Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alerting: separate out silence auth service preconditions checks #87998

Merged
merged 2 commits into from
May 23, 2024
Merged

Alerting: separate out silence auth service preconditions checks #87998

merged 2 commits into from
May 23, 2024

Conversation

JacobsonMT
Copy link
Member

@JacobsonMT JacobsonMT commented May 16, 2024
edited

Will be useful for subsequent PR that adds metadata to silence response

What is this feature?

Separates out precondition checks from silence auth service AuthorizeXSilence methods.

Why do we need this feature?

This is so precondition checks can be used separately in a subsequent PR that will add permission metadata information to the GET silence responses.

Special notes for your reviewer:

This is mostly a no-op refactor but introduces a new short circuit for silence reads when a user has wildcard folder permissions.

@JacobsonMT JacobsonMT added area/alerting Grafana Alerting type/refactor area/backend no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes labels May 16, 2024
@JacobsonMT JacobsonMT added this to the 11.1.x milestone May 16, 2024
@JacobsonMT JacobsonMT requested a review from a team as a code owner May 16, 2024 16:48
@JacobsonMT JacobsonMT requested review from jtheory, rwwiv, yuri-tceretian and grobinson-grafana and removed request for a team May 16, 2024 16:48
@JacobsonMT
Alerting: separate out silence auth service preconditions checks
ed8d0ff 
Will be useful for subsequent PR that adds metadata to silence response
@JacobsonMT JacobsonMT force-pushed the jacobsonmt/silence-ac-refactor branch from 1e93a64 to ed8d0ff Compare May 16, 2024 16:55
JacobsonMT
JacobsonMT commented May 16, 2024
View reviewed changes
pkg/services/ngalert/accesscontrol/silences_test.go
user: newUser(),
expected: []*models.Silence{},
expectedErr: ErrAuthorizationBase,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not actually a change, previously it was caught by middleware.

yuri-tceretian
yuri-tceretian reviewed May 17, 2024
View reviewed changes
pkg/services/ngalert/accesscontrol/silences.go Show resolved Hide resolved
pkg/services/ngalert/accesscontrol/silences.go
hasAccess, err = s.HasAccess(ctx, user, readRuleSilenceEvaluator(ns))
if err != nil {
return nil, err
hasAccess = s.authorizeReadSilence(ctx, user, silWithFolder) == nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

creation of the authz error is a bit more costly than regular error, I wonder if we can have just bool here. This is not a blocker, though.

pkg/services/ngalert/accesscontrol/silences.go Show resolved Hide resolved
yuri-tceretian
yuri-tceretian approved these changes May 22, 2024
View reviewed changes
Copy link
Contributor

@yuri-tceretian yuri-tceretian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My comments are non-blocking and can be implemented in a follow-up PR that already there.
Feel free to merge it as is. LGTM

@JacobsonMT JacobsonMT merged commit bc5d077 into main May 23, 2024
13 checks passed
@JacobsonMT JacobsonMT deleted the jacobsonmt/silence-ac-refactor branch May 23, 2024 16:34
ryantxu pushed a commit that referenced this pull request May 24, 2024
@JacobsonMT @ryantxu
Alerting: separate out silence auth service preconditions checks (#87998
77cc825 
)

* Alerting: separate out silence auth service preconditions checks

Will be useful for subsequent PR that adds metadata to silence response

* Add silence read wildcard scope to precondition for read all silences
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuri-tceretian yuri-tceretian yuri-tceretian approved these changes

@jtheory jtheory Awaiting requested review from jtheory jtheory was automatically assigned from grafana/alerting-backend-product

@rwwiv rwwiv Awaiting requested review from rwwiv rwwiv was automatically assigned from grafana/alerting-backend-product

@grobinson-grafana grobinson-grafana Awaiting requested review from grobinson-grafana grobinson-grafana was automatically assigned from grafana/alerting-backend-product

Assignees
No one assigned
Labels
area/alerting Grafana Alerting area/backend no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes type/refactor
Projects
Alerting
Status: Done
Milestone
11.1.x
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@JacobsonMT @yuri-tceretian