root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 137 Packages Projects Releases Wiki Activity

Authz: Remove legacy API Key permissions (#110860) 

* remove API key roles

* remove API key gen

* remove frontend and doc mentions

* restore legacy keygen

* restore codeowners

* prettier

* update swagger

* remove permissions including apikeys

* add migrator for removing deprecated permissions

* add tracing

* update openapi3

* simplify migrator for now

* accesscontrol/migrator: remove batching for deprecated permissions deletion
This commit is contained in:
Jo 2025-09-12 12:59:37 +01:00 committed by GitHub
parent 1f7afc6b6a
commit edcd113054
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
26 changed files with 346 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md
View File

@ -69,8 +69,6 @@ The following list contains role-based access control actions.
| `annotations:delete` | <ul><li>`annotations:*`</li><li>`annotations:type:*`</li><li>`dashboards:*`</li><li>`dashboards:uid:*`</li><li>`folders:*`</li><li>`folders:uid:*`</li></ul> | Delete annotations. |
| `annotations:read` | <ul><li>`annotations:*`</li><li>`annotations:type:*`</li><li>`dashboards:*`</li><li>`dashboards:uid:*`</li><li>`folders:*`</li><li>`folders:uid:*`</li></ul> | Read annotations and annotation tags. |
| `annotations:write` | <ul><li>`annotations:*`</li><li>`annotations:type:*`</li><li>`dashboards:*`</li><li>`dashboards:uid:*`</li><li>`folders:*`</li><li>`folders:uid:*`</li></ul> | Update annotations. |
| `apikeys:read` | <ul><li>`apikeys:*`</li><li>`apikeys:id:*`</li></ul> | Read API keys. |
| `apikeys:delete` | <ul><li>`apikeys:*`</li><li>`apikeys:id:*`</li></ul> | Delete API keys. |
| `banners:write` | None | Create [announcement banners](/docs/grafana-cloud/whats-new/2024-09-10-announcement-banner/). |
| `dashboards:create` | <ul><li>`folders:*`</li><li>`folders:uid:*`</li></ul> | Create dashboards in one or more folders and their subfolders. |
| `dashboards:delete` | <ul><li>`dashboards:*`</li><li>`dashboards:uid:*`</li><li>`folders:*`</li><li>`folders:uid:*`</li></ul> | Delete one or more dashboards. |
@ -268,7 +266,6 @@ The following list contains role-based access control scopes.
| Scopes | Descriptions |
| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <ul><li>`annotations:*`</li><li>`annotations:type:*`</li></ul> | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. |
| <ul><li>`apikeys:*`</li><li>`apikeys:id:*`</li></ul> | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`. |
| <ul><li>`dashboards:*`</li><li>`dashboards:uid:*`</li></ul> | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. |
| <ul><li>`datasources:*`</li><li>`datasources:uid:*`</li></ul> | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. |
| <ul><li>`folders:*`</li><li>`folders:uid:*`</li></ul> | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. Note that permissions granted to a folder cascade down to subfolders located under it. |

14
docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md
View File

@ -54,14 +54,14 @@ The following tables list permissions associated with basic and fixed roles. Thi
## Basic role assignments
| Basic role | UID | Associated fixed roles | Description |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| Basic role | UID | Associated fixed roles | Description |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| Grafana Admin | `basic_grafana_admin` |
| `fixed:authentication.config:writer`<br>`fixed:general.auth.config:writer`<br>`fixed:ldap:writer`<br>`fixed:licensing:writer`<br>`fixed:migrationassistant:migrator`<br>`fixed:org.users:writer`<br>`fixed:organization:maintainer`<br>`fixed:plugins:maintainer`<br>`fixed:provisioning:writer`<br>`fixed:roles:writer`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:stats:reader`<br>`fixed:support.bundles:writer`<br>`fixed:usagestats:reader`<br>`fixed:users:writer` | Default [Grafana server administrator](/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/#grafana-server-administrators) assignments. |
| Admin | `basic_admin` | All roles assigned to Editor and `fixed:reports:writer` <br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:apikeys:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:writer`<br>`fixed:plugins:writer`<br>`fixed:library.panels:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
| Editor | `basic_editor` | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer` | Default [Editor](ref:rbac-basic-roles) assignments. |
| Viewer | `basic_viewer` | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:folders.general:reader`<br>`fixed:datasources.builtin:reader` | Default [Viewer](ref:rbac-basic-roles) assignments. |
| No Basic Role | n/a | | Default [No Basic Role](ref:rbac-basic-roles) |
| Admin | `basic_admin` | All roles assigned to Editor and `fixed:reports:writer` <br>`fixed:datasources:writer`<br>`fixed:organization:writer`<br>`fixed:datasources.permissions:writer`<br>`fixed:teams:writer`<br>`fixed:dashboards:writer`<br>`fixed:dashboards.permissions:writer`<br>`fixed:dashboards.public:writer`<br>`fixed:folders:writer`<br>`fixed:folders.permissions:writer`<br>`fixed:alerting:writer`<br>`fixed:alerting.provisioning.secrets:reader`<br>`fixed:alerting.provisioning:writer`<br>`fixed:datasources.caching:writer`<br>`fixed:plugins:writer`<br>`fixed:library.panels:writer` | Default [Grafana organization administrator](ref:rbac-basic-roles) assignments. |
| Editor | `basic_editor` | All roles assigned to Viewer and `fixed:datasources:explorer` <br>`fixed:dashboards:creator`<br>`fixed:folders:creator`<br>`fixed:annotations:writer`<br>`fixed:alerting:writer`<br>`fixed:library.panels:creator`<br>`fixed:library.panels:general.writer`<br>`fixed:alerting.provisioning.status:writer` | Default [Editor](ref:rbac-basic-roles) assignments. |
| Viewer | `basic_viewer` | `fixed:datasources.id:reader`<br>`fixed:organization:reader`<br>`fixed:annotations:reader`<br>`fixed:annotations.dashboard:writer`<br>`fixed:alerting:reader`<br>`fixed:plugins.app:reader`<br>`fixed:dashboards.insights:reader`<br>`fixed:datasources.insights:reader`<br>`fixed:library.panels:general.reader`<br>`fixed:folders.general:reader`<br>`fixed:datasources.builtin:reader` | Default [Viewer](ref:rbac-basic-roles) assignments. |
| No Basic Role | n/a | | Default [No Basic Role](ref:rbac-basic-roles) |
## Fixed role definitions
@ -90,8 +90,6 @@ To learn how to use the roles API to determine the role UUIDs, refer to [Manage
| `fixed:annotations:reader` | `fixed_hpZnoizrfAJsrceNcNQqWYV-xNU` | `annotations:read` for scopes `annotations:type:*` | Read all annotations and annotation tags. |
| `fixed:annotations:writer` | `fixed_ZVW-Aa9Tzle6J4s2aUFcq1StKWE` | All permissions from `fixed:annotations:reader` <br>`annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:*` | Read, create, update and delete all annotations and annotation tags. |
| `fixed:annotations.dashboard:writer` | `fixed_8A775xenXeKaJk4Cr7bchP9yXOA` | `annotations:write` <br>`annotations.create`<br> `annotations:delete` for scope `annotations:type:dashboard` | Create, update and delete dashboard annotations and annotation tags. |
| `fixed:apikeys:reader` | `fixed_kYZ7UEkwEvGmCCjTrq07cFAVFws` | `apikeys:read` for scope `apikeys:*` | Read all api keys. |
| `fixed:apikeys:writer` | `fixed_anTrcpRkm21NBO1Q2CsX8y0fiCQ` | All permissions from `fixed:apikeys:reader` and <br> `apikeys:create` <br> `apikeys:delete` for scope `apikeys:*` | Read, create, delete all api keys. |
| `fixed:authentication.config:writer` | `fixed_0rYhZ2Qnzs8AdB1nX7gexk3fHDw` | `settings:read` for scope `settings:auth.saml:*` <br> `settings:write` for scope `settings:auth.saml:*` | Read and update authentication and SAML settings. |
| `fixed:general.auth.config:writer` | `fixed_QFxIT_FGtBqbIVJIwx1bLgI5z6c` | `settings:read` for scope `settings:auth:oauth_allow_insecure_email_lookup` <br> `settings:write` for scope `settings:auth:oauth_allow_insecure_email_lookup` | Read and update the Grafana instance's general authentication configuration settings. |
| `fixed:dashboards:creator` | `fixed_ZorKUcEPCM01A1fPakEzGBUyU64` | `dashboards:create`<br>`folders:read` | Create dashboards. |

37
pkg/api/accesscontrol.go
View File

@ -176,41 +176,6 @@ func (hs *HTTPServer) declareFixedRoles() error {
Grants: []string{string(org.RoleViewer)},
}
apikeyReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:apikeys:reader",
DisplayName: "Reader",
Description: "Gives access to read api keys.",
Group: "API Keys",
Permissions: []ac.Permission{
{
Action: ac.ActionAPIKeyRead,
Scope: ac.ScopeAPIKeysAll,
},
},
},
Grants: []string{string(org.RoleAdmin)},
}
apikeyWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:apikeys:writer",
DisplayName: "Writer",
Description: "Gives access to add and delete api keys.",
Group: "API Keys",
Permissions: ac.ConcatPermissions(apikeyReaderRole.Role.Permissions, []ac.Permission{
{
Action: ac.ActionAPIKeyCreate,
},
{
Action: ac.ActionAPIKeyDelete,
Scope: ac.ScopeAPIKeysAll,
},
}),
},
Grants: []string{string(org.RoleAdmin)},
}
orgReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:organization:reader",
@ -649,7 +614,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, teamsReaderRole, datasourcesExplorerRole,
annotationsReaderRole, dashboardAnnotationsWriterRole, annotationsWriterRole,
dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
foldersCreatorRole, foldersReaderRole, generalFolderReaderRole, foldersWriterRole, apikeyReaderRole, apikeyWriterRole,
foldersCreatorRole, foldersReaderRole, generalFolderReaderRole, foldersWriterRole,
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole, libraryPanelsCreatorRole,
libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole,
snapshotsCreatorRole, snapshotsDeleterRole, snapshotsReaderRole}

1
pkg/api/api.go
View File

@ -107,7 +107,6 @@ func (hs *HTTPServer) registerRoutes() {
r.Get("/org/teams/new", authorize(ac.EvalPermission(ac.ActionTeamsCreate)), hs.Index)
r.Get("/org/serviceaccounts", authorize(ac.EvalPermission(serviceaccounts.ActionRead)), hs.Index)
r.Get("/org/serviceaccounts/:serviceAccountId", authorize(ac.EvalPermission(serviceaccounts.ActionRead)), hs.Index)
r.Get("/org/apikeys/", authorize(ac.EvalPermission(ac.ActionAPIKeyRead)), hs.Index)
r.Get("/dashboard/import/", reqSignedIn, hs.Index)
r.Get("/configuration", reqGrafanaAdmin, hs.Index)
r.Get("/admin", reqOrgAdmin, hs.Index)

1
pkg/api/dtos/apikey.go
View File

@ -1,6 +1,5 @@
package dtos
// swagger:model
type NewApiKeyResult struct {
// example: 1
ID int64 `json:"id"`

8
pkg/components/apikeygen/apikeygen.go
View File

@ -3,13 +3,11 @@ package apikeygen
import (
"encoding/base64"
"encoding/json"
"errors"
"github.com/grafana/grafana/pkg/components/satokengen"
"github.com/grafana/grafana/pkg/util"
)
var ErrInvalidApiKey = errors.New("invalid API key")
type KeyGenResult struct {
HashedKey string
ClientSecret string
@ -50,13 +48,13 @@ func New(orgId int64, name string) (KeyGenResult, error) {
func Decode(keyString string) (*ApiKeyJson, error) {
jsonString, err := base64.StdEncoding.DecodeString(keyString)
if err != nil {
return nil, ErrInvalidApiKey
return nil, satokengen.ErrInvalidApiKey
}
var keyObj ApiKeyJson
err = json.Unmarshal(jsonString, &keyObj)
if err != nil {
return nil, ErrInvalidApiKey
return nil, satokengen.ErrInvalidApiKey
}
return &keyObj, nil

14
pkg/components/satokengen/errors.go
View File

@ -1,14 +0,0 @@
package satokengen
import "github.com/grafana/grafana/pkg/components/apikeygen"
type ErrInvalidApiKey struct {
}
func (e *ErrInvalidApiKey) Error() string {
return "invalid API key"
}
func (e *ErrInvalidApiKey) Unwrap() error {
return apikeygen.ErrInvalidApiKey
}

9
pkg/components/satokengen/tokengen.go
View File

@ -2,6 +2,7 @@ package satokengen
import (
"encoding/hex"
"errors"
"hash/crc32"
"strings"
@ -10,6 +11,8 @@ import (
const GrafanaPrefix = "gl"
var ErrInvalidApiKey = errors.New("invalid API key")
type KeyGenResult struct {
HashedKey string
ClientSecret string
@ -72,12 +75,12 @@ func New(serviceID string) (KeyGenResult, error) {
func Decode(keyString string) (*PrefixedKey, error) {
if !strings.HasPrefix(keyString, GrafanaPrefix) {
return nil, &ErrInvalidApiKey{}
return nil, ErrInvalidApiKey
}
parts := strings.Split(keyString, "_")
if len(parts) != 3 {
return nil, &ErrInvalidApiKey{}
return nil, ErrInvalidApiKey
}
key := &PrefixedKey{
@ -86,7 +89,7 @@ func Decode(keyString string) (*PrefixedKey, error) {
Checksum: parts[2],
}
if key.CalculateChecksum() != key.Checksum {
return nil, &ErrInvalidApiKey{}
return nil, ErrInvalidApiKey
}
return key, nil

7
pkg/services/accesscontrol/acimpl/service.go
View File

@ -81,6 +81,11 @@ func ProvideService(
return nil, err
}
// Migrating to remove deprecated permissions from the database
if err := migrator.MigrateRemoveDeprecatedPermissions(db, service.log); err != nil {
return nil, err
}
return service, nil
}
@ -699,7 +704,7 @@ func PermissionMatchesSearchOptions(permission accesscontrol.Permission, searchO
if searchOptions.Scope != "" {
// Permissions including the scope should also match
scopes := append(searchOptions.Wildcards(), searchOptions.Scope)
if !slices.Contains[[]string, string](scopes, permission.Scope) {
if !slices.Contains(scopes, permission.Scope) {
return false
}
}

87
pkg/services/accesscontrol/migrator/migrator.go
View File

@ -4,8 +4,11 @@ import (
"context"
"time"
"go.opentelemetry.io/otel/attribute"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/sqlstore/session"
@ -120,6 +123,90 @@ func batch(count, batchSize int, eachFn func(start, end int) error) error {
return nil
}
// MigrateRemoveDeprecatedPermissions removes deprecated permissions from the database
func MigrateRemoveDeprecatedPermissions(db db.DB, log log.Logger) error {
ctx := context.Background()
ctx, span := tracing.Start(ctx, "migrator.removeDeprecatedPermissions",
attribute.String("migration.type", "removeDeprecatedPermissions"))
defer span.End()
t := time.Now()
// Define the deprecated permissions to remove
deprecatedPermissions := []string{
"apikeys:", // remove this line in 2026/03, no apikeys:read/write/create should exist by then and downgrade/upgrade scenarios are less likely
}
if len(deprecatedPermissions) == 0 {
span.SetAttributes(attribute.Bool("migration.skipped", true))
log.Debug("No deprecated permissions to remove", "migration", "removeDeprecatedPermissions")
return nil
}
span.SetAttributes(attribute.Int("deprecated.patterns.count", len(deprecatedPermissions)))
log.Info("Starting migration to remove deprecated permissions", "migration", "removeDeprecatedPermissions")
// Find and remove permissions matching the deprecated patterns
var totalRemoved int
for _, permPattern := range deprecatedPermissions {
patternCtx, patternSpan := tracing.Start(ctx, "migrator.removeDeprecatedPermissions.pattern",
attribute.String("pattern", permPattern))
patternSpan.SetAttributes(attribute.String("migration.type", "removeDeprecatedPermissions"))
var permissions []ac.Permission
if errFind := db.WithTransactionalDbSession(patternCtx, func(sess *sqlstore.DBSession) error {
return sess.SQL("SELECT id FROM permission WHERE action LIKE ?", permPattern+"%").Find(&permissions)
}); errFind != nil {
log.Error("Could not search for deprecated permissions to remove", "migration", "removeDeprecatedPermissions", "pattern", permPattern, "error", errFind)
patternSpan.RecordError(errFind)
patternSpan.End()
return errFind
}
patternSpan.SetAttributes(attribute.Int("permissions.found", len(permissions)))
if len(permissions) == 0 {
log.Debug("No permissions found for pattern", "migration", "removeDeprecatedPermissions", "pattern", permPattern)
patternSpan.End()
continue
}
// Remove permissions by the exact IDs we found
if errDel := db.GetSqlxSession().WithTransaction(patternCtx, func(tx *session.SessionTx) error {
delQuery := "DELETE FROM permission WHERE id IN ("
delArgs := make([]any, 0, len(permissions))
for i := range permissions {
delQuery += "?,"
delArgs = append(delArgs, permissions[i].ID)
}
// close the IN clause
delQuery = delQuery[:len(delQuery)-1] + ")"
_, err := tx.Exec(patternCtx, delQuery, delArgs...)
return err
}); errDel != nil {
log.Error("Error deleting deprecated permissions", "migration", "removeDeprecatedPermissions", "pattern", permPattern, "error", errDel)
patternSpan.RecordError(errDel)
patternSpan.End()
return errDel
}
// We previously fetched matching permissions; count them as removed
totalRemoved += len(permissions)
patternSpan.SetAttributes(attribute.Int("permissions.removed", len(permissions)))
log.Info("Removed deprecated permissions for pattern", "migration", "removeDeprecatedPermissions", "pattern", permPattern, "count", len(permissions))
patternSpan.End()
}
span.SetAttributes(
attribute.Int("permissions.total.removed", totalRemoved),
attribute.Int("migration.duration.ms", int(time.Since(t).Milliseconds())),
)
log.Info("Completed migration to remove deprecated permissions", "migration", "removeDeprecatedPermissions", "totalRemoved", totalRemoved, "duration", time.Since(t))
return nil
}
func trimToMaxLen(s string, maxLen int) string {
if len(s) > maxLen {
return s[:maxLen]

213
pkg/services/accesscontrol/migrator/migrator_test.go
View File

@ -88,3 +88,216 @@ func TestIntegrationMigrateScopeSplitTruncation(t *testing.T) {
}
}
}
// batchInsertTestPermissions inserts test permissions for migration testing
func batchInsertTestPermissions(cnt int, sqlStore db.DB, actionPrefix string) error {
now := time.Now()
suffixes := []string{"read", "write", "delete"}
return batch(cnt, batchSize, func(start, end int) error {
n := end - start
permissions := make([]ac.Permission, 0, n)
for i := start; i < end; i++ {
suffix := suffixes[i%len(suffixes)]
permissions = append(permissions, ac.Permission{
RoleID: 1,
Action: fmt.Sprintf("%s:%s", actionPrefix, suffix),
Scope: fmt.Sprintf("%s:uid:%v", actionPrefix, i+1),
Created: now,
Updated: now,
})
}
return sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
_, err := sess.Insert(permissions)
return err
})
})
}
// TestIntegrationMigrateRemoveDeprecatedPermissions tests the deprecated permissions removal migration
func TestIntegrationMigrateRemoveDeprecatedPermissions(t *testing.T) {
testutil.SkipIntegrationTestInShortMode(t)
sqlStore := db.InitTestDB(t)
logger := log.New("accesscontrol.migrator.test")
// Test 1: Basic functionality - remove deprecated permissions
t.Run("removes deprecated permissions", func(t *testing.T) {
// Insert deprecated permissions (apikeys: pattern)
require.NoError(t, batchInsertTestPermissions(5, sqlStore, "apikeys"), "could not insert deprecated permissions")
// Insert non-deprecated permissions
require.NoError(t, batchInsertTestPermissions(3, sqlStore, "dashboards"), "could not insert non-deprecated permissions")
// Count permissions before migration
var permissionsBefore []ac.Permission
err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsBefore)
})
require.NoError(t, err, "could not count permissions before migration")
assert.Equal(t, 8, len(permissionsBefore), "expected 8 permissions before migration")
// Run migration
require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))
// Count permissions after migration
var permissionsAfter []ac.Permission
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsAfter)
})
require.NoError(t, err, "could not count permissions after migration")
assert.Equal(t, 3, len(permissionsAfter), "expected 3 permissions after migration")
// Verify only non-deprecated permissions remain
for _, perm := range permissionsAfter {
assert.NotContains(t, perm.Action, "apikeys:", "deprecated permission should have been removed")
}
})
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsEmptyDB tests migration with empty database
func TestIntegrationMigrateRemoveDeprecatedPermissionsEmptyDB(t *testing.T) {
testutil.SkipIntegrationTestInShortMode(t)
sqlStore := db.InitTestDB(t)
logger := log.New("accesscontrol.migrator.test")
// Run migration on empty database
require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))
// Verify no permissions exist
var permissions []ac.Permission
err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissions)
})
require.NoError(t, err, "could not query permissions")
assert.Empty(t, permissions, "expected no permissions in empty database")
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsBatchProcessing tests batch processing with large dataset
func TestIntegrationMigrateRemoveDeprecatedPermissionsBatchProcessing(t *testing.T) {
testutil.SkipIntegrationTestInShortMode(t)
sqlStore := db.InitTestDB(t)
logger := log.New("accesscontrol.migrator.test")
// Set small batch size for testing
originalBatchSize := batchSize
batchSize = 3
defer func() { batchSize = originalBatchSize }()
// Insert more deprecated permissions than batch size
require.NoError(t, batchInsertTestPermissions(10, sqlStore, "apikeys"), "could not insert deprecated permissions")
// Insert some non-deprecated permissions
require.NoError(t, batchInsertTestPermissions(2, sqlStore, "folders"), "could not insert non-deprecated permissions")
// Count permissions before migration
var permissionsBefore []ac.Permission
err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsBefore)
})
require.NoError(t, err, "could not count permissions before migration")
assert.Equal(t, 12, len(permissionsBefore), "expected 12 permissions before migration")
// Run migration
require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))
// Count permissions after migration
var permissionsAfter []ac.Permission
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsAfter)
})
require.NoError(t, err, "could not count permissions after migration")
assert.Equal(t, 2, len(permissionsAfter), "expected 2 permissions after migration")
// Verify only non-deprecated permissions remain
for _, perm := range permissionsAfter {
assert.NotContains(t, perm.Action, "apikeys:", "deprecated permission should have been removed")
assert.Contains(t, perm.Action, "folders:", "non-deprecated permission should remain")
}
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsNoDeprecated tests when no deprecated permissions exist
func TestIntegrationMigrateRemoveDeprecatedPermissionsNoDeprecated(t *testing.T) {
testutil.SkipIntegrationTestInShortMode(t)
sqlStore := db.InitTestDB(t)
logger := log.New("accesscontrol.migrator.test")
// Insert only non-deprecated permissions
require.NoError(t, batchInsertTestPermissions(5, sqlStore, "users"), "could not insert non-deprecated permissions")
// Count permissions before migration
var permissionsBefore []ac.Permission
err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsBefore)
})
require.NoError(t, err, "could not count permissions before migration")
assert.Equal(t, 5, len(permissionsBefore), "expected 5 permissions before migration")
// Run migration
require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))
// Count permissions after migration
var permissionsAfter []ac.Permission
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsAfter)
})
require.NoError(t, err, "could not count permissions after migration")
assert.Equal(t, 5, len(permissionsAfter), "expected 5 permissions after migration (none should be removed)")
// Verify all permissions remain unchanged
for _, perm := range permissionsAfter {
assert.NotContains(t, perm.Action, "apikeys:", "no deprecated permissions should exist")
assert.Contains(t, perm.Action, "users:", "non-deprecated permissions should remain")
}
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsMixedPatterns tests mixed deprecated and non-deprecated patterns
func TestIntegrationMigrateRemoveDeprecatedPermissionsMixedPatterns(t *testing.T) {
testutil.SkipIntegrationTestInShortMode(t)
sqlStore := db.InitTestDB(t)
logger := log.New("accesscontrol.migrator.test")
// Insert deprecated permissions
require.NoError(t, batchInsertTestPermissions(3, sqlStore, "apikeys"), "could not insert deprecated permissions")
// Insert various non-deprecated permissions
require.NoError(t, batchInsertTestPermissions(2, sqlStore, "dashboards"), "could not insert dashboard permissions")
require.NoError(t, batchInsertTestPermissions(2, sqlStore, "folders"), "could not insert folder permissions")
require.NoError(t, batchInsertTestPermissions(2, sqlStore, "datasources"), "could not insert datasource permissions")
// Count permissions before migration
var permissionsBefore []ac.Permission
err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsBefore)
})
require.NoError(t, err, "could not count permissions before migration")
assert.Equal(t, 9, len(permissionsBefore), "expected 9 permissions before migration")
// Run migration
require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))
// Count permissions after migration
var permissionsAfter []ac.Permission
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
return sess.Find(&permissionsAfter)
})
require.NoError(t, err, "could not count permissions after migration")
assert.Equal(t, 6, len(permissionsAfter), "expected 6 permissions after migration")
// Verify deprecated permissions are removed and others remain
deprecatedCount := 0
validCount := 0
for _, perm := range permissionsAfter {
if strings.HasPrefix(perm.Action, "apikeys:") {
deprecatedCount++
} else {
validCount++
}
}
assert.Equal(t, 0, deprecatedCount, "no deprecated permissions should remain")
assert.Equal(t, 6, validCount, "expected 6 valid permissions to remain")
}

12
pkg/services/accesscontrol/models.go
View File

@ -328,12 +328,6 @@ const (
K6FolderUID = "k6-app"
RoleGrafanaAdmin = "Grafana Admin"
// Permission actions
ActionAPIKeyRead = "apikeys:read"
ActionAPIKeyCreate = "apikeys:create"
ActionAPIKeyDelete = "apikeys:delete"
// Users actions
ActionUsersRead = "users:read"
ActionUsersWrite = "users:write"
@ -391,9 +385,6 @@ const (
// Global Scopes
ScopeGlobalUsersAll = "global.users:*"
// APIKeys scope
ScopeAPIKeysAll = "apikeys:*"
// Users scope
ScopeUsersAll = "users:*"
ScopeUsersPrefix = "users:id:"
@ -587,9 +578,6 @@ var OrgsCreateAccessEvaluator = EvalAll(
EvalPermission(ActionOrgsCreate),
)
// ApiKeyAccessEvaluator is used to protect the "Configuration > API keys" page access
var ApiKeyAccessEvaluator = EvalPermission(ActionAPIKeyRead)
type QueryWithOrg struct {
OrgId *int64 `json:"orgId"`
Global bool `json:"global"`

1
pkg/services/accesscontrol/permreg/permreg.go
View File

@ -82,7 +82,6 @@ func newPermissionRegistry() *permissionRegistry {
"dashboards": "dashboards:uid:",
"folders": "folders:uid:",
"annotations": "annotations:type:",
"apikeys": "apikeys:id:",
"orgs": "orgs:id:",
"plugins": "plugins:id:",
"provisioners": "provisioners:",

21
pkg/services/apikey/apikeyimpl/store_test.go
View File

@ -56,6 +56,9 @@ func seedApiKeys(t *testing.T, store store, num int) {
}
func testIntegrationApiKeyDataAccess(t *testing.T, fn getStore) {
if testing.Short() {
t.Skip("skipping integration test")
}
t.Helper()
mockTimeNow()
@ -188,24 +191,18 @@ func testIntegrationApiKeyDataAccess(t *testing.T, fn getStore) {
t.Run("Testing Get API keys", func(t *testing.T) {
tests := []getApiKeysTestCase{
{
desc: "expect all keys for wildcard scope",
user: &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{
1: {"apikeys:read": {"apikeys:*"}},
}},
desc: "expect all keys for wildcard scope",
user: &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{}},
expectedAllNumKeys: 10,
},
{
desc: "expect only api keys that user have scopes for",
user: &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{
1: {"apikeys:read": {"apikeys:id:1", "apikeys:id:3"}},
}},
desc: "expect only api keys that user have scopes for",
user: &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{}},
expectedAllNumKeys: 10,
},
{
desc: "expect no keys when user have no scopes",
user: &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{
1: {"apikeys:read": {}},
}},
desc: "expect no keys when user have no scopes",
user: &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{}},
expectedAllNumKeys: 10,
},
}

1
pkg/services/apikey/model.go
View File

@ -31,7 +31,6 @@ type APIKey struct {
func (k APIKey) TableName() string { return "api_key" }
// swagger:model AddAPIKeyCommand
type AddCommand struct {
Name string `json:"name" binding:"Required"`
Role org.RoleType `json:"role" binding:"Required"`

4
pkg/services/authn/clients/api_key.go
View File

@ -60,7 +60,7 @@ func (s *APIKey) Authenticate(ctx context.Context, r *authn.Request) (*authn.Ide
defer span.End()
key, err := s.getAPIKey(ctx, getTokenFromRequest(r))
if err != nil {
if errors.Is(err, apikeygen.ErrInvalidApiKey) {
if errors.Is(err, satokengen.ErrInvalidApiKey) {
return nil, errAPIKeyInvalid.Errorf("API key is invalid")
}
return nil, err
@ -141,7 +141,7 @@ func (s *APIKey) getFromTokenLegacy(ctx context.Context, token string) (*apikey.
return nil, err
}
if !isValid {
return nil, apikeygen.ErrInvalidApiKey
return nil, satokengen.ErrInvalidApiKey
}
return key, nil

9
pkg/services/authn/clients/api_key_test.go
View File

@ -10,7 +10,6 @@ import (
"github.com/stretchr/testify/assert"
claims "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/components/apikeygen"
"github.com/grafana/grafana/pkg/components/satokengen"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/services/apikey"
@ -22,7 +21,7 @@ import (
var (
revoked = true
secret, hash = genApiKey(false)
secret, hash = genApiKey()
)
func TestAPIKey_Authenticate(t *testing.T) {
@ -188,11 +187,7 @@ func boolPtr(b bool) *bool {
return &b
}
func genApiKey(legacy bool) (string, string) {
if legacy {
res, _ := apikeygen.New(1, "test")
return res.ClientSecret, res.HashedKey
}
func genApiKey() (string, string) {
res, _ := satokengen.New("test")
return res.ClientSecret, res.HashedKey
}

6
pkg/services/grpcserver/interceptors/auth_test.go
View File

@ -102,8 +102,8 @@ func TestAuthenticator_Authenticate(t *testing.T) {
}, nil)
permissions := []accesscontrol.Permission{
{
Action: accesscontrol.ActionAPIKeyRead,
Scope: accesscontrol.ScopeAPIKeysAll,
Action: accesscontrol.ActionUsersWrite,
Scope: accesscontrol.ScopeUsersAll,
},
}
ac := accesscontrolmock.New().WithPermissions(permissions)
@ -114,7 +114,7 @@ func TestAuthenticator_Authenticate(t *testing.T) {
require.NoError(t, err)
signedInUser := grpccontext.FromContext(ctx).SignedInUser
require.Equal(t, serviceAccountId, signedInUser.UserID)
require.Equal(t, []string{accesscontrol.ScopeAPIKeysAll}, signedInUser.Permissions[1][accesscontrol.ActionAPIKeyRead])
require.Equal(t, []string{accesscontrol.ScopeUsersAll}, signedInUser.Permissions[1][accesscontrol.ActionUsersWrite])
})
}

10
pkg/services/serviceaccounts/database/token_store_test.go
View File

@ -6,7 +6,7 @@ import (
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/components/apikeygen"
"github.com/grafana/grafana/pkg/components/satokengen"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
"github.com/grafana/grafana/pkg/services/serviceaccounts/tests"
"github.com/grafana/grafana/pkg/util/testutil"
@ -29,7 +29,7 @@ func TestIntegration_Store_AddServiceAccountToken(t *testing.T) {
for _, tc := range testCases {
t.Run(tc.desc, func(t *testing.T) {
keyName := t.Name()
key, err := apikeygen.New(user.OrgID, keyName)
key, err := satokengen.New(keyName)
require.NoError(t, err)
cmd := serviceaccounts.AddServiceAccountTokenCommand{
@ -84,7 +84,7 @@ func TestIntegration_Store_AddServiceAccountToken_WrongServiceAccount(t *testing
sa := tests.SetupUserServiceAccount(t, db, store.cfg, saToCreate)
keyName := t.Name()
key, err := apikeygen.New(sa.OrgID, keyName)
key, err := satokengen.New(keyName)
require.NoError(t, err)
cmd := serviceaccounts.AddServiceAccountTokenCommand{
@ -106,7 +106,7 @@ func TestIntegration_Store_RevokeServiceAccountToken(t *testing.T) {
sa := tests.SetupUserServiceAccount(t, db, store.cfg, userToCreate)
keyName := t.Name()
key, err := apikeygen.New(sa.OrgID, keyName)
key, err := satokengen.New(keyName)
require.NoError(t, err)
cmd := serviceaccounts.AddServiceAccountTokenCommand{
@ -148,7 +148,7 @@ func TestIntegration_Store_DeleteServiceAccountToken(t *testing.T) {
sa := tests.SetupUserServiceAccount(t, db, store.cfg, userToCreate)
keyName := t.Name()
key, err := apikeygen.New(sa.OrgID, keyName)
key, err := satokengen.New(keyName)
require.NoError(t, err)
cmd := serviceaccounts.AddServiceAccountTokenCommand{

2
pkg/services/serviceaccounts/extsvcaccounts/service.go
View File

@ -350,7 +350,7 @@ func (esa *ExtSvcAccountsService) getExtSvcAccountToken(ctx context.Context, org
// Get credentials from store
credentials, err := esa.GetExtSvcCredentials(ctx, orgID, extSvcSlug)
if err != nil && !errors.Is(err, ErrCredentialsNotFound) {
if !errors.Is(err, &satokengen.ErrInvalidApiKey{}) {
if !errors.Is(err, satokengen.ErrInvalidApiKey) {
return "", err
}
ctxLogger.Warn("Invalid token found in store, recovering...", "service", extSvcSlug, "orgID", orgID)

21
public/api-enterprise-spec.json
View File

@ -2475,27 +2475,6 @@
}
}
},
"AddAPIKeyCommand": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"role": {
"type": "string",
"enum": [
"None",
"Viewer",
"Editor",
"Admin"
]
},
"secondsToLive": {
"type": "integer",
"format": "int64"
}
}
},
"AddDataSourceCommand": {
"description": "Also acts as api DTO",
"type": "object",

21
public/api-merged.json
View File

@ -12622,27 +12622,6 @@
}
}
},
"AddAPIKeyCommand": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"role": {
"type": "string",
"enum": [
"None",
"Viewer",
"Editor",
"Admin"
]
},
"secondsToLive": {
"type": "integer",
"format": "int64"
}
}
},
"AddDataSourceCommand": {
"description": "Also acts as api DTO",
"type": "object",

7
public/app/core/reducers/navModel.test.ts
View File

@ -49,31 +49,28 @@ describe('navModelReducer', () => {
const teams = { id: 'teams', text: 'Teams' };
const plugins = { id: 'plugins', text: 'Plugins' };
const orgsettings = { id: 'org-settings', text: 'Preferences' };
const apikeys = { id: 'apikeys', text: 'API Keys' };
const initialState = {
cfg: { ...originalCfg, children: [datasources, users, teams, plugins, orgsettings, apikeys] },
cfg: { ...originalCfg, children: [datasources, users, teams, plugins, orgsettings] },
datasources: { ...datasources, parentItem: originalCfg },
correlations: { ...correlations, parentItem: originalCfg },
users: { ...users, parentItem: originalCfg },
teams: { ...teams, parentItem: originalCfg },
plugins: { ...plugins, parentItem: originalCfg },
'org-settings': { ...orgsettings, parentItem: originalCfg },
apikeys: { ...apikeys, parentItem: originalCfg },
};
const newOrgName = 'Org 2';
const subTitle = `Organization: ${newOrgName}`;
const newCfg = { ...originalCfg, subTitle };
const expectedState = {
cfg: { ...newCfg, children: [datasources, users, teams, plugins, orgsettings, apikeys] },
cfg: { ...newCfg, children: [datasources, users, teams, plugins, orgsettings] },
datasources: { ...datasources, parentItem: newCfg },
correlations: { ...correlations, parentItem: newCfg },
users: { ...users, parentItem: newCfg },
teams: { ...teams, parentItem: newCfg },
plugins: { ...plugins, parentItem: newCfg },
'org-settings': { ...orgsettings, parentItem: newCfg },
apikeys: { ...apikeys, parentItem: newCfg },
};
reducerTester<NavIndex>()

1
public/app/core/reducers/navModel.ts
View File

@ -122,7 +122,6 @@ export const navIndexReducer = (state: NavIndex = initialState, action: AnyActio
teams: getItemWithNewSubTitle(state.teams, subTitle),
plugins: getItemWithNewSubTitle(state.plugins, subTitle),
'org-settings': getItemWithNewSubTitle(state['org-settings'], subTitle),
apikeys: getItemWithNewSubTitle(state.apikeys, subTitle),
};
} else if (removeNavIndex.match(action)) {
delete state[action.payload];

4
public/app/types/accessControl.ts
View File

@ -155,10 +155,6 @@ export enum AccessControlAction {
AlertingTemplatesWrite = 'alert.notifications.templates:write',
AlertingTemplatesDelete = 'alert.notifications.templates:delete',
ActionAPIKeysRead = 'apikeys:read',
ActionAPIKeysCreate = 'apikeys:create',
ActionAPIKeysDelete = 'apikeys:delete',
PluginsInstall = 'plugins:install',
PluginsWrite = 'plugins:write',

21
public/openapi3.json
View File

@ -2150,27 +2150,6 @@
},
"type": "object"
},
"AddAPIKeyCommand": {
"properties": {
"name": {
"type": "string"
},
"role": {
"enum": [
"None",
"Viewer",
"Editor",
"Admin"
],
"type": "string"
},
"secondsToLive": {
"format": "int64",
"type": "integer"
}
},
"type": "object"
},
"AddDataSourceCommand": {
"description": "Also acts as api DTO",
"properties": {