* Add getter to FolderAPIBuilder so that we can access it in admission
* Remove deprecated return
* Fix test
* Update pkg/registry/apis/folders/register_test.go
Co-authored-by: maicon <maiconscosta@gmail.com>
* Fix maxNested folder test
* Remove log
---------
Co-authored-by: maicon <maiconscosta@gmail.com>
* add user ID API translation
* add uid to user frontend
* use users' UIDs in admin pages
* fix ldapSync page
* use global user search for user by UID
* remove active org filtering
* remove orgID params
* Improves initial indexing speed. Makes params configurable.
* fix linter errors
* removes kind param
* updates index test
* remove println from test
* removes error check in test
* adds log for high index latency ands updates max goroutine var with workers config var
* fix test timing out - set worker limit
* set the batch size
---------
Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
* Rename to CheckObject
* Implement authz.AccessClient
* Move folder tree to reconciler and use new schema
* Move shared functionality to common package
* Add reconciler for managed permissions and resource translations
* Add support for folder resources
* Fix folder status error message
* Add test for folder creation response message
* Add TestFoldersCreateAPIEndpointK8S fixes
* Fix message returned when user has no permissions
* WIP: setup to test folders GetAuthorizer
* Setup test
* Extract authorizer fn for tests
* Setup internal test fn
* Better define test inputs
* Add FolderAPI builder to the test
* First test passing
* Test getAuthorize for the create method
* Change authorizerFunc's signature
* [REVIEW] code readability
* Name error
* [REVIEW] add one more test case. Lint
* Remove empty line
* Implement initial check with schema for generic resources
* Implement List and add tests
* Add namespace type and change to folder_resource name
* Handle namespace grants for typed resources
* Run tests as integration tests
* Add support for verb in list requests
* FIX: Remove the checks for lbac rules inside of datasources
* Remove json validation for lbac rules
* Preserve lbac rules in updates
* Refactored test to remove the table structure
* refactor: change to allow naming and concise override instead of complex branching
* refactor to make sure we set an empty field for updates
* bugfix
* check for datasources.JsonData
* fix merge
* add datasource to check for field presence only
* add function call for readability
* Introduce new models RoutingTree, RouteDefaults and Route and api-server to serve them that is backed by provisioning notification policy service.
* update method UpdatePolicyTree of notification policy service to return route and new version
* declare new actions alert.notifications.routes:read and alert.notifications.routes:write and two corresponding fixed roles.
---------
Co-authored-by: Tom Ratcliffe <tom.ratcliffe@grafana.com>
Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>
* UniStore: add FoldersCreate Endpoint test
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
---------
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* extracted in-proc mode to #93124
* allow insecure conns in dev mode + refactoring
* removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud
* remove the NamespaceAuthorizer would fail in legacy mode. It will be added back in the future.
* use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy
* extracted authz package changes in #95120
* extracted server side changes in #95086
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: gamab <gabriel.mabille@grafana.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
* fix: Change users permissions search to use a consistent key without collisions
* Move HashString to cacheutils
* Change error handling logic for what to do with a cache key
* Add a test that confirms search cache key consistency
* ds-querier: return QDR instead of k8s error
After parseQuery we know the request is a valid k8s request but we don't
know if the query is valid, therefore this change returns a QDR that
other systems, e.g. alerting ruler, can de-serialize properly.
Co-authored-by: Gábor Farkas <gabor.farkas@gmail.com>
* ds-querier: fix tests
Co-authored-by: Sarah Zinger <sarah.zinger@grafana.com>
* tweak status
* refactor refID to empty
---------
Co-authored-by: Gábor Farkas <gabor.farkas@gmail.com>
Co-authored-by: Sarah Zinger <sarah.zinger@grafana.com>
* no orgname
* format code
* update unit test
* delete contextSrv
* fix unit test
* run prettier
---------
Co-authored-by: Laura Benz <laura.benz@grafana.com>
* add admin permissions upon creation of a folder w. SA
* Update pkg/services/folder/folderimpl/folder.go
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Grant service account permissions for creation of dashboards
* Grant service account admin permissions upon creating a datasource
* fetch user using the userservice with the userid
* Revert "fetch user using the userservice with the userid"
This reverts commit 23cba78752.
* revert back to original datasource creation
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* All objects should have an UID
* Now with a different error message
* Simplify create on DW 2: use the same object to write to both storages
* Run only one test
* Add check for status code
* Add name if it's not present in mode2
* Populate UID in legacy
* Remove logs and commented code
* Change dualwriter1
* Remove commented code
* Fix list test
* remove get on update from dualwriter 2
* Get object before updating. Better var renaming
* Finish rebasing
* Comment test
* Uncomment tests
* Update legacy first. Add preconditions
* Remove preconditions
* Fix update test
* copy RV from unified to legacy objects
* revert changes to playlist xorm store
* Improve logging. Add go routines for mode3
* Add tests for async funcs in mode3
* Lint
* Lint
* Lint. Start to fix tests
* Fix watcher tests
* Fix store tests
* Fiinish fixing watcher tests
* Fix server tests
* add name check
* Update pkg/apiserver/rest/dualwriter_mode1.go
Co-authored-by: Bruno Abrantes <bruno.abrantes@grafana.com>
* All objects should have an UID
* Now with a different error message
* Simplify create on DW 2: use the same object to write to both storages
* Run only one test
* Add check for status code
* Add name if it's not present in mode2
* Populate UID in legacy
* Remove logs and commented code
* Change dualwriter1
* Remove commented code
* Fix list test
* remove get on update from dualwriter 2
* Get object before updating. Better var renaming
* Finish rebasing
* Comment test
* Uncomment tests
* Fix update test
* revert changes to playlist xorm store
* Improve logging. Add go routines for mode3
* Lint
* Fix watcher tests
* Fiinish fixing watcher tests
* Add mode 5 with etcd test case. Add early check to fail on populated RV in payload
* we can't set RV to the found object when updating
* Lint
* Don't fail on update playlists
* Name should not be different when updating and it should be not empty on creating
* Fix tests
* Update pkg/apiserver/rest/dualwriter_mode2.go
Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com>
* Lint
* Fix mode 5 tests
* Lint
* Add generateName condition on every mode. Fix tests
* Lint
* Add condition on where name or generate name have to be set
* Fix test
* Lint
* Fix folders test
* We dont need to send name for mode1
* Fail if UID is not present
* Remove change from not running test
* Remove unused line
* Lint
* Update pkg/storage/unified/apistore/store.go
Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com>
* Improve error message
* Fix broken watcher test
* Fail on name mismatch on update
* Remove log
* Make sure UIDs match on create in both stores
* Lint
* Write first to unified storage
* Remove uid setting
* Remove RV only in mode2
* Fix test. Remove log line
* test
* No need to asser on RV in mode3
* Remove RV check due to race condition
* Update dualwriter.go
Co-authored-by: Georges Chaudy <chaudyg@gmail.com>
* Update pkg/storage/unified/client.go
* remove unused parameter
* log an error for object is missing UID instead of returning an error
* remove obj.SetResourceVersion("")
* log an error for object is missing UID instead of returning an error
* FInalise merge
* Move RV check to where it was
* Remove name check
* Remove server check for backwards compatibility
* Remove unused fn
* Move test checks for another PR
* Dont commit go work sum changes
* Only log error if RV is present for now.
---------
Co-authored-by: Todd Treece <todd.treece@grafana.com>
Co-authored-by: Bruno Abrantes <bruno.abrantes@grafana.com>
Co-authored-by: Todd Treece <360020+toddtreece@users.noreply.github.com>
Co-authored-by: Georges Chaudy <chaudyg@gmail.com>
Previously all receiver modifications were denied with alertingApiServer
enabled. This allows pure creates and deletes through as these specific
cases can be handled simply and without risk of rbac shenanigans.
* Fix: Fix panic when json data are nil
* Use Interface()
* Feedback
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* Need to check inside the if statement
---------
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* Implement uidToResourceID
* add middleware
* Move uidToResourceID to alerting package
* Only hash uid if it's too long
* Use hashed uid in access control
* Move ReceiverUidToResourceId to ScopeProvider
* resolve uid in middleware only if param exists
* Tests
* Linting
---------
Co-authored-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com>
* adds metric for watch latency
* registers storage metrics when creating a new ResourceServer
* defines the latency (in milliseconds) as the diff between now and the RV. Still need to wait until PR for switching RV to millisecond timestamp is rolled out.
* should be micro seconds not milli
* for watch latency, use diff between now and resource version and convert to seconds
* fix typo
* Transforms raw US resource into an intermediate IndexableResource and indexes that. Pulls index mapping code out into different file. For now, we will hardcode which spec fields are indexed, per resource.
* Fixes a few bugs with field casing and timestamps not being formatted right (or not existing).
* adds readme section for using search with US
* extracts to function to transform from search hit to IndexedResource
* get folders when building index
* Remove SettingProvider settings from SSO interactions
* Mock Settings Provider for SSO Settings test
* Ignore error from SettingsProvider
* Add test for backend
* start on tokens
* more error messages
* more handling
* rephrased with suggestions from Daniel
* separate gms parse method
* use translation
* refactor initial idea to use error obj
* use error dto result
* handle gms client
* clean logs and comments
* fix tests
* tests for gms
* test and lint
* lint
* one more handling from gms
* typing in fe
* use error interface
* use validation error
* remove unused gms error
* use errorlib and helper function in fe
* regen api
* use same error util
* one more error to handle
* Also validate folder on provisioning update
* Move folder check before auth check
When checking for the existence of a folder we go through the folder
service which requires auth. Doing so prevents an unprivileged user from
accessing information about whether a particular folder exists or not.
