2022-06-03 08:09:47 -06:00
|
|
|
import logging
|
2024-01-04 12:34:28 -03:00
|
|
|
import uuid
|
2022-06-03 08:09:47 -06:00
|
|
|
|
|
|
|
|
from celery.utils.log import get_task_logger
|
2022-09-02 14:06:42 -06:00
|
|
|
from django.conf import settings
|
2022-06-03 08:09:47 -06:00
|
|
|
from django.utils import timezone
|
|
|
|
|
|
|
|
|
|
from apps.grafana_plugin.helpers.client import GcomAPIClient, GrafanaAPIClient
|
|
|
|
|
from apps.user_management.models import Organization, Team, User
|
2023-04-14 09:15:57 +02:00
|
|
|
from apps.user_management.signals import org_sync_signal
|
2024-01-04 12:34:28 -03:00
|
|
|
from common.utils import task_lock
|
2022-06-03 08:09:47 -06:00
|
|
|
|
|
|
|
|
logger = get_task_logger(__name__)
|
|
|
|
|
logger.setLevel(logging.DEBUG)
|
|
|
|
|
|
|
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def sync_organization(organization: Organization) -> None:
|
2024-01-04 12:34:28 -03:00
|
|
|
# ensure one sync task is running at most for a given org at a given time
|
|
|
|
|
lock_id = "sync-organization-lock-{}".format(organization.id)
|
|
|
|
|
random_value = str(uuid.uuid4())
|
|
|
|
|
with task_lock(lock_id, random_value) as acquired:
|
|
|
|
|
if acquired:
|
|
|
|
|
_sync_organization(organization)
|
|
|
|
|
else:
|
|
|
|
|
# sync already running
|
|
|
|
|
logger.info(f"Sync for Organization {organization.pk} already in progress.")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _sync_organization(organization: Organization) -> None:
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
grafana_api_client = GrafanaAPIClient(api_url=organization.grafana_url, api_token=organization.api_token)
|
Refactor how RBAC enabled/disabled status is determined for Grafana Cloud stacks (#4279)
# What this PR does
In cloud we are currently (somewhat) improperly determining whether or
not a Grafana stack had the `accessControlOnCall` feature flag enabled.
At first things worked fine. We would enable this feature toggle via the
Grafana Admin UI, and then the OnCall backend would read this value from
GCOM's `GET /instance/<stack_id>` endpoint (via
`config.feature_toggles`), and everything worked as expected.
There was a recent change made in `grafana/deployment_tools` to set this
feature flag to True for all stacks. However, for some reason, the GCOM
endpoint above doesn't return the `accessControlOnCall` feature toggle
value in `config.feature_toggles` if it is set in this manner (it only
returns the value if it is set via the Grafana Admin UI).
So what we should instead be doing is such instead of asking GCOM for
this feature toggle, infer whether RBAC is enabled on the stack by doing
a `HEAD /api/access-control/users/permissions/search` (this endpoint _is
only_ available on a Grafana stack if `accessControlOnCall` is enabled).
**Few caveats to this ☝️**
1. we first have to make sure that the cloud stack is in an `active`
state (ie. not paused). This is because, no matter if the
`accessControlOnCall` is enabled or not, if the stack is in a `paused`
state it will ALWAYS return `HTTP 200` which can be misleading and lead
to bugs (this feels like a bug on the Grafana API, will follow up with
core grafana team)
2. Once we roll out this change we will effectively **actually** be
enabling RBAC for OnCall for all orgs. The Identity Access team would
prefer a progressive rollout, which is why I decided to introduce the
concept of
[`settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE`](https://github.com/grafana/oncall/pull/4279/files#diff-3383aef931e41e44d95829ad971641eeb98fe001be2f5da92217446d300ea1b3R918)
(see also [`Organization.
should_be_considered_for_rbac_permissioning`](https://github.com/grafana/oncall/pull/4279/files#diff-2ca9917f4f56349be39545ee8abd459be5076295d02ca3a7ec545152fcddccdfR348-R362))
## Which issue(s) this PR closes
Related to https://github.com/grafana/identity-access-team/issues/667
## Checklist
- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
show up in the autogenerated release notes.
2024-05-14 12:30:16 -04:00
|
|
|
rbac_is_enabled = organization.is_rbac_permissions_enabled
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
|
|
|
|
|
# NOTE: checking whether or not RBAC is enabled depends on whether we are dealing with an open-source or cloud
|
Refactor how RBAC enabled/disabled status is determined for Grafana Cloud stacks (#4279)
# What this PR does
In cloud we are currently (somewhat) improperly determining whether or
not a Grafana stack had the `accessControlOnCall` feature flag enabled.
At first things worked fine. We would enable this feature toggle via the
Grafana Admin UI, and then the OnCall backend would read this value from
GCOM's `GET /instance/<stack_id>` endpoint (via
`config.feature_toggles`), and everything worked as expected.
There was a recent change made in `grafana/deployment_tools` to set this
feature flag to True for all stacks. However, for some reason, the GCOM
endpoint above doesn't return the `accessControlOnCall` feature toggle
value in `config.feature_toggles` if it is set in this manner (it only
returns the value if it is set via the Grafana Admin UI).
So what we should instead be doing is such instead of asking GCOM for
this feature toggle, infer whether RBAC is enabled on the stack by doing
a `HEAD /api/access-control/users/permissions/search` (this endpoint _is
only_ available on a Grafana stack if `accessControlOnCall` is enabled).
**Few caveats to this ☝️**
1. we first have to make sure that the cloud stack is in an `active`
state (ie. not paused). This is because, no matter if the
`accessControlOnCall` is enabled or not, if the stack is in a `paused`
state it will ALWAYS return `HTTP 200` which can be misleading and lead
to bugs (this feels like a bug on the Grafana API, will follow up with
core grafana team)
2. Once we roll out this change we will effectively **actually** be
enabling RBAC for OnCall for all orgs. The Identity Access team would
prefer a progressive rollout, which is why I decided to introduce the
concept of
[`settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE`](https://github.com/grafana/oncall/pull/4279/files#diff-3383aef931e41e44d95829ad971641eeb98fe001be2f5da92217446d300ea1b3R918)
(see also [`Organization.
should_be_considered_for_rbac_permissioning`](https://github.com/grafana/oncall/pull/4279/files#diff-2ca9917f4f56349be39545ee8abd459be5076295d02ca3a7ec545152fcddccdfR348-R362))
## Which issue(s) this PR closes
Related to https://github.com/grafana/identity-access-team/issues/667
## Checklist
- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
show up in the autogenerated release notes.
2024-05-14 12:30:16 -04:00
|
|
|
# stack. For open-source, simply make a HEAD request to the grafana instance's API and consider RBAC enabled if
|
|
|
|
|
# the list RBAC permissions endpoint returns 200.
|
|
|
|
|
#
|
|
|
|
|
# For cloud, we need to check the stack's status first. If the stack is active, we can make the same HEAD request
|
|
|
|
|
# to the grafana instance's API. If the stack is not active, we will simply rely on the org's previous state of
|
|
|
|
|
# org.is_rbac_permissions_enabled
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
if settings.LICENSE == settings.CLOUD_LICENSE_NAME:
|
Refactor how RBAC enabled/disabled status is determined for Grafana Cloud stacks (#4279)
# What this PR does
In cloud we are currently (somewhat) improperly determining whether or
not a Grafana stack had the `accessControlOnCall` feature flag enabled.
At first things worked fine. We would enable this feature toggle via the
Grafana Admin UI, and then the OnCall backend would read this value from
GCOM's `GET /instance/<stack_id>` endpoint (via
`config.feature_toggles`), and everything worked as expected.
There was a recent change made in `grafana/deployment_tools` to set this
feature flag to True for all stacks. However, for some reason, the GCOM
endpoint above doesn't return the `accessControlOnCall` feature toggle
value in `config.feature_toggles` if it is set in this manner (it only
returns the value if it is set via the Grafana Admin UI).
So what we should instead be doing is such instead of asking GCOM for
this feature toggle, infer whether RBAC is enabled on the stack by doing
a `HEAD /api/access-control/users/permissions/search` (this endpoint _is
only_ available on a Grafana stack if `accessControlOnCall` is enabled).
**Few caveats to this ☝️**
1. we first have to make sure that the cloud stack is in an `active`
state (ie. not paused). This is because, no matter if the
`accessControlOnCall` is enabled or not, if the stack is in a `paused`
state it will ALWAYS return `HTTP 200` which can be misleading and lead
to bugs (this feels like a bug on the Grafana API, will follow up with
core grafana team)
2. Once we roll out this change we will effectively **actually** be
enabling RBAC for OnCall for all orgs. The Identity Access team would
prefer a progressive rollout, which is why I decided to introduce the
concept of
[`settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE`](https://github.com/grafana/oncall/pull/4279/files#diff-3383aef931e41e44d95829ad971641eeb98fe001be2f5da92217446d300ea1b3R918)
(see also [`Organization.
should_be_considered_for_rbac_permissioning`](https://github.com/grafana/oncall/pull/4279/files#diff-2ca9917f4f56349be39545ee8abd459be5076295d02ca3a7ec545152fcddccdfR348-R362))
## Which issue(s) this PR closes
Related to https://github.com/grafana/identity-access-team/issues/667
## Checklist
- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
show up in the autogenerated release notes.
2024-05-14 12:30:16 -04:00
|
|
|
# We cannot simply rely on the HEAD call in cloud because if an instance is not active
|
|
|
|
|
# the grafana gateway will still return 200 for the HEAD request.
|
|
|
|
|
stack_id = organization.stack_id
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
gcom_client = GcomAPIClient(settings.GRAFANA_COM_ADMIN_API_TOKEN)
|
Refactor how RBAC enabled/disabled status is determined for Grafana Cloud stacks (#4279)
# What this PR does
In cloud we are currently (somewhat) improperly determining whether or
not a Grafana stack had the `accessControlOnCall` feature flag enabled.
At first things worked fine. We would enable this feature toggle via the
Grafana Admin UI, and then the OnCall backend would read this value from
GCOM's `GET /instance/<stack_id>` endpoint (via
`config.feature_toggles`), and everything worked as expected.
There was a recent change made in `grafana/deployment_tools` to set this
feature flag to True for all stacks. However, for some reason, the GCOM
endpoint above doesn't return the `accessControlOnCall` feature toggle
value in `config.feature_toggles` if it is set in this manner (it only
returns the value if it is set via the Grafana Admin UI).
So what we should instead be doing is such instead of asking GCOM for
this feature toggle, infer whether RBAC is enabled on the stack by doing
a `HEAD /api/access-control/users/permissions/search` (this endpoint _is
only_ available on a Grafana stack if `accessControlOnCall` is enabled).
**Few caveats to this ☝️**
1. we first have to make sure that the cloud stack is in an `active`
state (ie. not paused). This is because, no matter if the
`accessControlOnCall` is enabled or not, if the stack is in a `paused`
state it will ALWAYS return `HTTP 200` which can be misleading and lead
to bugs (this feels like a bug on the Grafana API, will follow up with
core grafana team)
2. Once we roll out this change we will effectively **actually** be
enabling RBAC for OnCall for all orgs. The Identity Access team would
prefer a progressive rollout, which is why I decided to introduce the
concept of
[`settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE`](https://github.com/grafana/oncall/pull/4279/files#diff-3383aef931e41e44d95829ad971641eeb98fe001be2f5da92217446d300ea1b3R918)
(see also [`Organization.
should_be_considered_for_rbac_permissioning`](https://github.com/grafana/oncall/pull/4279/files#diff-2ca9917f4f56349be39545ee8abd459be5076295d02ca3a7ec545152fcddccdfR348-R362))
## Which issue(s) this PR closes
Related to https://github.com/grafana/identity-access-team/issues/667
## Checklist
- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
show up in the autogenerated release notes.
2024-05-14 12:30:16 -04:00
|
|
|
|
2024-05-22 11:27:16 -04:00
|
|
|
if gcom_client.is_stack_active(stack_id):
|
Refactor how RBAC enabled/disabled status is determined for Grafana Cloud stacks (#4279)
# What this PR does
In cloud we are currently (somewhat) improperly determining whether or
not a Grafana stack had the `accessControlOnCall` feature flag enabled.
At first things worked fine. We would enable this feature toggle via the
Grafana Admin UI, and then the OnCall backend would read this value from
GCOM's `GET /instance/<stack_id>` endpoint (via
`config.feature_toggles`), and everything worked as expected.
There was a recent change made in `grafana/deployment_tools` to set this
feature flag to True for all stacks. However, for some reason, the GCOM
endpoint above doesn't return the `accessControlOnCall` feature toggle
value in `config.feature_toggles` if it is set in this manner (it only
returns the value if it is set via the Grafana Admin UI).
So what we should instead be doing is such instead of asking GCOM for
this feature toggle, infer whether RBAC is enabled on the stack by doing
a `HEAD /api/access-control/users/permissions/search` (this endpoint _is
only_ available on a Grafana stack if `accessControlOnCall` is enabled).
**Few caveats to this ☝️**
1. we first have to make sure that the cloud stack is in an `active`
state (ie. not paused). This is because, no matter if the
`accessControlOnCall` is enabled or not, if the stack is in a `paused`
state it will ALWAYS return `HTTP 200` which can be misleading and lead
to bugs (this feels like a bug on the Grafana API, will follow up with
core grafana team)
2. Once we roll out this change we will effectively **actually** be
enabling RBAC for OnCall for all orgs. The Identity Access team would
prefer a progressive rollout, which is why I decided to introduce the
concept of
[`settings.CLOUD_RBAC_ROLLOUT_PERCENTAGE`](https://github.com/grafana/oncall/pull/4279/files#diff-3383aef931e41e44d95829ad971641eeb98fe001be2f5da92217446d300ea1b3R918)
(see also [`Organization.
should_be_considered_for_rbac_permissioning`](https://github.com/grafana/oncall/pull/4279/files#diff-2ca9917f4f56349be39545ee8abd459be5076295d02ca3a7ec545152fcddccdfR348-R362))
## Which issue(s) this PR closes
Related to https://github.com/grafana/identity-access-team/issues/667
## Checklist
- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
show up in the autogenerated release notes.
2024-05-14 12:30:16 -04:00
|
|
|
# the stack MUST be active for this check.. if it is in any other state
|
|
|
|
|
# the Grafana API risks returning an HTTP 200 but the actual permissions data that is
|
|
|
|
|
# synced later on will be empty (and we'd erase all RBAC permissions stored in OnCall)
|
|
|
|
|
rbac_is_enabled = grafana_api_client.is_rbac_enabled_for_organization()
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
else:
|
|
|
|
|
rbac_is_enabled = grafana_api_client.is_rbac_enabled_for_organization()
|
|
|
|
|
|
|
|
|
|
organization.is_rbac_permissions_enabled = rbac_is_enabled
|
2024-01-23 15:59:33 -07:00
|
|
|
logger.info(f"RBAC status org={organization.pk} rbac_enabled={organization.is_rbac_permissions_enabled}")
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
|
2022-12-12 18:25:56 +01:00
|
|
|
_sync_instance_info(organization)
|
2022-11-29 09:41:56 +01:00
|
|
|
|
2023-01-24 13:44:07 +08:00
|
|
|
_, check_token_call_status = grafana_api_client.check_token()
|
2023-02-23 14:23:57 +01:00
|
|
|
if check_token_call_status["connected"]:
|
2022-06-03 08:09:47 -06:00
|
|
|
organization.api_token_status = Organization.API_TOKEN_STATUS_OK
|
2023-01-24 13:44:07 +08:00
|
|
|
sync_users_and_teams(grafana_api_client, organization)
|
|
|
|
|
organization.last_time_synced = timezone.now()
|
2023-12-05 14:58:05 -05:00
|
|
|
|
2024-01-30 15:29:16 +08:00
|
|
|
_sync_grafana_incident_plugin(organization, grafana_api_client)
|
|
|
|
|
_sync_grafana_labels_plugin(organization, grafana_api_client)
|
2022-06-03 08:09:47 -06:00
|
|
|
else:
|
|
|
|
|
organization.api_token_status = Organization.API_TOKEN_STATUS_FAILED
|
2024-01-23 15:59:33 -07:00
|
|
|
logger.warning(f"Sync not successful org={organization.pk} token_status=FAILED")
|
2022-06-03 08:09:47 -06:00
|
|
|
|
|
|
|
|
organization.save(
|
|
|
|
|
update_fields=[
|
2023-03-09 12:10:19 +08:00
|
|
|
"cluster_slug",
|
2022-06-03 08:09:47 -06:00
|
|
|
"stack_slug",
|
|
|
|
|
"org_slug",
|
|
|
|
|
"org_title",
|
2022-10-11 12:04:33 -06:00
|
|
|
"region_slug",
|
2022-06-03 08:09:47 -06:00
|
|
|
"grafana_url",
|
|
|
|
|
"last_time_synced",
|
|
|
|
|
"api_token_status",
|
|
|
|
|
"gcom_token_org_last_time_synced",
|
2022-11-29 09:41:56 +01:00
|
|
|
"is_rbac_permissions_enabled",
|
2023-01-17 13:04:50 +01:00
|
|
|
"is_grafana_incident_enabled",
|
2024-02-01 13:43:32 +08:00
|
|
|
"is_grafana_labels_enabled",
|
2023-12-05 14:58:05 -05:00
|
|
|
"grafana_incident_backend_url",
|
2022-06-03 08:09:47 -06:00
|
|
|
]
|
|
|
|
|
)
|
|
|
|
|
|
2023-04-14 09:15:57 +02:00
|
|
|
org_sync_signal.send(sender=None, organization=organization)
|
|
|
|
|
|
2022-06-03 08:09:47 -06:00
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def _sync_instance_info(organization: Organization) -> None:
|
2022-12-12 18:25:56 +01:00
|
|
|
if organization.gcom_token:
|
|
|
|
|
gcom_client = GcomAPIClient(organization.gcom_token)
|
Revert "Refactor gcom api calls when syncing org" (#3498)
Reverts grafana/oncall#3489
Reviewing logs, it seems something broke related to [token
auth](https://ops.grafana-ops.net/explore?schemaVersion=1&panes=%7B%22ffS%22:%7B%22datasource%22:%22OP27Xzxnk%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D~%5C%22dev-.%2A%5C%22,%20namespace%3D%5C%22grafana-com%5C%22,%20job%3D%5C%22grafana-com%2Fgrafana-com-api%5C%22%7D%20%7C~%20%5C%22%2Finstances%2F%5Ba-z0-9%5D%2B.config%3Dtrue%5C%22%20%7C%3D%20%5C%22Grafana%20OnCall%5C%22%22,%22editorMode%22:%22code%22,%22queryType%22:%22range%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22OP27Xzxnk%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&orgId=1).
Reverting for now, will revisit in a later PR.
2023-12-04 15:02:58 -03:00
|
|
|
instance_info = gcom_client.get_instance_info(organization.stack_id)
|
2022-12-12 18:25:56 +01:00
|
|
|
|
|
|
|
|
if not instance_info or instance_info["orgId"] != organization.org_id:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
organization.stack_slug = instance_info["slug"]
|
|
|
|
|
organization.org_slug = instance_info["orgSlug"]
|
|
|
|
|
organization.org_title = instance_info["orgName"]
|
|
|
|
|
organization.region_slug = instance_info["regionSlug"]
|
|
|
|
|
organization.grafana_url = instance_info["url"]
|
2023-03-09 12:10:19 +08:00
|
|
|
organization.cluster_slug = instance_info["clusterSlug"]
|
2022-12-12 18:25:56 +01:00
|
|
|
organization.gcom_token_org_last_time_synced = timezone.now()
|
|
|
|
|
|
|
|
|
|
|
2024-01-30 15:29:16 +08:00
|
|
|
def _sync_grafana_labels_plugin(organization: Organization, grafana_api_client) -> None:
|
|
|
|
|
"""
|
|
|
|
|
_sync_grafana_labels_plugin checks if grafana-labels-app plugin is enabled and sets a flag in the organization.
|
|
|
|
|
It intended to use only inside _sync_organization. It mutates, but not saves org, it's saved in _sync_organization.
|
|
|
|
|
"""
|
|
|
|
|
grafana_labels_plugin_settings, _ = grafana_api_client.get_grafana_labels_plugin_settings()
|
|
|
|
|
if grafana_labels_plugin_settings is not None:
|
|
|
|
|
organization.is_grafana_labels_enabled = grafana_labels_plugin_settings["enabled"]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _sync_grafana_incident_plugin(organization: Organization, grafana_api_client) -> None:
|
|
|
|
|
"""
|
|
|
|
|
_sync_grafana_incident_plugin check if incident plugin is enabled and sets a flag and its url in the organization.
|
|
|
|
|
It intended to use only inside _sync_organization. It mutates, but not saves org, it's saved in _sync_organization.
|
|
|
|
|
"""
|
|
|
|
|
grafana_incident_settings, _ = grafana_api_client.get_grafana_incident_plugin_settings()
|
2024-01-31 11:52:20 -07:00
|
|
|
organization.is_grafana_incident_enabled = False
|
|
|
|
|
organization.grafana_incident_backend_url = None
|
|
|
|
|
|
2024-01-30 15:29:16 +08:00
|
|
|
if grafana_incident_settings is not None:
|
|
|
|
|
organization.is_grafana_incident_enabled = grafana_incident_settings["enabled"]
|
2024-01-31 11:52:20 -07:00
|
|
|
organization.grafana_incident_backend_url = (grafana_incident_settings.get("jsonData") or {}).get(
|
2024-01-30 15:29:16 +08:00
|
|
|
GrafanaAPIClient.GRAFANA_INCIDENT_PLUGIN_BACKEND_URL_KEY
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def sync_users_and_teams(client: GrafanaAPIClient, organization: Organization) -> None:
|
2023-01-24 13:44:07 +08:00
|
|
|
sync_users(client, organization)
|
|
|
|
|
sync_teams(client, organization)
|
|
|
|
|
sync_team_members(client, organization)
|
|
|
|
|
|
|
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def sync_users(client: GrafanaAPIClient, organization: Organization, **kwargs) -> None:
|
2023-01-24 13:44:07 +08:00
|
|
|
api_users = client.get_users(organization.is_rbac_permissions_enabled, **kwargs)
|
2022-06-03 08:09:47 -06:00
|
|
|
# check if api_users are shaped correctly. e.g. for paused instance, the response is not a list.
|
|
|
|
|
if not api_users or not isinstance(api_users, (tuple, list)):
|
|
|
|
|
return
|
|
|
|
|
User.objects.sync_for_organization(organization=organization, api_users=api_users)
|
|
|
|
|
|
2023-01-24 13:44:07 +08:00
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def sync_teams(client: GrafanaAPIClient, organization: Organization, **kwargs) -> None:
|
2023-01-24 13:44:07 +08:00
|
|
|
api_teams_result, _ = client.get_teams(**kwargs)
|
2022-06-03 08:09:47 -06:00
|
|
|
if not api_teams_result:
|
|
|
|
|
return
|
|
|
|
|
api_teams = api_teams_result["teams"]
|
|
|
|
|
Team.objects.sync_for_organization(organization=organization, api_teams=api_teams)
|
|
|
|
|
|
2023-01-24 13:44:07 +08:00
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def sync_team_members(client: GrafanaAPIClient, organization: Organization) -> None:
|
2022-06-03 08:09:47 -06:00
|
|
|
for team in organization.teams.all():
|
|
|
|
|
members, _ = client.get_team_members(team.team_id)
|
|
|
|
|
if not members:
|
|
|
|
|
continue
|
|
|
|
|
User.objects.sync_for_team(team=team, api_members=members)
|
|
|
|
|
|
2023-01-24 13:44:07 +08:00
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def sync_users_for_teams(client: GrafanaAPIClient, organization: Organization, **kwargs) -> None:
|
2023-01-24 13:44:07 +08:00
|
|
|
api_teams_result, _ = client.get_teams(**kwargs)
|
|
|
|
|
if not api_teams_result:
|
|
|
|
|
return
|
|
|
|
|
api_teams = api_teams_result["teams"]
|
|
|
|
|
Team.objects.sync_for_organization(organization=organization, api_teams=api_teams)
|
2022-06-03 08:09:47 -06:00
|
|
|
|
|
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def delete_organization_if_needed(organization: Organization) -> bool:
|
2022-09-02 14:06:42 -06:00
|
|
|
# Organization has a manually set API token, it will not be found within GCOM
|
|
|
|
|
# and would need to be deleted manually.
|
2023-07-25 10:43:23 +01:00
|
|
|
from apps.auth_token.models import PluginAuthToken
|
|
|
|
|
|
2023-05-17 06:56:57 -06:00
|
|
|
manually_provisioned_token = PluginAuthToken.objects.filter(organization_id=organization.pk).first()
|
|
|
|
|
if manually_provisioned_token:
|
|
|
|
|
logger.info(f"Organization {organization.pk} has PluginAuthToken. Probably it's needed to delete org manually.")
|
2022-06-03 08:09:47 -06:00
|
|
|
return False
|
|
|
|
|
|
2022-09-02 14:06:42 -06:00
|
|
|
# Use common token as organization.gcom_token could be already revoked
|
2023-05-17 06:56:57 -06:00
|
|
|
client = GcomAPIClient(settings.GRAFANA_COM_ADMIN_API_TOKEN)
|
2022-09-02 14:06:42 -06:00
|
|
|
is_stack_deleted = client.is_stack_deleted(organization.stack_id)
|
2022-06-03 08:09:47 -06:00
|
|
|
if not is_stack_deleted:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
organization.delete()
|
|
|
|
|
return True
|
2022-09-02 14:06:42 -06:00
|
|
|
|
|
|
|
|
|
2023-08-03 11:43:03 +02:00
|
|
|
def cleanup_organization(organization_pk: int) -> None:
|
2022-09-02 14:06:42 -06:00
|
|
|
logger.info(f"Start cleanup Organization {organization_pk}")
|
|
|
|
|
try:
|
2024-03-04 12:45:01 -07:00
|
|
|
organization = Organization.objects_with_deleted.get(pk=organization_pk)
|
|
|
|
|
|
|
|
|
|
from apps.grafana_plugin.tasks.sync import cleanup_empty_deleted_integrations
|
|
|
|
|
|
|
|
|
|
cleanup_empty_deleted_integrations.apply_async(
|
|
|
|
|
(
|
|
|
|
|
organization.pk,
|
|
|
|
|
False,
|
|
|
|
|
),
|
|
|
|
|
)
|
|
|
|
|
|
2022-09-02 14:06:42 -06:00
|
|
|
if delete_organization_if_needed(organization):
|
|
|
|
|
logger.info(
|
|
|
|
|
f"Deleting organization due to stack deletion. "
|
2022-09-08 11:56:04 -06:00
|
|
|
f"pk: {organization_pk}, stack_id: {organization.stack_id}, org_id: {organization.org_id}"
|
2022-09-02 14:06:42 -06:00
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
|
logger.info(f"Organization {organization_pk} not deleted in gcom, no action taken")
|
2024-03-04 12:45:01 -07:00
|
|
|
|
2022-09-02 14:06:42 -06:00
|
|
|
except Organization.DoesNotExist:
|
|
|
|
|
logger.info(f"Organization {organization_pk} was not found")
|