RBAC: Remove the option to disable RBAC and add automated permission migrations for instances that had RBAC disabled #66652
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
was disabled * If rbac was disabled we reset the data and data migrations that rbac has to perform to get it to a correct state
…it from the in-memory stored logs
IevaVasiljeva
requested review from
zserge,
mildwonkey and
suntala
and removed request for
a team
IevaVasiljeva
changed the title
Jguer
approved these changes
Apr 18, 2023
gamab
approved these changes
Apr 18, 2023
There was a problem hiding this comment.
The code looks good to me. I double checked the list of migrations to re-run and it seems correct as well.
I only tested it on latest main with a DB populated with some dashboards (since I didn't have legacy permissions it reset permissions on these to the default set) and an empty DB.
Do you need me to test more things?
ryantxu
pushed a commit
that referenced
this pull request
Apr 19, 2023
…migrations for instances that had RBAC disabled (#66652) * RBAC: Stop reading enabeld from ini file and always set to true * Migrations: Add a migration for rbac to reset data migrations if rbac was disabled * If rbac was disabled we reset the data and data migrations that rbac has to perform to get it to a correct state * Migrator: Store migration logs on migrator and add function to clear it from the in-memory stored logs * update tests --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
mdvictor
pushed a commit
that referenced
this pull request
Apr 21, 2023
…migrations for instances that had RBAC disabled (#66652) * RBAC: Stop reading enabeld from ini file and always set to true * Migrations: Add a migration for rbac to reset data migrations if rbac was disabled * If rbac was disabled we reset the data and data migrations that rbac has to perform to get it to a correct state * Migrator: Store migration logs on migrator and add function to clear it from the in-memory stored logs * update tests --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is this feature?
Why do we need this feature?
We're switching all instances over to RBAC and removing legacy AC. Running two access control logics in parallel is error prone and increasingly difficult to maintain, so with Grafana 10 we're fully switching over to RBAC.
We're automatically rerunning managed permissions migrations to bring RBAC permissions up to date with legacy AC permissions.
Who is this feature for?
This PR will only impact instances that had RBAC disabled. This was an undocumented option, so should only impact a very small number of users.
Which issue(s) does this PR fix?:
Fixes https://github.com/grafana/grafana-authnz-team/issues/198
Related enterprise PR:
https://github.com/grafana/grafana-enterprise/pull/4918