-
Notifications
You must be signed in to change notification settings - Fork 11.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RBAC: Remove the option to disable RBAC and add automated permission migrations for instances that had RBAC disabled #66652
Conversation
was disabled * If rbac was disabled we reset the data and data migrations that rbac has to perform to get it to a correct state
…it from the in-memory stored logs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code looks good to me. I double checked the list of migrations to re-run and it seems correct as well.
I only tested it on latest main with a DB populated with some dashboards (since I didn't have legacy permissions it reset permissions on these to the default set) and an empty DB.
Do you need me to test more things?
…migrations for instances that had RBAC disabled (#66652) * RBAC: Stop reading enabeld from ini file and always set to true * Migrations: Add a migration for rbac to reset data migrations if rbac was disabled * If rbac was disabled we reset the data and data migrations that rbac has to perform to get it to a correct state * Migrator: Store migration logs on migrator and add function to clear it from the in-memory stored logs * update tests --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
…migrations for instances that had RBAC disabled (#66652) * RBAC: Stop reading enabeld from ini file and always set to true * Migrations: Add a migration for rbac to reset data migrations if rbac was disabled * If rbac was disabled we reset the data and data migrations that rbac has to perform to get it to a correct state * Migrator: Store migration logs on migrator and add function to clear it from the in-memory stored logs * update tests --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
What is this feature?
Why do we need this feature?
We're switching all instances over to RBAC and removing legacy AC. Running two access control logics in parallel is error prone and increasingly difficult to maintain, so with Grafana 10 we're fully switching over to RBAC.
We're automatically rerunning managed permissions migrations to bring RBAC permissions up to date with legacy AC permissions.
Who is this feature for?
This PR will only impact instances that had RBAC disabled. This was an undocumented option, so should only impact a very small number of users.
Which issue(s) does this PR fix?:
Fixes https://github.com/grafana/grafana-authnz-team/issues/198
Related enterprise PR:
https://github.com/grafana/grafana-enterprise/pull/4918