Skip to content

PMM-15138 Fix alerting permissions#5493

Open
ademidoff wants to merge 9 commits into
v3from
PMM-15138-fix-alerting-permissions
Open

PMM-15138 Fix alerting permissions#5493
ademidoff wants to merge 9 commits into
v3from
PMM-15138-fix-alerting-permissions

Conversation

@ademidoff

@ademidoff ademidoff commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Member

Ticket number: PMM-15138

Feature build: SUBMODULES-4403

Ref: percona/pmm-qa#1014

@ademidoff ademidoff mentioned this pull request Jun 11, 2026
Draft
@codecov

codecov Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 64.51613% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.49%. Comparing base (29af54e) to head (2c3a045).
⚠️ Report is 3 commits behind head on v3.

Files with missing lines Patch % Lines
managed/services/grafana/auth_server.go 64.51% 11 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##               v3    #5493      +/-   ##
==========================================
+ Coverage   43.46%   43.49%   +0.03%     
==========================================
  Files         413      413              
  Lines       42928    42935       +7     
==========================================
+ Hits        18659    18675      +16     
+ Misses      22393    22385       -8     
+ Partials     1876     1875       -1
Flag Coverage Δ
admin 34.78% <ø> (ø)
agent 48.94% <ø> (+0.12%) ⬆️
managed 42.86% <64.51%> (ø)
vmproxy 72.22% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ademidoff ademidoff marked this pull request as ready for review June 11, 2026 21:18
@ademidoff ademidoff requested a review from a team as a code owner June 11, 2026 21:18
@ademidoff ademidoff requested review from 4nte and maxkondr and removed request for a team June 11, 2026 21:18
maxkondr
maxkondr reviewed Jun 12, 2026
View reviewed changes
Comment thread managed/services/grafana/auth_server.go Outdated
Comment thread managed/services/grafana/auth_server.go Outdated
ademidoff and others added 2 commits June 12, 2026 15:19
@ademidoff @maxkondr
Update managed/services/grafana/auth_server.go
02ba68c 
Co-authored-by: Maxim Kondratenko <maxim.kondratenko@percona.com>
@ademidoff
PMM-15138 Resolve minRole in a single place
7826d07
@ademidoff ademidoff requested a review from maxkondr June 12, 2026 14:16
ademidoff added 3 commits June 13, 2026 00:53
@ademidoff
PMM-15138 Return 403 for authorization denials
33712fd 
The nginx auth layer returned 401 for permission denials, which triggers
the error_page 401 re-run against /auth_request as a GET. For method-specific
rules (e.g. POST /v1/alerting/templates) the GET re-run is allowed, so the
client received a misleading 200 even though the write was blocked.

Map PermissionDenied to 403 so nginx denies outright via error_page 403,
which serves a static body without re-running. Unauthenticated stays 401.
@ademidoff
PMM-15138 Remove the period from the error message
42e1315
@ademidoff
PMM-15138 Enhance comments in auth_server.go
2c3a045
@ademidoff ademidoff mentioned this pull request Jun 13, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@4nte 4nte 4nte approved these changes

@JiriCtvrtka JiriCtvrtka JiriCtvrtka approved these changes

@maxkondr maxkondr Awaiting requested review from maxkondr

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ademidoff @4nte @maxkondr @JiriCtvrtka