-
Notifications
You must be signed in to change notification settings - Fork 11.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Snapshots: Fix deleting external snapshots when using RBAC #51897
Conversation
Drone build failed: https://drone.grafana.net/grafana/grafana-enterprise/25403 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clarification comment! LGTM.
We discussed this with @sakjur, do you think it would make sense to create these snapshots with an ID, so that we can still perform RBAC on them? Some customers might want to prevent editors from deleting external snapshots? (=> Should we create an issue to keep track of this?)
I think so, yes! It seems like an oversight that that was not done already |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-51897-to-v9.0.x origin/v9.0.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x ee88b44458f525914a39aacb24a08acac513184d
# Push it to GitHub
git push --set-upstream origin backport-51897-to-v9.0.x
git switch main
# Remove the local backport branch
git branch -D backport-51897-to-v9.0.x Then, create a pull request where the |
@idafurjes I'll open an issue for adding the ID to external dashboard snapshots and can take care of the backport to v9.0.x 🙂 |
@sakjur I am already taking care of the backport, but thanks for opening the ticket |
(cherry picked from commit ee88b44)
Hi @idafurjes , I am still seeing the issue on 9.0.3 Cloud for the customer in https://github.com/grafana/support-escalations/issues/3139 "runningVersion": "9.0.3-0dc0087e (commit: 0dc0087e0, branch: HEAD)", I can see this 51897 in https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/ Could you take a look ? |
@JayEkin 9.0.3-0dc0087e looks like a prerelease for 9.0.3 |
What this PR does / why we need it:
When creating an external snapshot, its dashboard content is empty. This means that the mustInt here returns a 0, which before RBAC would result in a dashboard which has no ACL. A dashboard without an ACL would fallback to the user’s org role, which for editors and admins would essentially always be allowed here. With RBAC, all permissions must be explicit, so the lack of a rule for dashboard 0 means the guardian will reject.
Which issue(s) this PR fixes:
Fixes https://github.com/grafana/support-escalations/issues/3139
Special notes for your reviewer: