[v11.0.x] Alerting: Add two sets of provisioning actions for rules and notifications #87572

grafana-delivery-bot · 2024-05-09T17:20:46Z

Backport 356a295 from #87149

What is this feature?
This PR adds two new sets of permissions that let administrators create custom roles to grant access to provisioning alert rules and notification configurations separately.
It does not replace already existing permissions.

Why do we need this feature?
To allow Grafana Enterprise users to grant access to rules API but not notifications provisioning APIs

Who is this feature for?

Special notes for your reviewer:
The new actions are not exposed independently. To test, you need to create a new custom role.

Example API Call

curl --location 'http://localhost:3000/api/access-control/roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "version": 1,
    "name": "custom:alerting_rule_provisioner",
    "displayName": "Alert Rules Provisioner",
    "description": "Access only alert rule provisioning API",
    "group":"Alerting",
    "permissions": [
        {
            "action": "alert.rules.provisioning:read"
        },
        {
            "action": "alert.rules.provisioning:write"
        }
    ]
}
'

Then you can create a test user

Example API Call

curl --location 'http://localhost:3000/api/admin/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data-raw '{
    "name": "test",
    "email": "test@example.com",
    "login": "test",
    "password": "test"
}'

and then assign the new role to the user (user Id and role UID need to be replaced with values from responses)

Example API Call

curl --location --request PUT 'http://localhost:3000/api/access-control/users/2/roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{"orgId":1,"roleUids":["bdl6zemr9r9xcd"]}'

Please check that:

It works as expected from a user's perspective.
If this is a pre-GA feature, it is behind a feature toggle.
The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

…tions (#87149) (cherry picked from commit 356a295)

Alerting: Add two sets of provisioning actions for rules and notifica…

5d0cc5d

…tions (#87149) (cherry picked from commit 356a295)

grafana-delivery-bot bot requested review from a team as code owners May 9, 2024 17:20

grafana-delivery-bot bot requested review from rwwiv and removed request for a team May 9, 2024 17:20

grafana-delivery-bot bot added this to the 11.0.x milestone May 9, 2024

grafana-delivery-bot bot requested review from JacobsonMT, yuri-tceretian and grobinson-grafana May 9, 2024 17:20

grafana-delivery-bot bot added add to changelog area/alerting Grafana Alerting area/auth/rbac Grafana role-based access control area/backend backport A backport PR product-approved Pull requests that are approved by product/managers and are allowed to be backported labels May 9, 2024

yuri-tceretian approved these changes May 9, 2024

View reviewed changes

yuri-tceretian merged commit 0a2f239 into v11.0.x May 9, 2024
23 checks passed

yuri-tceretian deleted the backport-87149-to-v11.0.x branch May 9, 2024 18:25

fabrizio-grafana modified the milestones: 11.0.x, 11.0.0 May 14, 2024

BrewTestBot mentioned this pull request May 14, 2024

grafana 11.0.0 Homebrew/homebrew-core#171659

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[v11.0.x] Alerting: Add two sets of provisioning actions for rules and notifications #87572

[v11.0.x] Alerting: Add two sets of provisioning actions for rules and notifications #87572

grafana-delivery-bot bot commented May 9, 2024

[v11.0.x] Alerting: Add two sets of provisioning actions for rules and notifications #87572

[v11.0.x] Alerting: Add two sets of provisioning actions for rules and notifications #87572

Conversation

grafana-delivery-bot bot commented May 9, 2024