* Alerting: Update RuleGroupConfig definitions with missing fields
This update adds previously missing fields to the `RuleGroupConfig` structs to
ensure compatibility with external Prometheus-like rulers.
Includes:
- `labels`: per https://github.com/prometheus/prometheus/pull/11474
- `remote_write`: per https://github
.com/grafana/mimir/blob/56f33fed6254fee5a53bde1eab36c604863e3d5f/pkg/mimirtool/rules/rwrulefmt/rulefmt.go#L16
Note: This does not add full support in Grafana; it only allows these fields to
pass through the alerting proxy without causing unmarshal errors when using
external rulers.
* Update OpenAPI spec
* Secrets: changes to allow a 3rd party keeper / secret references
* fix test
* make gofmt
* lint
* fix tests
* assign aws secrets manager to @grafana/grafana-operator-experience-squad
* rename Keeper.Reference to Keeper.RetrieveReference
* rename ModelSecretsManager to ModelAWSSecretsManager
* validator: ensure that only one of keeper.Spec.Aws.AccessKey or keeper.Spec.Aws.AssumeRole are set
* move secrets manager dep / go mod tidy
* move secrets manager dep
* keeper validator: move 3rd party secret stores validation to their own functions
* add github.com/aws/aws-sdk-go-v2/service/secretsmanager pkg/extensions/enterprise_imports
* make update-workspace
* undo go.mod changes in /apps
* make update-workspace
* fix test
* add github.com/aws/aws-sdk-go-v2/service/secretsmanager to enterprise_imports
* make update-workspace
* gcworker: handle refs
* make update-workspace
* create toggle: FeatureStageExperimental
* allow features.IsEnabled for now
* format
* Plugins: Implement bug fix for loki label selectors w/ variable interpolation
* Chore: Add test to ensure result is interpolated
---------
Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com>
* dashboard library check added
* community dashboard section tests in progress
* tests added
* translations added
* pagination removed
* total pages removed
* test updated. pagination removed
* filters applied
* tracking event removed to be created in another pr
* slug added so url is correclty generated
* ui fix
* improvements after review
* improvements after review
* more tests added. new logic created
* fix
* changes applied
* tests removed. pattern updated
* preset of 6 elements applied
* Improve code comments and adjust variable name based on PR feedback
* Fix unit test and add extra case for regex pattern
* Fix interaction event, we were missing contentKind on BasicProvisioned flow and datasources types were not being send
---------
Co-authored-by: nmarrs <nathanielmarrs@gmail.com>
Co-authored-by: alexandra vargas <alexa1866@gmail.com>
* Transformers: Add smoothing transformer
Added a smoothing transformer to help clean up noisy time series data.
It uses the ASAP algorithm to pick the most important data points while
keeping the overall shape and trends intact.
The transformer always keeps the first and last points so you get the
complete time range. I also added a test for it.
* Change category
Change category from Reformat to CalculateNewFields
* Remove first/last point preservation
* Fix operator recreation
* Simplify ASAP code
Include performance optimization as well
* Refactor interpolateFromSmoothedCurve
Break function into smaller focused functions and lift functions to the
top level
* Add isApplicable Check
Make sure the transformer is applicable for timeseries data
* Add tests for isApplicable check
* UI/UX improvements: Display effective resolution when limited by data points
Show "Effective: X" indicator when resolution is capped by the 2x data
points multiplier. Includes tooltip explaining the limit.
Memoizes calculation to prevent unnecessary recalculation on re-renders.
Example: With 72 data points and resolution set to 150, displays
"Effective: 144" since the limit is 72 x 2 = 144.
Plus added tests
* Improve discoverability by adding tags
* Preserve Original Data
Let's preserve original data as well, makes the UX so much better.
Changed from appending (smoothed) to frame names to use Smoothed frame name. This should match the pattern used by other transformers (e.g,. regression)
Updated tests accordingly
Updated tooltip note
* Add asap tests
Basic functionality:
* returns valid DataPoint objects
* Maintain x-axis ordering
Edge cases:
* Empty array
* single data point
* filter NaN values
* all NaN values
* sort unsorted data
* negative values
* Update dark and light images
* Clear state cache
* Add feature toggle
* Conditionally add new transformation to the registry
* chore: update and regenerate feature toggles
* chore: update yarn.lock
* chore: fix transformers and imports
* add support for skip TLS verify
* extract constructor for ExternalAMcfg and tests
* extract constructor for AlertmanagerConfig and tests
* add support for client cert auth
* chore(gdev-dashboard): minimal repro of escalation #19939 bug report
* fix(canvas): add branching logic to handle field mapping to icons case
* test(canvas): validate integration of canvas icon mappings
* refactor(resource-dimension): defensive against JS `undefined` in paths
* set panel level ds when converting from v2 to v1
* remove comment
* lint
* always set ds in sqr
* improve
* Apply suggestions from code review
Co-authored-by: Ivan Ortega Alba <ivanortegaalba@gmail.com>
---------
Co-authored-by: Ivan Ortega Alba <ivanortegaalba@gmail.com>
* Prometheus Dashboards: Use __rate_interval #110370 fix(prometheus): use in stats dashboard
* Added required changes to F:\grafana\public\app\plugins\datasource\prometheus\dashboards\prometheus_2_stats.json file
* removed empty line
* removed all steps
* OpenTSDB: Migrate metadata queries to data source backend
* OpenTSDB: Migrate annotations to the data source backend
* return errors for failed unmarshal
* remove trailing / from metadata requests
* remove console logs
* feat: add lock structure into bleve index files
* fix: another approach
* fix: new check
* fix: build in memory if index file already open
* fix: update workspace
* fix: add test
* refactor: update func signature
* fix: address comments
* fix: make const
* Suggestions: Add intermediate state to avoid unexpected saved states
* cleanup
* update and add e2es to confirm behavior
* fix some of the change dispatch
* codeowners
* fix js error that this exposed
* Apply suggestion from @fastfrwrd
* fix warning for VizRepeater styles
* Gauge: Update test dashboard to round two of the segment panels to whole numbers
* Gauge: E2E tests
* add test for sparklines
* Gauge: Change inner glow to be friendlier to our a11y tests
* remove unused CODEOWNER declaration
* expose text mode so that old displayName usage is somewhat preserved
* update migrations to use the value_and_text mode if displayName has a non-empty value
* more test cases
* update unit tests for fixture updates
* The builder query no longer runs if code mode query is empty. Remove checks for query being empty to run raw query.
* missed save
* prettier?
* Update public/app/plugins/datasource/elasticsearch/components/QueryEditor/BucketAggregationsEditor/state/reducer.ts
Co-authored-by: Andreas Christou <andreas.christou@grafana.com>
---------
Co-authored-by: Andreas Christou <andreas.christou@grafana.com>
* Clear selection on entering edit mode. Added test to verify selection is cleared when editing a panel.
* Update comment
---------
Co-authored-by: Haris Rozajac <58232930+harisrozajac@users.noreply.github.com>
* Add helper function to format numeric values in alert rule history
* Use formatting function in LogRecordViewer
* Refactor numerical formatting logic
* Handle edge cases when counting decimal places
* Cleanup tests and numberFormatter code
* V2: Panel datasource is defined only for mixed ds
* if getDatasourceFromQueryRunner only returns ds.type, resolve to full ds ref throgh ds service
---------
Co-authored-by: Haris Rozajac <haris.rozajac12@gmail.com>
* Dashboard: Add test case for BOM characters in link URLs
This test demonstrates the issue where BOM (Byte Order Mark) characters
in dashboard link URLs cause CUE validation errors during v1 to v2
conversion ('illegal byte order mark').
The test input contains BOMs in various URL locations:
- Dashboard links
- Panel data links
- Field config override links
- Options dataLinks
- Field config default links
* Dashboard: Strip BOM characters from URLs during v1 to v2 conversion
BOM (Byte Order Mark) characters in dashboard link URLs cause CUE
validation errors ('illegal byte order mark') when opening v2 dashboards.
This fix strips BOMs from all URL fields during conversion:
- Dashboard links
- Panel data links
- Field config override links
- Options dataLinks
- Field config default links
The stripBOM helper recursively processes nested structures to ensure
all string values have BOMs removed.
* Dashboard: Strip BOM characters in frontend v2 conversion
Add stripBOMs parameter to sortedDeepCloneWithoutNulls utility to remove
Byte Order Mark (U+FEFF) characters from all strings when serializing
dashboards to v2 format.
This prevents CUE validation errors ('illegal byte order mark') that occur
when BOMs are present in any string field. BOMs can be introduced through
copy/paste from certain editors or text sources.
Applied at the final serialization step so it catches BOMs from:
- Existing v1 dashboards being converted
- New data entered during dashboard editing
* add function to convert StateTransition to LokiEntry
* add QueryResultBuilder
* update backtesting to produce result similar to historian
* make shouldRecord public
* filter out noop transitions
* add experimental front-end
* add new fields
* move conversion of api model to AlertRule to validation
* add extra labels
* calculate tick timestamp using the same logic as in scheduler
* implement correct logic of calculating first evaluation timestamp
* add uid, group and folder uid they are needed for jitter strategy
* add JitterOffsetInDuration and JitterStrategy.String()
* add config `backtesting_max_evaluations` to [unified_alerting] (not documented for now)
* remove obsolete tests
* elevate permisisons for backtesting endpoint
* move backtesting to separate dir
What is this feature?
Add a config option to set data source to imported rules when X-Grafana-Alerting-Datasource-UID is not present.
Why do we need this feature?
Currently mimirtool requires passing --extra-headers 'X-Grafana-Alerting-Datasource-UID: {uid}' when used with Grafana. This config option allows to specify a default, which is used when the header is missing, making it easier to use and more similar to the case when it's used with Mimir.
* Gauge: Fit-and-finish tweaks to glows, text position, and sparkline size
* adjust text height and positions a little more
* cohesive no data handling
* more tweaks
* fix migration test
* Fix JSON formatting by adding missing newline
* remove new line
* Gauge: Add guide dots for rounded bars to help with accuracy
* 30% width
* remove spotlight, starting to make gradients a bit more predictable
* fix segmented
* update rotation of gauge color
* update i18n and migration tests
* fix spacing
* more fixture updates
* wip: using clip-path and CSS for drawing the gauge
* wip: overhaul color in gauge
* wip: progress on everything
* refactoring defs into utils
* its all working
* fixme comment
* fix backend migration tests
* remove any other mentions of spotlights
* one more tweak
* update gdev
* add lots of tests and reorganize the code a bit
* fix dev dashboard fixture
* more cleanup, optimization
* fix a couple of bugs
* fix bad import
* disable storybook test due to false positive
* a more sweeping disable of the color-contrast
* update backend tests
* update gradient for fixed color
* test all dark/light theme variants
* set opacity to 0.5 for dots
* move min degrees for start dot render to a const
* change endpoint marks to be configurable
* update gdev and fixtures
* i18n
* shore up testing a bit
* remove period for consistency
* hide glow at small angles
* more testing and cleanup
* addressing PR comments
* Update packages/grafana-ui/src/components/RadialGauge/colors.ts
Co-authored-by: Jesse David Peterson <jesdavpet@users.noreply.github.com>
* Update packages/grafana-ui/src/components/RadialGauge/colors.ts
Co-authored-by: Jesse David Peterson <jesdavpet@users.noreply.github.com>
* break out binary search stuff and write tests
* fix lint issues
---------
Co-authored-by: Jesse David Peterson <jesdavpet@users.noreply.github.com>
* error handling
* retry fetching suggestions
* add translation
* useAsyncRetry
* hasError test
* update error handling
* clean up the text panel stuff for the current version
* cleanup for loop
* some more tests for some failure cases
* fix lint issue
---------
Co-authored-by: Paul Marbach <paul.marbach@grafana.com>
* fix(legend-table): remove arbitrary 600px max width for full width cells
* test(legend-table): backfill test coverage for viz legend table
* test(legend-table): backfill test coverage for viz legend table item
* refactor(legend-table): use derived theme spacing, not hard-coded values
* update selected suggestion style
* update highlight styles for light theme, add inert to div
* remove commented-out original idea
---------
Co-authored-by: Paul Marbach <paul.marbach@grafana.com>
* Provisioning: Enable save for json model changes
* Do not pass props
* Simplify logic and fix warnings
* add tests
* Show diff for json changes
* Add try/catch
* Alerting: Add saved searches feature for alert rules page
Add ability to save, rename, delete, and apply search queries on the
Alert Rules page. Includes auto-apply default search on navigation
and UserStorage persistence.
Behind feature toggle `alertingSavedSearches` (disabled by default).
* Alerting: Add i18n translations for saved searches
* Alerting: Remove unused imports in saved searches
* Alerting: Add CODEOWNERS for e2e-playwright/alerting-suite
* Alerting: Add useSavedSearches mock to RulesFilter.v2 tests
* Alerting: Fix failing unit tests for saved searches
- Fix Jest mock hoisting issue in useSavedSearches.test.ts by configuring
UserStorage mock implementation after imports instead of inline
- Update SavedSearches.test.tsx to use findBy* queries for async popup content
- Fix tests to click apply button instead of text for applying searches
- Update maxLength test to verify attribute instead of trying to exceed it
* Alerting: Fix saved searches test mocking and assertions
- Fix UserStorage mock in useSavedSearches.test.ts by creating mock with
default Promise-returning functions inside jest.mock() factory, then
accessing the instance via getMockUserStorageInstance() helper
- Fix SavedSearches.test.tsx apply button tests to use correct accessible
name "Apply this search" (from tooltip) instead of dynamic aria-label
- Fix disabled button assertion to check native disabled attribute instead
of relying on aria-disabled which is set inconsistently by Button component
- Use findAllByRole for async popup content queries
* Alerting: Fix test query for disabled save button
Use findByText + closest instead of findByRole to find the disabled
"Save current search" button. The Grafana Button component renders
with conflicting accessibility attributes (disabled="" + aria-disabled="false")
which breaks role-based queries in React Testing Library.
* fix(alerting): preserve UserStorage mock reference before clearAllMocks
* fix(alerting): add missing test mocks for crypto and console
- Mock crypto.randomUUID for Node.js test environment
- Add console.error spy to tests expecting storage/parse errors
- Add console.warn spy to test expecting validation warnings
Fixes jest-fail-on-console failures and crypto.randomUUID TypeError.
* fix(alerting): add console.error spy to save failure test
* fix(alerting): address PR review feedback for saved searches
- Register alertingSavedSearches feature toggle in backend
- Extract shared types to SavedSearches.types.ts to fix circular dependencies
- Extract sub-components: InlineSaveInput, InlineRenameInput, SavedSearchItem
- Remove unused imports (IconButton, Input) and styles from SavedSearches.tsx
- Add try/catch for auto-apply default search error handling
- Remove maxLength validation and corresponding test
* fix(alerting): fix validation error display in saved searches
- Fix useEffect dependency array that was immediately clearing validation errors
- Remove error from deps so errors only clear when user types, not when set
- Run i18n-extract to remove unused error-name-too-long translation key
* fix(alerting): address PR review feedback for saved searches
- Replace toHaveBeenCalled assertions with UI verification using AppNotificationList
- Rename useSavedSearches.test.ts to .tsx for JSX support
- Update README documentation to reflect current test patterns
- Add test cleanup between E2E tests to prevent data leakage
* fix(alerting): remove unused import and fix test wrapper
- Remove unused locationService import from RulesFilter.v2.tsx
- Add missing bootData spread in useSavedSearches.test.tsx mock
- Add createWrapper to renderHook call for user-specific storage key test
* fix(alerting): add Redux wrapper to all useSavedSearches hook tests
All renderHook calls for useSavedSearches now include the createWrapper()
which provides the Redux Provider context required by useAppNotification.
* fix(alerting): use regex patterns in MSW handlers for UserStorage tests
MSW handlers now use regex patterns to match any namespace and user UID,
since UserStorage reads config values from internal imports that aren't
affected by jest.mock of @grafana/runtime.
* fix(alerting): mock UserStorage directly instead of using MSW
Replace MSW HTTP handlers with a direct mock of the UserStorage class.
The MSW approach failed because UserStorage evaluates config.namespace
at module load time, before jest.mock takes effect, causing the regex
patterns to not match the actual request URLs.
This follows the same pattern used in useFavoriteDatasources.test.ts.
* refactor(alerting): use react-hook-form and Dropdown for saved searches
- Migrate InlineRenameInput and InlineSaveInput to react-hook-form
- Replace custom PopupCard with Grafana Dropdown component
- Use useReducer for centralized dropdown state management
- Add stopPropagation handlers to prevent dropdown closing during form interactions
- Update tests to use real useSavedSearches hook with mocked UserStorage
- Consolidate and simplify saved searches test suite
* fix: resolve CI failures in SavedSearches component
- Fix TypeScript TS2540 errors by using MutableRefObject type for refs
- Fix form submission by using onClick instead of type="submit" on IconButton
(IconButton doesn't forward the type prop to the underlying button)
- Fix action menu tests by stopping click propagation on ActionMenu wrapper
- Fix Escape key handling by focusing the dialog element instead of the
potentially-disabled save button
* fix(alerting): add navTree to runtime mock in useSavedSearches tests
Add empty navTree array to the @grafana/runtime config mock to prevent
store initialization crash when buildInitialState() calls .find() on
undefined navTree.
* fix(alerting): add error handling for auto-apply default search
Wrap handleApplySearch call in try-catch to prevent unhandled exceptions
when auto-applying the default saved search on navigation.
* fix(alerting): prevent saved searches dropdown from closing when clicking action menu
The nested Dropdown components caused the outer SavedSearches dropdown to close
when clicking on action menu items (Set as default, Rename, Delete). This happened
because @floating-ui/react's useDismiss hook detected clicks on the inner Menu
(rendered via Portal) as "outside" clicks.
Fix: Replace the outer Dropdown with PopupCard and add custom click-outside
handling that explicitly excludes portal elements ([role="menu"] and
[data-popper-placement]). This matches the pattern used before the Dropdown
refactor.
Changes:
- SavedSearches.tsx: Use PopupCard instead of Dropdown, add click-outside handler
- SavedSearchItem.tsx: Add menuPortalRoot prop for action menu positioning
- RulesFilter.v2.tsx: Fix double analytics tracking on auto-apply
* fix(alerting): auto-apply default saved search on page navigation
The default saved search was not being applied when navigating to the
Alert rules page. This was caused by a race condition where `isLoading`
was `false` on initial render (status was 'not-executed'), causing the
auto-apply effect to run before saved searches were loaded.
Fix: Include the uninitialized state in the loading check so the effect
waits until data is actually loaded before attempting to auto-apply.
Also adds tests for the auto-apply functionality.
* fix(alerting): align action menu icon and improve saved search tests
- Fix vertical alignment of three-dot menu icon in saved search items
by adding flex centering to the wrapper div
- Add feature toggle setup/teardown in saved searches test suite
- Fix location mocking in test for URL search parameter handling
* refactor(alerting): improve saved searches validation and organization
- Rename SavedSearches.types.ts to savedSearchesSchema.ts
- Use react-hook-form's built-in validation instead of manual setError
- Change error handling to throw ValidationError instead of returning it
- Add type guard isValidationError for safe error checking
- Add alphabetical sorting for saved searches (default first)
- Replace console.warn/error with logWarning/logError for analytics
- Extract helper functions: sortSavedSearches, loadSavedSearchesFromStorage, hasUrlSearchQuery
* refactor(alerting): address PR review comments for saved searches (steps 9-12)
- Add comprehensive comment explaining useEffect double-render limitation
and potential future improvements for default search auto-apply (step 9)
- Add test documenting expected behavior when navigating back to alert list
after leaving the page - default filter is re-applied (step 10)
- Update RulesFilter.v2.test.tsx to use testWithFeatureToggles helper and
add MSW UserStorage handlers for future use (step 11)
- Update SavedSearches.test.tsx to use render from test/test-utils and
byRole selectors for menu items (step 12)
* test(alerting): update saved searches tests for refactored API
- Update mockSavedSearches order to match sorted output (default first, then alphabetically)
- Change validation error tests to use rejects pattern (saveSearch/renameSearch now throw)
- Add hasPermission mock to contextSrv for module-level permission check
* fix(alerting): fix CI failures for saved searches
- Update onRenameComplete type to match throw-based API (Promise<void>)
- Run i18n-extract to add missing translation keys
* fix(alerting): salvage valid entries when saved searches validation fails
Instead of returning an empty array when array validation fails,
iterate through each item and keep only the valid entries.
This prevents losing all saved searches if a single entry is corrupted.
* test(alerting): update test to expect valid entries to be preserved
Update the test assertion to match the new behavior where valid saved
search entries are preserved when some entries fail validation, rather
than discarding all entries.
* fix(alerting): eliminate double API request on saved search auto-apply
Move saved searches loading and auto-apply logic from RulesFilterV2 to
RuleListPage. This ensures the default search filter is applied BEFORE
FilterView mounts, preventing double API requests on initial page load.
- Load saved searches at RuleListPage level
- Gate RuleList rendering until saved searches are loaded
- Pass savedSearchesResult as prop to avoid duplicate hook calls
- Remove auto-apply tests from RulesFilter.v2.test.tsx (behavior moved)
* fix(alerting): mock useSavedSearches in RuleList.v2 tests
The useSavedSearches hook triggers async state updates that complete
after tests finish, causing React act() warnings. Mock the hook to
prevent async operations during tests.
* refactor(alerting): migrate saved searches tests to use MSW
Address code review feedback by migrating UserStorage tests from
jest.mock to MSW-based mocking:
- Add MSW helper functions (setAlertingStorageItem, getAlertingStorageItem)
to simplify test setup for UserStorage
- Migrate useSavedSearches.test.tsx to use MSW handlers instead of
jest.mock('@grafana/runtime/internal')
- Migrate RulesFilter.v2.test.tsx to use MSW handlers
- Update README documentation to accurately reflect how tests use MSW
- Add tests for default search auto-apply behavior in RuleListPage
- Simplify comments to be concise and accurate
* fix(alerting): mock UserStorage directly in useSavedSearches tests
The UserStorage class caches its storage spec at the instance level,
and the useSavedSearches hook creates the instance at module level.
This caused test isolation issues where cached state leaked between
tests, making all tests that depended on loading data fail.
Fix by mocking UserStorage class directly instead of relying on MSW
handlers. This gives each test explicit control over what getItem
and setItem return, ensuring proper isolation.
Also update persistence assertions to verify mock.setItem calls
instead of reading from MSW storage (which the mock bypasses).
* refactor(alerting): remove setup helper in SavedSearches tests
Replace the `setup()` helper function with direct `render()` calls
as suggested in PR review. This makes tests more explicit about
what component is being rendered and with what props.
* refactor(alerting): extract default search auto-apply into dedicated hook
Moves the default saved search auto-apply logic from useSavedSearches into
a new useApplyDefaultSearch hook. This improves separation of concerns by
keeping useSavedSearches focused on CRUD operations while the new hook
handles the page-level auto-apply behavior.
Key changes:
- Created useApplyDefaultSearch hook with session-based visit tracking
- Removed getAutoApplySearch method and user-specific session keys from useSavedSearches
- Exported loadDefaultSavedSearch utility for independent default search loading
- Simplified test mocks to use loadDefaultSavedSearch instead of full hook mocking
- Removed unused savedSearchesResult prop passing through component tree
* fix(alerting): improve default search auto-apply timing and test reliability
Replace react-use's auto-executing useAsync with internal useAsync hook
for better control over when default search is loaded. This prevents
race conditions and ensures the async operation only executes when needed.
Test improvements:
- Add proper session storage cleanup in beforeEach
- Use waitFor to handle async operations correctly
- Prevent visited flag from affecting subsequent tests
- Clear mock call history between tests
The internal useAsync hook doesn't auto-execute on mount, allowing us to
control exactly when the default search loads based on conditions rather
than relying on dependency array triggers.
---------
Co-authored-by: Konrad Lalik <konradlalik@gmail.com>
* feat(auth): add ExtraAudience option to RoundTripper
Add ExtraAudience option to RoundTripper to allow operators to include
additional audiences (e.g., provisioning group) when connecting to the
multitenant aggregator. This ensures tokens include both the target API
server's audience and the provisioning group audience, which is required
to pass the enforceManagerProperties check.
- Add ExtraAudience RoundTripperOption
- Improve documentation and comments
- Add comprehensive test coverage
* fix(operators): add ExtraAudience for dashboards/folders API servers
Operators connecting to dashboards and folders API servers need to include
the provisioning group audience in addition to the target API server's
audience to pass the enforceManagerProperties check.
* provisioning: fix settings/stats authorization for AccessPolicy identities
The settings and stats endpoints were returning 403 for users accessing via
ST->MT because the AccessPolicy identity was routed to the access checker,
which doesn't know about these resources.
This fix handles 'settings' and 'stats' resources before the access checker
path, routing them to the role-based authorization that allows:
- settings: Viewer role (read-only, needed by frontend)
- stats: Admin role (can leak information)
* fix: update BootstrapStep component to remove legacy storage handling and adjust resource counting logic
- Removed legacy storage flag from useResourceStats hook in BootstrapStep.
- Updated BootstrapStepResourceCounting to simplify rendering logic and removed target prop.
- Adjusted tests to reflect changes in resource counting and rendering behavior.
* Revert "fix: update BootstrapStep component to remove legacy storage handling and adjust resource counting logic"
This reverts commit 148802cbb5.
* provisioning: allow any authenticated user for settings/stats endpoints
These are read-only endpoints needed by the frontend:
- settings: returns available repository types and configuration for the wizard
- stats: returns resource counts
Authentication is verified before reaching authorization, so any user who
reaches these endpoints is already authenticated. Requiring specific org
roles failed for AccessPolicy tokens which don't carry traditional roles.
* provisioning: remove redundant admin role check from listFolderFiles
The admin role check in listFolderFiles was redundant (route-level auth already
handles access) and broken for AccessPolicy identities which don't have org roles.
File access is controlled by the AccessClient as documented in the route-level
authorization comment.
* provisioning: add isAdminOrAccessPolicy helper for auth checks
Consolidates authorization logic for provisioning endpoints:
- Adds isAdminOrAccessPolicy() helper that allows admin users OR AccessPolicy identities
- AccessPolicy identities (ST->MT flow) are trusted internal callers without org roles
- Regular users must have admin role (matching frontend navtree restriction)
Used in: authorizeSettings, authorizeStats, authorizeJobs, listFolderFiles
* provisioning: consolidate auth helpers into allowForAdminsOrAccessPolicy
Simplifies authorization by:
- Adding isAccessPolicy() helper for AccessPolicy identity check
- Adding allowForAdminsOrAccessPolicy() that returns Decision directly
- Consolidating stats/settings/jobs into single switch case
- Using consistent pattern in files.go
* provisioning: require admin for files subresource at route level
Aligns route-level authorization with handler-level check in listFolderFiles.
Both now require admin role OR AccessPolicy identity for consistency.
* provisioning: restructure authorization with role-based helpers
Reorganizes authorization code for clarity:
Role-based helpers (all support AccessPolicy for ST->MT flow):
- allowForAdminsOrAccessPolicy: admin role required
- allowForEditorsOrAccessPolicy: editor role required
- allowForViewersOrAccessPolicy: viewer role required
Repository subresources by role:
- Admin: repository CRUD, test, files
- Editor: jobs, resources, sync, history
- Viewer: refs, status (GET only)
Connection subresources by role:
- Admin: connection CRUD
- Viewer: status (GET only)
* provisioning: move refs to admin-only
refs subresource now requires admin role (or AccessPolicy).
Updated documentation comments to reflect current permissions.
* provisioning: add fine-grained permissions for connections
Adds connection permissions following the same pattern as repositories:
- provisioning.connections:create
- provisioning.connections:read
- provisioning.connections:write
- provisioning.connections:delete
Roles:
- fixed:provisioning.connections:reader (granted to Admin)
- fixed:provisioning.connections:writer (granted to Admin)
* provisioning: remove non-existent sync subresource from auth
The sync subresource doesn't exist - syncing is done via the jobs endpoint.
Removed dead code from authorization switch case.
* provisioning: use access checker for fine-grained permissions
Refactors authorization to use b.access.Check() with verb-based checks:
Repository subresources:
- CRUD: uses actual verb (get/create/update/delete)
- test: uses 'update' (write permission)
- files/refs/resources/history/status: uses 'get' (read permission)
- jobs: uses actual verb for jobs resource
Connection subresources:
- CRUD: uses actual verb
- status: uses 'get' (read permission)
The access checker maps verbs to actions defined in accesscontrol.go.
Falls back to admin role for backwards compatibility.
Also removes redundant admin check from listFolderFiles since
authorization is now properly handled at route level.
* provisioning: use verb constants instead of string literals
Uses apiutils.VerbGet, apiutils.VerbUpdate instead of "get", "update".
* provisioning: use access checker for jobs and historicjobs resources
Jobs resource: uses actual verb (create/read/write/delete)
HistoricJobs resource: read-only (historicjobs:read)
* provisioning: allow viewers to access settings endpoint
Settings is read-only and needed by multiple UI pages (not just admin pages).
Stats remains admin-only.
* provisioning: consolidate role-based resource authorization
Extract isRoleBasedResource() and authorizeRoleBasedResource() helpers
to avoid duplicating settings/stats resource checks in multiple places.
* provisioning: use resource name constants instead of hardcoded strings
Replace 'repositories', 'connections', 'jobs', 'historicjobs' with
their corresponding ResourceInfo.GetName() constants.
* provisioning: delegate file authorization to connector
Route level: allow any authenticated user for files subresource
Connector: check repositories:read only for directory listing
Individual file CRUD: handled by DualReadWriter based on actual resource
* provisioning: enhance authorization for files and jobs resources
Updated file authorization to fall back to admin role for listing files. Introduced checkAccessForJobs function to manage job permissions, allowing editors to create and manage jobs while maintaining admin-only access for historic jobs. Improved error messaging for permission denials.
* provisioning: refactor authorization with fine-grained permissions
Authorization changes:
- Use access checker with role-based fallback for backwards compatibility
- Repositories/Connections: admin role fallback
- Jobs: editor role fallback (editors can manage jobs)
- HistoricJobs: admin role fallback (read-only)
- Settings: viewer role (needed by multiple UI pages)
- Stats: admin role
Files subresource:
- Route level allows any authenticated user
- Directory listing checks repositories:read in connector
- Individual file CRUD delegated to DualReadWriter
Refactored checkAccessWithFallback to accept fallback role parameter.
* provisioning: refactor access checker integration for improved authorization
Updated the authorization logic to utilize the new access checker across various resources, including files and jobs. This change simplifies the permission checks by removing redundant identity retrieval and enhances error handling. The access checker now supports role-based fallbacks for admin and editor roles, ensuring backward compatibility while streamlining the authorization process for repository and connection subresources.
* provisioning: remove legacy access checker tests and refactor access checker implementation
Deleted the access_checker_test.go file to streamline the codebase and focus on the updated access checker implementation. Refactored the access checker to enhance clarity and maintainability, ensuring it supports role-based fallback behavior. Updated the access checker integration in the API builder to utilize the new fallback role configuration, improving authorization logic across resources.
* refactor: split AccessChecker into TokenAccessChecker and SessionAccessChecker
- Renamed NewMultiTenantAccessChecker -> NewTokenAccessChecker (uses AuthInfoFrom)
- Renamed NewSingleTenantAccessChecker -> NewSessionAccessChecker (uses GetRequester)
- Split into separate files with their own tests
- Added mockery-generated mock for AccessChecker interface
- Names now reflect identity source rather than deployment mode
* fix: correct error message case and use accessWithAdmin for filesConnector
- Fixed error message to use lowercase 'admin role is required'
- Fixed filesConnector to use accessWithAdmin for proper role fallback
- Formatted code
* refactor: reduce cyclomatic complexity in filesConnector.Connect
Split the Connect handler into smaller focused functions:
- handleRequest: main request processing
- createDualReadWriter: setup dependencies
- parseRequestOptions: extract request options
- handleDirectoryListing: GET directory requests
- handleMethodRequest: route to method handlers
- handleGet/handlePost/handlePut/handleDelete: method-specific logic
- handleMove: move operation logic
* security: remove blind TypeAccessPolicy bypass from access checkers
Removed the code that bypassed authorization for TypeAccessPolicy identities.
All identities now go through proper permission verification via the inner
access checker, which will validate permissions from ServiceIdentityClaims.
This addresses the security concern where TypeAccessPolicy was being trusted
blindly without verifying whether the identity came from the wire or in-process.
* feat: allow editors to access repository refs subresource
Change refs authorization from admin to editor fallback so editors can
view repository branches when pushing changes to dashboards/folders.
- Split refs from other read-only subresources (resources, history, status)
- refs now uses accessWithEditor instead of accessWithAdmin
- Updated documentation comment to reflect authorization levels
- Added integration test TestIntegrationProvisioning_RefsPermissions
verifying editor access and viewer denial
* tests: add authorization tests for missing provisioning API endpoints
Add comprehensive authorization tests for:
- Repository subresources (test, resources, history, status)
- Connection status subresource
- HistoricJobs resource
- Settings and Stats resources
All authorization paths are now covered by integration tests.
* test: fix RefsPermissions test to use GitHub repository
Use github-readonly.json.tmpl template instead of local folder,
since refs endpoint requires a versioned repository that supports
git operations.
* chore: format test files
* fix: make settings/stats authorization work in MT mode
Update authorizeRoleBasedResource to check authlib.AuthInfoFrom(ctx)
for AccessPolicy identity type in addition to identity.GetRequester(ctx).
This ensures AccessPolicy identities are recognized in MT mode where
identity.GetRequester may not set the identity type correctly.
* fix: remove unused authorization helper functions
Remove allowForAdminsOrAccessPolicy and allowForViewersOrAccessPolicy
as they are no longer used after refactoring to use authorizeRoleBasedResource.
* Fix AccessPolicy identity detection in ST authorizer
- Add check for AccessPolicy identities via GetAuthID() in authorizeRoleBasedResource
- Extended JWT may set identity type to TypeUser but AuthID is 'access-policy:...'
- Forward user ID token in X-Grafana-Id header in RoundTripper for aggregator forwarding
* Revert "Fix AccessPolicy identity detection in ST authorizer"
This reverts commit 0f4885e503.
* Add fine-grained permissions for settings and stats endpoints
- Add provisioning.settings:read action (granted to Viewer role)
- Add provisioning.stats:read action (granted to Admin role)
- Add accessWithViewer to APIBuilder for Viewer role fallback
- Use access checker for settings/stats authorization
- Remove role-based authorization functions (isRoleBasedResource, authorizeRoleBasedResource)
This makes settings and stats consistent with other provisioning resources
and works properly in both ST and MT modes via the access checker.
* Remove AUTHORIZATION_COVERAGE.md
* Add provisioning resources to RBAC mapper
- Add connections, settings, stats to provisioning.grafana.app mappings
- Required for authz service to translate K8s verbs to legacy actions
- Fixes 403 errors for settings/stats in MT mode
* refactor: merge access checkers with original fallthrough behavior
Merge tokenAccessChecker and sessionAccessChecker into a unified
access checker that implements the original fallthrough behavior:
1. First try to get identity from access token (authlib.AuthInfoFrom)
2. If token exists AND (is TypeAccessPolicy OR useExclusivelyAccessCheckerForAuthz),
use the access checker with token identity
3. If no token or conditions not met, fall back to session identity
(identity.GetRequester) with optional role-based fallback
This fixes the issue where settings/stats/connections endpoints were
failing in MT mode because the tokenAccessChecker was returning an error
when there was no auth info in context, instead of falling through to
session-based authorization.
The unified checker now properly handles:
- MT mode: tries token first, falls back to session if no token
- ST mode: only uses token for AccessPolicy identities, otherwise session
- Role fallback: applies when configured and access checker denies
* Revert "refactor: merge access checkers with original fallthrough behavior"
This reverts commit 96451f948b.
* Grant settings view role to all
* fix: use actual request verb for settings/stats authorization
Use a.GetVerb() instead of hardcoded VerbGet for settings and stats
authorization. When listing resources (hitting collection endpoint),
the verb is 'list' not 'get', and this mismatch could cause issues
with the RBAC service.
* debug: add logging to access checkers for authorization debugging
Add klog debug logs (V4 level) to token and session access checkers
to help diagnose why settings/stats authorization is failing while
connections works.
* debug: improve access checker logging with grafana-app-sdk logger
- Use grafana-app-sdk logging.FromContext instead of klog
- Add error wrapping with resource.group format for better context
- Log more details including folder, group, and allowed status
- Log error.Error() for better error message visibility
* chore: use generic log messages in access checkers
* Revert "Grant settings view role to all"
This reverts commit 3f5758cf36.
* fix: use request verb for historicjobs authorization
The original role-based check allowed any verb for admins. To preserve
this behavior with the access checker, we should pass the actual verb
from the request instead of hardcoding VerbGet.
---------
Co-authored-by: Charandas Batra <charandas.batra@grafana.com>
* Default to folder sync only and block new instance sync repositories
- Change default allowed_targets to folder-only in backend configuration
- Modify validation to only enforce allowedTargets on CREATE operations
- Add deprecation warning for existing instance sync repositories
- Update frontend defaults and tests to reflect new behavior
Fixes#619
* Update warning message: change 'deprecated' to 'not fully supported'
* Fix health check: don't validate allowedTargets for existing repositories
Health checks for existing repositories should treat them as UPDATE operations,
not CREATE operations, so they don't fail validation for instance sync target.
* Fix tests and update i18n translations
- Update BootstrapStep tests to reflect folder-only default behavior
- Run i18n-extract to update translation file structure
* Fix integration tests
* Fix tests
* Fix provisioning test wizard
* Fix fronted test
* feat: add Grafana logo to embedded panels
- Add Grafana logo watermark to solo panel view (embedded panels)
- Logo appears in top-right corner with subtle background container
- Logo hides on hover to avoid interfering with panel content
- Uses React state to track hover for reliable behavior across nested elements
* minor formatting
* update changes to match public dashboards styling
* match styles of public dashboards
* feat: add responsive Grafana branding to embedded panels
- Add 'Powered by Grafana' branding with text logo to solo panel view
- Implement responsive scaling based on panel dimensions (0.6x to 1.0x)
- Logo and text scale proportionally with panel size
- Branding hides on hover to avoid interfering with panel content
- Matches public dashboard branding pattern for consistency
- Uses ResizeObserver for efficient responsive updates
* feat: add Grafana branding to embedded solo panels
- Add 'Powered by Grafana' branding with text logo to embedded panels
- Create SoloPanelPageLogo component for reusable branding
- Implement responsive scaling based on panel dimensions
- Add hover-to-hide functionality to avoid content overlap
- Logo scales between 0.6x and 1.0x based on panel size
* refactor: move scale calculation into SoloPanelPageLogo component
- Move responsive scale calculation logic from SoloPanelRenderer to SoloPanelPageLogo
- Logo component now manages its own scaling based on container dimensions
- Improves separation of concerns and component encapsulation
* feat: add hideLogo query parameter to disable embedded panel branding
- Add hideLogo query parameter support to SoloPanelPage
- Logo can be hidden via ?hideLogo, ?hideLogo=true, or ?hideLogo=1
- Useful for customers who want to disable branding and for image rendering scenarios
- Update Props interface to include hideLogo in queryParams type
* feat: hide logo in panel image renderer URLs
- Add hideLogo=true parameter to image renderer URLs in ShareLinkTab
- Ensures logo is hidden when generating panel images through share feature
- Update test to expect hideLogo=true in render URL
* feat: hide logo in old dashboard sharing panel image URLs
- Add hideLogo=true parameter to buildImageUrl in ShareModal utils
- Ensures logo is hidden when generating panel images through old share modal
- Update all ShareLink tests to expect hideLogo=true in render URLs
* test: add comprehensive tests for SoloPanelPage and SoloPanelPageLogo
- Add SoloPanelPageLogo tests covering rendering, hover behavior, theme selection, and scaling
- Add SoloPanelPage tests covering logo visibility based on hideLogo prop
- Test logo hiding functionality (most important behavior)
- Test responsive scaling based on container dimensions
- Test ResizeObserver integration
- All 14 tests passing
* refactor: centralize hideLogo handling in SoloPanelPageLogo
Move hideLogo parsing and decision-making into SoloPanelPageLogo so SoloPanelPage/SoloPanelRenderer only pass through the raw query param value.
* chore: clean up solo logo test and share link params
Remove a duplicate SVG mock in SoloPanelPageLogo.test, and simplify ShareLinkTab image URL building without changing behavior.
* chore: revert ShareLinkTab image query refactor
Restore the previous image URL query-param mutation logic in ShareLinkTab to reduce risk.
* chore: set hideLogo once for ShareLinkTab image URLs
Avoid passing hideLogo twice when building the rendered image URL.
* fix: handle boolean hideLogo query param in SoloPanelPageLogo
Handle query params that are represented as booleans (e.g., ?hideLogo) and arrays, and avoid calling trim() on non-strings.
* fix i18n
* fix(dashboard-scene): address SoloPanelPageLogo review feedback
Avoid double-scaling logo margin, clarify scaling comments, and extend tests for null/array values and ResizeObserver cleanup.
* update margin left on logo to better match text spacing
* wip
* boop
* Base factor on data
* Add some basic option control
* Remove old comments
* Add feature flag
* Apply feature flag to axis options
* Turn factor calculation into exported function
* Simplify bucket factor function
* Clarify comments
* Fix cell sizing of pre-bucketed heatmaps with log
* Remove unnecessary category change
* Consolidate editor for calculate from data no
* Update bucket function sanity checks
* Wire up scale config from yBucketScale
* Hide bucket controls for heatmap cells
* Fix splits
* Add test coverage
* Fix failing test
* Add basic util test coverage
* Fix tooltip for legacy in linear
* Fix y bucket option width to be consistent
* Hide tick alignment for explicit scale modes
* Clarify comment
* Make sure units are passed properly for linear
* Remove null assertion operator
* Clean up nested ternary
* Add type protection to scaleLog
* Remove repeated code for ySize calcs
* Remove ternary for scaleDistribution
* Add test coverage for YBucketScaleEditor
* Add isHeatmapSparse function to tooltip utils
* Create calculateYSizeDivisor util function
* Fix y axis min and max options and extend to log
* Add toLogBase test coverage
* Create applyExplicitMinMax function
* Add additional test coverage for scale editor
* Run i18n-extract
* Update eslint suppressions
---------
Co-authored-by: Drew Slobodnjak <60050885+drew08t@users.noreply.github.com>
* Dashboard migration: preserve legacy string datasource references
Fix v1beta1 → v2alpha1 conversion to handle legacy string datasource
references in QueryVariable, AdhocVariable, and GroupByVariable.
Previously, string datasource references (both template variables like
"$datasource" and direct names/UIDs like "prometheus") were being
dropped during conversion, causing variable chaining to break.
The frontend's DatasourceSrv.getInstanceSettings() already handles
string references by trying uid → name → id lookup at runtime, so we
preserve the string in the uid field and let the frontend resolve it.
* trigger frontend ci tests when dashboard migration code changes
* v1: if string convert to DS ref
* Update migration testdata to fix template variable datasource references
* update
* wip; DrilldownControls
* use wrapper so that drilldown controls wrap inline
* keep labels on top when input expands vertically
* add clear all button
* add collapsible prop
* i18n
* Increase maxWidth for adhoc
* bump scenes for testing
* fix
* remove clear all button
* use new feature toggle; pass collapsible in v2
* update variable controls to use new feature flag
* cleanup
* wip (#115441)
* wip
* fix
* update wrapping on smaller screens
---------
Co-authored-by: Haris Rozajac <haris.rozajac12@gmail.com>
* Filter out variables that are not in inControlsMenu
* filter out inControlsMenu vars, not hidden ones
* canary scenes
* fix
* cleanup
* canary scenes
* pass wideInput to groupby based on ff
* update var name and bump scenes
* bump scenes
* yarn lock
---------
Co-authored-by: Victor Marin <victor.marin@grafana.com>
* Fix Grafana App SDK logger log level
What
This commit fixes the hardcoded value of the app SDK logger log level
by properly setting it during the log manager initialization.
Why
To prevent app SDK logging from always logging at DEBUG.
Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>
* Add missing argument to the logging test
Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>
---------
Signed-off-by: Igor Suleymanov <igor.suleymanov@grafana.com>
* move content and mode properties to options level
* move to angular section
* Update comments
* handle missing angular text panel
* re-generate test files
* angualr panels tests
* fixing test
* Update output files
* Update output for dev dashboard
* Spread options at the top panel level for migration
* linting issue
---------
Co-authored-by: Ivan Ortega <ivanortegaalba@gmail.com>
* Remove the default alpine & ubuntu versions so that the ones in Dockerfile are used
* set default to just 'alpine' or 'ubuntu'
* use defaults instead
* Provisioning: Add Git Sync limitations warning and migrate resources checkbox
- Update SynchronizeStep alert to use warning severity with comprehensive Git Sync limitations
- Add conditional warnings for instance sync (permissions loss, alerts/library panels loss)
- Add conditional warnings for folder sync (folder structure changes, manual cleanup needed)
- Add "Migrate existing resources" checkbox for folder sync mode
- Update useCreateSyncJob hook to handle migrateResources option for folder sync
- Extract i18n translations for new strings
* Simplify createSyncJob: calculate requiresMigration in caller
- Remove syncTarget and migrateResources parameters from useCreateSyncJob hook
- Calculate requiresMigration in SynchronizeStep based on sync target and checkbox value
- Pass requiresMigration as parameter to createSyncJob function
* Revert: Pass requiresMigration as hook parameter
- Calculate requiresMigration in SynchronizeStep using useMemo
- Pass requiresMigration to useCreateSyncJob hook
- Remove parameter from createSyncJob function call
* Revert "Revert: Pass requiresMigration as hook parameter"
This reverts commit 97e3b7107d.
* Fix TypeScript errors in ProvisioningWizard
- Remove requiresMigration from useCreateSyncJob call
- Pass requiresMigration parameter to createSyncJob call
- Remove unused Target import from SynchronizeStep
* Show migrate resources checkbox for instance sync (checked and disabled)
- Display checkbox for both instance and folder sync
- For instance sync: checkbox is checked and disabled with explanation
- For instance sync: automatically set migrateResources to true via useEffect
- Update description to explain instance sync requires all resources to be managed
* Extract i18n translations for instance-migrate-resources-description
* Rename 'Synchronization options' to 'Options'
* Update i18n translations: rename synchronization-options to options
* Remove unnecessary conditional check for sync target
* Add bodySmall variant to announcement banner TextLink
* Move requiresMigration calculation logic into useResourceStats hook
- Add migrateResources parameter to useResourceStats hook
- Calculate final requiresMigration in hook based on sync target and checkbox value
- Use watch instead of getValues to reactively get migrateResources value
- Simplify startSynchronization to use requiresMigration from hook
* build(frontend): enable custom condition for resolving source files during dev and build
* feat(packages): apply conditional name to export properties
* chore(packages): add standard exports to flamegraph and prometheus
* chore(packages): resolve main, module, types to built files
* build(packages): clean up prepare-npm-package for custom condition changes
* refactor(packages): reduce repetition in conditional exports
* build(storybook): add @grafana-app/source to conditionNames
* test(frontend): add grafana-app/source customCondition for jest tests
* refactor(frontend): remove nested package import paths
* chore(jest): use customExportConditions for source files and browser
* chore(i18n): use src for ./eslint-plugin export
* chore(packages): set packages tsconfigs to moduleResolution bundler
* chore(packages): fix rollup builds
* build(packages): build cjs as multiple files
* chore(sql): reference MonitoringLogger for moduleresolution bundler to pass typecheck
* chore(ui): add type refs for moduleresolution bundler to pass typecheck
* feat(schema): add exports for cleaner import paths
* refactor(frontend): clean up schema paths to point to exports instead of nested file paths
* build(storybook): hack the builder-manager for custom conditions to resolve
* build(decoupled-plugins): fix broken builds due to missing conditionNames
* chore(e2e): pass condition to playwright to resolve local packages
* build(frontend): fix failing build
* chore(select): fix typings
* style(frontend): clean up eslint suppressions
* chore(packages): fix type errors due to incorrect tsconfig settings
* build(generate-apis): use swc with ts-node and moduleResolution bundler
* chore(cypress): add conditionNames to resolve monorepo packages
* build(npm): update prepare to work with latest exports changes
* build(packages): fix prepare-npm-package script
* fix(e2e-selectors): update debugoverlay for data-testid change
* build(packages): stop editing package.json at pack n publish time
* rerun ci
* chore(api-clients): use moduleResolution: bundler for customConditions support
* chore(api-clients): fix generation
* build(packages): remove aliasing exports, remove exports with only customConditions
* Revert "refactor(frontend): clean up schema paths to point to exports instead of nested file paths"
This reverts commit 7949b6ea0e60e51989d2a8149b7a24647cd68916.
* revert(schema): remove exports from package so builds work
* build(api-clients): fix up api-clients exports and rollup config
* build(api-clients): Update generated package exports for api clients
* build(schema): add overrides to cjsOutput and esmOutput so built directory structure is correct
* fix(packages): use rootDirs to prevent types/src directories in built d.ts file paths
* build(packages): prevent empty exports added to package.json during pack
* docs(packages): update readme with custom conditions information
---------
Co-authored-by: Tom Ratcliffe <tom.ratcliffe@grafana.com>
* `grafana-iam`: Add basic roles to the apis
* Fix validation
* chore: trigger CI
* Leave the hooks intact for now, moving them later
* Remove Role mention from the interface
* Refactor to use a NoopRest backend and Deny access
* fix(transformation): gray out transformation card on transformation tab
* fix(transformations): make data prop required in EmptyTransformationsMessage
This ensures TypeScript enforces that all call sites pass the data prop,
which is required for graying out inapplicable transformation cards.
- Changed data prop from optional to required in EmptyTransformationsProps
- Fixed TransformationsEditor.tsx to pass data (was missing in legacy code)
- Updated tests to pass the required data prop
---------
Co-authored-by: Sam Jewell <sam.jewell@grafana.com>
If you think you have found a security vulnerability, we have two routes for reporting security issues.
Important: Whichever route you choose, we ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
[Full guidance on reporting a security issue can be found here](https://grafana.com/legal/report-a-security-issue/).
This product is in scope for our Bug Bounty Program. To submit a vulnerability report, please visit [Grafana Labs Bug Bounty page](https://app.intigriti.com/programs/grafanalabs/grafanaossbbp/detail) and follow the instructions provided. Our security team will review your submission and get back to you as soon as possible.
---
For products and services outside the scope of our bug bounty program, or if you do not wish to receive a bounty, you can report issues directly to us via email at security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).
Please encrypt your message to us; please use our PGP key. The key fingerprint is:
225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from [keyserver.ubuntu.com](https://keyserver.ubuntu.com/pks/lookup?search=0x225E6A9BBB15A37E95EB6312C66A51CCB44C27E0&fingerprint=on&op=index).
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
**Important:** We ask you to not disclose the vulnerability before it have been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
## Security announcements
We will post a summary, remediation, and mitigation details for any patch containing security fixes on the Grafana blog. The security announcement blog posts will be tagged with the [security tag](https://grafana.com/tags/security/).
You can also track security announcements via the [RSS feed](https://grafana.com/tags/security/index.xml).
"description":"### Versions running\nShows the versions reported by each running pod.\n\nThe rollout will fail if any pod is not running the expected version.\n\nPods in green are running the expected version, while pods running other versions are shown in orange.\n\n",
"fieldConfig":{
"defaults":{
@@ -185,6 +188,9 @@
"type":"barchart"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Deployment rollout progress\nShows the number of pods for each `Deployment` that match the desired configuration, as a proportion of the desired number of pods.\n\nThe rollout will fail if insufficient pods match the desired configuration for any `Deployment`.\n\nPods in green match the desired configuration, while pods that do not match the desired configuration are shown in orange.\n\n",
"fieldConfig":{
"defaults":{
@@ -286,6 +292,9 @@
"type":"barchart"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### StatefulSet rollout progress\nShows the number of pods for each `StatefulSet` that match the desired configuration, as a proportion of the desired number of pods.\n\nThe rollout will fail if insufficient pods match the desired configuration for any `StatefulSet`.\n\nPods in green match the desired configuration, while pods that do not match the desired configuration are shown in orange.\n\n",
"fieldConfig":{
"defaults":{
@@ -399,6 +408,9 @@
"type":"row"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Aggregator lag\nShows the consumption lag of each aggregator pod.\n\nThis panel may show no data if aggregators are not deployed to this cell.\n\nThe rollout will fail if any pod's consumption lag is both:\n* greater than 30s (red area on graph), and\n* trending upwards compared to 1 minute earlier\n\n",
"fieldConfig":{
"defaults":{
@@ -468,6 +480,9 @@
"type":"timeseries"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Unhealthy Deployment replicas\nShows the number of unavailable pods for each `Deployment`.\n\nThe rollout will fail if any `Deployment` has an unavailable pod.\n\nBoth this panel and the rollout check ignore any `Deployment`s that require spot nodes, as these are expected to be unavailable from time to time.\n\n`Deployment`s shown in green do not have any unavailable pods, while `Deployment`s shown in orange have one or more unavailable pods.\n\n",
"fieldConfig":{
"defaults":{
@@ -569,6 +584,9 @@
"type":"barchart"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Unhealthy StatefulSet replicas\nShows the number of pods for each `StatefulSet` that are not ready.\n\nThe rollout will fail if any `StatefulSet` has fewer ready pods than requested.\n\nBoth this panel and the rollout check ignore any `StatefulSets`s that require spot nodes, as these are expected to be unavailable from time to time.\n\n`StatefulSets`s shown in green do not have any pods that are not ready, while `StatefulSet`s shown in orange have one or more pods that are not ready.\n\n",
"description":"### Versions running\nShows the versions reported by each running pod.\n\nThe rollout will fail if any pod is not running the expected version.\n\nPods in green are running the expected version, while pods running other versions are shown in orange.\n\n",
"fieldConfig":{
"defaults":{
@@ -185,6 +188,9 @@
"type":"barchart"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Deployment rollout progress\nShows the number of pods for each `Deployment` that match the desired configuration, as a proportion of the desired number of pods.\n\nThe rollout will fail if insufficient pods match the desired configuration for any `Deployment`.\n\nPods in green match the desired configuration, while pods that do not match the desired configuration are shown in orange.\n\n",
"fieldConfig":{
"defaults":{
@@ -286,6 +292,9 @@
"type":"barchart"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### StatefulSet rollout progress\nShows the number of pods for each `StatefulSet` that match the desired configuration, as a proportion of the desired number of pods.\n\nThe rollout will fail if insufficient pods match the desired configuration for any `StatefulSet`.\n\nPods in green match the desired configuration, while pods that do not match the desired configuration are shown in orange.\n\n",
"fieldConfig":{
"defaults":{
@@ -399,6 +408,9 @@
"type":"row"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Aggregator lag\nShows the consumption lag of each aggregator pod.\n\nThis panel may show no data if aggregators are not deployed to this cell.\n\nThe rollout will fail if any pod's consumption lag is both:\n* greater than 30s (red area on graph), and\n* trending upwards compared to 1 minute earlier\n\n",
"fieldConfig":{
"defaults":{
@@ -468,6 +480,9 @@
"type":"timeseries"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Unhealthy Deployment replicas\nShows the number of unavailable pods for each `Deployment`.\n\nThe rollout will fail if any `Deployment` has an unavailable pod.\n\nBoth this panel and the rollout check ignore any `Deployment`s that require spot nodes, as these are expected to be unavailable from time to time.\n\n`Deployment`s shown in green do not have any unavailable pods, while `Deployment`s shown in orange have one or more unavailable pods.\n\n",
"fieldConfig":{
"defaults":{
@@ -569,6 +584,9 @@
"type":"barchart"
},
{
"datasource":{
"uid":"$datasource"
},
"description":"### Unhealthy StatefulSet replicas\nShows the number of pods for each `StatefulSet` that are not ready.\n\nThe rollout will fail if any `StatefulSet` has fewer ready pods than requested.\n\nBoth this panel and the rollout check ignore any `StatefulSets`s that require spot nodes, as these are expected to be unavailable from time to time.\n\n`StatefulSets`s shown in green do not have any pods that are not ready, while `StatefulSet`s shown in orange have one or more pods that are not ready.\n\n",
"description":"Tests basic migration with default style pattern (/.*/) containing thresholds and colors. Should convert styles to fieldConfig.defaults with threshold steps.",
"gridPos":{
"h":3,
@@ -57,6 +61,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests comprehensive migration including: default style with thresholds/colors/unit/decimals/align/colorMode, column overrides with exact name and regex patterns, date formatting, hidden columns, and links with tooltips.",
"gridPos":{
"h":3,
@@ -80,6 +88,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of timeseries_aggregations transform to reduce transformation with column mappings (avg-\u003emean, max-\u003emax, min-\u003emin, total-\u003esum, current-\u003elastNotNull, count-\u003ecount).",
"gridPos":{
"h":3,
@@ -103,6 +115,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of timeseries_to_rows transform to seriesToRows transformation.",
"gridPos":{
"h":3,
@@ -126,6 +142,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of timeseries_to_columns transform to seriesToColumns transformation.",
"gridPos":{
"h":3,
@@ -149,6 +169,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of table transform to merge transformation. Also tests auto alignment conversion to empty string.",
"gridPos":{
"h":3,
@@ -172,6 +196,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests that existing transformations are preserved and new transformation from old format is appended to the list.",
"gridPos":{
"h":3,
@@ -208,6 +236,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests handling of mixed numeric and string threshold values (int, string, float) with proper type conversion.",
"gridPos":{
"h":3,
@@ -231,6 +263,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests all color mode mappings: cell-\u003ecolor-background, row-\u003ecolor-background, value-\u003ecolor-text.",
"gridPos":{
"h":3,
@@ -254,6 +290,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests all alignment options: left, center, right, and auto (should convert to empty string).",
"gridPos":{
"h":3,
@@ -277,6 +317,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests both field matcher types: byName for exact matches and byRegexp for regex patterns.",
"gridPos":{
"h":3,
@@ -300,6 +344,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests various link configurations: with and without tooltip, with and without target blank.",
"gridPos":{
"h":3,
@@ -323,6 +371,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests various date format patterns and aliases.",
"gridPos":{
"h":3,
@@ -346,6 +398,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"React table (table2) should not be migrated. Properties should remain unchanged.",
"gridPos":{
"h":3,
@@ -369,6 +425,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Angular table without styles property should not be migrated.",
"gridPos":{
"h":3,
@@ -392,6 +452,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Non-table panels should remain completely unchanged.",
"gridPos":{
"h":3,
@@ -415,6 +479,10 @@
"type":"timeseries"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Other panel types should not be affected by table migration.",
"description":"Tests basic migration with default style pattern (/.*/) containing thresholds and colors. Should convert styles to fieldConfig.defaults with threshold steps.",
"gridPos":{
"h":3,
@@ -57,6 +61,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests comprehensive migration including: default style with thresholds/colors/unit/decimals/align/colorMode, column overrides with exact name and regex patterns, date formatting, hidden columns, and links with tooltips.",
"gridPos":{
"h":3,
@@ -80,6 +88,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of timeseries_aggregations transform to reduce transformation with column mappings (avg-\u003emean, max-\u003emax, min-\u003emin, total-\u003esum, current-\u003elastNotNull, count-\u003ecount).",
"gridPos":{
"h":3,
@@ -103,6 +115,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of timeseries_to_rows transform to seriesToRows transformation.",
"gridPos":{
"h":3,
@@ -126,6 +142,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of timeseries_to_columns transform to seriesToColumns transformation.",
"gridPos":{
"h":3,
@@ -149,6 +169,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests migration of table transform to merge transformation. Also tests auto alignment conversion to empty string.",
"gridPos":{
"h":3,
@@ -172,6 +196,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests that existing transformations are preserved and new transformation from old format is appended to the list.",
"gridPos":{
"h":3,
@@ -208,6 +236,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests handling of mixed numeric and string threshold values (int, string, float) with proper type conversion.",
"gridPos":{
"h":3,
@@ -231,6 +263,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests all color mode mappings: cell-\u003ecolor-background, row-\u003ecolor-background, value-\u003ecolor-text.",
"gridPos":{
"h":3,
@@ -254,6 +290,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests all alignment options: left, center, right, and auto (should convert to empty string).",
"gridPos":{
"h":3,
@@ -277,6 +317,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests both field matcher types: byName for exact matches and byRegexp for regex patterns.",
"gridPos":{
"h":3,
@@ -300,6 +344,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests various link configurations: with and without tooltip, with and without target blank.",
"gridPos":{
"h":3,
@@ -323,6 +371,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests various date format patterns and aliases.",
"gridPos":{
"h":3,
@@ -346,6 +398,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"React table (table2) should not be migrated. Properties should remain unchanged.",
"gridPos":{
"h":3,
@@ -369,6 +425,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Angular table without styles property should not be migrated.",
"gridPos":{
"h":3,
@@ -392,6 +452,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Non-table panels should remain completely unchanged.",
"gridPos":{
"h":3,
@@ -415,6 +479,10 @@
"type":"timeseries"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Other panel types should not be affected by table migration.",
"description":"Tests v33 migration behavior when panel datasource is explicitly null. Should remain null after migration (returnDefaultAsNull: true).",
"gridPos":{
"h":3,
@@ -51,6 +55,10 @@
"type":"stat"
},
{
"datasource":{
"type":"elasticsearch",
"uid":"existing-target-uid"
},
"description":"Tests v33 migration behavior when panel datasource is already a proper object reference. Should remain unchanged.",
"gridPos":{
"h":3,
@@ -75,6 +83,10 @@
"type":"stat"
},
{
"datasource":{
"type":"loki",
"uid":"non-default-test-ds-uid"
},
"description":"Tests v33 migration when panel datasource is a string name. Should convert to proper object with uid, type, apiVersion.",
"gridPos":{
"h":3,
@@ -98,6 +110,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests v33 migration when panel has datasource string but empty targets array. Panel datasource should still migrate.",
"gridPos":{
"h":3,
@@ -283,6 +299,10 @@
"id":-1,
"panels":[
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Nested panel with string datasource should migrate to proper object reference, proving row panel recursion works.",
"description":"Tests v33 migration behavior when panel datasource is explicitly null. Should remain null after migration (returnDefaultAsNull: true).",
"gridPos":{
"h":3,
@@ -51,6 +55,10 @@
"type":"stat"
},
{
"datasource":{
"type":"elasticsearch",
"uid":"existing-target-uid"
},
"description":"Tests v33 migration behavior when panel datasource is already a proper object reference. Should remain unchanged.",
"gridPos":{
"h":3,
@@ -75,6 +83,10 @@
"type":"stat"
},
{
"datasource":{
"type":"loki",
"uid":"non-default-test-ds-uid"
},
"description":"Tests v33 migration when panel datasource is a string name. Should convert to proper object with uid, type, apiVersion.",
"gridPos":{
"h":3,
@@ -98,6 +110,10 @@
"type":"table"
},
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Tests v33 migration when panel has datasource string but empty targets array. Panel datasource should still migrate.",
"gridPos":{
"h":3,
@@ -283,6 +299,10 @@
"id":-1,
"panels":[
{
"datasource":{
"type":"prometheus",
"uid":"default-ds-uid"
},
"description":"Nested panel with string datasource should migrate to proper object reference, proving row panel recursion works.",
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
