grafana/pkg/api
Nihal c1d9e793be
Metrics: Fix internal metrics endpoint not accessible from browser if basic auth is enabled (#86904)
* add WWW-Authenticate header in the http response of /metrics endpoint in case of wrong basic auth credentials

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>

* added change log for the change fixing the issue https://github.com/grafana/grafana/issues/86902

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>

* Update CHANGELOG.md

---------

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>
2024-07-11 14:55:48 +02:00
..
apierrors Alerting: Remove legacy alerting (#83671) 2024-03-14 15:36:35 +01:00
avatar Chore: Remove public vars in setting package (#81018) 2024-01-23 12:36:22 +01:00
datasource mssql: prepare logs-handling for decouple-datasource changes (#79214) 2023-12-11 09:14:06 +01:00
dtos Feat: Extending report interaction with static context that can be appended to all interaction events (#88927) 2024-07-08 16:37:45 +02:00
frontendlogging Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
pluginproxy Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
response Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
routing Grafana: Replace magic number with a constant variable in response status (#80132) 2024-02-27 18:39:51 +02:00
static API: Extract OpenAPI specification from source code using go-swagger (#40528) 2022-02-08 13:38:43 +01:00
webassets Frontend: Reload the browser when backend configuration/assets change (#79057) 2024-01-04 08:00:07 +01:00
accesscontrol.go Misc: Remove unused params and impossible logic (#83756) 2024-03-01 12:08:00 +01:00
admin_encryption.go Config: Add configuration option to define custom user-facing general error message for certain error types (#70023) 2023-06-16 10:46:47 -05:00
admin_provisioning_test.go Alerting: Remove legacy alerting (#83671) 2024-03-14 15:36:35 +01:00
admin_provisioning.go Alerting: Remove legacy alerting (#83671) 2024-03-14 15:36:35 +01:00
admin_test.go Auth: Add anonymous users view and stats (#78685) 2023-11-29 17:58:41 +01:00
admin_users_test.go User: use update function for password updates (#86419) 2024-04-17 15:24:36 +02:00
admin_users.go Identity: Use typed version of namespace id (#87257) 2024-05-08 14:03:53 +02:00
admin.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
alerting.go Alerting: Remove legacy alerting (#83671) 2024-03-14 15:36:35 +01:00
annotations_test.go Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
annotations.go Identity: Use typed version of namespace id (#87257) 2024-05-08 14:03:53 +02:00
api_test.go Chore: Update test database initialization (#81673) 2024-02-09 09:35:39 -05:00
api.go Restore dashboards: Add RBAC (#90270) 2024-07-11 13:20:04 +03:00
apikey.go Grafana: Replace magic number with a constant variable in response status (#80132) 2024-02-27 18:39:51 +02:00
basic_auth_test.go Macaron: remove custom Request type (#37874) 2021-09-01 11:18:30 +02:00
basic_auth.go Macaron: remove custom Request type (#37874) 2021-09-01 11:18:30 +02:00
common_test.go K8s: use contexthandler in standalone handler chain (#90102) 2024-07-08 12:22:10 -07:00
dashboard_permission_test.go authz: Clean up acl endpoints and dashboard guardian (#73746) 2023-08-24 15:37:54 +02:00
dashboard_permission.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
dashboard_snapshot_test.go Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
dashboard_snapshot.go K8s: Improve identity mapping setup (#89450) 2024-06-20 17:53:07 +03:00
dashboard_test.go Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
dashboard.go Optimize memory allocations in permissions cache (#89645) 2024-06-26 23:03:13 +03:00
dataproxy.go Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
datasources_test.go Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
datasources.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
ds_query_test.go Plugins: Remove datasourceQueryMultiStatus feature toggle (#90191) 2024-07-10 11:15:10 +02:00
ds_query.go Plugins: Remove datasourceQueryMultiStatus feature toggle (#90191) 2024-07-10 11:15:10 +02:00
fakes.go Plugins: Make it possible to support multiple plugin versions (#82116) 2024-02-12 12:47:49 +01:00
folder_bench_test.go accesscontrol service read replica (#89963) 2024-07-08 10:00:13 -04:00
folder_permission_test.go Remove deprecated FolderID from api tests (#79466) 2023-12-20 15:12:05 +01:00
folder_permission.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
folder_test.go Add auth spans and remove deduplication code for scopes (#89804) 2024-07-02 22:08:57 -08:00
folder.go Folders: Fix folder pagination for cloud instances with many folders (#90008) 2024-07-05 11:19:03 +01:00
frontend_logging_test.go Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
frontend_logging.go Plugins: Add context to StaticRouteResolver and ErrorResolver interfaces (#73121) 2023-08-10 10:32:12 +02:00
frontend_metrics.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
frontendsettings_test.go OIDC: Support Generic OAuth org to role mappings (#87394) 2024-05-23 09:55:45 +02:00
frontendsettings.go Feat: Extending report interaction with static context that can be appended to all interaction events (#88927) 2024-07-08 16:37:45 +02:00
grafana_com_proxy.go API: don't re-add /api suffix to grafana.com API URL (#62280) 2023-01-27 10:20:55 +01:00
health_test.go HealthCheck: show enterprise commit (#75242) 2023-09-22 08:17:10 -03:00
health.go Chore: Remove Store interface and use db.DB instead (#60160) 2022-12-13 11:03:36 +01:00
http_server_test.go Server: Reload TLS certs without a server restart (#83589) 2024-03-22 17:13:22 +02:00
http_server.go Metrics: Fix internal metrics endpoint not accessible from browser if basic auth is enabled (#86904) 2024-07-11 14:55:48 +02:00
index.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
login_oauth_test.go Auth: Remove auth broker flag and clean up login handlers (#73109) 2023-08-10 09:56:04 +02:00
login_oauth.go Authn: Remove response writer from auth req (#90110) 2024-07-05 11:42:12 +02:00
login_test.go AuthN: Use typed namespace id inside authn package (#86048) 2024-04-24 09:57:34 +02:00
login.go Authn: Remove response writer from auth req (#90110) 2024-07-05 11:42:12 +02:00
org_invite_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
org_invite.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
org_test.go Add auth spans and remove deduplication code for scopes (#89804) 2024-07-02 22:08:57 -08:00
org_users_test.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
org_users.go Authn: Add function to resolve identity from org and namespace id (#84555) 2024-03-15 15:08:15 +01:00
org.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
password.go User: use update function for password updates (#86419) 2024-04-17 15:24:36 +02:00
playlist.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
plugin_checks_test.go Chore: Evaluate if an app is disabled for API requests (#79564) 2023-12-15 16:37:39 +01:00
plugin_checks.go Chore: Evaluate if an app is disabled for API requests (#79564) 2023-12-15 16:37:39 +01:00
plugin_dashboards_test.go Chore: Evaluate if an app is disabled for API requests (#79564) 2023-12-15 16:37:39 +01:00
plugin_dashboards.go Auth: Unfurl OrgID in pkg/api to allow using identity.Requester interface (#76108) 2023-10-06 11:34:36 +02:00
plugin_metrics_test.go Chore: Refactor backend plugin errors (#74928) 2023-09-25 11:56:03 +02:00
plugin_metrics.go Chore: Refactor backend plugin errors (#74928) 2023-09-25 11:56:03 +02:00
plugin_proxy_test.go Plugins: Preserve trailing slash in plugin proxy (#86859) 2024-06-05 13:36:14 +02:00
plugin_proxy.go RBAC: Cover plugin routes (#80578) 2024-01-17 16:32:23 +01:00
plugin_resource_test.go Add auth spans and remove deduplication code for scopes (#89804) 2024-07-02 22:08:57 -08:00
plugin_resource.go Plugins: Fix colon in CallResource URL returning an error when creating plugin resource request (#79746) 2024-01-29 10:31:49 +01:00
plugins_test.go Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
plugins.go Chore: Remove provisional APIVersion from plugin info (#89831) 2024-07-01 10:53:16 +02:00
preferences_test.go Identity: Unfurl UserID and Email in pkg/api to user identity.Requester (#76112) 2023-10-09 16:07:28 +02:00
preferences.go Navigation: Backend to save navigation customization into preferences (#89783) 2024-07-03 10:40:51 +01:00
quota_test.go Add auth spans and remove deduplication code for scopes (#89804) 2024-07-02 22:08:57 -08:00
quota.go Auth: Unfurl OrgID in pkg/api to allow using identity.Requester interface (#76108) 2023-10-06 11:34:36 +02:00
README.md Chore: Fix Swagger/OpenAPI instructions (#86541) 2024-04-19 09:16:38 +03:00
render.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
search.go Restore dashboards: Add RBAC (#90270) 2024-07-11 13:20:04 +03:00
short_url_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
short_url.go Chore: Remove public vars in setting package (#81018) 2024-01-23 12:36:22 +01:00
signup.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
swagger_responses.go PublicDashboards: Add swagger documentation (#75318) 2023-10-30 10:32:07 -03:00
swagger_tags.json Browse Dashboards: Update docs to remove reference to General folder (#74528) 2023-09-08 03:57:16 +01:00
swagger.go Swagger: Show k8s APIs (#78091) 2023-11-15 06:42:35 -08:00
user_test.go Zanzana: Evaluate permissions alongside with RBAC engine (#90064) 2024-07-05 11:31:23 +02:00
user_token_test.go AuthToken: Remove client token rotation feature toggle (#82886) 2024-02-16 15:03:37 +01:00
user_token.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
user.go Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00
utils.go User: use update function for password updates (#86419) 2024-04-17 15:24:36 +02:00

OpenAPI specifications

Since version 8.4, HTTP API details are specified using OpenAPI v2. Starting from version 9.1, there is also an OpenAPI v3 specification (generated by the v2 one using this script).

OpenAPI annotations

The OpenAPI v2 specification is generated automatically from the annotated Go code using go-swagger which scans the source code for annotation rules. Refer to this getting started guide for getting familiar with the toolkit.

Developers modifying the HTTP API endpoints need to make sure to add the necessary annotations so that their changes are reflected into the generated specifications.

Example of endpoint annotation

The following route defines a PATCH endpoint under the /serviceaccounts/{serviceAccountId} path with tag service_accounts (used for grouping together several routes) and operation ID updateServiceAccount (used for uniquely identifying routes and associate parameters and response with them).


// swagger:route PATCH /serviceaccounts/{serviceAccountId} service_accounts updateServiceAccount
//
// # Update service account
//
// Required permissions (See note in the [introduction](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api) for an explanation):
// action: `serviceaccounts:write` scope: `serviceaccounts:id:1` (single service account)
//
// Responses:
// 200: updateServiceAccountResponse
// 400: badRequestError
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError

The go-swagger can discover such annotations by scanning any code imported by pkg/server but by convention we place the endpoint annotations above the endpoint definition.

Example of endpoint parameters

The following struct defines the route parameters for the updateServiceAccount endpoint. The route expects:

  • a path parameter denoting the service account identifier and
  • a body parameter with the new values for the specific service account

// swagger:parameters updateServiceAccount
type UpdateServiceAccountParams struct {
	// in:path
	ServiceAccountId int64 `json:"serviceAccountId"`
	// in:body
	Body serviceaccounts.UpdateServiceAccountForm
}

Example of endpoint response

The following struct defines the response for the updateServiceAccount endpoint in case of a successful 200 response.


// swagger:response updateServiceAccountResponse
type UpdateServiceAccountResponse struct {
	// in:body
	Body struct {
		Message        string                                    `json:"message"`
		ID             int64                                     `json:"id"`
		Name           string                                    `json:"name"`
		ServiceAccount *serviceaccounts.ServiceAccountProfileDTO `json:"serviceaccount"`
	}
}

OpenAPI generation

Developers can re-create the OpenAPI v2 and v3 specifications using the following command:

make swagger-clean && make openapi3-gen

They can observe its output into the public/api-merged.json and public/openapi3.json files.

Finally, they can browser and try out both the OpenAPI v2 and v3 via the Swagger UI editor (served by the grafana server) by navigating to /swagger.

If there are any issues generating the specifications (e.g., diff containing unrelated changes to your PR or unusually large diff), please run the following two commands to ensure your Swagger version is up to date, then re-run the make commands.

  • go install github.com/bwplotka/bingo@latest
  • bingo get github.com/go-swagger/go-swagger/cmd/swagger@v0.30.2