* remove use of SignedInUserCopies
* add extra safety to not cross assign permissions
unwind circular dependency
dashboardacl->dashboardaccess
fix missing import
* correctly set teams for permissions
* fix missing inits
* nit: check err
* exit early for api keys
* inital changes, db migration
* changes
* Implement basic GetAll, Delete
* Add first batch of tests
* Add more tests
* Add service tests for GetForProvider, List
* Update http_server.go + wire.go
* Lint + update fixed role
* Update CODEOWNERS
* Change API init
* Change roles, rename
* Review with @kalleep
* Revert a mistakenly changed part
* Updates based on @dmihai 's feedback
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* correctly check permissions to list dashboards on the root
* correctly display the access inherited from general folder for dashboards
* Update pkg/services/sqlstore/permissions/dashboard.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update dashboard_filter_no_subquery.go
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update cue to have an AuthProvider entry
* Cable the new auth provider
* Add feature flag check to the accesscontrol service
* Fix test
* Change the structure of externalServiceRegistration (#76673)
* Replace FixedRoleUID function with a common function to generate these prefixes
* Use common function to generate prefixed uid for external service accounts
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
---------
Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
fetch fresh permissions for global in AuthorizeInOrgMiddleware
Update pkg/services/accesscontrol/authorize_in_org_test.go
do not load viewer permissions in global ID
* move access control api to SignedInUser interface
* remove unused code
* add logic for reading perms from a specific org
* move the specific org logic to org_user.go
* add a comment
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
* wip
* scope active user to 1 org
* remove TODOs
* add render auth namespace
* import cycle fix
* make condition more readable
* convert Evaluate to user Requester
* only use active OrgID for SearchUserPermissions
* add cache key to interface definition
* change final SignedInUsers to interface
* fix api key managed roles fetch
* fix anon auth id parsing
* Update pkg/services/accesscontrol/acimpl/accesscontrol.go
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* introduce a new action "alert.provisioning.secrets:read" and role "fixed:alerting.provisioning.secrets:reader"
* update alerting API authorization layer to let the user read provisioning with the new action
* let new action use decrypt flag
* add action and role to docs
* RBAC: Make the SplitScope migration concurrent
* Benchmark multiple alternatives: (updates in a loop, batch update, concurrent batch update)
* Only keep batching since mysql 5.7 does not seem to support concurrent batching
* Update pkg/services/accesscontrol/migrator/migrator.go
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* add a feature toggle
* add the fields for attribute, kind and identifier to permission
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* set the new fields when new permissions are stored
* add migrations
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* remove comments
* Update pkg/services/accesscontrol/migrator/migrator.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split
* PR feedback: add a comment and revert an accidentally changed file
* PR feedback: handle the case with : in resource identifier
* switch from checking feature toggle through cfg to checking it through featuremgmt
* don't put the column migrations behind a feature toggle after all - this breaks permission queries from db
---------
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Use sha1 (160 bit hash)
* Update pkg/services/accesscontrol/database/externalservices.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Satisfy linter, clean up
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Allow setting role as None
Co-authored-by: gamab <gabi.mabs@gmail.com>
Seeking for places where role.None would be used
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Adding None role to the frontend
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
unify org role declaration and remove from add permission
fix backend test
fix backend lint
* remove role none from frontend
* Simplify checks
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* nits
---------
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* remove unused HasAdmin and HasEdit permission methods
* remove legacy AC from HasAccess method
* remove unused function
* update alerting tests to work with RBAC
