Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alerting: Make silence authz service check rule group permissions #86470

Closed
wants to merge 2 commits into from
Closed

Alerting: Make silence authz service check rule group permissions #86470

wants to merge 2 commits into from

Conversation

yuri-tceretian
Copy link
Contributor

@yuri-tceretian yuri-tceretian commented Apr 17, 2024
edited

What is this feature?
This PR updates silence authorization service to tighten up the security and check if user can read rules for which it tries to read or write a silence.
To check that permission, the service has to fetch all rules in the group and check the user's permissions.

Why do we need this feature?
Silences are protected by folder UID scope only. Rules are protected by intersection of folder UID and Data source UID. Therefore, in GE there is a possibility that a user can see and manage silences for rules that it cannot see due to lack of data source permissions.

Who is this feature for?
Grafana Enterprise users

Special notes for your reviewer:
The pattern I chose is similar to what we do elsewhere (e.g. folders): I gather the list of rule UIDs and then resolve them to rule groups. Performance-wise it's ok because we have an index that meets the filter requirement. However, the weak spot here is that with a big number of rule-specific silences, this could exceed limits on SQL queries.

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

@grafana-delivery-bot grafana-delivery-bot bot added this to the 11.1.x milestone Apr 17, 2024
@yuri-tceretian yuri-tceretian marked this pull request as ready for review April 19, 2024 16:27
@yuri-tceretian yuri-tceretian requested a review from a team as a code owner April 19, 2024 16:27
@yuri-tceretian yuri-tceretian requested review from rwwiv, JacobsonMT and grobinson-grafana and removed request for a team April 19, 2024 16:27
@yuri-tceretian yuri-tceretian force-pushed the yuri-tceretian/silence+rules-fgac branch from a3a6fbb to c4a1a12 Compare April 19, 2024 16:38
@yuri-tceretian yuri-tceretian self-assigned this Apr 19, 2024
@yuri-tceretian yuri-tceretian added area/alerting Grafana Alerting area/auth/rbac Grafana role-based access control no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes and removed area/auth/rbac Grafana role-based access control labels Apr 19, 2024
@yuri-tceretian yuri-tceretian marked this pull request as draft April 23, 2024 18:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwwiv rwwiv Awaiting requested review from rwwiv rwwiv is a code owner automatically assigned from grafana/alerting-backend-product

@JacobsonMT JacobsonMT Awaiting requested review from JacobsonMT JacobsonMT is a code owner automatically assigned from grafana/alerting-backend-product

@grobinson-grafana grobinson-grafana Awaiting requested review from grobinson-grafana grobinson-grafana is a code owner automatically assigned from grafana/alerting-backend-product

Assignees

@yuri-tceretian yuri-tceretian

Labels
area/alerting Grafana Alerting area/backend no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes
Projects
Alerting
Status: Done
Milestone
11.1.x
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@yuri-tceretian