQL
* Fix POSTing Alertmanager configuration if no current configuration exists
in case the default configuration has not be stored yet
or has failed to get stored
* Change CreatedAt field type
* Alerting: Expand `{{$labels.xyz}}` template in labels and annotations
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
* Fix annotation not updating for same alert
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
* Alerting: Do not hard fail on templating errors in channels
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
* Fix review
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
When using mulit-dimensional Grafana managed alerts (e.g. SSE math) extract refIds values and labels so they can be shown in the notification and dashboards.
Threema Gateway supports two types of IDs: Basic IDs (where the
encryption is managed by the API server) and End-to-End IDs (where the
keys are managed by the user).
This plugin currently does not support End-to-End IDs (since it's much
more complex to implement, because the encryption needs to happen
locally). Add a few clarifications to the UI.
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
this should help Live to be enabled by default but still
do not affect setups with lots of simultenious users. To
properly handle many WS connections Grafana administrators
should tune infrastructure a bit - for example increase a
number of open files for a process. Will be in more details
in documentation.
* Usage Stats: Rename service to use a more idiomatic name
* Usage Stats: Update MetricsFunc definition and implementations
* Revert "Usage Stats: Rename service to use a more idiomatic name"
This reverts commit 910ecce3e8.
* Usage Stats: Update MetricsFunc definition and implementations
* starting to add eval logic.
* wip
* first version of test rule.
* reverted file.
* add info colum to result to show error or (with CC evalmatches)
* fix labels in evalmatch
* fix be test
* refactored using observables.
* moved widht/height div to outside panel rendere.
* adding docs api level.
* adding container styles to error div.
* increasing size of preview.
Co-authored-by: kyle <kyle@grafana.com>
* [Alerting]: forbid viewers for updating rules if viewers can edit
check for CanSave instead of CanEdit
* Clear ngalert tables when deleting the folder
* Apply suggestions from code review
* Log failure to check save permission
Co-authored-by: gotjosh <josue@grafana.com>
* Alerting: Opsgenie notification channel
This translate the opsgenie notification channel from the old alerting
system to the new alerting system with a few changes:
- The tag system has been replaced in favour of annotation.
- TBD
- TBD
Signed-off-by: Josue Abreu <josue@grafana.com>
* Fix template URL
* Bugfig: dont send resolved when autoClose is false
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
* Fix integration tests
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
* Fix URLs in all other channels
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
Co-authored-by: Ganesh Vernekar <ganeshvern@gmail.com>
Uses new httpclient package from grafana-plugin-sdk-go introduced
via grafana/grafana-plugin-sdk-go#328.
Replaces the GetHTTPClient, GetTransport, GetTLSConfig methods defined
on DataSource model.
Longer-term the goal is to migrate core HTTP backend data sources to use the
SDK contracts and using httpclient.Provider for creating HTTP clients and such.
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
* Add discord notifier channel and test
* Correct payload
* remove print statement
* PR feedback and update due to changes in main
* Add discord notifier channel and test
* Correct payload
* remove print statement
* PR feedback and update due to changes in main
* update constructor and tests
* group imports sensibly
* Fix lint
Signed-off-by: Ganesh Vernekar <ganeshvern@gmail.com>
Co-authored-by: Ganesh Vernekar <ganeshvern@gmail.com>
Rules/notifications/etc migration will now be activated with feature flag alone.
When the feature flag is enabled dashboard alerts are migrated into the system.
When the feature flag is removed, all migrated and newly created alerts in the new system are deleted.
* [Alerting]: Add sensugo notification channel
* Apply suggestions from code review
Co-authored-by: Ganesh Vernekar <15064823+codesome@users.noreply.github.com>
* Do not include labels with concatenated rule UID and names
* Modifications after syncing with main
Co-authored-by: Ganesh Vernekar <15064823+codesome@users.noreply.github.com>
When, and currently only when using a classic condition, evaluation information is added (which is like the EvalMatches from dashboard alerting).
This is returned via the API and can be included in notifications by reading the `__value__` label attached `.Alerts` in the template. It is a string.
* Alerting: Allow the notifier to log
The notifier upstream code uses go-kit as its logging library. The
grafana specific logger is not compatible with this API. In this PR, I
have created a wrapper that implements io.Writer to make them
compatible.
This patch adds metrics to support instrumenting the accesscontrols package.
It also instruments the accesscontrol evaluator and the permissions function.
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Instead put in package folder but with package name suffixed with _test
This enables code coverage within the pkg while still allow the tests to operate from external to package perspective (only exported things).
* Rendering: add CSV rendering support
* Rendering: save csv files into a separate folder
* add missing field
* Renderer: get filename from renderer plugin
* apply PR suggestions
* Rendering: remove old PhantomJS error
* Rendering: separate RenderCSV and Render functions
* fix alerting test
* Rendering: fix handling error in HTTP mode
* apply PR feedback
* Update pkg/services/rendering/http_mode.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* apply PR feedback
* Update rendering metrics with type label
* Rendering: return error if not able to parse header
* Rendering: update grpc generated file
* Rendering: use context.WithTimeout to render CSV too
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
