@@ -45,8 +45,8 @@ pub mod alerts_utils;
4545pub mod target;
4646
4747pub use crate :: alerts:: alert_enums:: {
48- AggregateFunction , AlertOperator , AlertState , AlertTask , AlertType , AlertVersion , EvalConfig ,
49- LogicalOperator , NotificationState , Severity , WhereConfigOperator ,
48+ AggregateFunction , AlertOperator , AlertQueryType , AlertState , AlertTask , AlertType ,
49+ AlertVersion , EvalConfig , LogicalOperator , NotificationState , Severity , WhereConfigOperator ,
5050} ;
5151pub use crate :: alerts:: alert_structs:: {
5252 AlertConfig , AlertInfo , AlertRequest , AlertStateEntry , Alerts , AlertsInfo , AlertsInfoByState ,
@@ -61,6 +61,7 @@ use crate::metastore::MetastoreError;
6161use crate :: parseable:: { DEFAULT_TENANT , PARSEABLE , StreamNotFound } ;
6262use crate :: query:: { QUERY_SESSION , resolve_stream_names} ;
6363use crate :: rbac:: map:: { SessionKey , sessions} ;
64+ use crate :: rbac:: { Response , Users , role:: Action } ;
6465use crate :: sse:: { SSE_HANDLER , SSEAlertInfo , SSEEvent } ;
6566use crate :: storage;
6667use crate :: storage:: ObjectStorageError ;
@@ -102,6 +103,31 @@ pub fn create_default_alerts_manager() -> Alerts {
102103 alerts
103104}
104105
106+ pub async fn user_auth_for_alert_config (
107+ session : & SessionKey ,
108+ alert : & AlertConfig ,
109+ ) -> Result < ( ) , actix_web:: Error > {
110+ match alert. query_type {
111+ AlertQueryType :: Builder | AlertQueryType :: Code => user_auth_for_query ( session, & alert. query ) . await ,
112+ AlertQueryType :: Promql => {
113+ let [ dataset] = alert. datasets . as_slice ( ) else {
114+ return Err ( actix_web:: error:: ErrorUnauthorized (
115+ "User does not have access to PromQL alert stream" ,
116+ ) ) ;
117+ } ;
118+
119+ if Users . authorize ( session. clone ( ) , Action :: Query , Some ( dataset) , None )
120+ != Response :: Authorized
121+ {
122+ return Err ( actix_web:: error:: ErrorUnauthorized ( format ! (
123+ "User does not have access to stream- {dataset}"
124+ ) ) ) ;
125+ }
126+ Ok ( ( ) )
127+ }
128+ }
129+ }
130+
105131impl AlertConfig {
106132 /// Migration function to convert v1 alerts to v2 structure
107133 pub async fn migrate_from_v1 (
@@ -125,6 +151,7 @@ impl AlertConfig {
125151 severity : basic_fields. severity ,
126152 title : basic_fields. title ,
127153 query,
154+ query_type : AlertQueryType :: Builder ,
128155 datasets,
129156 alert_type : AlertType :: Threshold ,
130157 threshold_config,
@@ -627,7 +654,7 @@ impl AlertConfig {
627654 let active_session = sessions ( ) . get_active_sessions ( ) ;
628655 let mut broadcast_to = vec ! [ ] ;
629656 for ( session, _, _) in active_session {
630- if user_auth_for_query ( & session, & self . query ) . await . is_ok ( )
657+ if user_auth_for_alert_config ( & session, self ) . await . is_ok ( )
631658 && let SessionKey :: SessionId ( id) = & session
632659 {
633660 broadcast_to. push ( * id) ;
@@ -1193,7 +1220,7 @@ impl AlertManagerTrait for Alerts {
11931220 let futures: Vec < _ > = all_alerts
11941221 . into_iter ( )
11951222 . map ( |alert| async {
1196- if user_auth_for_query ( & session. clone ( ) , & alert. query )
1223+ if user_auth_for_alert_config ( & session. clone ( ) , & alert)
11971224 . await
11981225 . is_ok ( )
11991226 {
@@ -1214,7 +1241,7 @@ impl AlertManagerTrait for Alerts {
12141241 let futures: Vec < _ > = all_alerts
12151242 . into_iter ( )
12161243 . map ( |alert| async {
1217- if user_auth_for_query ( & session, & alert. query ) . await . is_ok ( ) {
1244+ if user_auth_for_alert_config ( & session, & alert) . await . is_ok ( ) {
12181245 Some ( alert)
12191246 } else {
12201247 None
0 commit comments