Merge branch 'main' into gio/feat/create-correlation-api

Author: Elfo404

docs/sources/alerting/migrating-alerts/_index.md

@@ -13,7 +13,7 @@ weight: 101
 
 Grafana Alerting is enabled by default for new installations or existing installations whether or not legacy alerting is configured.
 
-> **Note**: We recommend that Grafana Enterprise customers with more than a dozen Grafana dashboard alert rules do not upgrade and remain on legacy alerting for now by [opting out]({{< relref "opt-out/" >}}). If you do want to upgrade to Grafana Alerting, contact customer support.
+> **Note**: When upgrading, your dashboard alerts are migrated to a new format. This migration can be rolled back easily by [opting out]({{< relref "opt-out/" >}}). If you have any questions regarding this migration, please contact us.
 
 Existing installations that do not use legacy alerting will have Grafana Alerting enabled by default unless alerting is disabled in the configuration.
 

docs/sources/developers/http_api/admin.md

@@ -718,11 +718,7 @@ Content-Type: application/json
 
 `POST /api/admin/encryption/rotate-data-keys`
 
-Rotates data encryption keys, so all the active keys are disabled
-and no longer used for encryption but kept for decryption operations.
-
-Secrets encrypted with one of the deactivated keys need to be re-encrypted
-to actually stop using those keys for both encryption and decryption.
+[Rotates]({{< relref "../../setup-grafana/configure-security/configure-database-encryption/#rotate-data-keys" >}}) data encryption keys.
 
 **Example Request**:
 
@@ -738,3 +734,66 @@ Content-Type: application/json
 HTTP/1.1 204
 Content-Type: application/json
 ```
+
+## Re-encrypt data encryption keys
+
+`POST /api/admin/encryption/reencrypt-data-keys`
+
+[Re-encrypts]({{< relref "../../setup-grafana/configure-security/configure-database-encryption/#re-encrypt-data-keys" >}}) data encryption keys.
+
+**Example Request**:
+
+```http
+POST /api/admin/encryption/reencrypt-data-keys HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 204
+Content-Type: application/json
+```
+
+## Re-encrypt secrets
+
+`POST /api/admin/encryption/reencrypt-secrets`
+
+[Re-encrypts]({{< relref "../../setup-grafana/configure-security/configure-database-encryption/#re-encrypt-secrets" >}}) secrets.
+
+**Example Request**:
+
+```http
+POST /api/admin/encryption/reencrypt-secrets HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 204
+Content-Type: application/json
+```
+
+## Roll back secrets
+
+`POST /api/admin/encryption/rollback-secrets`
+
+[Rolls back]({{< relref "../../setup-grafana/configure-security/configure-database-encryption/#roll-back-secrets" >}}) secrets.
+
+**Example Request**:
+
+```http
+POST /api/admin/encryption/rollback-secrets HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 204
+Content-Type: application/json
+```

docs/sources/setup-grafana/configure-security/configure-database-encryption/_index.md

@@ -18,7 +18,7 @@ Grafana encrypts these secrets before they are written to the database, by using
 Since Grafana v9.0, it uses [envelope encryption](#envelope-encryption) by default, which adds a layer of indirection to the
 encryption process that represents an [**implicit breaking change**](#implicit-breaking-change) for older versions of Grafana.
 
-For further details about how to operate a Grafana instance with envelope encryption, see the [Operational work]({{< relref "/#operational-work" >}}) section below.
+For further details about how to operate a Grafana instance with envelope encryption, see the [Operational work](#operational-work) section below.
 
 > **Note:** In Grafana Enterprise, you can also choose to [encrypt secrets in AES-GCM mode]({{< relref "#changing-your-encryption-mode-to-aes-gcm" >}}) instead of AES-CFB.
 
@@ -31,7 +31,7 @@ Instead of encrypting all secrets with a single key, Grafana uses a set of keys
 encrypt them. These data encryption keys are themselves encrypted with a single key encryption key (KEK), configured
 through the `secret_key` attribute in your
 [Grafana configuration]({{< relref "../../configure-grafana/#secret_key" >}}) or with a
-[KMS integration](#kms-integration).
+[KMS integration](#encrypting-your-database-with-a-key-from-a-key-management-system-kms).
 
 ## Implicit breaking change
 
@@ -67,24 +67,27 @@ Secrets re-encryption can be performed when a Grafana administrator wants to eit
 - Re-encrypt secrets after a [data keys rotation](#rotate-data-keys).
 
 > **Note:** This operation is available through Grafana CLI by running `grafana-cli admin secrets-migration re-encrypt`
-> command. It's safe to run more than once. Recommended to run under maintenance mode.
+> command and through Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#re-encrypt-secrets" >}}).
+> It's safe to run more than once. Recommended to run under maintenance mode.
 
 ## Roll back secrets
 
 Used to roll back secrets encrypted with envelope encryption to legacy encryption. It can be used to downgrade to
 a Grafana version earlier than Grafana v9.0 after an unsuccessful upgrade.
 
 > **Note:** This operation is available through Grafana CLI by running `grafana-cli admin secrets-migration rollback`
-> command. It's safe to run more than once. Recommended to run under maintenance mode.
+> command and through Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#roll-back-secrets" >}}).
+> It's safe to run more than once. Recommended to run under maintenance mode.
 
 ## Re-encrypt data keys
 
 Used to re-encrypt data keys encrypted with a specific key encryption key (KEK). It can be used to either re-encrypt
-existing data keys with a new key encryption key version (see [KMS integration](#kms-integration) rotation) or to
+existing data keys with a new key encryption key version (see [KMS integration](#encrypting-your-database-with-a-key-from-a-key-management-system-kms) rotation) or to
 re-encrypt them with a completely different key encryption key.
 
 > **Note:** This operation is available through Grafana CLI by running `grafana-cli admin secrets-migration re-encrypt-data-keys`
-> command. It's safe to run more than once. Recommended to run under maintenance mode.
+> command and through Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#re-encrypt-data-encryption-keys" >}}).
+> It's safe to run more than once. Recommended to run under maintenance mode.
 
 ## Rotate data keys
 

pkg/api/admin_encryption.go

@@ -9,8 +9,42 @@ import (
 
 func (hs *HTTPServer) AdminRotateDataEncryptionKeys(c *models.ReqContext) response.Response {
 	if err := hs.SecretsService.RotateDataKeys(c.Req.Context()); err != nil {
-		return response.Error(http.StatusInternalServerError, "Failed to rotate data key", err)
+		return response.Error(http.StatusInternalServerError, "Failed to rotate data keys", err)
 	}
 
 	return response.Respond(http.StatusNoContent, "")
 }
+
+func (hs *HTTPServer) AdminReEncryptEncryptionKeys(c *models.ReqContext) response.Response {
+	if err := hs.SecretsService.ReEncryptDataKeys(c.Req.Context()); err != nil {
+		return response.Error(http.StatusInternalServerError, "Failed to re-encrypt data keys", err)
+	}
+
+	return response.Respond(http.StatusOK, "Data encryption keys re-encrypted successfully")
+}
+
+func (hs *HTTPServer) AdminReEncryptSecrets(c *models.ReqContext) response.Response {
+	success, err := hs.secretsMigrator.ReEncryptSecrets(c.Req.Context())
+	if err != nil {
+		return response.Error(http.StatusInternalServerError, "Failed to re-encrypt secrets", err)
+	}
+
+	if !success {
+		return response.Error(http.StatusPartialContent, "Something unexpected happened, refer to the server logs for more details", err)
+	}
+
+	return response.Respond(http.StatusOK, "Secrets re-encrypted successfully")
+}
+
+func (hs *HTTPServer) AdminRollbackSecrets(c *models.ReqContext) response.Response {
+	success, err := hs.secretsMigrator.RollBackSecrets(c.Req.Context())
+	if err != nil {
+		return response.Error(http.StatusInternalServerError, "Failed to rollback secrets", err)
+	}
+
+	if !success {
+		return response.Error(http.StatusPartialContent, "Something unexpected happened, refer to the server logs for more details", err)
+	}
+
+	return response.Respond(http.StatusOK, "Secrets rolled back successfully")
+}

pkg/api/api.go

@@ -575,6 +575,9 @@ func (hs *HTTPServer) registerRoutes() {
 		}
 
 		adminRoute.Post("/encryption/rotate-data-keys", reqGrafanaAdmin, routing.Wrap(hs.AdminRotateDataEncryptionKeys))
+		adminRoute.Post("/encryption/reencrypt-data-keys", reqGrafanaAdmin, routing.Wrap(hs.AdminReEncryptEncryptionKeys))
+		adminRoute.Post("/encryption/reencrypt-secrets", reqGrafanaAdmin, routing.Wrap(hs.AdminReEncryptSecrets))
+		adminRoute.Post("/encryption/rollback-secrets", reqGrafanaAdmin, routing.Wrap(hs.AdminRollbackSecrets))
 
 		adminRoute.Post("/provisioning/dashboards/reload", authorize(reqGrafanaAdmin, ac.EvalPermission(ActionProvisioningReload, ScopeProvisionersDashboards)), routing.Wrap(hs.AdminProvisioningReloadDashboards))
 		adminRoute.Post("/provisioning/plugins/reload", authorize(reqGrafanaAdmin, ac.EvalPermission(ActionProvisioningReload, ScopeProvisionersPlugins)), routing.Wrap(hs.AdminProvisioningReloadPlugins))

pkg/api/docs/definitions/playlists.go

@@ -2,7 +2,7 @@ package definitions
 
 import (
 	"github.com/grafana/grafana/pkg/api/dtos"
-	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/playlist"
 )
 
 // swagger:route GET /playlists playlists searchPlaylists
@@ -121,7 +121,7 @@ type DeletePlaylistParams struct {
 type UpdatePlaylistParams struct {
 	// in:body
 	// required:true
-	Body models.UpdatePlaylistCommand
+	Body playlist.UpdatePlaylistCommand
 	// in:path
 	// required:true
 	UID string `json:"uid"`
@@ -131,28 +131,28 @@ type UpdatePlaylistParams struct {
 type CreatePlaylistParams struct {
 	// in:body
 	// required:true
-	Body models.CreatePlaylistCommand
+	Body playlist.CreatePlaylistCommand
 }
 
 // swagger:response searchPlaylistsResponse
 type SearchPlaylistsResponse struct {
 	// The response message
 	// in: body
-	Body models.Playlists `json:"body"`
+	Body playlist.Playlists `json:"body"`
 }
 
 // swagger:response getPlaylistResponse
 type GetPlaylistResponse struct {
 	// The response message
 	// in: body
-	Body *models.PlaylistDTO `json:"body"`
+	Body *playlist.PlaylistDTO `json:"body"`
 }
 
 // swagger:response getPlaylistItemsResponse
 type GetPlaylistItemsResponse struct {
 	// The response message
 	// in: body
-	Body []models.PlaylistItemDTO `json:"body"`
+	Body []playlist.PlaylistItemDTO `json:"body"`
 }
 
 // swagger:response getPlaylistDashboardsResponse
@@ -166,12 +166,12 @@ type GetPlaylistDashboardsResponse struct {
 type UpdatePlaylistResponseResponse struct {
 	// The response message
 	// in: body
-	Body *models.PlaylistDTO `json:"body"`
+	Body *playlist.PlaylistDTO `json:"body"`
 }
 
 // swagger:response createPlaylistResponse
 type CreatePlaylistResponse struct {
 	// The response message
 	// in: body
-	Body *models.Playlist `json:"body"`
+	Body *playlist.Playlist `json:"body"`
 }

pkg/api/http_server.go

@@ -58,6 +58,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/ngalert"
 	"github.com/grafana/grafana/pkg/services/notifications"
+	"github.com/grafana/grafana/pkg/services/playlist"
 	"github.com/grafana/grafana/pkg/services/plugindashboards"
 	pluginSettings "github.com/grafana/grafana/pkg/services/pluginsettings/service"
 	pref "github.com/grafana/grafana/pkg/services/preference"
@@ -170,6 +171,7 @@ type HTTPServer struct {
 	dashboardVersionService      dashver.Service
 	PublicDashboardsApi          *publicdashboardsApi.Api
 	starService                  star.Service
+	playlistService              playlist.Service
 	CoremodelRegistry            *registry.Generic
 	CoremodelStaticRegistry      *registry.Static
 	kvStore                      kvstore.KVStore
@@ -208,7 +210,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 	avatarCacheServer *avatar.AvatarCacheServer, preferenceService pref.Service, entityEventsService store.EntityEventsService,
 	teamsPermissionsService accesscontrol.TeamPermissionsService, folderPermissionsService accesscontrol.FolderPermissionsService,
 	dashboardPermissionsService accesscontrol.DashboardPermissionsService, dashboardVersionService dashver.Service,
-	starService star.Service, csrfService csrf.Service, coremodelRegistry *registry.Generic, coremodelStaticRegistry *registry.Static,
+	starService star.Service, playlistService playlist.Service, csrfService csrf.Service, coremodelRegistry *registry.Generic, coremodelStaticRegistry *registry.Static,
 	kvStore kvstore.KVStore, secretsMigrator secrets.Migrator, remoteSecretsCheck secretsKV.UseRemoteSecretsPluginCheck,
 	publicDashboardsApi *publicdashboardsApi.Api, userService user.Service) (*HTTPServer, error) {
 	web.Env = cfg.Env
@@ -292,6 +294,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 		dashboardPermissionsService:  dashboardPermissionsService,
 		dashboardVersionService:      dashboardVersionService,
 		starService:                  starService,
+		playlistService:              playlistService,
 		CoremodelRegistry:            coremodelRegistry,
 		CoremodelStaticRegistry:      coremodelStaticRegistry,
 		kvStore:                      kvStore,