* Add RBAC section to settings
* Default to RBAC enabled settings to true
* Update tests to respect RBAC
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* AccessControl: Make the built-in role definitions public
* Add context to RegisterFixedRoles
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Making BuiltInRolesWithParents public to the AccessControl package
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* AccessControl: Remove package variables for roles and grants
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Check for inheritance during role registration
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Moving back role definition to accessscontrol
* Make settings reader role public
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Nits
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Forgot to update this
* Account for declaration error
* Fixing pkg/api init ossac
* Account for error in tests
* Update test to verify inheritance
* Nits.
* Place br inheritance behind a feature toggle
* Parent -> Parents
* Nit.
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* AccessControl: Add endpoint to get user permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Fix SA tests
* Linter is wrong :p
* Wait I was wrong
* Adding the route for teams:creator too
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* AccessControl: POC scope attribute resolution
Refactor based on ScopeMutators
test errors and calls to cache
Add comments to tests
Rename logger
Create keywordMutator only once
* AccessControl: Add AttributeScopeResolver registration
Co-authored-by: gamab <gabriel.mabille@grafana.com>
* AccessControl: Add AttributeScopeResolver to datasources
Co-authored-by: gamab <gabriel.mabille@grafana.com>
* Test evaluation with translation
* fix imports
* AccessControl: Test attribute resolver
* Fix trailing white space
* Make ScopeResolver public for enterprise redefine
* Handle wildcard
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: jguer <joao.guerreiro@grafana.com>
* AccessControl: Check permissions in target org
* Remove org scopes and add an authorizeInOrg middleware
* Use query result org id and perform users permission check globally for GetOrgByName
* Remove scope translation for orgs current
* Suggestion from Ieva
Fixes#30144
Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* add a more flexible way to create permissions
* update interface for accesscontrol to use new eval interface
* use new eval interface
* update middleware to use new eval interface
* remove evaluator function and move metrics to service
* add tests for accesscontrol middleware
* Remove failed function from interface and update inejct to create a new
evaluator
* Change name
* Support Several sopes for a permission
* use evaluator and update fakeAccessControl
* Implement String that will return string representation of permissions
for an evaluator
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* AccessControl: Implement a way to register fixed roles
* Add context to register func
* Use FixedRoleGrantsMap instead of FixedRoleGrants
* Removed FixedRoles map to sync.map
* Wrote test for accesscontrol and provisioning
* Use mutexes+map instead of sync maps
* Create a sync map struct out of a Map and a Mutex
* Create a sync map struct for grants as well
* Validate builtin roles
* Make validation public to access control
* Handle errors consistently with what seeder does
* Keep errors consistant amongst accesscontrol impl
* Handle registration error
* Reverse the registration direction thanks to a RoleRegistrant interface
* Removed sync map in favor for simple maps since registration now happens during init
* Work on the Registrant interface
* Remove the Register Role from the interface to have services returning their registrations instead
* Adding context to RegisterRegistrantsRoles and update descriptions
* little bit of cosmetics
* Making sure provisioning is ran after role registration
* test for role registration
* Change the accesscontrol interface to use a variadic
* check if accesscontrol is enabled
* Add a new test for RegisterFixedRoles and fix assign which was buggy
* Moved RegistrationList def to roles.go
* Change provisioning role's description
* Better comment on RegisterFixedRoles
* Correct comment on ValidateFixedRole
* Simplify helper func to removeRoleHelper
* Add log to saveFixedRole and assignFixedRole
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
* Usage Stats: Rename service to use a more idiomatic name
* Usage Stats: Update MetricsFunc definition and implementations
* Revert "Usage Stats: Rename service to use a more idiomatic name"
This reverts commit 910ecce3e8.
* Usage Stats: Update MetricsFunc definition and implementations
Following discussion in grafana/grafana-enterprise#1292, removing
org-scoped users scopes to make it clear that the local organization is
the default and the alternative to that is a global scope (for a select
few endpoints)
* Move db package WIP
* Implement OSS access control
* Register OSS access control
* Fix linter error in tests
* Fix linter error in evaluator
* Simplify OSS tests
* Optimize builtin roles
* Chore: add comments to the exported functions
* Remove init from ossaccesscontrol package (moved to ext)
* Add access control as a dependency for http server
* Modify middleware to receive fallback function
* Middleware: refactor fallback function call
* Move unused models to enterprise
* Simplify AccessControl type
* Chore: use bool IsDisabled() method instead of CanBeDisabled interface
