PMM-13059 Grafana 10.4.2
Merge pull request #745
matejkubinec authored Apr 16, 2024
2 parents 094500f + 530ca45 commit f2a6d70
Showing 284 changed files with 7,569 additions and 1,828 deletions.
220 changes: 120 additions & 100 deletions .betterer.results.json

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions .github/bot.md
Expand Up @@ -9,8 +9,8 @@ Comment commands:

Label commands:

* Add label `bot/question` the the bot will close with standard question message and add label `type/question`
* Add label `bot/duplicate` the the bot will close with standard duplicate message and add label `type/duplicate`
* Add label `bot/question` the bot will close with standard question message and add label `type/question`
* Add label `bot/duplicate` the bot will close with standard duplicate message and add label `type/duplicate`
* Add label `bot/needs more info` for bot to request more info (or use comment command mentioned above)
* Add label `bot/close feature request` for bot to close a feature request with standard message and adds label `not implemented`
* Add label `bot/no new info` for bot to close an issue where we asked for more info but has not received any updates in at least 14 days.
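Review bot: The two corrected bullets for `bot/question` and `bot/duplicate` still do not parse: "Add label `bot/question` the bot will close ..." is missing a connective. Suggest matching the bullets below them, for example "Add label `bot/question` for bot to close with standard question message and add label `type/question`".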
2 changes: 1 addition & 1 deletion .github/workflows/doc-validator.yml
Expand Up @@ -7,7 +7,7 @@ jobs:
doc-validator:
runs-on: "ubuntu-latest"
container:
image: "grafana/doc-validator:v4.0.0"
image: "grafana/doc-validator:v4.1.1"
steps:
- name: "Checkout code"
uses: "actions/checkout@v4"
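Review bot: The `image:` line under `container:` moves from one mutable tag to another (`grafana/doc-validator:v4.1.1`), so the job runs whatever that tag points to at pull time. Consider pinning by digest, `grafana/doc-validator:v4.1.1@sha256:<digest>`, keeping the tag for readability; the same applies to `actions/checkout@v4` in the context lines if the repository pins actions by commit SHA.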
243 changes: 243 additions & 0 deletions CHANGELOG.md

Large diffs are not rendered by default.

8 changes: 5 additions & 3 deletions Dockerfile
@@ -1,9 +1,9 @@
# syntax=docker/dockerfile:1

ARG BASE_IMAGE=alpine:3.18.5
ARG JS_IMAGE=node:20-alpine3.18
ARG BASE_IMAGE=alpine:3.19.1
ARG JS_IMAGE=node:20-alpine
ARG JS_PLATFORM=linux/amd64
ARG GO_IMAGE=golang:1.21.8-alpine3.18
ARG GO_IMAGE=golang:1.21.8-alpine

ARG GO_SRC=go-builder
ARG JS_SRC=js-builder
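Review bot: `JS_IMAGE` and `GO_IMAGE` lose their Alpine suffix (`node:20-alpine`, `golang:1.21.8-alpine`) while `BASE_IMAGE` is pinned to `alpine:3.19.1`, so the builder stages follow whichever Alpine release those tags track and can drift from the runtime base. Suggest `node:20-alpine3.19` and `golang:1.21.8-alpine3.19`, so all three stages stay on the same Alpine release and rebuilds are reproducible.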
Expand All @@ -20,6 +20,8 @@ COPY packages packages
COPY plugins-bundled plugins-bundled
COPY public public

RUN apk add --no-cache make build-base python3

RUN yarn install --immutable

COPY tsconfig.json .eslintrc .editorconfig .browserslistrc .prettierrc.js ./
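Review bot: The new `RUN apk add --no-cache make build-base python3` sits after the `COPY packages`, `COPY plugins-bundled` and `COPY public` lines, so the toolchain layer is rebuilt whenever any of those sources change, and nothing says why this stage needs a C toolchain and Python. Suggest moving it above the `COPY` lines and adding a one-line comment naming what requires it.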
4 changes: 4 additions & 0 deletions conf/defaults.ini
Expand Up @@ -134,6 +134,9 @@ log_queries =
# For "mysql", use either "true", "false", or "skip-verify".
ssl_mode = disable

# For "postregs", use either "1" to enable or "0" to disable SNI
ssl_sni =

# Database drivers may support different transaction isolation levels.
# Currently, only "mysql" driver supports isolation levels.
# If the value is empty - driver's default isolation level is applied.
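Review bot: The added comment names the driver as "postregs"; it should read "postgres", matching how "mysql" is spelled in the `ssl_mode` comment above it. It would also help to say what an empty `ssl_sni =` means, since the comment only lists "1" and "0".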
Expand Down Expand Up @@ -679,6 +682,7 @@ token_url = https://oauth2.googleapis.com/token
api_url = https://openidconnect.googleapis.com/v1/userinfo
signout_redirect_url =
allowed_domains =
validate_hd = false
hosted_domain =
allowed_groups =
role_attribute_path =
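Review bot: `validate_hd = false` is added between `allowed_domains` and `hosted_domain` without a comment, so a reader of this file cannot tell what is validated or how the setting interacts with those two keys. Suggest a comment line above it, and a note in the changelog or docs on why the validation defaults to off.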
4 changes: 4 additions & 0 deletions conf/sample.ini
Expand Up @@ -124,6 +124,9 @@
# For "mysql", use either "true", "false", or "skip-verify".
;ssl_mode = disable

# For "postregs", use either "1" to enable or "0" to disable SNI
;ssl_sni =

# Database drivers may support different transaction isolation levels.
# Currently, only "mysql" driver supports isolation levels.
# If the value is empty - driver's default isolation level is applied.
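Review bot: Same "postregs" typo as in conf/defaults.ini on the `ssl_sni` comment line; it should read "postgres".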
Expand Down Expand Up @@ -643,6 +646,7 @@
;api_url = https://openidconnect.googleapis.com/v1/userinfo
;signout_redirect_url =
;allowed_domains =
;validate_hd =
;hosted_domain =
;allowed_groups =
;role_attribute_path =
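Review bot: `;validate_hd =` is left empty here although conf/defaults.ini sets `validate_hd = false`, and `;ssl_mode = disable` earlier in this file shows its default in the commented sample. Suggest `;validate_hd = false` so the sample documents the default.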
2 changes: 1 addition & 1 deletion contribute/style-guides/frontend.md
Expand Up @@ -180,7 +180,7 @@ const getStyles = (theme: GrafanaTheme2) => ({
});
```

Use hook useStyles2(getStyles) to memoize the styles generation and try to avoid passing props to the the getStyles function and instead compose classes using emotion cx function.
Use hook useStyles2(getStyles) to memoize the styles generation and try to avoid passing props to the getStyles function and instead compose classes using emotion cx function.

#### Use `ALL_CAPS` for constants.

5 changes: 3 additions & 2 deletions docs/sources/_index.md
Expand Up @@ -15,6 +15,7 @@ labels:
- oss
cascade:
TEMPO_VERSION: latest
PYROSCOPE_VERSION: latest
title: Grafana open source documentation
---

Expand Down Expand Up @@ -81,8 +82,8 @@ title: Grafana open source documentation
<h4>Provisioning</h4>
<p>Learn how to automate your Grafana configuration.</p>
</a>
<a href="{{< relref "whatsnew/whats-new-in-v10-3/" >}}" class="nav-cards__item nav-cards__item--guide">
<h4>What's new in v10.3</h4>
<a href="{{< relref "whatsnew/whats-new-in-v10-4/" >}}" class="nav-cards__item nav-cards__item--guide">
<h4>What's new in v10.4</h4>
<p>Explore the features and enhancements in the latest release.</p>
</a>

Expand Up @@ -10,7 +10,7 @@ description: Data source management information for Grafana administrators
labels:
products:
- enterprise
- oss
- cloud
title: Data source management
weight: 100
---
Expand All @@ -21,27 +21,15 @@ Grafana supports many different storage backends for your time series data (data
Refer to [data sources]({{< relref "../../datasources" >}}) for more information about using data sources in Grafana.
Only users with the organization admin role can add data sources.

## Add a data source

Before you can create your first dashboard, you need to add your data source.

{{% admonition type="note" %}}
Only users with the organization admin role can add data sources.
{{% /admonition %}}

**To add a data source:**

1. Click **Connections** in the left-side menu.
1. Enter the name of a specific data source in the search dialog. You can filter by **Data source** to only see data sources.
1. Click the data source you want to add.
1. Configure the data source following instructions specific to that data source.

For links to data source-specific documentation, see [Data sources]({{< relref "../../datasources" >}}).

## Data source permissions

You can configure data source permissions to allow or deny certain users the ability to query, edit, or administrate a data source. Each data source’s configuration includes a Permissions tab where you can restrict data source permissions to specific users, service accounts, teams, or roles.
Query permission allows users to query the data source. Edit permission allows users to query the data source, edit the data source’s configuration and delete the data source. Admin permission allows users to query and edit the data source, change permissions on the data source and enable or disable query caching for the data source.

- The `query` permission allows users to query the data source.
- The `edit` permission allows users to query the data source, edit the data source’s configuration and delete the data source.
- The `admin` permission allows users to query and edit the data source, change permissions on the data source and enable or disable query caching for the data source.

{{% admonition type="note" %}}
Available in [Grafana Enterprise]({{< relref "../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud](/docs/grafana-cloud).
Expand Down Expand Up @@ -71,7 +59,7 @@ You can assign data source permissions to users, service accounts, teams, and ro
1. Click **Connections** in the left-side menu.
1. Under Your connections, click **Data sources**.
1. Select the data source for which you want to edit permissions.
1. On the Permissions tab, find the user, service account, team, or role permission you want to update.
1. On the Permissions tab, find the **User**, **Service Account**, **Team**, or **Role** permission you want to update.
1. Select a different option in the **Permission** dropdown.

<div class="clearfix"></div>
Expand All @@ -81,7 +69,7 @@ You can assign data source permissions to users, service accounts, teams, and ro
1. Click **Connections** in the left-side menu.
1. Under Your connections, click **Data sources**.
1. Select the data source from which you want to remove permissions.
1. On the Permissions tab, find the user, service account, team, or role permission you want to remove.
1. On the Permissions tab, find the **User**, **Service Account**, **Team**, or **Role** permission you want to remove.
1. Click the **X** next to the permission.

<div class="clearfix"></div>
Expand Down Expand Up @@ -178,22 +166,3 @@ This action impacts all cache-enabled data sources. If you are using Memcached,
### Sending a request without cache

If a data source query request contains an `X-Cache-Skip` header, then Grafana skips the caching middleware, and does not search the cache for a response. This can be particularly useful when debugging data source queries using cURL.

## Add data source plugins

Grafana ships with several [built-in data sources]({{< relref "../../datasources#built-in-core-data-sources" >}}).
You can add additional data sources as plugins, which you can install or create yourself.

### Find data source plugins in the plugin catalog

To view available data source plugins, go to the [plugin catalog](/grafana/plugins/?type=datasource) and select the "Data sources" filter.
For details about the plugin catalog, refer to [Plugin management]({{< relref "../../administration/plugin-management/" >}}).

You can further filter the plugin catalog's results for data sources provided by the Grafana community, Grafana Labs, and partners.
If you use [Grafana Enterprise]({{< relref "../../introduction/grafana-enterprise/" >}}), you can also filter by Enterprise-supported plugins.

For more documentation on a specific data source plugin's features, including its query language and editor, refer to its plugin catalog page.

### Create a data source plugin

To build your own data source plugin, refer to the ["Build a data source plugin"](/developers/plugin-tools/tutorials/build-a-data-source-plugin) tutorial and our documentation about [building a plugin](/developers/plugin-tools).
Expand Up @@ -14,57 +14,55 @@ weight: 100

# Team LBAC

{{% admonition type="note" %}}
Creating Team LBAC rules is available for preview preview for logs with Loki in Grafana Cloud. Report any unexpected behavior to the Grafana Support team.
{{% /admonition %}}
Team Label Based Access Control (LBAC) simplifies and streamlines data source access management based on team memberships.

**Current Limitation:**
{{< admonition type="note" >}}
Creating Team LBAC rules is available for preview for logs with Loki in Grafana Cloud.
Report any unexpected behavior to the Grafana Support team.
{{< /admonition >}}

- Any user with `query` permissions for a Loki data source can query all logs if there are no Team LBAC rules configured for any of the users team.
- An admin that is part of a team, would have it's Team LBAC rules applied to the request.
You can configure user access based upon team memberships using LogQL.
Team LBAC controls access to logs depending on the rules set for each team.

Grafana's new **Team LBAC** (Label Based Access Control) feature for Loki is a significant enhancement that simplifies and streamlines data source access management based on team memberships.
This feature addresses two common challenges faced by Grafana users:

**Team LBAC** in the context of Loki, is a way to control access to logs based on labels present depending on the rules set for each team. Users wanting fine grained access to their logs in Loki, can now configure their users access based on their team memberships via **LogQL**.
1. Having a high number of Grafana Cloud data sources.
Team LBAC lets Grafana administrators reduce the total number of data sources per instance from hundreds, to one.
1. Using the same dashboard across multiple teams.
Team LBAC lets Grafana Teams use the same dashboard with different access control rules.

This feature addresses two common challenge faced by Grafana users:
To set up Team LBAC for a Loki data source, refer to [Configure Team LBAC](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/).

1. High volume of Grafana Cloud datasource. Team LBAC lets Grafana Admins reduce the total volume of data sources per instance from hundreds, to one.
1. Hard for teams to share dashboard. Team LBAC lets Grafana Teams share the same dashboard despite different access control rules.
## Limitations

For setting up Team LBAC for a Loki data source, refer to [Configure Team LBAC]({{< relref "./configure-teamlbac-for-loki/" >}}).
- If there are no Team LBAC rules for a user's team, that user can query all logs.
- If an administrator is part of a team with Team LBAC rules, those rules are applied to the administrator requests.
- Cloud Access Policies (CAP) LBAC rules override Team LBAC rules.
Cloud Access Policies are the access controls from Grafana Cloud.
If there are any CAP LBAC rules configured for the same data source, then only the CAP LBAC rules are applied.

#### Datasource Permissions
You must remove any label selectors from your Cloud Access Policies to use Team LBAC.
For more information about CAP label selectors, refer to [Use label-based access control (LBAC) with access policies](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/label-access-policies/).

Datasource permissions allow the users access to query the datasource. The permissions are set at the datasource level and are inherited by all the teams and users that are part of the datasource.
## Data source permissions

We recommend to create a new loki datasource for Team LBAC rules with only teams having `query` permission. This will allow you to have a clear separation of datasources for Team LBAC and the datasources that are not using Team LBAC.
Data source permissions allow the users access to query the data source.
Administrators set the permissions at the data source level.
All the teams and users that are part of the data source inherit those permissions.

## Team LBAC rules

Team LBAC rules are added to the http request to Loki data source. Setting up Team LBAC rules for any team will apply those rules to the teams.
Users who want teams with a specific set of label selectors can add rules for each team.

Configuring multiple rules for a team, each rule is evaluated separately. If a team has `X` number of rules configured for it, all rules will be applied to the request and the result will be the an "OR" operation of the `X` number of rules.

Only users with data source Admin permissions can edit LBAC rules at the data source permissions tab. Changing LBAC rules requires the same access level as editing data source permissions (admin permission for data source).

For setting up Team LBAC Rules for the data source, refer to [Create Team LBAC rules]({{< relref "./create-teamlbac-rules/" >}}).
## Recommended setup

### FAQ
It's recommended that you create a single Loki data source for using Team LBAC rules so you have a clear separation of data sources using Team LBAC and those that aren't.
All teams should have with only teams having `query` permission.
You should create another Loki data source configured without Team LBAC for full access to the logs.

> #### "If a team does not have a rule, what happens?"
If a team does not have a rule; any users that are part of that team having query permissions for loki will have access to **all** logs.

> #### "Can I use CAPs (cloud access policies) together with TeamLBAC rules?"
No, CAP (cloud access policies) always have precedence. If there are any CAP LBAC configured for the same datasource and there are TeamLBAC rules configured, then only the CAP LBAC will be applied.
## Team LBAC rules

Cloud access policies are the access controls from Grafana Cloud, the CAP configured for loki should only to be used to gain read access to the logs.
Grafana adds Team LBAC rules to the HTTP request via the Loki data source.

> #### "If administrator forget to add rule for a team, what happens?"
If you configure multiple rules for a team, each rule is evaluated separately.
Query results include lines that match any of the rules.

The teams that does not have a rule applied to it, would be able to query all logs if `query` permissions are setup for their role within Grafana.
Only users with data source `Admin` permissions can edit Team LBAC rules in the **Data source permissions** tab because changing LBAC rules requires the same access level as editing data source permissions.

**Note:** A user who is part of a team within Grafana without a rule will be able to query all logs if there are role based queriying setup.
To set up Team LBAC for a Loki data source, refer to [Configure Team LBAC](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/).
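Review bot: In the new "Recommended setup" section, "All teams should have with only teams having `query` permission." is not a sentence; it reads like two drafts merged. Suggest "Only teams should have `query` permission on that data source." if that is the intent. Also, the Limitations list says a user whose team has no Team LBAC rules can query all logs, and the recommended second Loki data source is "configured without Team LBAC for full access", so the text should say who is meant to hold `query` permission on that one. The "To set up Team LBAC for a Loki data source ..." sentence now appears twice, once before Limitations and once at the end.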
2 changes: 1 addition & 1 deletion docs/sources/administration/recorded-queries/index.md
Expand Up @@ -22,7 +22,7 @@ Recorded queries allow you to see trends over time by taking a snapshot of a dat
For our plugins that do not return time series, it might be useful to plot historical data. For example, you might want to query ServiceNow to see a history of request response times but it can only return current point-in-time metrics.

{{% admonition type="note" %}}
Available in [Grafana Enterprise]({{< relref "../../introduction/grafana-enterprise/" >}}).
Available in [Grafana Enterprise](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/) and [Grafana Cloud](https://grafana.com/docs/grafana-cloud/).
{{% /admonition %}}

## How recorded queries work