RBAC: Migration to remove the scope from permissions where action is alert.instances:read #82202

Merged: 4 commits, Feb 16, 2024

@IevaVasiljeva IevaVasiljeva commented Feb 8, 2024

What is this feature?

A migration to remove the scope for any permissions where the action is alert.instances:read.

Why do we need this feature?

We initially introduced alert.instances:read action with a scope (here), however, we later realised that scope was not needed for this action and removed it (here).

However, this scope removal caused unanticipated side-effects. One of these side-effects is that if a user has created a custom role with action alert.instances:read and some scope, they now might not be able to edit this role (this is because we check that the user has all the permissions included in the role that they are editing before allowing them to edit it, and alert.instances:read is not granted to users with a scope anymore).

Who is this feature for?

Enterprise users who use custom roles, and have included a permission with scope alert.instances:read.

Which issue(s) does this PR fix?:

Fixes #

Release notice breaking change

If you use automated provisioning (e.g., Terraform) for custom roles, and have provisioned a role that includes a permission with action alert.instances:read and some scope, you will need to update the permission in your provisioning files by removing the scope.

@IevaVasiljeva IevaVasiljeva requested review from mgyongyosi and a team February 8, 2024 18:46
@IevaVasiljeva IevaVasiljeva requested review from a team as code owners February 8, 2024 18:46
@IevaVasiljeva IevaVasiljeva requested review from diegommm, undef1nd and suntala and removed request for a team February 8, 2024 18:46
@grafana-delivery-bot grafana-delivery-bot bot added this to the 10.4.x milestone Feb 8, 2024
@IevaVasiljeva IevaVasiljeva modified the milestone: 10.4.x Feb 8, 2024
@IevaVasiljeva IevaVasiljeva added the breaking change Relevant for changelog generation label Feb 9, 2024
@IevaVasiljeva IevaVasiljeva merged commit 7343102 into main Feb 16, 2024
12 checks passed
@IevaVasiljeva IevaVasiljeva deleted the ieva/add-migration-to-remove-scope branch February 16, 2024 11:52
@aangelisc aangelisc modified the milestones: 10.4.x, 10.4.0 Mar 6, 2024
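
The side effect and the fix described in the PR description above, as an added Go example that is not code from this pull request or from Grafana: a simplified model of the "editor must hold every permission in the role" check and of clearing the scope for one action. The exact-match scope comparison (no wildcard expansion), the function names and the sample scope `datasources:*` are assumptions made for illustration.

```go
package main

import "fmt"

// Permission is a simplified RBAC permission: an action plus an optional scope.
type Permission struct{ Action, Scope string }

// holds reports whether granted covers p. Assumed model: an unscoped
// requirement needs only the action; a scoped one needs the identical scope.
func holds(granted []Permission, p Permission) bool {
	for _, g := range granted {
		if g.Action == p.Action && (p.Scope == "" || g.Scope == p.Scope) {
			return true
		}
	}
	return false
}

// CanEditRole models the check from the description: the editor must hold
// every permission contained in the role being edited.
func CanEditRole(editor, role []Permission) bool {
	for _, p := range role {
		if !holds(editor, p) {
			return false
		}
	}
	return true
}

// StripScope returns a copy of perms with the scope cleared wherever the
// action matches, which is the effect the migration has on stored roles.
func StripScope(perms []Permission, action string) []Permission {
	out := make([]Permission, len(perms))
	for i, p := range perms {
		if p.Action == action {
			p.Scope = ""
		}
		out[i] = p
	}
	return out
}

func main() {
	// Constructed sample data: the editor is granted the action without a scope.
	editor := []Permission{{"alert.instances:read", ""}, {"dashboards:read", "dashboards:*"}}
	role := []Permission{{"alert.instances:read", "datasources:*"}, {"dashboards:read", "dashboards:*"}}
	fmt.Println("editable before:", CanEditRole(editor, role))
	fmt.Println("editable after: ", CanEditRole(editor, StripScope(role, "alert.instances:read")))
}
```

The same `StripScope` logic can be pointed at permissions loaded from provisioning files to find entries that still carry a scope for this action.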