chore: keep support for role for backward compatibility

* fix: check for metric type without query range constraint

* revert: revert check for metric type without query range constraint

* chore: move temporality+type fetcher to the case where it is actually used

* fix: don't send absent metrics to query builder

* chore: better package import name

* test: unit test add mock for metadata call (which is expected in the test's scenario)

* revert: revert seeding of absent metrics

* fix: throw a not found err if metric data is missing

* test: unit test add mock for metadata call (which is expected in the test's scenario)

* revert: no need for special err handling in threshold rule

* chore: add last seen info in err message

* test: fix broken dashboard test

* test: integration test for short time range query

* chore: python lint issue

.github/workflows/goci.yaml

@@ -102,13 +102,3 @@ jobs:
         run: |
           go run cmd/enterprise/*.go generate openapi
           git diff --compact-summary --exit-code || (echo; echo "Unexpected difference in openapi spec. Run go run cmd/enterprise/*.go generate openapi locally and commit."; exit 1)
-      - name: node-install
-        uses: actions/setup-node@v5
-        with:
-          node-version: "22"
-      - name: install-frontend
-        run: cd frontend && yarn install
-      - name: generate-api-clients
-        run: |
-          cd frontend && yarn generate:api
-          git diff --compact-summary --exit-code || (echo; echo "Unexpected difference in generated api clients. Run yarn generate:api in frontend/ locally and commit."; exit 1)

.github/workflows/jsci.yaml

@@ -52,16 +52,16 @@ jobs:
     with:
       PRIMUS_REF: main
       JS_SRC: frontend
-  md-languages:
+  languages:
     if: |
       github.event_name == 'merge_group' ||
       (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
       (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
     runs-on: ubuntu-latest
     steps:
-      - name: checkout
+      - name: self-checkout
         uses: actions/checkout@v4
-      - name: validate md languages
+      - name: run
         run: bash frontend/scripts/validate-md-languages.sh
   authz:
     if: |
@@ -70,44 +70,55 @@ jobs:
       (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
+      - name: self-checkout
         uses: actions/checkout@v5
-
-      - name: Set up Node.js
+      - name: node-install
         uses: actions/setup-node@v5
         with:
           node-version: "22"
-
-      - name: Install frontend dependencies
+      - name: deps-install
         working-directory: ./frontend
         run: |
           yarn install
-
-      - name: Install uv
+      - name: uv-install
         uses: astral-sh/setup-uv@v5
-
-      - name: Install Python dependencies
+      - name: uv-deps
         working-directory: ./tests/integration
         run: |
           uv sync
-
-      - name: Start test environment
+      - name: setup-test
         run: |
           make py-test-setup
-
-      - name: Generate permissions.type.ts
+      - name: generate
         working-directory: ./frontend
         run: |
           yarn generate:permissions-type
-
-      - name: Teardown test environment
+      - name: teardown-test
         if: always()
         run: |
           make py-test-teardown
-
-      - name: Check for changes
+      - name: validate
         run: |
           if ! git diff --exit-code frontend/src/hooks/useAuthZ/permissions.type.ts; then
             echo "::error::frontend/src/hooks/useAuthZ/permissions.type.ts is out of date. Please run the generator locally and commit the changes: npm run generate:permissions-type (from the frontend directory)"
             exit 1
           fi
+  openapi:
+    if: |
+      github.event_name == 'merge_group' ||
+      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
+      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: self-checkout
+        uses: actions/checkout@v4
+      - name: node-install
+        uses: actions/setup-node@v5
+        with:
+          node-version: "22"
+      - name: install-frontend
+        run: cd frontend && yarn install
+      - name: generate-api-clients
+        run: |
+          cd frontend && yarn generate:api
+          git diff --compact-summary --exit-code || (echo; echo "Unexpected difference in generated api clients. Run yarn generate:api in frontend/ locally and commit."; exit 1)

docs/api/openapi.yml

@@ -220,6 +220,13 @@ components:
       - additions
       - deletions
       type: object
+    AuthtypesPatchableRole:
+      properties:
+        description:
+          type: string
+      required:
+      - description
+      type: object
     AuthtypesPostableAuthDomain:
       properties:
         config:
@@ -236,6 +243,15 @@ components:
         password:
           type: string
       type: object
+    AuthtypesPostableRole:
+      properties:
+        description:
+          type: string
+        name:
+          type: string
+      required:
+      - name
+      type: object
     AuthtypesPostableRotateToken:
       properties:
         refreshToken:
@@ -251,6 +267,31 @@ components:
       - name
       - type
       type: object
+    AuthtypesRole:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        description:
+          type: string
+        id:
+          type: string
+        name:
+          type: string
+        orgId:
+          type: string
+        type:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+      required:
+      - id
+      - name
+      - description
+      - type
+      - orgId
+      type: object
     AuthtypesRoleMapping:
       properties:
         defaultRole:
@@ -1722,47 +1763,6 @@ components:
       - status
       - error
       type: object
-    RoletypesPatchableRole:
-      properties:
-        description:
-          type: string
-      required:
-      - description
-      type: object
-    RoletypesPostableRole:
-      properties:
-        description:
-          type: string
-        name:
-          type: string
-      required:
-      - name
-      type: object
-    RoletypesRole:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        description:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        orgId:
-          type: string
-        type:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - name
-      - description
-      - type
-      - orgId
-      type: object
     ServiceaccounttypesFactorAPIKey:
       properties:
         createdAt:
@@ -4234,7 +4234,7 @@ paths:
                 properties:
                   data:
                     items:
-                      $ref: '#/components/schemas/RoletypesRole'
+                      $ref: '#/components/schemas/AuthtypesRole'
                     type: array
                   status:
                     type: string
@@ -4277,7 +4277,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/RoletypesPostableRole'
+              $ref: '#/components/schemas/AuthtypesPostableRole'
       responses:
         "201":
           content:
@@ -4422,7 +4422,7 @@ paths:
               schema:
                 properties:
                   data:
-                    $ref: '#/components/schemas/RoletypesRole'
+                    $ref: '#/components/schemas/AuthtypesRole'
                   status:
                     type: string
                 required:
@@ -4470,7 +4470,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/RoletypesPatchableRole'
+              $ref: '#/components/schemas/AuthtypesPatchableRole'
       responses:
         "204":
           content:

ee/authz/openfgaauthz/provider.go

@@ -13,7 +13,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/licensing"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	openfgapkgtransformer "github.com/openfga/language/pkg/go/transformer"
@@ -23,7 +22,7 @@ type provider struct {
 	pkgAuthzService authz.AuthZ
 	openfgaServer   *openfgaserver.Server
 	licensing       licensing.Licensing
-	store           roletypes.Store
+	store           authtypes.RoleStore
 	registry        []authz.RegisterTypeable
 }
 
@@ -82,23 +81,23 @@ func (provider *provider) Write(ctx context.Context, additions []*openfgav1.Tupl
 	return provider.openfgaServer.Write(ctx, additions, deletions)
 }
 
-func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*roletypes.Role, error) {
+func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.Role, error) {
 	return provider.pkgAuthzService.Get(ctx, orgID, id)
 }
 
-func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*roletypes.Role, error) {
+func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.Role, error) {
 	return provider.pkgAuthzService.GetByOrgIDAndName(ctx, orgID, name)
 }
 
-func (provider *provider) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.Role, error) {
+func (provider *provider) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.Role, error) {
 	return provider.pkgAuthzService.List(ctx, orgID)
 }
 
-func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*roletypes.Role, error) {
+func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*authtypes.Role, error) {
 	return provider.pkgAuthzService.ListByOrgIDAndNames(ctx, orgID, names)
 }
 
-func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.Role, error) {
+func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*authtypes.Role, error) {
 	return provider.pkgAuthzService.ListByOrgIDAndIDs(ctx, orgID, ids)
 }
 
@@ -114,7 +113,7 @@ func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names [
 	return provider.pkgAuthzService.Revoke(ctx, orgID, names, subject)
 }
 
-func (provider *provider) CreateManagedRoles(ctx context.Context, orgID valuer.UUID, managedRoles []*roletypes.Role) error {
+func (provider *provider) CreateManagedRoles(ctx context.Context, orgID valuer.UUID, managedRoles []*authtypes.Role) error {
 	return provider.pkgAuthzService.CreateManagedRoles(ctx, orgID, managedRoles)
 }
 
@@ -136,16 +135,16 @@ func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context,
 	return provider.Write(ctx, tuples, nil)
 }
 
-func (provider *provider) Create(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) error {
+func (provider *provider) Create(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}
 
-	return provider.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
+	return provider.store.Create(ctx, authtypes.NewStorableRoleFromRole(role))
 }
 
-func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) (*roletypes.Role, error) {
+func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) (*authtypes.Role, error) {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return nil, errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
@@ -159,10 +158,10 @@ func (provider *provider) GetOrCreate(ctx context.Context, orgID valuer.UUID, ro
 	}
 
 	if existingRole != nil {
-		return roletypes.NewRoleFromStorableRole(existingRole), nil
+		return authtypes.NewRoleFromStorableRole(existingRole), nil
 	}
 
-	err = provider.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
+	err = provider.store.Create(ctx, authtypes.NewStorableRoleFromRole(role))
 	if err != nil {
 		return nil, err
 	}
@@ -217,13 +216,13 @@ func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id
 	return objects, nil
 }
 
-func (provider *provider) Patch(ctx context.Context, orgID valuer.UUID, role *roletypes.Role) error {
+func (provider *provider) Patch(ctx context.Context, orgID valuer.UUID, role *authtypes.Role) error {
 	_, err := provider.licensing.GetActive(ctx, orgID)
 	if err != nil {
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}
 
-	return provider.store.Update(ctx, orgID, roletypes.NewStorableRoleFromRole(role))
+	return provider.store.Update(ctx, orgID, authtypes.NewStorableRoleFromRole(role))
 }
 
 func (provider *provider) PatchObjects(ctx context.Context, orgID valuer.UUID, name string, relation authtypes.Relation, additions, deletions []*authtypes.Object) error {
@@ -232,12 +231,12 @@ func (provider *provider) PatchObjects(ctx context.Context, orgID valuer.UUID, n
 		return errors.New(errors.TypeLicenseUnavailable, errors.CodeLicenseUnavailable, "a valid license is not available").WithAdditional("this feature requires a valid license").WithAdditional(err.Error())
 	}
 
-	additionTuples, err := roletypes.GetAdditionTuples(name, orgID, relation, additions)
+	additionTuples, err := authtypes.GetAdditionTuples(name, orgID, relation, additions)
 	if err != nil {
 		return err
 	}
 
-	deletionTuples, err := roletypes.GetDeletionTuples(name, orgID, relation, deletions)
+	deletionTuples, err := authtypes.GetDeletionTuples(name, orgID, relation, deletions)
 	if err != nil {
 		return err
 	}
@@ -261,7 +260,7 @@ func (provider *provider) Delete(ctx context.Context, orgID valuer.UUID, id valu
 		return err
 	}
 
-	role := roletypes.NewRoleFromStorableRole(storableRole)
+	role := authtypes.NewRoleFromStorableRole(storableRole)
 	err = role.ErrIfManaged()
 	if err != nil {
 		return err
@@ -271,7 +270,7 @@ func (provider *provider) Delete(ctx context.Context, orgID valuer.UUID, id valu
 }
 
 func (provider *provider) MustGetTypeables() []authtypes.Typeable {
-	return []authtypes.Typeable{authtypes.TypeableRole, roletypes.TypeableResourcesRoles}
+	return []authtypes.Typeable{authtypes.TypeableRole, authtypes.TypeableResourcesRoles}
 }
 
 func (provider *provider) getManagedRoleGrantTuples(orgID valuer.UUID, userID valuer.UUID) ([]*openfgav1.TupleKey, error) {
@@ -283,7 +282,7 @@ func (provider *provider) getManagedRoleGrantTuples(orgID valuer.UUID, userID va
 		adminSubject,
 		authtypes.RelationAssignee,
 		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 		},
 		orgID,
 	)
@@ -298,7 +297,7 @@ func (provider *provider) getManagedRoleGrantTuples(orgID valuer.UUID, userID va
 		anonymousSubject,
 		authtypes.RelationAssignee,
 		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAnonymousRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAnonymousRoleName),
 		},
 		orgID,
 	)

ee/modules/dashboard/impldashboard/module.go

@@ -19,7 +19,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
 	"github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -224,7 +223,7 @@ func (module *module) MustGetTypeables() []authtypes.Typeable {
 
 func (module *module) MustGetManagedRoleTransactions() map[string][]*authtypes.Transaction {
 	return map[string][]*authtypes.Transaction{
-		roletypes.SigNozAnonymousRoleName: {
+		authtypes.SigNozAnonymousRoleName: {
 			{
 				ID:       valuer.GenerateUUID(),
 				Relation: authtypes.RelationRead,

ee/query-service/app/api/cloudIntegrations.go

@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"
 
+	"log/slog"
+
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -18,7 +20,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
-	"log/slog"
 )
 
 type CloudIntegrationConnectionParamsResponse struct {
@@ -169,7 +170,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))
 
-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, []string{authtypes.SigNozViewerRoleName}, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}

ee/query-service/rules/manager_test.go

@@ -80,6 +80,21 @@ func TestManager_TestNotification_SendUnmatched_ThresholdRule(t *testing.T) {
 					alertDataRows := cmock.NewRows(cols, tc.Values)
 
 					mock := telemetryStore.Mock()
+					// Mock metadata queries for FetchTemporalityAndTypeMulti
+					// First query: fetchMetricsTemporalityAndType (from signoz_metrics time series table)
+					metadataCols := []cmock.ColumnType{
+						{Name: "metric_name", Type: "String"},
+						{Name: "temporality", Type: "String"},
+						{Name: "type", Type: "String"},
+						{Name: "is_monotonic", Type: "Bool"},
+					}
+					metadataRows := cmock.NewRows(metadataCols, [][]any{
+						{"probe_success", metrictypes.Unspecified, metrictypes.GaugeType, false},
+					})
+					mock.ExpectQuery("*distributed_time_series_v4*").WithArgs(nil, nil, nil).WillReturnRows(metadataRows)
+					// Second query: fetchMeterSourceMetricsTemporalityAndType (from signoz_meter table)
+					emptyMetadataRows := cmock.NewRows(metadataCols, [][]any{})
+					mock.ExpectQuery("*meter*").WithArgs(nil).WillReturnRows(emptyMetadataRows)
 
 					// Generate query arguments for the metric query
 					evalTime := time.Now().UTC()

frontend/package.json

@@ -11,6 +11,7 @@
     "prettify": "prettier --write .",
     "fmt": "prettier --check .",
     "lint": "eslint ./src",
+    "lint:generated": "eslint ./src/api/generated --fix",
     "lint:fix": "eslint ./src --fix",
     "jest": "jest",
     "jest:coverage": "jest --coverage",
@@ -283,4 +284,4 @@
     "tmp": "0.2.4",
     "vite": "npm:rolldown-vite@7.3.1"
   }
-}
+}

frontend/scripts/post-types-generation.sh

@@ -25,7 +25,7 @@ echo "\n✅ Prettier formatting successful"
 
 # Fix linting issues
 echo "\n\n---\nRunning eslint...\n"
-if ! yarn lint --fix --quiet src/api/generated; then
+if ! yarn lint:generated; then
   echo "ESLint check failed! Please fix linting errors before proceeding."
   exit 1
 fi

frontend/src/api/generated/services/role/index.ts

@@ -21,6 +21,8 @@ import type { BodyType, ErrorType } from '../../../generatedAPIInstance';
 import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
 import type {
 	AuthtypesPatchableObjectsDTO,
+	AuthtypesPatchableRoleDTO,
+	AuthtypesPostableRoleDTO,
 	CreateRole201,
 	DeleteRolePathParameters,
 	GetObjects200,
@@ -31,8 +33,6 @@ import type {
 	PatchObjectsPathParameters,
 	PatchRolePathParameters,
 	RenderErrorResponseDTO,
-	RoletypesPatchableRoleDTO,
-	RoletypesPostableRoleDTO,
 } from '../sigNoz.schemas';
 
 /**
@@ -118,14 +118,14 @@ export const invalidateListRoles = async (
  * @summary Create role
  */
 export const createRole = (
-	roletypesPostableRoleDTO: BodyType<RoletypesPostableRoleDTO>,
+	authtypesPostableRoleDTO: BodyType<AuthtypesPostableRoleDTO>,
 	signal?: AbortSignal,
 ) => {
 	return GeneratedAPIInstance<CreateRole201>({
 		url: `/api/v1/roles`,
 		method: 'POST',
 		headers: { 'Content-Type': 'application/json' },
-		data: roletypesPostableRoleDTO,
+		data: authtypesPostableRoleDTO,
 		signal,
 	});
 };
@@ -137,13 +137,13 @@ export const getCreateRoleMutationOptions = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		{ data: BodyType<RoletypesPostableRoleDTO> },
+		{ data: BodyType<AuthtypesPostableRoleDTO> },
 		TContext
 	>;
 }): UseMutationOptions<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	{ data: BodyType<RoletypesPostableRoleDTO> },
+	{ data: BodyType<AuthtypesPostableRoleDTO> },
 	TContext
 > => {
 	const mutationKey = ['createRole'];
@@ -157,7 +157,7 @@ export const getCreateRoleMutationOptions = <
 
 	const mutationFn: MutationFunction<
 		Awaited<ReturnType<typeof createRole>>,
-		{ data: BodyType<RoletypesPostableRoleDTO> }
+		{ data: BodyType<AuthtypesPostableRoleDTO> }
 	> = (props) => {
 		const { data } = props ?? {};
 
@@ -170,7 +170,7 @@ export const getCreateRoleMutationOptions = <
 export type CreateRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof createRole>>
 >;
-export type CreateRoleMutationBody = BodyType<RoletypesPostableRoleDTO>;
+export type CreateRoleMutationBody = BodyType<AuthtypesPostableRoleDTO>;
 export type CreateRoleMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
@@ -183,13 +183,13 @@ export const useCreateRole = <
 	mutation?: UseMutationOptions<
 		Awaited<ReturnType<typeof createRole>>,
 		TError,
-		{ data: BodyType<RoletypesPostableRoleDTO> },
+		{ data: BodyType<AuthtypesPostableRoleDTO> },
 		TContext
 	>;
 }): UseMutationResult<
 	Awaited<ReturnType<typeof createRole>>,
 	TError,
-	{ data: BodyType<RoletypesPostableRoleDTO> },
+	{ data: BodyType<AuthtypesPostableRoleDTO> },
 	TContext
 > => {
 	const mutationOptions = getCreateRoleMutationOptions(options);
@@ -370,13 +370,13 @@ export const invalidateGetRole = async (
  */
 export const patchRole = (
 	{ id }: PatchRolePathParameters,
-	roletypesPatchableRoleDTO: BodyType<RoletypesPatchableRoleDTO>,
+	authtypesPatchableRoleDTO: BodyType<AuthtypesPatchableRoleDTO>,
 ) => {
 	return GeneratedAPIInstance<string>({
 		url: `/api/v1/roles/${id}`,
 		method: 'PATCH',
 		headers: { 'Content-Type': 'application/json' },
-		data: roletypesPatchableRoleDTO,
+		data: authtypesPatchableRoleDTO,
 	});
 };
 
@@ -389,7 +389,7 @@ export const getPatchRoleMutationOptions = <
 		TError,
 		{
 			pathParams: PatchRolePathParameters;
-			data: BodyType<RoletypesPatchableRoleDTO>;
+			data: BodyType<AuthtypesPatchableRoleDTO>;
 		},
 		TContext
 	>;
@@ -398,7 +398,7 @@ export const getPatchRoleMutationOptions = <
 	TError,
 	{
 		pathParams: PatchRolePathParameters;
-		data: BodyType<RoletypesPatchableRoleDTO>;
+		data: BodyType<AuthtypesPatchableRoleDTO>;
 	},
 	TContext
 > => {
@@ -415,7 +415,7 @@ export const getPatchRoleMutationOptions = <
 		Awaited<ReturnType<typeof patchRole>>,
 		{
 			pathParams: PatchRolePathParameters;
-			data: BodyType<RoletypesPatchableRoleDTO>;
+			data: BodyType<AuthtypesPatchableRoleDTO>;
 		}
 	> = (props) => {
 		const { pathParams, data } = props ?? {};
@@ -429,7 +429,7 @@ export const getPatchRoleMutationOptions = <
 export type PatchRoleMutationResult = NonNullable<
 	Awaited<ReturnType<typeof patchRole>>
 >;
-export type PatchRoleMutationBody = BodyType<RoletypesPatchableRoleDTO>;
+export type PatchRoleMutationBody = BodyType<AuthtypesPatchableRoleDTO>;
 export type PatchRoleMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
@@ -444,7 +444,7 @@ export const usePatchRole = <
 		TError,
 		{
 			pathParams: PatchRolePathParameters;
-			data: BodyType<RoletypesPatchableRoleDTO>;
+			data: BodyType<AuthtypesPatchableRoleDTO>;
 		},
 		TContext
 	>;
@@ -453,7 +453,7 @@ export const usePatchRole = <
 	TError,
 	{
 		pathParams: PatchRolePathParameters;
-		data: BodyType<RoletypesPatchableRoleDTO>;
+		data: BodyType<AuthtypesPatchableRoleDTO>;
 	},
 	TContext
 > => {

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -278,6 +278,13 @@ export interface AuthtypesPatchableObjectsDTO {
 	deletions: AuthtypesGettableObjectsDTO[] | null;
 }
 
+export interface AuthtypesPatchableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description: string;
+}
+
 export interface AuthtypesPostableAuthDomainDTO {
 	config?: AuthtypesAuthDomainConfigDTO;
 	/**
@@ -301,6 +308,17 @@ export interface AuthtypesPostableEmailPasswordSessionDTO {
 	password?: string;
 }
 
+export interface AuthtypesPostableRoleDTO {
+	/**
+	 * @type string
+	 */
+	description?: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+}
+
 export interface AuthtypesPostableRotateTokenDTO {
 	/**
 	 * @type string
@@ -319,6 +337,39 @@ export interface AuthtypesResourceDTO {
 	type: string;
 }
 
+export interface AuthtypesRoleDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	description: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type string
+	 */
+	orgId: string;
+	/**
+	 * @type string
+	 */
+	type: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+}
+
 /**
  * @nullable
  */
@@ -2039,57 +2090,6 @@ export interface RenderErrorResponseDTO {
 	status: string;
 }
 
-export interface RoletypesPatchableRoleDTO {
-	/**
-	 * @type string
-	 */
-	description: string;
-}
-
-export interface RoletypesPostableRoleDTO {
-	/**
-	 * @type string
-	 */
-	description?: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-}
-
-export interface RoletypesRoleDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	description: string;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type string
-	 */
-	orgId: string;
-	/**
-	 * @type string
-	 */
-	type: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-}
-
 export interface ServiceaccounttypesFactorAPIKeyDTO {
 	/**
 	 * @type string
@@ -3163,7 +3163,7 @@ export type ListRoles200 = {
 	/**
 	 * @type array
 	 */
-	data: RoletypesRoleDTO[];
+	data: AuthtypesRoleDTO[];
 	/**
 	 * @type string
 	 */
@@ -3185,7 +3185,7 @@ export type GetRolePathParameters = {
 	id: string;
 };
 export type GetRole200 = {
-	data: RoletypesRoleDTO;
+	data: AuthtypesRoleDTO;
 	/**
 	 * @type string
 	 */

frontend/src/container/RolesSettings/RolesComponents/CreateRoleModal.tsx

@@ -13,8 +13,8 @@ import {
 	usePatchRole,
 } from 'api/generated/services/role';
 import {
+	AuthtypesPostableRoleDTO,
 	RenderErrorResponseDTO,
-	RoletypesPostableRoleDTO,
 } from 'api/generated/services/sigNoz.schemas';
 import { ErrorType } from 'api/generatedAPIInstance';
 import ROUTES from 'constants/routes';
@@ -114,7 +114,7 @@ function CreateRoleModal({
 					data: { description: values.description || '' },
 				});
 			} else {
-				const data: RoletypesPostableRoleDTO = {
+				const data: AuthtypesPostableRoleDTO = {
 					name: values.name,
 					...(values.description ? { description: values.description } : {}),
 				};

frontend/src/container/RolesSettings/RolesComponents/RolesListingTable.tsx

@@ -2,7 +2,7 @@ import { useCallback, useEffect, useMemo } from 'react';
 import { useHistory } from 'react-router-dom';
 import { Pagination, Skeleton } from 'antd';
 import { useListRoles } from 'api/generated/services/role';
-import { RoletypesRoleDTO } from 'api/generated/services/sigNoz.schemas';
+import { AuthtypesRoleDTO } from 'api/generated/services/sigNoz.schemas';
 import ErrorInPlace from 'components/ErrorInPlace/ErrorInPlace';
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
 import ROUTES from 'constants/routes';
@@ -20,7 +20,7 @@ const PAGE_SIZE = 20;
 
 type DisplayItem =
 	| { type: 'section'; label: string; count?: number }
-	| { type: 'role'; role: RoletypesRoleDTO };
+	| { type: 'role'; role: AuthtypesRoleDTO };
 
 interface RolesListingTableProps {
 	searchQuery: string;
@@ -187,7 +187,7 @@ function RolesListingTable({
 	};
 
 	// todo: use table from periscope when its available for consumption
-	const renderRow = (role: RoletypesRoleDTO): JSX.Element => (
+	const renderRow = (role: AuthtypesRoleDTO): JSX.Element => (
 		<div
 			key={role.id}
 			className={`roles-table-row ${

frontend/src/mocks-server/__mockdata__/roles.ts

@@ -1,8 +1,8 @@
-import { RoletypesRoleDTO } from 'api/generated/services/sigNoz.schemas';
+import { AuthtypesRoleDTO } from 'api/generated/services/sigNoz.schemas';
 
 const orgId = '019ba2bb-2fa1-7b24-8159-cfca08617ef9';
 
-export const managedRoles: RoletypesRoleDTO[] = [
+export const managedRoles: AuthtypesRoleDTO[] = [
 	{
 		id: '019c24aa-2248-756f-9833-984f1ab63819',
 		createdAt: new Date('2026-02-03T18:00:55.624356Z'),
@@ -35,7 +35,7 @@ export const managedRoles: RoletypesRoleDTO[] = [
 	},
 ];
 
-export const customRoles: RoletypesRoleDTO[] = [
+export const customRoles: AuthtypesRoleDTO[] = [
 	{
 		id: '019c24aa-3333-0001-aaaa-111111111111',
 		createdAt: new Date('2026-02-10T10:30:00.000Z'),
@@ -56,7 +56,7 @@ export const customRoles: RoletypesRoleDTO[] = [
 	},
 ];
 
-export const allRoles: RoletypesRoleDTO[] = [...managedRoles, ...customRoles];
+export const allRoles: AuthtypesRoleDTO[] = [...managedRoles, ...customRoles];
 
 export const listRolesSuccessResponse = {
 	status: 'success',

go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/dgraph-io/ristretto/v2 v2.3.0
 	github.com/dustin/go-humanize v1.0.1
-	github.com/emersion/go-smtp v0.24.0
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-co-op/gocron v1.30.1
 	github.com/go-openapi/runtime v0.29.2
@@ -109,7 +108,6 @@ require (
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
 	github.com/go-openapi/swag/conv v0.25.4 // indirect
@@ -163,7 +161,7 @@ require (
 	github.com/ClickHouse/ch-go v0.67.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Yiling-J/theine-go v0.6.2 // indirect
-	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b
+	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/beevik/etree v1.1.0 // indirect

pkg/alertmanager/alertmanagernotify/email/email.go

@@ -1,430 +0,0 @@
-package email
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"fmt"
-	"log/slog"
-	"math/rand"
-	"mime"
-	"mime/multipart"
-	"mime/quotedprintable"
-	"net"
-	"net/mail"
-	"net/smtp"
-	"net/textproto"
-	"os"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	commoncfg "github.com/prometheus/common/config"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-const (
-	Integration = "email"
-)
-
-// Email implements a Notifier for email notifications.
-type Email struct {
-	conf     *config.EmailConfig
-	tmpl     *template.Template
-	logger   *slog.Logger
-	hostname string
-}
-
-var errNoAuthUserNameConfigured = errors.NewInternalf(errors.CodeInternal, "no auth username configured")
-
-// New returns a new Email notifier.
-func New(c *config.EmailConfig, t *template.Template, l *slog.Logger) *Email {
-	if _, ok := c.Headers["Subject"]; !ok {
-		c.Headers["Subject"] = config.DefaultEmailSubject
-	}
-	if _, ok := c.Headers["To"]; !ok {
-		c.Headers["To"] = c.To
-	}
-	if _, ok := c.Headers["From"]; !ok {
-		c.Headers["From"] = c.From
-	}
-
-	h, err := os.Hostname()
-	// If we can't get the hostname, we'll use localhost
-	if err != nil {
-		h = "localhost.localdomain"
-	}
-	return &Email{conf: c, tmpl: t, logger: l, hostname: h}
-}
-
-// auth resolves a string of authentication mechanisms.
-func (n *Email) auth(mechs string) (smtp.Auth, error) {
-	username := n.conf.AuthUsername
-
-	// If no username is set, return custom error which can be ignored if needed.
-	if n.conf.AuthUsername == "" {
-		return nil, errNoAuthUserNameConfigured
-	}
-
-	err := &types.MultiError{}
-	for mech := range strings.SplitSeq(mechs, " ") {
-		switch mech {
-		case "CRAM-MD5":
-			secret, secretErr := n.getAuthSecret()
-			if secretErr != nil {
-				err.Add(secretErr)
-				continue
-			}
-			if secret == "" {
-				err.Add(errors.NewInternalf(errors.CodeInternal, "missing secret for CRAM-MD5 auth mechanism"))
-				continue
-			}
-			return smtp.CRAMMD5Auth(username, secret), nil
-
-		case "PLAIN":
-			password, passwordErr := n.getPassword()
-			if passwordErr != nil {
-				err.Add(passwordErr)
-				continue
-			}
-			if password == "" {
-				err.Add(errors.NewInternalf(errors.CodeInternal, "missing password for PLAIN auth mechanism"))
-				continue
-			}
-			identity := n.conf.AuthIdentity
-
-			return smtp.PlainAuth(identity, username, password, n.conf.Smarthost.Host), nil
-		case "LOGIN":
-			password, passwordErr := n.getPassword()
-			if passwordErr != nil {
-				err.Add(passwordErr)
-				continue
-			}
-			if password == "" {
-				err.Add(errors.NewInternalf(errors.CodeInternal, "missing password for LOGIN auth mechanism"))
-				continue
-			}
-			return LoginAuth(username, password), nil
-		}
-	}
-	if err.Len() == 0 {
-		err.Add(errors.NewInternalf(errors.CodeInternal, "unknown auth mechanism: %s", mechs))
-	}
-	return nil, err
-}
-
-// Notify implements the Notifier interface.
-func (n *Email) Notify(ctx context.Context, as ...*types.Alert) (bool, error) {
-	var (
-		c       *smtp.Client
-		conn    net.Conn
-		err     error
-		success = false
-	)
-	// Determine whether to use Implicit TLS
-	var useImplicitTLS bool
-	if n.conf.ForceImplicitTLS != nil {
-		useImplicitTLS = *n.conf.ForceImplicitTLS
-	} else {
-		// Default logic: port 465 uses implicit TLS (backward compatibility)
-		useImplicitTLS = n.conf.Smarthost.Port == "465"
-	}
-
-	if useImplicitTLS {
-		tlsConfig, err := commoncfg.NewTLSConfig(n.conf.TLSConfig)
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "parse TLS configuration")
-		}
-		if tlsConfig.ServerName == "" {
-			tlsConfig.ServerName = n.conf.Smarthost.Host
-		}
-
-		conn, err = tls.Dial("tcp", n.conf.Smarthost.String(), tlsConfig)
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "establish TLS connection to server")
-		}
-	} else {
-		var (
-			d   = net.Dialer{}
-			err error
-		)
-		conn, err = d.DialContext(ctx, "tcp", n.conf.Smarthost.String())
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "establish connection to server")
-		}
-	}
-	c, err = smtp.NewClient(conn, n.conf.Smarthost.Host)
-	if err != nil {
-		conn.Close()
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "create SMTP client")
-	}
-	defer func() {
-		// Try to clean up after ourselves but don't log anything if something has failed.
-		if err := c.Quit(); success && err != nil {
-			n.logger.WarnContext(ctx, "failed to close SMTP connection", "err", err)
-		}
-	}()
-
-	if n.conf.Hello != "" {
-		err = c.Hello(n.conf.Hello)
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "send EHLO command")
-		}
-	}
-
-	// Global Config guarantees RequireTLS is not nil.
-	if *n.conf.RequireTLS && !useImplicitTLS {
-		if ok, _ := c.Extension("STARTTLS"); !ok {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "'require_tls' is true (default) but %q does not advertise the STARTTLS extension", n.conf.Smarthost)
-		}
-
-		tlsConf, err := commoncfg.NewTLSConfig(n.conf.TLSConfig)
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "parse TLS configuration")
-		}
-		if tlsConf.ServerName == "" {
-			tlsConf.ServerName = n.conf.Smarthost.Host
-		}
-
-		if err := c.StartTLS(tlsConf); err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "send STARTTLS command")
-		}
-	}
-
-	if ok, mech := c.Extension("AUTH"); ok {
-		auth, err := n.auth(mech)
-		if err != nil && err != errNoAuthUserNameConfigured {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "find auth mechanism")
-		} else if err == errNoAuthUserNameConfigured {
-			n.logger.DebugContext(ctx, "no auth username configured. Attempting to send email without authenticating")
-		}
-		if auth != nil {
-			if err := c.Auth(auth); err != nil {
-				return true, errors.WrapInternalf(err, errors.CodeInternal, "%T auth", auth)
-			}
-		}
-	}
-
-	var (
-		tmplErr error
-		data    = notify.GetTemplateData(ctx, n.tmpl, as, n.logger)
-		tmpl    = notify.TmplText(n.tmpl, data, &tmplErr)
-	)
-	from := tmpl(n.conf.From)
-	if tmplErr != nil {
-		return false, errors.WrapInternalf(tmplErr, errors.CodeInternal, "execute 'from' template")
-	}
-	to := tmpl(n.conf.To)
-	if tmplErr != nil {
-		return false, errors.WrapInternalf(tmplErr, errors.CodeInternal, "execute 'to' template")
-	}
-
-	addrs, err := mail.ParseAddressList(from)
-	if err != nil {
-		return false, errors.WrapInternalf(err, errors.CodeInternal, "parse 'from' addresses")
-	}
-	if len(addrs) != 1 {
-		return false, errors.NewInternalf(errors.CodeInternal, "must be exactly one 'from' address (got: %d)", len(addrs))
-	}
-	if err = c.Mail(addrs[0].Address); err != nil {
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "send MAIL command")
-	}
-	addrs, err = mail.ParseAddressList(to)
-	if err != nil {
-		return false, errors.WrapInternalf(err, errors.CodeInternal, "parse 'to' addresses")
-	}
-	for _, addr := range addrs {
-		if err = c.Rcpt(addr.Address); err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "send RCPT command")
-		}
-	}
-
-	// Send the email headers and body.
-	message, err := c.Data()
-	if err != nil {
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "send DATA command")
-	}
-	closeOnce := sync.OnceValue(func() error {
-		return message.Close()
-	})
-	// Close the message when this method exits in order to not leak resources. Even though we're calling this explicitly
-	// further down, the method may exit before then.
-	defer func() {
-		// If we try close an already-closed writer, it'll send a subsequent request to the server which is invalid.
-		_ = closeOnce()
-	}()
-
-	buffer := &bytes.Buffer{}
-	for header, t := range n.conf.Headers {
-		value, err := n.tmpl.ExecuteTextString(t, data)
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "execute %q header template", header)
-		}
-		fmt.Fprintf(buffer, "%s: %s\r\n", header, mime.QEncoding.Encode("utf-8", value))
-	}
-
-	if _, ok := n.conf.Headers["Message-Id"]; !ok {
-		fmt.Fprintf(buffer, "Message-Id: %s\r\n", fmt.Sprintf("<%d.%d@%s>", time.Now().UnixNano(), rand.Uint64(), n.hostname))
-	}
-
-	if n.conf.Threading.Enabled {
-		key, err := notify.ExtractGroupKey(ctx)
-		if err != nil {
-			return false, err
-		}
-		// Add threading headers. All notifications for the same alert group
-		// (identified by key hash) are threaded together.
-		threadBy := ""
-		if n.conf.Threading.ThreadByDate != "none" {
-			// ThreadByDate is 'daily':
-			// Use current date so all mails for this alert today thread together.
-			threadBy = time.Now().Format("2006-01-02")
-		}
-		keyHash := key.Hash()
-		if len(keyHash) > 16 {
-			keyHash = keyHash[:16]
-		}
-		// The thread root ID is a Message-ID that doesn't correspond to
-		// any actual email. Email clients following the (commonly used) JWZ
-		// algorithm will create a dummy container to group these messages.
-		threadRootID := fmt.Sprintf("<alert-%s-%s@alertmanager>", keyHash, threadBy)
-		fmt.Fprintf(buffer, "References: %s\r\n", threadRootID)
-		fmt.Fprintf(buffer, "In-Reply-To: %s\r\n", threadRootID)
-	}
-
-	multipartBuffer := &bytes.Buffer{}
-	multipartWriter := multipart.NewWriter(multipartBuffer)
-
-	fmt.Fprintf(buffer, "Date: %s\r\n", time.Now().Format(time.RFC1123Z))
-	fmt.Fprintf(buffer, "Content-Type: multipart/alternative;  boundary=%s\r\n", multipartWriter.Boundary())
-	fmt.Fprintf(buffer, "MIME-Version: 1.0\r\n\r\n")
-
-	// TODO: Add some useful headers here, such as URL of the alertmanager
-	// and active/resolved.
-	_, err = message.Write(buffer.Bytes())
-	if err != nil {
-		return false, errors.WrapInternalf(err, errors.CodeInternal, "write headers")
-	}
-
-	if len(n.conf.Text) > 0 {
-		// Text template
-		w, err := multipartWriter.CreatePart(textproto.MIMEHeader{
-			"Content-Transfer-Encoding": {"quoted-printable"},
-			"Content-Type":              {"text/plain; charset=UTF-8"},
-		})
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "create part for text template")
-		}
-		body, err := n.tmpl.ExecuteTextString(n.conf.Text, data)
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "execute text template")
-		}
-		qw := quotedprintable.NewWriter(w)
-		_, err = qw.Write([]byte(body))
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "write text part")
-		}
-		err = qw.Close()
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "close text part")
-		}
-	}
-
-	if len(n.conf.HTML) > 0 {
-		// Html template
-		// Preferred alternative placed last per section 5.1.4 of RFC 2046
-		// https://www.ietf.org/rfc/rfc2046.txt
-		w, err := multipartWriter.CreatePart(textproto.MIMEHeader{
-			"Content-Transfer-Encoding": {"quoted-printable"},
-			"Content-Type":              {"text/html; charset=UTF-8"},
-		})
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "create part for html template")
-		}
-		body, err := n.tmpl.ExecuteHTMLString(n.conf.HTML, data)
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "execute html template")
-		}
-		qw := quotedprintable.NewWriter(w)
-		_, err = qw.Write([]byte(body))
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "write HTML part")
-		}
-		err = qw.Close()
-		if err != nil {
-			return true, errors.WrapInternalf(err, errors.CodeInternal, "close HTML part")
-		}
-	}
-
-	err = multipartWriter.Close()
-	if err != nil {
-		return false, errors.WrapInternalf(err, errors.CodeInternal, "close multipartWriter")
-	}
-
-	_, err = message.Write(multipartBuffer.Bytes())
-	if err != nil {
-		return false, errors.WrapInternalf(err, errors.CodeInternal, "write body buffer")
-	}
-
-	// Complete the message and await response.
-	if err = closeOnce(); err != nil {
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "delivery failure")
-	}
-
-	success = true
-	return false, nil
-}
-
-type loginAuth struct {
-	username, password string
-}
-
-func LoginAuth(username, password string) smtp.Auth {
-	return &loginAuth{username, password}
-}
-
-func (a *loginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
-	return "LOGIN", []byte{}, nil
-}
-
-// Used for AUTH LOGIN. (Maybe password should be encrypted).
-func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
-	if more {
-		switch strings.ToLower(string(fromServer)) {
-		case "username:":
-			return []byte(a.username), nil
-		case "password:":
-			return []byte(a.password), nil
-		default:
-			return nil, errors.NewInternalf(errors.CodeInternal, "unexpected server challenge")
-		}
-	}
-	return nil, nil
-}
-
-func (n *Email) getPassword() (string, error) {
-	if len(n.conf.AuthPasswordFile) > 0 {
-		content, err := os.ReadFile(n.conf.AuthPasswordFile)
-		if err != nil {
-			return "", errors.NewInternalf(errors.CodeInternal, "could not read %s: %v", n.conf.AuthPasswordFile, err)
-		}
-		return strings.TrimSpace(string(content)), nil
-	}
-	return string(n.conf.AuthPassword), nil
-}
-
-func (n *Email) getAuthSecret() (string, error) {
-	if len(n.conf.AuthSecretFile) > 0 {
-		content, err := os.ReadFile(n.conf.AuthSecretFile)
-		if err != nil {
-			return "", errors.NewInternalf(errors.CodeInternal, "could not read %s: %v", n.conf.AuthSecretFile, err)
-		}
-		return string(content), nil
-	}
-	return string(n.conf.AuthSecret), nil
-}

pkg/alertmanager/alertmanagernotify/email/testdata/auth-local.yml

@@ -1,4 +0,0 @@
-smarthost: 127.0.0.1:1026
-server: http://127.0.0.1:1081/
-username: user
-password: pass

pkg/alertmanager/alertmanagernotify/email/testdata/auth.yml

@@ -1,4 +0,0 @@
-smarthost: maildev-auth:1025
-server: http://maildev-auth:1080/
-username: user
-password: pass

pkg/alertmanager/alertmanagernotify/email/testdata/noauth-local.yml

@@ -1,2 +0,0 @@
-smarthost: 127.0.0.1:1025
-server: http://127.0.0.1:1080/

pkg/alertmanager/alertmanagernotify/email/testdata/noauth.yml

@@ -1,2 +0,0 @@
-smarthost: maildev-noauth:1025
-server: http://maildev-noauth:1080/

pkg/alertmanager/alertmanagernotify/msteamsv2/msteamsv2.go

@@ -27,10 +27,6 @@ const (
 	colorGrey  = "Warning"
 )
 
-const (
-	Integration = "msteamsv2"
-)
-
 type Notifier struct {
 	conf         *config.MSTeamsV2Config
 	titleLink    string
@@ -91,7 +87,7 @@ type teamsMessage struct {
 
 // New returns a new notifier that uses the Microsoft Teams Power Platform connector.
 func New(c *config.MSTeamsV2Config, t *template.Template, titleLink string, l *slog.Logger, httpOpts ...commoncfg.HTTPClientOption) (*Notifier, error) {
-	client, err := notify.NewClientWithTracing(*c.HTTPConfig, Integration, httpOpts...)
+	client, err := commoncfg.NewClientFromConfig(*c.HTTPConfig, "msteamsv2", httpOpts...)
 	if err != nil {
 		return nil, err
 	}

pkg/alertmanager/alertmanagernotify/opsgenie/api_key_file

@@ -1,2 +0,0 @@
-my_secret_api_key
-

pkg/alertmanager/alertmanagernotify/opsgenie/opsgenie.go

@@ -1,290 +0,0 @@
-package opsgenie
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"log/slog"
-	"maps"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	commoncfg "github.com/prometheus/common/config"
-	"github.com/prometheus/common/model"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-const (
-	Integration = "opsgenie"
-)
-
-// https://docs.opsgenie.com/docs/alert-api - 130 characters meaning runes.
-const maxMessageLenRunes = 130
-
-// Notifier implements a Notifier for OpsGenie notifications.
-type Notifier struct {
-	conf    *config.OpsGenieConfig
-	tmpl    *template.Template
-	logger  *slog.Logger
-	client  *http.Client
-	retrier *notify.Retrier
-}
-
-// New returns a new OpsGenie notifier.
-func New(c *config.OpsGenieConfig, t *template.Template, l *slog.Logger, httpOpts ...commoncfg.HTTPClientOption) (*Notifier, error) {
-	client, err := notify.NewClientWithTracing(*c.HTTPConfig, Integration, httpOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return &Notifier{
-		conf:    c,
-		tmpl:    t,
-		logger:  l,
-		client:  client,
-		retrier: &notify.Retrier{RetryCodes: []int{http.StatusTooManyRequests}},
-	}, nil
-}
-
-type opsGenieCreateMessage struct {
-	Alias       string                           `json:"alias"`
-	Message     string                           `json:"message"`
-	Description string                           `json:"description,omitempty"`
-	Details     map[string]string                `json:"details"`
-	Source      string                           `json:"source"`
-	Responders  []opsGenieCreateMessageResponder `json:"responders,omitempty"`
-	Tags        []string                         `json:"tags,omitempty"`
-	Note        string                           `json:"note,omitempty"`
-	Priority    string                           `json:"priority,omitempty"`
-	Entity      string                           `json:"entity,omitempty"`
-	Actions     []string                         `json:"actions,omitempty"`
-}
-
-type opsGenieCreateMessageResponder struct {
-	ID       string `json:"id,omitempty"`
-	Name     string `json:"name,omitempty"`
-	Username string `json:"username,omitempty"`
-	Type     string `json:"type"` // team, user, escalation, schedule etc.
-}
-
-type opsGenieCloseMessage struct {
-	Source string `json:"source"`
-}
-
-type opsGenieUpdateMessageMessage struct {
-	Message string `json:"message,omitempty"`
-}
-
-type opsGenieUpdateDescriptionMessage struct {
-	Description string `json:"description,omitempty"`
-}
-
-// Notify implements the Notifier interface.
-func (n *Notifier) Notify(ctx context.Context, as ...*types.Alert) (bool, error) {
-	requests, retry, err := n.createRequests(ctx, as...)
-	if err != nil {
-		return retry, err
-	}
-
-	for _, req := range requests {
-		req.Header.Set("User-Agent", notify.UserAgentHeader)
-		resp, err := n.client.Do(req) //nolint:bodyclose
-		if err != nil {
-			return true, err
-		}
-		shouldRetry, err := n.retrier.Check(resp.StatusCode, resp.Body)
-		notify.Drain(resp)
-		if err != nil {
-			return shouldRetry, notify.NewErrorWithReason(notify.GetFailureReasonFromStatusCode(resp.StatusCode), err)
-		}
-	}
-	return true, nil
-}
-
-// Like Split but filter out empty strings.
-func safeSplit(s, sep string) []string {
-	a := strings.Split(strings.TrimSpace(s), sep)
-	b := a[:0]
-	for _, x := range a {
-		if x != "" {
-			b = append(b, x)
-		}
-	}
-	return b
-}
-
-// Create requests for a list of alerts.
-func (n *Notifier) createRequests(ctx context.Context, as ...*types.Alert) ([]*http.Request, bool, error) {
-	key, err := notify.ExtractGroupKey(ctx)
-	if err != nil {
-		return nil, false, err
-	}
-	logger := n.logger.With("group_key", key)
-	logger.DebugContext(ctx, "extracted group key")
-
-	data := notify.GetTemplateData(ctx, n.tmpl, as, logger)
-
-	tmpl := notify.TmplText(n.tmpl, data, &err)
-
-	details := make(map[string]string)
-
-	maps.Copy(details, data.CommonLabels)
-
-	for k, v := range n.conf.Details {
-		details[k] = tmpl(v)
-	}
-
-	requests := []*http.Request{}
-
-	var (
-		alias  = key.Hash()
-		alerts = types.Alerts(as...)
-	)
-	switch alerts.Status() {
-	case model.AlertResolved:
-		resolvedEndpointURL := n.conf.APIURL.Copy()
-		resolvedEndpointURL.Path += fmt.Sprintf("v2/alerts/%s/close", alias)
-		q := resolvedEndpointURL.Query()
-		q.Set("identifierType", "alias")
-		resolvedEndpointURL.RawQuery = q.Encode()
-		msg := &opsGenieCloseMessage{Source: tmpl(n.conf.Source)}
-		var buf bytes.Buffer
-		if err := json.NewEncoder(&buf).Encode(msg); err != nil {
-			return nil, false, err
-		}
-		req, err := http.NewRequest("POST", resolvedEndpointURL.String(), &buf)
-		if err != nil {
-			return nil, true, err
-		}
-		requests = append(requests, req.WithContext(ctx))
-	default:
-		message, truncated := notify.TruncateInRunes(tmpl(n.conf.Message), maxMessageLenRunes)
-		if truncated {
-			logger.WarnContext(ctx, "Truncated message", "alert", key, "max_runes", maxMessageLenRunes)
-		}
-
-		createEndpointURL := n.conf.APIURL.Copy()
-		createEndpointURL.Path += "v2/alerts"
-
-		var responders []opsGenieCreateMessageResponder
-		for _, r := range n.conf.Responders {
-			responder := opsGenieCreateMessageResponder{
-				ID:       tmpl(r.ID),
-				Name:     tmpl(r.Name),
-				Username: tmpl(r.Username),
-				Type:     tmpl(r.Type),
-			}
-
-			if responder == (opsGenieCreateMessageResponder{}) {
-				// Filter out empty responders. This is useful if you want to fill
-				// responders dynamically from alert's common labels.
-				continue
-			}
-
-			if responder.Type == "teams" {
-				teams := safeSplit(responder.Name, ",")
-				for _, team := range teams {
-					newResponder := opsGenieCreateMessageResponder{
-						Name: tmpl(team),
-						Type: tmpl("team"),
-					}
-					responders = append(responders, newResponder)
-				}
-				continue
-			}
-
-			responders = append(responders, responder)
-		}
-
-		msg := &opsGenieCreateMessage{
-			Alias:       alias,
-			Message:     message,
-			Description: tmpl(n.conf.Description),
-			Details:     details,
-			Source:      tmpl(n.conf.Source),
-			Responders:  responders,
-			Tags:        safeSplit(tmpl(n.conf.Tags), ","),
-			Note:        tmpl(n.conf.Note),
-			Priority:    tmpl(n.conf.Priority),
-			Entity:      tmpl(n.conf.Entity),
-			Actions:     safeSplit(tmpl(n.conf.Actions), ","),
-		}
-		var buf bytes.Buffer
-		if err := json.NewEncoder(&buf).Encode(msg); err != nil {
-			return nil, false, err
-		}
-		req, err := http.NewRequest("POST", createEndpointURL.String(), &buf)
-		if err != nil {
-			return nil, true, err
-		}
-		requests = append(requests, req.WithContext(ctx))
-
-		if n.conf.UpdateAlerts {
-			updateMessageEndpointURL := n.conf.APIURL.Copy()
-			updateMessageEndpointURL.Path += fmt.Sprintf("v2/alerts/%s/message", alias)
-			q := updateMessageEndpointURL.Query()
-			q.Set("identifierType", "alias")
-			updateMessageEndpointURL.RawQuery = q.Encode()
-			updateMsgMsg := &opsGenieUpdateMessageMessage{
-				Message: msg.Message,
-			}
-			var updateMessageBuf bytes.Buffer
-			if err := json.NewEncoder(&updateMessageBuf).Encode(updateMsgMsg); err != nil {
-				return nil, false, err
-			}
-			req, err := http.NewRequest("PUT", updateMessageEndpointURL.String(), &updateMessageBuf)
-			if err != nil {
-				return nil, true, err
-			}
-			requests = append(requests, req)
-
-			updateDescriptionEndpointURL := n.conf.APIURL.Copy()
-			updateDescriptionEndpointURL.Path += fmt.Sprintf("v2/alerts/%s/description", alias)
-			q = updateDescriptionEndpointURL.Query()
-			q.Set("identifierType", "alias")
-			updateDescriptionEndpointURL.RawQuery = q.Encode()
-			updateDescMsg := &opsGenieUpdateDescriptionMessage{
-				Description: msg.Description,
-			}
-
-			var updateDescriptionBuf bytes.Buffer
-			if err := json.NewEncoder(&updateDescriptionBuf).Encode(updateDescMsg); err != nil {
-				return nil, false, err
-			}
-			req, err = http.NewRequest("PUT", updateDescriptionEndpointURL.String(), &updateDescriptionBuf)
-			if err != nil {
-				return nil, true, err
-			}
-			requests = append(requests, req.WithContext(ctx))
-		}
-	}
-
-	var apiKey string
-	if n.conf.APIKey != "" {
-		apiKey = tmpl(string(n.conf.APIKey))
-	} else {
-		content, err := os.ReadFile(n.conf.APIKeyFile)
-		if err != nil {
-			return nil, false, errors.WrapInternalf(err, errors.CodeInternal, "read key_file error")
-		}
-		apiKey = tmpl(string(content))
-		apiKey = strings.TrimSpace(string(apiKey))
-	}
-
-	if err != nil {
-		return nil, false, errors.WrapInternalf(err, errors.CodeInternal, "templating error")
-	}
-
-	for _, req := range requests {
-		req.Header.Set("Content-Type", "application/json")
-		req.Header.Set("Authorization", fmt.Sprintf("GenieKey %s", apiKey))
-	}
-
-	return requests, true, nil
-}

pkg/alertmanager/alertmanagernotify/opsgenie/opsgenie_test.go

@@ -1,333 +0,0 @@
-package opsgenie
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-	"testing"
-	"time"
-
-	commoncfg "github.com/prometheus/common/config"
-	"github.com/prometheus/common/model"
-	"github.com/prometheus/common/promslog"
-	"github.com/stretchr/testify/require"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/notify/test"
-	"github.com/prometheus/alertmanager/types"
-)
-
-func TestOpsGenieRetry(t *testing.T) {
-	notifier, err := New(
-		&config.OpsGenieConfig{
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	retryCodes := append(test.DefaultRetryCodes(), http.StatusTooManyRequests)
-	for statusCode, expected := range test.RetryTests(retryCodes) {
-		actual, _ := notifier.retrier.Check(statusCode, nil)
-		require.Equal(t, expected, actual, "error on status %d", statusCode)
-	}
-}
-
-func TestOpsGenieRedactedURL(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	key := "key"
-	notifier, err := New(
-		&config.OpsGenieConfig{
-			APIURL:     &config.URL{URL: u},
-			APIKey:     config.Secret(key),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, key)
-}
-
-func TestGettingOpsGegineApikeyFromFile(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	key := "key"
-
-	f, err := os.CreateTemp(t.TempDir(), "opsgenie_test")
-	require.NoError(t, err, "creating temp file failed")
-	_, err = f.WriteString(key)
-	require.NoError(t, err, "writing to temp file failed")
-
-	notifier, err := New(
-		&config.OpsGenieConfig{
-			APIURL:     &config.URL{URL: u},
-			APIKeyFile: f.Name(),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, key)
-}
-
-func TestOpsGenie(t *testing.T) {
-	u, err := url.Parse("https://opsgenie/api")
-	if err != nil {
-		t.Fatalf("failed to parse URL: %v", err)
-	}
-	logger := promslog.NewNopLogger()
-	tmpl := test.CreateTmpl(t)
-
-	for _, tc := range []struct {
-		title string
-		cfg   *config.OpsGenieConfig
-
-		expectedEmptyAlertBody string
-		expectedBody           string
-	}{
-		{
-			title: "config without details",
-			cfg: &config.OpsGenieConfig{
-				NotifierConfig: config.NotifierConfig{
-					VSendResolved: true,
-				},
-				Message:     `{{ .CommonLabels.Message }}`,
-				Description: `{{ .CommonLabels.Description }}`,
-				Source:      `{{ .CommonLabels.Source }}`,
-				Responders: []config.OpsGenieConfigResponder{
-					{
-						Name: `{{ .CommonLabels.ResponderName1 }}`,
-						Type: `{{ .CommonLabels.ResponderType1 }}`,
-					},
-					{
-						Name: `{{ .CommonLabels.ResponderName2 }}`,
-						Type: `{{ .CommonLabels.ResponderType2 }}`,
-					},
-				},
-				Tags:       `{{ .CommonLabels.Tags }}`,
-				Note:       `{{ .CommonLabels.Note }}`,
-				Priority:   `{{ .CommonLabels.Priority }}`,
-				Entity:     `{{ .CommonLabels.Entity }}`,
-				Actions:    `{{ .CommonLabels.Actions }}`,
-				APIKey:     `{{ .ExternalURL }}`,
-				APIURL:     &config.URL{URL: u},
-				HTTPConfig: &commoncfg.HTTPClientConfig{},
-			},
-			expectedEmptyAlertBody: `{"alias":"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b","message":"","details":{},"source":""}
-`,
-			expectedBody: `{"alias":"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b","message":"message","description":"description","details":{"Actions":"doThis,doThat","Description":"description","Entity":"test-domain","Message":"message","Note":"this is a note","Priority":"P1","ResponderName1":"TeamA","ResponderName2":"EscalationA","ResponderName3":"TeamA,TeamB","ResponderType1":"team","ResponderType2":"escalation","ResponderType3":"teams","Source":"http://prometheus","Tags":"tag1,tag2"},"source":"http://prometheus","responders":[{"name":"TeamA","type":"team"},{"name":"EscalationA","type":"escalation"}],"tags":["tag1","tag2"],"note":"this is a note","priority":"P1","entity":"test-domain","actions":["doThis","doThat"]}
-`,
-		},
-		{
-			title: "config with details",
-			cfg: &config.OpsGenieConfig{
-				NotifierConfig: config.NotifierConfig{
-					VSendResolved: true,
-				},
-				Message:     `{{ .CommonLabels.Message }}`,
-				Description: `{{ .CommonLabels.Description }}`,
-				Source:      `{{ .CommonLabels.Source }}`,
-				Details: map[string]string{
-					"Description": `adjusted {{ .CommonLabels.Description }}`,
-				},
-				Responders: []config.OpsGenieConfigResponder{
-					{
-						Name: `{{ .CommonLabels.ResponderName1 }}`,
-						Type: `{{ .CommonLabels.ResponderType1 }}`,
-					},
-					{
-						Name: `{{ .CommonLabels.ResponderName2 }}`,
-						Type: `{{ .CommonLabels.ResponderType2 }}`,
-					},
-				},
-				Tags:       `{{ .CommonLabels.Tags }}`,
-				Note:       `{{ .CommonLabels.Note }}`,
-				Priority:   `{{ .CommonLabels.Priority }}`,
-				Entity:     `{{ .CommonLabels.Entity }}`,
-				Actions:    `{{ .CommonLabels.Actions }}`,
-				APIKey:     `{{ .ExternalURL }}`,
-				APIURL:     &config.URL{URL: u},
-				HTTPConfig: &commoncfg.HTTPClientConfig{},
-			},
-			expectedEmptyAlertBody: `{"alias":"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b","message":"","details":{"Description":"adjusted "},"source":""}
-`,
-			expectedBody: `{"alias":"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b","message":"message","description":"description","details":{"Actions":"doThis,doThat","Description":"adjusted description","Entity":"test-domain","Message":"message","Note":"this is a note","Priority":"P1","ResponderName1":"TeamA","ResponderName2":"EscalationA","ResponderName3":"TeamA,TeamB","ResponderType1":"team","ResponderType2":"escalation","ResponderType3":"teams","Source":"http://prometheus","Tags":"tag1,tag2"},"source":"http://prometheus","responders":[{"name":"TeamA","type":"team"},{"name":"EscalationA","type":"escalation"}],"tags":["tag1","tag2"],"note":"this is a note","priority":"P1","entity":"test-domain","actions":["doThis","doThat"]}
-`,
-		},
-		{
-			title: "config with multiple teams",
-			cfg: &config.OpsGenieConfig{
-				NotifierConfig: config.NotifierConfig{
-					VSendResolved: true,
-				},
-				Message:     `{{ .CommonLabels.Message }}`,
-				Description: `{{ .CommonLabels.Description }}`,
-				Source:      `{{ .CommonLabels.Source }}`,
-				Details: map[string]string{
-					"Description": `adjusted {{ .CommonLabels.Description }}`,
-				},
-				Responders: []config.OpsGenieConfigResponder{
-					{
-						Name: `{{ .CommonLabels.ResponderName3 }}`,
-						Type: `{{ .CommonLabels.ResponderType3 }}`,
-					},
-				},
-				Tags:       `{{ .CommonLabels.Tags }}`,
-				Note:       `{{ .CommonLabels.Note }}`,
-				Priority:   `{{ .CommonLabels.Priority }}`,
-				APIKey:     `{{ .ExternalURL }}`,
-				APIURL:     &config.URL{URL: u},
-				HTTPConfig: &commoncfg.HTTPClientConfig{},
-			},
-			expectedEmptyAlertBody: `{"alias":"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b","message":"","details":{"Description":"adjusted "},"source":""}
-`,
-			expectedBody: `{"alias":"6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b","message":"message","description":"description","details":{"Actions":"doThis,doThat","Description":"adjusted description","Entity":"test-domain","Message":"message","Note":"this is a note","Priority":"P1","ResponderName1":"TeamA","ResponderName2":"EscalationA","ResponderName3":"TeamA,TeamB","ResponderType1":"team","ResponderType2":"escalation","ResponderType3":"teams","Source":"http://prometheus","Tags":"tag1,tag2"},"source":"http://prometheus","responders":[{"name":"TeamA","type":"team"},{"name":"TeamB","type":"team"}],"tags":["tag1","tag2"],"note":"this is a note","priority":"P1"}
-`,
-		},
-	} {
-		t.Run(tc.title, func(t *testing.T) {
-			notifier, err := New(tc.cfg, tmpl, logger)
-			require.NoError(t, err)
-
-			ctx := context.Background()
-			ctx = notify.WithGroupKey(ctx, "1")
-
-			expectedURL, _ := url.Parse("https://opsgenie/apiv2/alerts")
-
-			// Empty alert.
-			alert1 := &types.Alert{
-				Alert: model.Alert{
-					StartsAt: time.Now(),
-					EndsAt:   time.Now().Add(time.Hour),
-				},
-			}
-
-			req, retry, err := notifier.createRequests(ctx, alert1)
-			require.NoError(t, err)
-			require.Len(t, req, 1)
-			require.True(t, retry)
-			require.Equal(t, expectedURL, req[0].URL)
-			require.Equal(t, "GenieKey http://am", req[0].Header.Get("Authorization"))
-			require.Equal(t, tc.expectedEmptyAlertBody, readBody(t, req[0]))
-
-			// Fully defined alert.
-			alert2 := &types.Alert{
-				Alert: model.Alert{
-					Labels: model.LabelSet{
-						"Message":        "message",
-						"Description":    "description",
-						"Source":         "http://prometheus",
-						"ResponderName1": "TeamA",
-						"ResponderType1": "team",
-						"ResponderName2": "EscalationA",
-						"ResponderType2": "escalation",
-						"ResponderName3": "TeamA,TeamB",
-						"ResponderType3": "teams",
-						"Tags":           "tag1,tag2",
-						"Note":           "this is a note",
-						"Priority":       "P1",
-						"Entity":         "test-domain",
-						"Actions":        "doThis,doThat",
-					},
-					StartsAt: time.Now(),
-					EndsAt:   time.Now().Add(time.Hour),
-				},
-			}
-			req, retry, err = notifier.createRequests(ctx, alert2)
-			require.NoError(t, err)
-			require.True(t, retry)
-			require.Len(t, req, 1)
-			require.Equal(t, tc.expectedBody, readBody(t, req[0]))
-
-			// Broken API Key Template.
-			tc.cfg.APIKey = "{{ kaput "
-			_, _, err = notifier.createRequests(ctx, alert2)
-			require.Error(t, err)
-			require.Equal(t, "template: :1: function \"kaput\" not defined", err.Error())
-		})
-	}
-}
-
-func TestOpsGenieWithUpdate(t *testing.T) {
-	u, err := url.Parse("https://test-opsgenie-url")
-	require.NoError(t, err)
-	tmpl := test.CreateTmpl(t)
-	ctx := context.Background()
-	ctx = notify.WithGroupKey(ctx, "1")
-	opsGenieConfigWithUpdate := config.OpsGenieConfig{
-		Message:      `{{ .CommonLabels.Message }}`,
-		Description:  `{{ .CommonLabels.Description }}`,
-		UpdateAlerts: true,
-		APIKey:       "test-api-key",
-		APIURL:       &config.URL{URL: u},
-		HTTPConfig:   &commoncfg.HTTPClientConfig{},
-	}
-	notifierWithUpdate, err := New(&opsGenieConfigWithUpdate, tmpl, promslog.NewNopLogger())
-	alert := &types.Alert{
-		Alert: model.Alert{
-			StartsAt: time.Now(),
-			EndsAt:   time.Now().Add(time.Hour),
-			Labels: model.LabelSet{
-				"Message":     "new message",
-				"Description": "new description",
-			},
-		},
-	}
-	require.NoError(t, err)
-	requests, retry, err := notifierWithUpdate.createRequests(ctx, alert)
-	require.NoError(t, err)
-	require.True(t, retry)
-	require.Len(t, requests, 3)
-
-	body0 := readBody(t, requests[0])
-	body1 := readBody(t, requests[1])
-	body2 := readBody(t, requests[2])
-	key, _ := notify.ExtractGroupKey(ctx)
-	alias := key.Hash()
-
-	require.Equal(t, "https://test-opsgenie-url/v2/alerts", requests[0].URL.String())
-	require.NotEmpty(t, body0)
-
-	require.Equal(t, requests[1].URL.String(), fmt.Sprintf("https://test-opsgenie-url/v2/alerts/%s/message?identifierType=alias", alias))
-	require.JSONEq(t, `{"message":"new message"}`, body1)
-	require.Equal(t, requests[2].URL.String(), fmt.Sprintf("https://test-opsgenie-url/v2/alerts/%s/description?identifierType=alias", alias))
-	require.JSONEq(t, `{"description":"new description"}`, body2)
-}
-
-func TestOpsGenieApiKeyFile(t *testing.T) {
-	u, err := url.Parse("https://test-opsgenie-url")
-	require.NoError(t, err)
-	tmpl := test.CreateTmpl(t)
-	ctx := context.Background()
-	ctx = notify.WithGroupKey(ctx, "1")
-	opsGenieConfigWithUpdate := config.OpsGenieConfig{
-		APIKeyFile: `./api_key_file`,
-		APIURL:     &config.URL{URL: u},
-		HTTPConfig: &commoncfg.HTTPClientConfig{},
-	}
-	notifierWithUpdate, err := New(&opsGenieConfigWithUpdate, tmpl, promslog.NewNopLogger())
-
-	require.NoError(t, err)
-	requests, _, err := notifierWithUpdate.createRequests(ctx)
-	require.NoError(t, err)
-	require.Equal(t, "GenieKey my_secret_api_key", requests[0].Header.Get("Authorization"))
-}
-
-func readBody(t *testing.T, r *http.Request) string {
-	t.Helper()
-	body, err := io.ReadAll(r.Body)
-	require.NoError(t, err)
-	return string(body)
-}

pkg/alertmanager/alertmanagernotify/pagerduty/pagerduty.go

@@ -1,374 +0,0 @@
-package pagerduty
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"log/slog"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/alecthomas/units"
-	commoncfg "github.com/prometheus/common/config"
-	"github.com/prometheus/common/model"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-const (
-	Integration = "pagerduty"
-)
-
-const (
-	maxEventSize int = 512000
-	// https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTc4-send-a-v1-event - 1024 characters or runes.
-	maxV1DescriptionLenRunes = 1024
-	// https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgx-send-an-alert-event - 1024 characters or runes.
-	maxV2SummaryLenRunes = 1024
-)
-
-// Notifier implements a Notifier for PagerDuty notifications.
-type Notifier struct {
-	conf    *config.PagerdutyConfig
-	tmpl    *template.Template
-	logger  *slog.Logger
-	apiV1   string // for tests.
-	client  *http.Client
-	retrier *notify.Retrier
-}
-
-// New returns a new PagerDuty notifier.
-func New(c *config.PagerdutyConfig, t *template.Template, l *slog.Logger, httpOpts ...commoncfg.HTTPClientOption) (*Notifier, error) {
-	client, err := notify.NewClientWithTracing(*c.HTTPConfig, Integration, httpOpts...)
-	if err != nil {
-		return nil, err
-	}
-	n := &Notifier{conf: c, tmpl: t, logger: l, client: client}
-	if c.ServiceKey != "" || c.ServiceKeyFile != "" {
-		n.apiV1 = "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
-		// Retrying can solve the issue on 403 (rate limiting) and 5xx response codes.
-		// https://developer.pagerduty.com/docs/events-api-v1-overview#api-response-codes--retry-logic
-		n.retrier = &notify.Retrier{RetryCodes: []int{http.StatusForbidden}, CustomDetailsFunc: errDetails}
-	} else {
-		// Retrying can solve the issue on 429 (rate limiting) and 5xx response codes.
-		// https://developer.pagerduty.com/docs/events-api-v2-overview#response-codes--retry-logic
-		n.retrier = &notify.Retrier{RetryCodes: []int{http.StatusTooManyRequests}, CustomDetailsFunc: errDetails}
-	}
-	return n, nil
-}
-
-const (
-	pagerDutyEventTrigger = "trigger"
-	pagerDutyEventResolve = "resolve"
-)
-
-type pagerDutyMessage struct {
-	RoutingKey  string            `json:"routing_key,omitempty"`
-	ServiceKey  string            `json:"service_key,omitempty"`
-	DedupKey    string            `json:"dedup_key,omitempty"`
-	IncidentKey string            `json:"incident_key,omitempty"`
-	EventType   string            `json:"event_type,omitempty"`
-	Description string            `json:"description,omitempty"`
-	EventAction string            `json:"event_action"`
-	Payload     *pagerDutyPayload `json:"payload"`
-	Client      string            `json:"client,omitempty"`
-	ClientURL   string            `json:"client_url,omitempty"`
-	Details     map[string]any    `json:"details,omitempty"`
-	Images      []pagerDutyImage  `json:"images,omitempty"`
-	Links       []pagerDutyLink   `json:"links,omitempty"`
-}
-
-type pagerDutyLink struct {
-	HRef string `json:"href"`
-	Text string `json:"text"`
-}
-
-type pagerDutyImage struct {
-	Src  string `json:"src"`
-	Alt  string `json:"alt"`
-	Href string `json:"href"`
-}
-
-type pagerDutyPayload struct {
-	Summary       string         `json:"summary"`
-	Source        string         `json:"source"`
-	Severity      string         `json:"severity"`
-	Timestamp     string         `json:"timestamp,omitempty"`
-	Class         string         `json:"class,omitempty"`
-	Component     string         `json:"component,omitempty"`
-	Group         string         `json:"group,omitempty"`
-	CustomDetails map[string]any `json:"custom_details,omitempty"`
-}
-
-func (n *Notifier) encodeMessage(ctx context.Context, msg *pagerDutyMessage) (bytes.Buffer, error) {
-	var buf bytes.Buffer
-	if err := json.NewEncoder(&buf).Encode(msg); err != nil {
-		return buf, errors.WrapInternalf(err, errors.CodeInternal, "failed to encode PagerDuty message")
-	}
-
-	if buf.Len() > maxEventSize {
-		truncatedMsg := fmt.Sprintf("Custom details have been removed because the original event exceeds the maximum size of %s", units.MetricBytes(maxEventSize).String())
-
-		if n.apiV1 != "" {
-			msg.Details = map[string]any{"error": truncatedMsg}
-		} else {
-			msg.Payload.CustomDetails = map[string]any{"error": truncatedMsg}
-		}
-
-		n.logger.WarnContext(ctx, "Truncated Details because message of size exceeds limit", "message_size", units.MetricBytes(buf.Len()).String(), "max_size", units.MetricBytes(maxEventSize).String())
-
-		buf.Reset()
-		if err := json.NewEncoder(&buf).Encode(msg); err != nil {
-			return buf, errors.WrapInternalf(err, errors.CodeInternal, "failed to encode PagerDuty message")
-		}
-	}
-
-	return buf, nil
-}
-
-func (n *Notifier) notifyV1(
-	ctx context.Context,
-	eventType string,
-	key notify.Key,
-	data *template.Data,
-	details map[string]any,
-) (bool, error) {
-	var tmplErr error
-	tmpl := notify.TmplText(n.tmpl, data, &tmplErr)
-
-	description, truncated := notify.TruncateInRunes(tmpl(n.conf.Description), maxV1DescriptionLenRunes)
-	if truncated {
-		n.logger.WarnContext(ctx, "Truncated description", "key", key, "max_runes", maxV1DescriptionLenRunes)
-	}
-
-	serviceKey := string(n.conf.ServiceKey)
-	if serviceKey == "" {
-		content, fileErr := os.ReadFile(n.conf.ServiceKeyFile)
-		if fileErr != nil {
-			return false, errors.WrapInternalf(fileErr, errors.CodeInternal, "failed to read service key from file")
-		}
-		serviceKey = strings.TrimSpace(string(content))
-	}
-
-	msg := &pagerDutyMessage{
-		ServiceKey:  tmpl(serviceKey),
-		EventType:   eventType,
-		IncidentKey: key.Hash(),
-		Description: description,
-		Details:     details,
-	}
-
-	if eventType == pagerDutyEventTrigger {
-		msg.Client = tmpl(n.conf.Client)
-		msg.ClientURL = tmpl(n.conf.ClientURL)
-	}
-
-	if tmplErr != nil {
-		return false, errors.WrapInternalf(tmplErr, errors.CodeInternal, "failed to template PagerDuty v1 message")
-	}
-
-	// Ensure that the service key isn't empty after templating.
-	if msg.ServiceKey == "" {
-		return false, errors.NewInternalf(errors.CodeInternal, "service key cannot be empty")
-	}
-
-	encodedMsg, err := n.encodeMessage(ctx, msg)
-	if err != nil {
-		return false, err
-	}
-
-	resp, err := notify.PostJSON(ctx, n.client, n.apiV1, &encodedMsg) //nolint:bodyclose
-	if err != nil {
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "failed to post message to PagerDuty v1")
-	}
-	defer notify.Drain(resp)
-
-	return n.retrier.Check(resp.StatusCode, resp.Body)
-}
-
-func (n *Notifier) notifyV2(
-	ctx context.Context,
-	eventType string,
-	key notify.Key,
-	data *template.Data,
-	details map[string]any,
-) (bool, error) {
-	var tmplErr error
-	tmpl := notify.TmplText(n.tmpl, data, &tmplErr)
-
-	if n.conf.Severity == "" {
-		n.conf.Severity = "error"
-	}
-
-	summary, truncated := notify.TruncateInRunes(tmpl(n.conf.Description), maxV2SummaryLenRunes)
-	if truncated {
-		n.logger.WarnContext(ctx, "Truncated summary", "key", key, "max_runes", maxV2SummaryLenRunes)
-	}
-
-	routingKey := string(n.conf.RoutingKey)
-	if routingKey == "" {
-		content, fileErr := os.ReadFile(n.conf.RoutingKeyFile)
-		if fileErr != nil {
-			return false, errors.WrapInternalf(fileErr, errors.CodeInternal, "failed to read routing key from file")
-		}
-		routingKey = strings.TrimSpace(string(content))
-	}
-
-	msg := &pagerDutyMessage{
-		Client:      tmpl(n.conf.Client),
-		ClientURL:   tmpl(n.conf.ClientURL),
-		RoutingKey:  tmpl(routingKey),
-		EventAction: eventType,
-		DedupKey:    key.Hash(),
-		Images:      make([]pagerDutyImage, 0, len(n.conf.Images)),
-		Links:       make([]pagerDutyLink, 0, len(n.conf.Links)),
-		Payload: &pagerDutyPayload{
-			Summary:       summary,
-			Source:        tmpl(n.conf.Source),
-			Severity:      tmpl(n.conf.Severity),
-			CustomDetails: details,
-			Class:         tmpl(n.conf.Class),
-			Component:     tmpl(n.conf.Component),
-			Group:         tmpl(n.conf.Group),
-		},
-	}
-
-	for _, item := range n.conf.Images {
-		image := pagerDutyImage{
-			Src:  tmpl(item.Src),
-			Alt:  tmpl(item.Alt),
-			Href: tmpl(item.Href),
-		}
-
-		if image.Src != "" {
-			msg.Images = append(msg.Images, image)
-		}
-	}
-
-	for _, item := range n.conf.Links {
-		link := pagerDutyLink{
-			HRef: tmpl(item.Href),
-			Text: tmpl(item.Text),
-		}
-
-		if link.HRef != "" {
-			msg.Links = append(msg.Links, link)
-		}
-	}
-
-	if tmplErr != nil {
-		return false, errors.WrapInternalf(tmplErr, errors.CodeInternal, "failed to template PagerDuty v2 message")
-	}
-
-	// Ensure that the routing key isn't empty after templating.
-	if msg.RoutingKey == "" {
-		return false, errors.NewInternalf(errors.CodeInternal, "routing key cannot be empty")
-	}
-
-	encodedMsg, err := n.encodeMessage(ctx, msg)
-	if err != nil {
-		return false, err
-	}
-
-	resp, err := notify.PostJSON(ctx, n.client, n.conf.URL.String(), &encodedMsg) //nolint:bodyclose
-	if err != nil {
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "failed to post message to PagerDuty")
-	}
-	defer notify.Drain(resp)
-
-	retry, err := n.retrier.Check(resp.StatusCode, resp.Body)
-	if err != nil {
-		return retry, notify.NewErrorWithReason(notify.GetFailureReasonFromStatusCode(resp.StatusCode), err)
-	}
-	return retry, err
-}
-
-// Notify implements the Notifier interface.
-func (n *Notifier) Notify(ctx context.Context, as ...*types.Alert) (bool, error) {
-	key, err := notify.ExtractGroupKey(ctx)
-	if err != nil {
-		return false, err
-	}
-	logger := n.logger.With("group_key", key)
-
-	var (
-		alerts    = types.Alerts(as...)
-		data      = notify.GetTemplateData(ctx, n.tmpl, as, logger)
-		eventType = pagerDutyEventTrigger
-	)
-
-	if alerts.Status() == model.AlertResolved {
-		eventType = pagerDutyEventResolve
-	}
-
-	logger.DebugContext(ctx, "extracted group key", "event_type", eventType)
-
-	details, err := n.renderDetails(data)
-	if err != nil {
-		return false, errors.WrapInternalf(err, errors.CodeInternal, "failed to render details: %v", err)
-	}
-
-	if n.conf.Timeout > 0 {
-		nfCtx, cancel := context.WithTimeoutCause(ctx, n.conf.Timeout, errors.NewInternalf(errors.CodeTimeout, "configured pagerduty timeout reached (%s)", n.conf.Timeout))
-		defer cancel()
-		ctx = nfCtx
-	}
-
-	nf := n.notifyV2
-	if n.apiV1 != "" {
-		nf = n.notifyV1
-	}
-	retry, err := nf(ctx, eventType, key, data, details)
-	if err != nil {
-		if ctx.Err() != nil {
-			err = errors.WrapInternalf(err, errors.CodeInternal, "failed to notify PagerDuty: %v", context.Cause(ctx))
-		}
-		return retry, err
-	}
-	return retry, nil
-}
-
-func errDetails(status int, body io.Reader) string {
-	// See https://v2.developer.pagerduty.com/docs/trigger-events for the v1 events API.
-	// See https://v2.developer.pagerduty.com/docs/send-an-event-events-api-v2 for the v2 events API.
-	if status != http.StatusBadRequest || body == nil {
-		return ""
-	}
-	var pgr struct {
-		Status  string   `json:"status"`
-		Message string   `json:"message"`
-		Errors  []string `json:"errors"`
-	}
-	if err := json.NewDecoder(body).Decode(&pgr); err != nil {
-		return ""
-	}
-	return fmt.Sprintf("%s: %s", pgr.Message, strings.Join(pgr.Errors, ","))
-}
-
-func (n *Notifier) renderDetails(
-	data *template.Data,
-) (map[string]any, error) {
-	var (
-		tmplTextErr  error
-		tmplText     = notify.TmplText(n.tmpl, data, &tmplTextErr)
-		tmplTextFunc = func(tmpl string) (string, error) {
-			return tmplText(tmpl), tmplTextErr
-		}
-	)
-	var err error
-	rendered := make(map[string]any, len(n.conf.Details))
-	for k, v := range n.conf.Details {
-		rendered[k], err = template.DeepCopyWithTemplate(v, tmplTextFunc)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return rendered, nil
-}

pkg/alertmanager/alertmanagernotify/pagerduty/pagerduty_test.go

@@ -1,879 +0,0 @@
-package pagerduty
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"os"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	commoncfg "github.com/prometheus/common/config"
-	"github.com/prometheus/common/model"
-	"github.com/prometheus/common/promslog"
-	"github.com/stretchr/testify/require"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/notify/test"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-func TestPagerDutyRetryV1(t *testing.T) {
-	notifier, err := New(
-		&config.PagerdutyConfig{
-			ServiceKey: config.Secret("01234567890123456789012345678901"),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	retryCodes := append(test.DefaultRetryCodes(), http.StatusForbidden)
-	for statusCode, expected := range test.RetryTests(retryCodes) {
-		actual, _ := notifier.retrier.Check(statusCode, nil)
-		require.Equal(t, expected, actual, "retryv1 - error on status %d", statusCode)
-	}
-}
-
-func TestPagerDutyRetryV2(t *testing.T) {
-	notifier, err := New(
-		&config.PagerdutyConfig{
-			RoutingKey: config.Secret("01234567890123456789012345678901"),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	retryCodes := append(test.DefaultRetryCodes(), http.StatusTooManyRequests)
-	for statusCode, expected := range test.RetryTests(retryCodes) {
-		actual, _ := notifier.retrier.Check(statusCode, nil)
-		require.Equal(t, expected, actual, "retryv2 - error on status %d", statusCode)
-	}
-}
-
-func TestPagerDutyRedactedURLV1(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	key := "01234567890123456789012345678901"
-	notifier, err := New(
-		&config.PagerdutyConfig{
-			ServiceKey: config.Secret(key),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-	notifier.apiV1 = u.String()
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, key)
-}
-
-func TestPagerDutyRedactedURLV2(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	key := "01234567890123456789012345678901"
-	notifier, err := New(
-		&config.PagerdutyConfig{
-			URL:        &config.URL{URL: u},
-			RoutingKey: config.Secret(key),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, key)
-}
-
-func TestPagerDutyV1ServiceKeyFromFile(t *testing.T) {
-	key := "01234567890123456789012345678901"
-	f, err := os.CreateTemp(t.TempDir(), "pagerduty_test")
-	require.NoError(t, err, "creating temp file failed")
-	_, err = f.WriteString(key)
-	require.NoError(t, err, "writing to temp file failed")
-
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	notifier, err := New(
-		&config.PagerdutyConfig{
-			ServiceKeyFile: f.Name(),
-			HTTPConfig:     &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-	notifier.apiV1 = u.String()
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, key)
-}
-
-func TestPagerDutyV2RoutingKeyFromFile(t *testing.T) {
-	key := "01234567890123456789012345678901"
-	f, err := os.CreateTemp(t.TempDir(), "pagerduty_test")
-	require.NoError(t, err, "creating temp file failed")
-	_, err = f.WriteString(key)
-	require.NoError(t, err, "writing to temp file failed")
-
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	notifier, err := New(
-		&config.PagerdutyConfig{
-			URL:            &config.URL{URL: u},
-			RoutingKeyFile: f.Name(),
-			HTTPConfig:     &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, key)
-}
-
-func TestPagerDutyTemplating(t *testing.T) {
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		dec := json.NewDecoder(r.Body)
-		out := make(map[string]any)
-		err := dec.Decode(&out)
-		if err != nil {
-			panic(err)
-		}
-	}))
-	defer srv.Close()
-	u, _ := url.Parse(srv.URL)
-
-	for _, tc := range []struct {
-		title string
-		cfg   *config.PagerdutyConfig
-
-		retry  bool
-		errMsg string
-	}{
-		{
-			title: "full-blown legacy message",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				Images: []config.PagerdutyImage{
-					{
-						Src:  "{{ .Status }}",
-						Alt:  "{{ .Status }}",
-						Href: "{{ .Status }}",
-					},
-				},
-				Links: []config.PagerdutyLink{
-					{
-						Href: "{{ .Status }}",
-						Text: "{{ .Status }}",
-					},
-				},
-				Details: map[string]any{
-					"firing":       `{{ .Alerts.Firing | toJson }}`,
-					"resolved":     `{{ .Alerts.Resolved | toJson }}`,
-					"num_firing":   `{{ .Alerts.Firing | len }}`,
-					"num_resolved": `{{ .Alerts.Resolved | len }}`,
-				},
-			},
-		},
-		{
-			title: "full-blown legacy message",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				Images: []config.PagerdutyImage{
-					{
-						Src:  "{{ .Status }}",
-						Alt:  "{{ .Status }}",
-						Href: "{{ .Status }}",
-					},
-				},
-				Links: []config.PagerdutyLink{
-					{
-						Href: "{{ .Status }}",
-						Text: "{{ .Status }}",
-					},
-				},
-				Details: map[string]any{
-					"firing":       `{{ template "pagerduty.default.instances" .Alerts.Firing }}`,
-					"resolved":     `{{ template "pagerduty.default.instances" .Alerts.Resolved }}`,
-					"num_firing":   `{{ .Alerts.Firing | len }}`,
-					"num_resolved": `{{ .Alerts.Resolved | len }}`,
-				},
-			},
-		},
-		{
-			title: "nested details",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				Details: map[string]any{
-					"a": map[string]any{
-						"b": map[string]any{
-							"c": map[string]any{
-								"firing":       `{{ .Alerts.Firing | toJson }}`,
-								"resolved":     `{{ .Alerts.Resolved | toJson }}`,
-								"num_firing":   `{{ .Alerts.Firing | len }}`,
-								"num_resolved": `{{ .Alerts.Resolved | len }}`,
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			title: "nested details with template error",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				Details: map[string]any{
-					"a": map[string]any{
-						"b": map[string]any{
-							"c": map[string]any{
-								"firing": `{{ template "pagerduty.default.instances" .Alerts.Firing`,
-							},
-						},
-					},
-				},
-			},
-			errMsg: "failed to render details: template: :1: unclosed action",
-		},
-		{
-			title: "details with templating errors",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				Details: map[string]any{
-					"firing":       `{{ .Alerts.Firing | toJson`,
-					"resolved":     `{{ .Alerts.Resolved | toJson }}`,
-					"num_firing":   `{{ .Alerts.Firing | len }}`,
-					"num_resolved": `{{ .Alerts.Resolved | len }}`,
-				},
-			},
-			errMsg: "failed to render details: template: :1: unclosed action",
-		},
-		{
-			title: "v2 message with templating errors",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				Severity:   "{{ ",
-			},
-			errMsg: "failed to template",
-		},
-		{
-			title: "v1 message with templating errors",
-			cfg: &config.PagerdutyConfig{
-				ServiceKey: config.Secret("01234567890123456789012345678901"),
-				Client:     "{{ ",
-			},
-			errMsg: "failed to template",
-		},
-		{
-			title: "routing key cannot be empty",
-			cfg: &config.PagerdutyConfig{
-				RoutingKey: config.Secret(`{{ "" }}`),
-			},
-			errMsg: "routing key cannot be empty",
-		},
-		{
-			title: "service_key cannot be empty",
-			cfg: &config.PagerdutyConfig{
-				ServiceKey: config.Secret(`{{ "" }}`),
-			},
-			errMsg: "service key cannot be empty",
-		},
-	} {
-		t.Run(tc.title, func(t *testing.T) {
-			tc.cfg.URL = &config.URL{URL: u}
-			tc.cfg.HTTPConfig = &commoncfg.HTTPClientConfig{}
-			pd, err := New(tc.cfg, test.CreateTmpl(t), promslog.NewNopLogger())
-			require.NoError(t, err)
-			if pd.apiV1 != "" {
-				pd.apiV1 = u.String()
-			}
-
-			ctx := context.Background()
-			ctx = notify.WithGroupKey(ctx, "1")
-
-			ok, err := pd.Notify(ctx, []*types.Alert{
-				{
-					Alert: model.Alert{
-						Labels: model.LabelSet{
-							"lbl1": "val1",
-						},
-						StartsAt: time.Now(),
-						EndsAt:   time.Now().Add(time.Hour),
-					},
-				},
-			}...)
-			if tc.errMsg == "" {
-				require.NoError(t, err)
-			} else {
-				require.Error(t, err)
-				if errors.Asc(err, errors.CodeInternal) {
-					_, _, errMsg, _, _, _ := errors.Unwrapb(err)
-					require.Contains(t, errMsg, tc.errMsg)
-				} else {
-					require.Contains(t, err.Error(), tc.errMsg)
-				}
-			}
-			require.Equal(t, tc.retry, ok)
-		})
-	}
-}
-
-func TestErrDetails(t *testing.T) {
-	for _, tc := range []struct {
-		status int
-		body   io.Reader
-
-		exp string
-	}{
-		{
-			status: http.StatusBadRequest,
-			body: bytes.NewBuffer([]byte(
-				`{"status":"invalid event","message":"Event object is invalid","errors":["Length of 'routing_key' is incorrect (should be 32 characters)"]}`,
-			)),
-
-			exp: "Length of 'routing_key' is incorrect",
-		},
-		{
-			status: http.StatusBadRequest,
-			body:   bytes.NewBuffer([]byte(`{"status"}`)),
-
-			exp: "",
-		},
-		{
-			status: http.StatusBadRequest,
-
-			exp: "",
-		},
-		{
-			status: http.StatusTooManyRequests,
-
-			exp: "",
-		},
-	} {
-		t.Run("", func(t *testing.T) {
-			err := errDetails(tc.status, tc.body)
-			require.Contains(t, err, tc.exp)
-		})
-	}
-}
-
-func TestEventSizeEnforcement(t *testing.T) {
-	bigDetailsV1 := map[string]any{
-		"firing": strings.Repeat("a", 513000),
-	}
-	bigDetailsV2 := map[string]any{
-		"firing": strings.Repeat("a", 513000),
-	}
-
-	// V1 Messages
-	msgV1 := &pagerDutyMessage{
-		ServiceKey: "01234567890123456789012345678901",
-		EventType:  "trigger",
-		Details:    bigDetailsV1,
-	}
-
-	notifierV1, err := New(
-		&config.PagerdutyConfig{
-			ServiceKey: config.Secret("01234567890123456789012345678901"),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	encodedV1, err := notifierV1.encodeMessage(context.Background(), msgV1)
-	require.NoError(t, err)
-	require.Contains(t, encodedV1.String(), `"details":{"error":"Custom details have been removed because the original event exceeds the maximum size of 512KB"}`)
-
-	// V2 Messages
-	msgV2 := &pagerDutyMessage{
-		RoutingKey:  "01234567890123456789012345678901",
-		EventAction: "trigger",
-		Payload: &pagerDutyPayload{
-			CustomDetails: bigDetailsV2,
-		},
-	}
-
-	notifierV2, err := New(
-		&config.PagerdutyConfig{
-			RoutingKey: config.Secret("01234567890123456789012345678901"),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	encodedV2, err := notifierV2.encodeMessage(context.Background(), msgV2)
-	require.NoError(t, err)
-	require.Contains(t, encodedV2.String(), `"custom_details":{"error":"Custom details have been removed because the original event exceeds the maximum size of 512KB"}`)
-}
-
-func TestPagerDutyEmptySrcHref(t *testing.T) {
-	type pagerDutyEvent struct {
-		RoutingKey  string           `json:"routing_key"`
-		EventAction string           `json:"event_action"`
-		DedupKey    string           `json:"dedup_key"`
-		Payload     pagerDutyPayload `json:"payload"`
-		Images      []pagerDutyImage
-		Links       []pagerDutyLink
-	}
-
-	images := []config.PagerdutyImage{
-		{
-			Src:  "",
-			Alt:  "Empty src",
-			Href: "https://example.com/",
-		},
-		{
-			Src:  "https://example.com/cat.jpg",
-			Alt:  "Empty href",
-			Href: "",
-		},
-		{
-			Src:  "https://example.com/cat.jpg",
-			Alt:  "",
-			Href: "https://example.com/",
-		},
-	}
-
-	links := []config.PagerdutyLink{
-		{
-			Href: "",
-			Text: "Empty href",
-		},
-		{
-			Href: "https://example.com/",
-			Text: "",
-		},
-	}
-
-	expectedImages := make([]pagerDutyImage, 0, len(images))
-	for _, image := range images {
-		if image.Src == "" {
-			continue
-		}
-		expectedImages = append(expectedImages, pagerDutyImage{
-			Src:  image.Src,
-			Alt:  image.Alt,
-			Href: image.Href,
-		})
-	}
-
-	expectedLinks := make([]pagerDutyLink, 0, len(links))
-	for _, link := range links {
-		if link.Href == "" {
-			continue
-		}
-		expectedLinks = append(expectedLinks, pagerDutyLink{
-			HRef: link.Href,
-			Text: link.Text,
-		})
-	}
-
-	server := httptest.NewServer(http.HandlerFunc(
-		func(w http.ResponseWriter, r *http.Request) {
-			decoder := json.NewDecoder(r.Body)
-			var event pagerDutyEvent
-			if err := decoder.Decode(&event); err != nil {
-				panic(err)
-			}
-
-			if event.RoutingKey == "" || event.EventAction == "" {
-				http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-				return
-			}
-
-			for _, image := range event.Images {
-				if image.Src == "" {
-					http.Error(w, "Event object is invalid: 'image src' is missing or blank", http.StatusBadRequest)
-					return
-				}
-			}
-
-			for _, link := range event.Links {
-				if link.HRef == "" {
-					http.Error(w, "Event object is invalid: 'link href' is missing or blank", http.StatusBadRequest)
-					return
-				}
-			}
-
-			require.Equal(t, expectedImages, event.Images)
-			require.Equal(t, expectedLinks, event.Links)
-		},
-	))
-	defer server.Close()
-
-	url, err := url.Parse(server.URL)
-	require.NoError(t, err)
-
-	pagerDutyConfig := config.PagerdutyConfig{
-		HTTPConfig: &commoncfg.HTTPClientConfig{},
-		RoutingKey: config.Secret("01234567890123456789012345678901"),
-		URL:        &config.URL{URL: url},
-		Images:     images,
-		Links:      links,
-	}
-
-	pagerDuty, err := New(&pagerDutyConfig, test.CreateTmpl(t), promslog.NewNopLogger())
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	ctx = notify.WithGroupKey(ctx, "1")
-
-	_, err = pagerDuty.Notify(ctx, []*types.Alert{
-		{
-			Alert: model.Alert{
-				Labels: model.LabelSet{
-					"lbl1": "val1",
-				},
-				StartsAt: time.Now(),
-				EndsAt:   time.Now().Add(time.Hour),
-			},
-		},
-	}...)
-	require.NoError(t, err)
-}
-
-func TestPagerDutyTimeout(t *testing.T) {
-	type pagerDutyEvent struct {
-		RoutingKey  string           `json:"routing_key"`
-		EventAction string           `json:"event_action"`
-		DedupKey    string           `json:"dedup_key"`
-		Payload     pagerDutyPayload `json:"payload"`
-		Images      []pagerDutyImage
-		Links       []pagerDutyLink
-	}
-
-	tests := map[string]struct {
-		latency time.Duration
-		timeout time.Duration
-		wantErr bool
-	}{
-		"success": {latency: 100 * time.Millisecond, timeout: 120 * time.Millisecond, wantErr: false},
-		"error":   {latency: 100 * time.Millisecond, timeout: 80 * time.Millisecond, wantErr: true},
-	}
-
-	for name, tt := range tests {
-		t.Run(name, func(t *testing.T) {
-			srv := httptest.NewServer(http.HandlerFunc(
-				func(w http.ResponseWriter, r *http.Request) {
-					decoder := json.NewDecoder(r.Body)
-					var event pagerDutyEvent
-					if err := decoder.Decode(&event); err != nil {
-						panic(err)
-					}
-
-					if event.RoutingKey == "" || event.EventAction == "" {
-						http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-						return
-					}
-					time.Sleep(tt.latency)
-				},
-			))
-			defer srv.Close()
-			u, err := url.Parse(srv.URL)
-			require.NoError(t, err)
-
-			cfg := config.PagerdutyConfig{
-				HTTPConfig: &commoncfg.HTTPClientConfig{},
-				RoutingKey: config.Secret("01234567890123456789012345678901"),
-				URL:        &config.URL{URL: u},
-				Timeout:    tt.timeout,
-			}
-
-			pd, err := New(&cfg, test.CreateTmpl(t), promslog.NewNopLogger())
-			require.NoError(t, err)
-
-			ctx := context.Background()
-			ctx = notify.WithGroupKey(ctx, "1")
-			alert := &types.Alert{
-				Alert: model.Alert{
-					Labels: model.LabelSet{
-						"lbl1": "val1",
-					},
-					StartsAt: time.Now(),
-					EndsAt:   time.Now().Add(time.Hour),
-				},
-			}
-			_, err = pd.Notify(ctx, alert)
-			require.Equal(t, tt.wantErr, err != nil)
-		})
-	}
-}
-
-func TestRenderDetails(t *testing.T) {
-	type args struct {
-		details map[string]any
-		data    *template.Data
-	}
-	tests := []struct {
-		name    string
-		args    args
-		want    map[string]any
-		wantErr bool
-	}{
-		{
-			name: "flat",
-			args: args{
-				details: map[string]any{
-					"a": "{{ .Status }}",
-					"b": "String",
-				},
-				data: &template.Data{
-					Status: "Flat",
-				},
-			},
-			want: map[string]any{
-				"a": "Flat",
-				"b": "String",
-			},
-			wantErr: false,
-		},
-		{
-			name: "flat error",
-			args: args{
-				details: map[string]any{
-					"a": "{{ .Status",
-				},
-				data: &template.Data{
-					Status: "Error",
-				},
-			},
-			want:    nil,
-			wantErr: true,
-		},
-		{
-			name: "nested",
-			args: args{
-				details: map[string]any{
-					"a": map[string]any{
-						"b": map[string]any{
-							"c": "{{ .Status }}",
-							"d": "String",
-						},
-					},
-				},
-				data: &template.Data{
-					Status: "Nested",
-				},
-			},
-			want: map[string]any{
-				"a": map[string]any{
-					"b": map[string]any{
-						"c": "Nested",
-						"d": "String",
-					},
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "nested error",
-			args: args{
-				details: map[string]any{
-					"a": map[string]any{
-						"b": map[string]any{
-							"c": "{{ .Status",
-						},
-					},
-				},
-				data: &template.Data{
-					Status: "Error",
-				},
-			},
-			want:    nil,
-			wantErr: true,
-		},
-		{
-			name: "alerts",
-			args: args{
-				details: map[string]any{
-					"alerts": map[string]any{
-						"firing":       "{{ .Alerts.Firing | toJson }}",
-						"resolved":     "{{ .Alerts.Resolved | toJson }}",
-						"num_firing":   "{{ len .Alerts.Firing }}",
-						"num_resolved": "{{ len .Alerts.Resolved }}",
-					},
-				},
-				data: &template.Data{
-					Alerts: template.Alerts{
-						{
-							Status: "firing",
-							Annotations: template.KV{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							Labels: template.KV{
-								"alertname": "Firing1",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							Fingerprint:  "fingerprint1",
-							GeneratorURL: "http://generator1",
-							StartsAt:     time.Date(2001, time.January, 1, 0, 0, 0, 0, time.UTC),
-							EndsAt:       time.Date(2001, time.January, 1, 1, 0, 0, 0, time.UTC),
-						},
-						{
-							Status: "firing",
-							Annotations: template.KV{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							Labels: template.KV{
-								"alertname": "Firing2",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							Fingerprint:  "fingerprint2",
-							GeneratorURL: "http://generator2",
-							StartsAt:     time.Date(2002, time.January, 1, 0, 0, 0, 0, time.UTC),
-							EndsAt:       time.Date(2002, time.January, 1, 1, 0, 0, 0, time.UTC),
-						},
-						{
-							Status: "resolved",
-							Annotations: template.KV{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							Labels: template.KV{
-								"alertname": "Resolved1",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							Fingerprint:  "fingerprint3",
-							GeneratorURL: "http://generator3",
-							StartsAt:     time.Date(2001, time.January, 1, 0, 0, 0, 0, time.UTC),
-							EndsAt:       time.Date(2001, time.January, 1, 1, 0, 0, 0, time.UTC),
-						},
-						{
-							Status: "resolved",
-							Annotations: template.KV{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							Labels: template.KV{
-								"alertname": "Resolved2",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							Fingerprint:  "fingerprint4",
-							GeneratorURL: "http://generator4",
-							StartsAt:     time.Date(2002, time.January, 1, 0, 0, 0, 0, time.UTC),
-							EndsAt:       time.Date(2002, time.January, 1, 1, 0, 0, 0, time.UTC),
-						},
-					},
-				},
-			},
-			want: map[string]any{
-				"alerts": map[string]any{
-					"firing": []any{
-						map[string]any{
-							"status": "firing",
-							"labels": map[string]any{
-								"alertname": "Firing1",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							"annotations": map[string]any{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							"startsAt":     time.Date(2001, time.January, 1, 0, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"endsAt":       time.Date(2001, time.January, 1, 1, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"fingerprint":  "fingerprint1",
-							"generatorURL": "http://generator1",
-						},
-						map[string]any{
-							"status": "firing",
-							"labels": map[string]any{
-								"alertname": "Firing2",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							"annotations": map[string]any{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							"startsAt":     time.Date(2002, time.January, 1, 0, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"endsAt":       time.Date(2002, time.January, 1, 1, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"fingerprint":  "fingerprint2",
-							"generatorURL": "http://generator2",
-						},
-					},
-					"resolved": []any{
-						map[string]any{
-							"status": "resolved",
-							"labels": map[string]any{
-								"alertname": "Resolved1",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							"annotations": map[string]any{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							"startsAt":     time.Date(2001, time.January, 1, 0, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"endsAt":       time.Date(2001, time.January, 1, 1, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"fingerprint":  "fingerprint3",
-							"generatorURL": "http://generator3",
-						},
-						map[string]any{
-							"status": "resolved",
-							"labels": map[string]any{
-								"alertname": "Resolved2",
-								"label1":    "value1",
-								"label2":    "value2",
-							},
-							"annotations": map[string]any{
-								"annotation1": "value1",
-								"annotation2": "value2",
-							},
-							"startsAt":     time.Date(2002, time.January, 1, 0, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"endsAt":       time.Date(2002, time.January, 1, 1, 0, 0, 0, time.UTC).Format(time.RFC3339),
-							"fingerprint":  "fingerprint4",
-							"generatorURL": "http://generator4",
-						},
-					},
-					"num_firing":   2,
-					"num_resolved": 2,
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			n := &Notifier{
-				conf: &config.PagerdutyConfig{
-					Details: tt.args.details,
-				},
-				tmpl: test.CreateTmpl(t),
-			}
-			got, err := n.renderDetails(tt.args.data)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("renderDetails() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			require.Equal(t, tt.want, got)
-		})
-	}
-}

pkg/alertmanager/alertmanagernotify/receiver.go

@@ -2,14 +2,8 @@ package alertmanagernotify
 
 import (
 	"log/slog"
-	"slices"
 
-	"github.com/SigNoz/signoz/pkg/alertmanager/alertmanagernotify/email"
 	"github.com/SigNoz/signoz/pkg/alertmanager/alertmanagernotify/msteamsv2"
-	"github.com/SigNoz/signoz/pkg/alertmanager/alertmanagernotify/opsgenie"
-	"github.com/SigNoz/signoz/pkg/alertmanager/alertmanagernotify/pagerduty"
-	"github.com/SigNoz/signoz/pkg/alertmanager/alertmanagernotify/slack"
-	"github.com/SigNoz/signoz/pkg/alertmanager/alertmanagernotify/webhook"
 	"github.com/SigNoz/signoz/pkg/types/alertmanagertypes"
 	"github.com/prometheus/alertmanager/config/receiver"
 	"github.com/prometheus/alertmanager/notify"
@@ -17,15 +11,6 @@ import (
 	"github.com/prometheus/alertmanager/types"
 )
 
-var customNotifierIntegrations = []string{
-	webhook.Integration,
-	email.Integration,
-	pagerduty.Integration,
-	opsgenie.Integration,
-	slack.Integration,
-	msteamsv2.Integration,
-}
-
 func NewReceiverIntegrations(nc alertmanagertypes.Receiver, tmpl *template.Template, logger *slog.Logger) ([]notify.Integration, error) {
 	upstreamIntegrations, err := receiver.BuildReceiverIntegrations(nc, tmpl, logger)
 	if err != nil {
@@ -46,29 +31,14 @@ func NewReceiverIntegrations(nc alertmanagertypes.Receiver, tmpl *template.Templ
 	)
 
 	for _, integration := range upstreamIntegrations {
-		// skip upstream integration if we support custom integration for it
-		if !slices.Contains(customNotifierIntegrations, integration.Name()) {
+		// skip upstream msteamsv2 integration
+		if integration.Name() != "msteamsv2" {
 			integrations = append(integrations, integration)
 		}
 	}
 
-	for i, c := range nc.WebhookConfigs {
-		add(webhook.Integration, i, c, func(l *slog.Logger) (notify.Notifier, error) { return webhook.New(c, tmpl, l) })
-	}
-	for i, c := range nc.EmailConfigs {
-		add(email.Integration, i, c, func(l *slog.Logger) (notify.Notifier, error) { return email.New(c, tmpl, l), nil })
-	}
-	for i, c := range nc.PagerdutyConfigs {
-		add(pagerduty.Integration, i, c, func(l *slog.Logger) (notify.Notifier, error) { return pagerduty.New(c, tmpl, l) })
-	}
-	for i, c := range nc.OpsGenieConfigs {
-		add(opsgenie.Integration, i, c, func(l *slog.Logger) (notify.Notifier, error) { return opsgenie.New(c, tmpl, l) })
-	}
-	for i, c := range nc.SlackConfigs {
-		add(slack.Integration, i, c, func(l *slog.Logger) (notify.Notifier, error) { return slack.New(c, tmpl, l) })
-	}
 	for i, c := range nc.MSTeamsV2Configs {
-		add(msteamsv2.Integration, i, c, func(l *slog.Logger) (notify.Notifier, error) {
+		add("msteamsv2", i, c, func(l *slog.Logger) (notify.Notifier, error) {
 			return msteamsv2.New(c, tmpl, `{{ template "msteamsv2.default.titleLink" . }}`, l)
 		})
 	}

pkg/alertmanager/alertmanagernotify/slack/slack.go

@@ -1,278 +0,0 @@
-package slack
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"io"
-	"log/slog"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	commoncfg "github.com/prometheus/common/config"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-const (
-	Integration = "slack"
-)
-
-// https://api.slack.com/reference/messaging/attachments#legacy_fields - 1024, no units given, assuming runes or characters.
-const maxTitleLenRunes = 1024
-
-// Notifier implements a Notifier for Slack notifications.
-type Notifier struct {
-	conf    *config.SlackConfig
-	tmpl    *template.Template
-	logger  *slog.Logger
-	client  *http.Client
-	retrier *notify.Retrier
-
-	postJSONFunc func(ctx context.Context, client *http.Client, url string, body io.Reader) (*http.Response, error)
-}
-
-// New returns a new Slack notification handler.
-func New(c *config.SlackConfig, t *template.Template, l *slog.Logger, httpOpts ...commoncfg.HTTPClientOption) (*Notifier, error) {
-	client, err := notify.NewClientWithTracing(*c.HTTPConfig, Integration, httpOpts...)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Notifier{
-		conf:         c,
-		tmpl:         t,
-		logger:       l,
-		client:       client,
-		retrier:      &notify.Retrier{},
-		postJSONFunc: notify.PostJSON,
-	}, nil
-}
-
-// request is the request for sending a slack notification.
-type request struct {
-	Channel     string       `json:"channel,omitempty"`
-	Username    string       `json:"username,omitempty"`
-	IconEmoji   string       `json:"icon_emoji,omitempty"`
-	IconURL     string       `json:"icon_url,omitempty"`
-	LinkNames   bool         `json:"link_names,omitempty"`
-	Text        string       `json:"text,omitempty"`
-	Attachments []attachment `json:"attachments"`
-}
-
-// attachment is used to display a richly-formatted message block.
-type attachment struct {
-	Title      string               `json:"title,omitempty"`
-	TitleLink  string               `json:"title_link,omitempty"`
-	Pretext    string               `json:"pretext,omitempty"`
-	Text       string               `json:"text"`
-	Fallback   string               `json:"fallback"`
-	CallbackID string               `json:"callback_id"`
-	Fields     []config.SlackField  `json:"fields,omitempty"`
-	Actions    []config.SlackAction `json:"actions,omitempty"`
-	ImageURL   string               `json:"image_url,omitempty"`
-	ThumbURL   string               `json:"thumb_url,omitempty"`
-	Footer     string               `json:"footer"`
-	Color      string               `json:"color,omitempty"`
-	MrkdwnIn   []string             `json:"mrkdwn_in,omitempty"`
-}
-
-// Notify implements the Notifier interface.
-func (n *Notifier) Notify(ctx context.Context, as ...*types.Alert) (bool, error) {
-	var err error
-
-	key, err := notify.ExtractGroupKey(ctx)
-	if err != nil {
-		return false, err
-	}
-	logger := n.logger.With("group_key", key)
-	logger.DebugContext(ctx, "extracted group key")
-
-	var (
-		data     = notify.GetTemplateData(ctx, n.tmpl, as, logger)
-		tmplText = notify.TmplText(n.tmpl, data, &err)
-	)
-	var markdownIn []string
-
-	if len(n.conf.MrkdwnIn) == 0 {
-		markdownIn = []string{"fallback", "pretext", "text"}
-	} else {
-		markdownIn = n.conf.MrkdwnIn
-	}
-
-	title, truncated := notify.TruncateInRunes(tmplText(n.conf.Title), maxTitleLenRunes)
-	if truncated {
-		logger.WarnContext(ctx, "Truncated title", "max_runes", maxTitleLenRunes)
-	}
-	att := &attachment{
-		Title:      title,
-		TitleLink:  tmplText(n.conf.TitleLink),
-		Pretext:    tmplText(n.conf.Pretext),
-		Text:       tmplText(n.conf.Text),
-		Fallback:   tmplText(n.conf.Fallback),
-		CallbackID: tmplText(n.conf.CallbackID),
-		ImageURL:   tmplText(n.conf.ImageURL),
-		ThumbURL:   tmplText(n.conf.ThumbURL),
-		Footer:     tmplText(n.conf.Footer),
-		Color:      tmplText(n.conf.Color),
-		MrkdwnIn:   markdownIn,
-	}
-
-	numFields := len(n.conf.Fields)
-	if numFields > 0 {
-		fields := make([]config.SlackField, numFields)
-		for index, field := range n.conf.Fields {
-			// Check if short was defined for the field otherwise fallback to the global setting
-			var short bool
-			if field.Short != nil {
-				short = *field.Short
-			} else {
-				short = n.conf.ShortFields
-			}
-
-			// Rebuild the field by executing any templates and setting the new value for short
-			fields[index] = config.SlackField{
-				Title: tmplText(field.Title),
-				Value: tmplText(field.Value),
-				Short: &short,
-			}
-		}
-		att.Fields = fields
-	}
-
-	numActions := len(n.conf.Actions)
-	if numActions > 0 {
-		actions := make([]config.SlackAction, numActions)
-		for index, action := range n.conf.Actions {
-			slackAction := config.SlackAction{
-				Type:  tmplText(action.Type),
-				Text:  tmplText(action.Text),
-				URL:   tmplText(action.URL),
-				Style: tmplText(action.Style),
-				Name:  tmplText(action.Name),
-				Value: tmplText(action.Value),
-			}
-
-			if action.ConfirmField != nil {
-				slackAction.ConfirmField = &config.SlackConfirmationField{
-					Title:       tmplText(action.ConfirmField.Title),
-					Text:        tmplText(action.ConfirmField.Text),
-					OkText:      tmplText(action.ConfirmField.OkText),
-					DismissText: tmplText(action.ConfirmField.DismissText),
-				}
-			}
-
-			actions[index] = slackAction
-		}
-		att.Actions = actions
-	}
-
-	req := &request{
-		Channel:     tmplText(n.conf.Channel),
-		Username:    tmplText(n.conf.Username),
-		IconEmoji:   tmplText(n.conf.IconEmoji),
-		IconURL:     tmplText(n.conf.IconURL),
-		LinkNames:   n.conf.LinkNames,
-		Text:        tmplText(n.conf.MessageText),
-		Attachments: []attachment{*att},
-	}
-	if err != nil {
-		return false, err
-	}
-
-	var buf bytes.Buffer
-	if err := json.NewEncoder(&buf).Encode(req); err != nil {
-		return false, err
-	}
-
-	var u string
-	if n.conf.APIURL != nil {
-		u = n.conf.APIURL.String()
-	} else {
-		content, err := os.ReadFile(n.conf.APIURLFile)
-		if err != nil {
-			return false, err
-		}
-		u = strings.TrimSpace(string(content))
-	}
-
-	if n.conf.Timeout > 0 {
-		postCtx, cancel := context.WithTimeoutCause(ctx, n.conf.Timeout, errors.NewInternalf(errors.CodeTimeout, "configured slack timeout reached (%s)", n.conf.Timeout))
-		defer cancel()
-		ctx = postCtx
-	}
-
-	resp, err := n.postJSONFunc(ctx, n.client, u, &buf) //nolint:bodyclose
-	if err != nil {
-		if ctx.Err() != nil {
-			err = errors.NewInternalf(errors.CodeInternal, "failed to post JSON to slack: %v", context.Cause(ctx))
-		}
-		return true, notify.RedactURL(err)
-	}
-	defer notify.Drain(resp)
-
-	// Use a retrier to generate an error message for non-200 responses and
-	// classify them as retriable or not.
-	retry, err := n.retrier.Check(resp.StatusCode, resp.Body)
-	if err != nil {
-		err = errors.NewInternalf(errors.CodeInternal, "channel %q: %v", req.Channel, err)
-		return retry, notify.NewErrorWithReason(notify.GetFailureReasonFromStatusCode(resp.StatusCode), err)
-	}
-
-	// Slack web API might return errors with a 200 response code.
-	// https://slack.dev/node-slack-sdk/web-api#handle-errors
-	retry, err = checkResponseError(resp)
-	if err != nil {
-		err = errors.NewInternalf(errors.CodeInternal, "channel %q: %v", req.Channel, err)
-		return retry, notify.NewErrorWithReason(notify.ClientErrorReason, err)
-	}
-
-	return retry, nil
-}
-
-// checkResponseError parses out the error message from Slack API response.
-func checkResponseError(resp *http.Response) (bool, error) {
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return true, errors.WrapInternalf(err, errors.CodeInternal, "could not read response body")
-	}
-
-	if strings.HasPrefix(resp.Header.Get("Content-Type"), "application/json") {
-		return checkJSONResponseError(body)
-	}
-	return checkTextResponseError(body)
-}
-
-// checkTextResponseError classifies plaintext responses from Slack.
-// A plaintext (non-JSON) response is successful if it's a string "ok".
-// This is typically a response for an Incoming Webhook
-// (https://api.slack.com/messaging/webhooks#handling_errors)
-func checkTextResponseError(body []byte) (bool, error) {
-	if !bytes.Equal(body, []byte("ok")) {
-		return false, errors.NewInternalf(errors.CodeInternal, "received an error response from Slack: %s", string(body))
-	}
-	return false, nil
-}
-
-// checkJSONResponseError classifies JSON responses from Slack.
-func checkJSONResponseError(body []byte) (bool, error) {
-	// response is for parsing out errors from the JSON response.
-	type response struct {
-		OK    bool   `json:"ok"`
-		Error string `json:"error"`
-	}
-
-	var data response
-	if err := json.Unmarshal(body, &data); err != nil {
-		return true, errors.NewInternalf(errors.CodeInternal, "could not unmarshal JSON response %q: %v", string(body), err)
-	}
-	if !data.OK {
-		return false, errors.NewInternalf(errors.CodeInternal, "error response from Slack: %s", data.Error)
-	}
-	return false, nil
-}

pkg/alertmanager/alertmanagernotify/slack/slack_test.go

@@ -1,339 +0,0 @@
-package slack
-
-import (
-	"context"
-	"encoding/json"
-	"io"
-	"log/slog"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"os"
-	"strings"
-	"testing"
-	"time"
-
-	commoncfg "github.com/prometheus/common/config"
-	"github.com/prometheus/common/model"
-	"github.com/prometheus/common/promslog"
-	"github.com/stretchr/testify/require"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/notify/test"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-func TestSlackRetry(t *testing.T) {
-	notifier, err := New(
-		&config.SlackConfig{
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	for statusCode, expected := range test.RetryTests(test.DefaultRetryCodes()) {
-		actual, _ := notifier.retrier.Check(statusCode, nil)
-		require.Equal(t, expected, actual, "error on status %d", statusCode)
-	}
-}
-
-func TestSlackRedactedURL(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	notifier, err := New(
-		&config.SlackConfig{
-			APIURL:     &config.SecretURL{URL: u},
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, u.String())
-}
-
-func TestGettingSlackURLFromFile(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	f, err := os.CreateTemp(t.TempDir(), "slack_test")
-	require.NoError(t, err, "creating temp file failed")
-	_, err = f.WriteString(u.String())
-	require.NoError(t, err, "writing to temp file failed")
-
-	notifier, err := New(
-		&config.SlackConfig{
-			APIURLFile: f.Name(),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, u.String())
-}
-
-func TestTrimmingSlackURLFromFile(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	f, err := os.CreateTemp(t.TempDir(), "slack_test_newline")
-	require.NoError(t, err, "creating temp file failed")
-	_, err = f.WriteString(u.String() + "\n\n")
-	require.NoError(t, err, "writing to temp file failed")
-
-	notifier, err := New(
-		&config.SlackConfig{
-			APIURLFile: f.Name(),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, u.String())
-}
-
-func TestNotifier_Notify_WithReason(t *testing.T) {
-	tests := []struct {
-		name           string
-		statusCode     int
-		responseBody   string
-		expectedReason notify.Reason
-		expectedErr    string
-		expectedRetry  bool
-		noError        bool
-	}{
-		{
-			name:           "with a 4xx status code",
-			statusCode:     http.StatusUnauthorized,
-			expectedReason: notify.ClientErrorReason,
-			expectedRetry:  false,
-			expectedErr:    "unexpected status code 401",
-		},
-		{
-			name:           "with a 5xx status code",
-			statusCode:     http.StatusInternalServerError,
-			expectedReason: notify.ServerErrorReason,
-			expectedRetry:  true,
-			expectedErr:    "unexpected status code 500",
-		},
-		{
-			name:           "with a 3xx status code",
-			statusCode:     http.StatusTemporaryRedirect,
-			expectedReason: notify.DefaultReason,
-			expectedRetry:  false,
-			expectedErr:    "unexpected status code 307",
-		},
-		{
-			name:           "with a 1xx status code",
-			statusCode:     http.StatusSwitchingProtocols,
-			expectedReason: notify.DefaultReason,
-			expectedRetry:  false,
-			expectedErr:    "unexpected status code 101",
-		},
-		{
-			name:           "2xx response with invalid JSON",
-			statusCode:     http.StatusOK,
-			responseBody:   `{"not valid json"}`,
-			expectedReason: notify.ClientErrorReason,
-			expectedRetry:  true,
-			expectedErr:    "could not unmarshal",
-		},
-		{
-			name:           "2xx response with a JSON error",
-			statusCode:     http.StatusOK,
-			responseBody:   `{"ok":false,"error":"error_message"}`,
-			expectedReason: notify.ClientErrorReason,
-			expectedRetry:  false,
-			expectedErr:    "error response from Slack: error_message",
-		},
-		{
-			name:           "2xx response with a plaintext error",
-			statusCode:     http.StatusOK,
-			responseBody:   "no_channel",
-			expectedReason: notify.ClientErrorReason,
-			expectedRetry:  false,
-			expectedErr:    "error response from Slack: no_channel",
-		},
-		{
-			name:         "successful JSON response",
-			statusCode:   http.StatusOK,
-			responseBody: `{"ok":true}`,
-			noError:      true,
-		},
-		{
-			name:         "successful plaintext response",
-			statusCode:   http.StatusOK,
-			responseBody: "ok",
-			noError:      true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			apiurl, _ := url.Parse("https://slack.com/post.Message")
-			notifier, err := New(
-				&config.SlackConfig{
-					NotifierConfig: config.NotifierConfig{},
-					HTTPConfig:     &commoncfg.HTTPClientConfig{},
-					APIURL:         &config.SecretURL{URL: apiurl},
-					Channel:        "channelname",
-				},
-				test.CreateTmpl(t),
-				promslog.NewNopLogger(),
-			)
-			require.NoError(t, err)
-
-			notifier.postJSONFunc = func(ctx context.Context, client *http.Client, url string, body io.Reader) (*http.Response, error) {
-				resp := httptest.NewRecorder()
-				if strings.HasPrefix(tt.responseBody, "{") {
-					resp.Header().Add("Content-Type", "application/json; charset=utf-8")
-				}
-				resp.WriteHeader(tt.statusCode)
-				_, _ = resp.WriteString(tt.responseBody)
-				return resp.Result(), nil
-			}
-			ctx := context.Background()
-			ctx = notify.WithGroupKey(ctx, "1")
-
-			alert1 := &types.Alert{
-				Alert: model.Alert{
-					StartsAt: time.Now(),
-					EndsAt:   time.Now().Add(time.Hour),
-				},
-			}
-			retry, err := notifier.Notify(ctx, alert1)
-			require.Equal(t, tt.expectedRetry, retry)
-			if tt.noError {
-				require.NoError(t, err)
-			} else {
-				var reasonError *notify.ErrorWithReason
-				require.ErrorAs(t, err, &reasonError)
-				require.Equal(t, tt.expectedReason, reasonError.Reason)
-				require.Contains(t, err.Error(), tt.expectedErr)
-				require.Contains(t, err.Error(), "channelname")
-			}
-		})
-	}
-}
-
-func TestSlackTimeout(t *testing.T) {
-	tests := map[string]struct {
-		latency time.Duration
-		timeout time.Duration
-		wantErr bool
-	}{
-		"success": {latency: 100 * time.Millisecond, timeout: 120 * time.Millisecond, wantErr: false},
-		"error":   {latency: 100 * time.Millisecond, timeout: 80 * time.Millisecond, wantErr: true},
-	}
-
-	for name, tt := range tests {
-		t.Run(name, func(t *testing.T) {
-			u, _ := url.Parse("https://slack.com/post.Message")
-			notifier, err := New(
-				&config.SlackConfig{
-					NotifierConfig: config.NotifierConfig{},
-					HTTPConfig:     &commoncfg.HTTPClientConfig{},
-					APIURL:         &config.SecretURL{URL: u},
-					Channel:        "channelname",
-					Timeout:        tt.timeout,
-				},
-				test.CreateTmpl(t),
-				promslog.NewNopLogger(),
-			)
-			require.NoError(t, err)
-			notifier.postJSONFunc = func(ctx context.Context, client *http.Client, url string, body io.Reader) (*http.Response, error) {
-				select {
-				case <-ctx.Done():
-					return nil, ctx.Err()
-				case <-time.After(tt.latency):
-					resp := httptest.NewRecorder()
-					resp.Header().Set("Content-Type", "application/json; charset=utf-8")
-					resp.WriteHeader(http.StatusOK)
-					_, _ = resp.WriteString(`{"ok":true}`)
-
-					return resp.Result(), nil
-				}
-			}
-			ctx := context.Background()
-			ctx = notify.WithGroupKey(ctx, "1")
-
-			alert := &types.Alert{
-				Alert: model.Alert{
-					StartsAt: time.Now(),
-					EndsAt:   time.Now().Add(time.Hour),
-				},
-			}
-			_, err = notifier.Notify(ctx, alert)
-			require.Equal(t, tt.wantErr, err != nil)
-		})
-	}
-}
-
-func TestSlackMessageField(t *testing.T) {
-	// 1. Setup a fake Slack server
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var body map[string]any
-		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
-			t.Fatal(err)
-		}
-
-		// 2. VERIFY: Top-level text exists
-		if body["text"] != "My Top Level Message" {
-			t.Errorf("Expected top-level 'text' to be 'My Top Level Message', got %v", body["text"])
-		}
-
-		// 3. VERIFY: Old attachments still exist
-		attachments, ok := body["attachments"].([]any)
-		if !ok || len(attachments) == 0 {
-			t.Errorf("Expected attachments to exist")
-		} else {
-			first := attachments[0].(map[string]any)
-			if first["title"] != "Old Attachment Title" {
-				t.Errorf("Expected attachment title 'Old Attachment Title', got %v", first["title"])
-			}
-		}
-
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(`{"ok": true}`))
-	}))
-	defer server.Close()
-
-	// 4. Configure Notifier with BOTH new and old fields
-	u, _ := url.Parse(server.URL)
-	conf := &config.SlackConfig{
-		APIURL:      &config.SecretURL{URL: u},
-		MessageText: "My Top Level Message", // Your NEW field
-		Title:       "Old Attachment Title", // An OLD field
-		Channel:     "#test-channel",
-		HTTPConfig:  &commoncfg.HTTPClientConfig{},
-	}
-
-	tmpl, err := template.FromGlobs([]string{})
-	if err != nil {
-		t.Fatal(err)
-	}
-	tmpl.ExternalURL = u
-
-	logger := slog.New(slog.DiscardHandler)
-	notifier, err := New(conf, tmpl, logger)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	ctx := context.Background()
-	ctx = notify.WithGroupKey(ctx, "test-group-key")
-
-	if _, err := notifier.Notify(ctx); err != nil {
-		t.Fatal("Notify failed:", err)
-	}
-}

pkg/alertmanager/alertmanagernotify/webhook/webhook.go

@@ -1,136 +0,0 @@
-package webhook
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"log/slog"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	commoncfg "github.com/prometheus/common/config"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/template"
-	"github.com/prometheus/alertmanager/types"
-)
-
-const (
-	Integration = "webhook"
-)
-
-// Notifier implements a Notifier for generic webhooks.
-type Notifier struct {
-	conf    *config.WebhookConfig
-	tmpl    *template.Template
-	logger  *slog.Logger
-	client  *http.Client
-	retrier *notify.Retrier
-}
-
-// New returns a new Webhook.
-func New(conf *config.WebhookConfig, t *template.Template, l *slog.Logger, httpOpts ...commoncfg.HTTPClientOption) (*Notifier, error) {
-	client, err := notify.NewClientWithTracing(*conf.HTTPConfig, Integration, httpOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return &Notifier{
-		conf:   conf,
-		tmpl:   t,
-		logger: l,
-		client: client,
-		// Webhooks are assumed to respond with 2xx response codes on a successful
-		// request and 5xx response codes are assumed to be recoverable.
-		retrier: &notify.Retrier{},
-	}, nil
-}
-
-// Message defines the JSON object send to webhook endpoints.
-type Message struct {
-	*template.Data
-
-	// The protocol version.
-	Version         string `json:"version"`
-	GroupKey        string `json:"groupKey"`
-	TruncatedAlerts uint64 `json:"truncatedAlerts"`
-}
-
-func truncateAlerts(maxAlerts uint64, alerts []*types.Alert) ([]*types.Alert, uint64) {
-	if maxAlerts != 0 && uint64(len(alerts)) > maxAlerts {
-		return alerts[:maxAlerts], uint64(len(alerts)) - maxAlerts
-	}
-
-	return alerts, 0
-}
-
-// Notify implements the Notifier interface.
-func (n *Notifier) Notify(ctx context.Context, alerts ...*types.Alert) (bool, error) {
-	alerts, numTruncated := truncateAlerts(n.conf.MaxAlerts, alerts)
-	data := notify.GetTemplateData(ctx, n.tmpl, alerts, n.logger)
-
-	groupKey, err := notify.ExtractGroupKey(ctx)
-	if err != nil {
-		return false, err
-	}
-
-	logger := n.logger.With("group_key", groupKey)
-	logger.DebugContext(ctx, "extracted group key")
-
-	msg := &Message{
-		Version:         "4",
-		Data:            data,
-		GroupKey:        groupKey.String(),
-		TruncatedAlerts: numTruncated,
-	}
-
-	var buf bytes.Buffer
-	if err := json.NewEncoder(&buf).Encode(msg); err != nil {
-		return false, err
-	}
-
-	var url string
-	var tmplErr error
-	tmpl := notify.TmplText(n.tmpl, data, &tmplErr)
-
-	if n.conf.URL != "" {
-		url = tmpl(string(n.conf.URL))
-	} else {
-		content, err := os.ReadFile(n.conf.URLFile)
-		if err != nil {
-			return false, errors.WrapInternalf(err, errors.CodeInternal, "read url_file")
-		}
-		url = tmpl(strings.TrimSpace(string(content)))
-	}
-
-	if tmplErr != nil {
-		return false, errors.NewInternalf(errors.CodeInternal, "failed to template webhook URL: %v", tmplErr)
-	}
-
-	if url == "" {
-		return false, errors.NewInternalf(errors.CodeInternal, "webhook URL is empty after templating")
-	}
-
-	if n.conf.Timeout > 0 {
-		postCtx, cancel := context.WithTimeoutCause(ctx, n.conf.Timeout, errors.NewInternalf(errors.CodeTimeout, "configured webhook timeout reached (%s)", n.conf.Timeout))
-		defer cancel()
-		ctx = postCtx
-	}
-
-	resp, err := notify.PostJSON(ctx, n.client, url, &buf) //nolint:bodyclose
-	if err != nil {
-		if ctx.Err() != nil {
-			err = errors.NewInternalf(errors.CodeInternal, "failed to post JSON to webhook: %v", context.Cause(ctx))
-		}
-		return true, notify.RedactURL(err)
-	}
-	defer notify.Drain(resp)
-
-	shouldRetry, err := n.retrier.Check(resp.StatusCode, resp.Body)
-	if err != nil {
-		return shouldRetry, notify.NewErrorWithReason(notify.GetFailureReasonFromStatusCode(resp.StatusCode), err)
-	}
-	return shouldRetry, err
-}

pkg/alertmanager/alertmanagernotify/webhook/webhook_test.go

@@ -1,214 +0,0 @@
-package webhook
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"testing"
-	"time"
-
-	commoncfg "github.com/prometheus/common/config"
-	"github.com/prometheus/common/model"
-	"github.com/prometheus/common/promslog"
-	"github.com/stretchr/testify/require"
-
-	"github.com/prometheus/alertmanager/config"
-	"github.com/prometheus/alertmanager/notify"
-	"github.com/prometheus/alertmanager/notify/test"
-	"github.com/prometheus/alertmanager/types"
-)
-
-func TestWebhookRetry(t *testing.T) {
-	notifier, err := New(
-		&config.WebhookConfig{
-			URL:        config.SecretTemplateURL("http://example.com"),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	if err != nil {
-		require.NoError(t, err)
-	}
-
-	t.Run("test retry status code", func(t *testing.T) {
-		for statusCode, expected := range test.RetryTests(test.DefaultRetryCodes()) {
-			actual, _ := notifier.retrier.Check(statusCode, nil)
-			require.Equal(t, expected, actual, "error on status %d", statusCode)
-		}
-	})
-
-	t.Run("test retry error details", func(t *testing.T) {
-		for _, tc := range []struct {
-			status int
-			body   io.Reader
-
-			exp string
-		}{
-			{
-				status: http.StatusBadRequest,
-				body: bytes.NewBuffer([]byte(
-					`{"status":"invalid event"}`,
-				)),
-
-				exp: fmt.Sprintf(`unexpected status code %d: {"status":"invalid event"}`, http.StatusBadRequest),
-			},
-			{
-				status: http.StatusBadRequest,
-
-				exp: fmt.Sprintf(`unexpected status code %d`, http.StatusBadRequest),
-			},
-		} {
-			t.Run("", func(t *testing.T) {
-				_, err = notifier.retrier.Check(tc.status, tc.body)
-				require.Equal(t, tc.exp, err.Error())
-			})
-		}
-	})
-}
-
-func TestWebhookTruncateAlerts(t *testing.T) {
-	alerts := make([]*types.Alert, 10)
-
-	truncatedAlerts, numTruncated := truncateAlerts(0, alerts)
-	require.Len(t, truncatedAlerts, 10)
-	require.EqualValues(t, 0, numTruncated)
-
-	truncatedAlerts, numTruncated = truncateAlerts(4, alerts)
-	require.Len(t, truncatedAlerts, 4)
-	require.EqualValues(t, 6, numTruncated)
-
-	truncatedAlerts, numTruncated = truncateAlerts(100, alerts)
-	require.Len(t, truncatedAlerts, 10)
-	require.EqualValues(t, 0, numTruncated)
-}
-
-func TestWebhookRedactedURL(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	secret := "secret"
-	notifier, err := New(
-		&config.WebhookConfig{
-			URL:        config.SecretTemplateURL(u.String()),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, secret)
-}
-
-func TestWebhookReadingURLFromFile(t *testing.T) {
-	ctx, u, fn := test.GetContextWithCancelingURL()
-	defer fn()
-
-	f, err := os.CreateTemp(t.TempDir(), "webhook_url")
-	require.NoError(t, err, "creating temp file failed")
-	_, err = f.WriteString(u.String() + "\n")
-	require.NoError(t, err, "writing to temp file failed")
-
-	notifier, err := New(
-		&config.WebhookConfig{
-			URLFile:    f.Name(),
-			HTTPConfig: &commoncfg.HTTPClientConfig{},
-		},
-		test.CreateTmpl(t),
-		promslog.NewNopLogger(),
-	)
-	require.NoError(t, err)
-
-	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, u.String())
-}
-
-func TestWebhookURLTemplating(t *testing.T) {
-	var calledURL string
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		calledURL = r.URL.Path
-		w.WriteHeader(http.StatusOK)
-	}))
-	defer srv.Close()
-
-	tests := []struct {
-		name           string
-		url            string
-		groupLabels    model.LabelSet
-		alertLabels    model.LabelSet
-		expectError    bool
-		expectedErrMsg string
-		expectedPath   string
-	}{
-		{
-			name:         "templating with alert labels",
-			url:          srv.URL + "/{{ .GroupLabels.alertname }}/{{ .CommonLabels.severity }}",
-			groupLabels:  model.LabelSet{"alertname": "TestAlert"},
-			alertLabels:  model.LabelSet{"alertname": "TestAlert", "severity": "critical"},
-			expectError:  false,
-			expectedPath: "/TestAlert/critical",
-		},
-		{
-			name:           "invalid template field",
-			url:            srv.URL + "/{{ .InvalidField }}",
-			groupLabels:    model.LabelSet{"alertname": "TestAlert"},
-			alertLabels:    model.LabelSet{"alertname": "TestAlert"},
-			expectError:    true,
-			expectedErrMsg: "failed to template webhook URL",
-		},
-		{
-			name:           "template renders to empty string",
-			url:            "{{ if .CommonLabels.nonexistent }}http://example.com{{ end }}",
-			groupLabels:    model.LabelSet{"alertname": "TestAlert"},
-			alertLabels:    model.LabelSet{"alertname": "TestAlert"},
-			expectError:    true,
-			expectedErrMsg: "webhook URL is empty after templating",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			calledURL = "" // Reset for each test
-
-			notifier, err := New(
-				&config.WebhookConfig{
-					URL:        config.SecretTemplateURL(tc.url),
-					HTTPConfig: &commoncfg.HTTPClientConfig{},
-				},
-				test.CreateTmpl(t),
-				promslog.NewNopLogger(),
-			)
-			require.NoError(t, err)
-
-			ctx := context.Background()
-			ctx = notify.WithGroupKey(ctx, "test-group")
-			if tc.groupLabels != nil {
-				ctx = notify.WithGroupLabels(ctx, tc.groupLabels)
-			}
-
-			alerts := []*types.Alert{
-				{
-					Alert: model.Alert{
-						Labels:   tc.alertLabels,
-						StartsAt: time.Now(),
-						EndsAt:   time.Now().Add(time.Hour),
-					},
-				},
-			}
-
-			_, err = notifier.Notify(ctx, alerts...)
-
-			if tc.expectError {
-				require.Error(t, err)
-				require.Contains(t, err.Error(), tc.expectedErrMsg)
-			} else {
-				require.NoError(t, err)
-				require.Equal(t, tc.expectedPath, calledURL)
-			}
-		})
-	}
-}

pkg/apiserver/signozapiserver/role.go

@@ -6,7 +6,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/gorilla/mux"
 )
 
@@ -16,7 +15,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Tags:                []string{"role"},
 		Summary:             "Create role",
 		Description:         "This endpoint creates a role",
-		Request:             new(roletypes.PostableRole),
+		Request:             new(authtypes.PostableRole),
 		RequestContentType:  "",
 		Response:            new(types.Identifiable),
 		ResponseContentType: "application/json",
@@ -35,7 +34,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all roles",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*roletypes.Role, 0),
+		Response:            make([]*authtypes.Role, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -52,7 +51,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Description:         "This endpoint gets a role",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(roletypes.Role),
+		Response:            new(authtypes.Role),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -84,7 +83,7 @@ func (provider *provider) addRoleRoutes(router *mux.Router) error {
 		Tags:                []string{"role"},
 		Summary:             "Patch role",
 		Description:         "This endpoint patches a role",
-		Request:             new(roletypes.PatchableRole),
+		Request:             new(authtypes.PatchableRole),
 		RequestContentType:  "",
 		Response:            nil,
 		ResponseContentType: "application/json",

pkg/apiserver/signozapiserver/user.go

@@ -186,7 +186,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all users",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*types.GettableUser, 0),
+		Response:            make([]*types.User, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -203,7 +203,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user I belong to",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -220,7 +220,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user by id",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -237,7 +237,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint updates the user by id",
 		Request:             new(types.User),
 		RequestContentType:  "application/json",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},

pkg/authn/authnstore/sqlauthnstore/store.go

@@ -17,8 +17,8 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
-	user := new(types.User)
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error) {
+	user := new(types.StorableUser)
 	factorPassword := new(types.FactorPassword)
 
 	err := store.

pkg/authn/passwordauthn/emailpasswordauthn/authn.go

@@ -30,5 +30,5 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}
 
-	return authtypes.NewIdentity(user.ID, orgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), nil
+	return authtypes.NewIdentity(user.ID, orgID, user.Email, types.RoleViewer, authtypes.IdentNProviderTokenizer), nil
 }

pkg/authz/authz.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 )
@@ -30,10 +29,10 @@ type AuthZ interface {
 	ListObjects(context.Context, string, authtypes.Relation, authtypes.Typeable) ([]*authtypes.Object, error)
 
 	// Creates the role.
-	Create(context.Context, valuer.UUID, *roletypes.Role) error
+	Create(context.Context, valuer.UUID, *authtypes.Role) error
 
 	// Gets the role if it exists or creates one.
-	GetOrCreate(context.Context, valuer.UUID, *roletypes.Role) (*roletypes.Role, error)
+	GetOrCreate(context.Context, valuer.UUID, *authtypes.Role) (*authtypes.Role, error)
 
 	// Gets the objects associated with the given role and relation.
 	GetObjects(context.Context, valuer.UUID, valuer.UUID, authtypes.Relation) ([]*authtypes.Object, error)
@@ -42,7 +41,7 @@ type AuthZ interface {
 	GetResources(context.Context) []*authtypes.Resource
 
 	// Patches the role.
-	Patch(context.Context, valuer.UUID, *roletypes.Role) error
+	Patch(context.Context, valuer.UUID, *authtypes.Role) error
 
 	// Patches the objects in authorization server associated with the given role and relation
 	PatchObjects(context.Context, valuer.UUID, string, authtypes.Relation, []*authtypes.Object, []*authtypes.Object) error
@@ -51,19 +50,19 @@ type AuthZ interface {
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
 
 	// Gets the role
-	Get(context.Context, valuer.UUID, valuer.UUID) (*roletypes.Role, error)
+	Get(context.Context, valuer.UUID, valuer.UUID) (*authtypes.Role, error)
 
 	// Gets the role by org_id and name
-	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*roletypes.Role, error)
+	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*authtypes.Role, error)
 
 	// Lists all the roles for the organization.
-	List(context.Context, valuer.UUID) ([]*roletypes.Role, error)
+	List(context.Context, valuer.UUID) ([]*authtypes.Role, error)
 
 	//  Lists all the roles for the organization filtered by name
-	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*roletypes.Role, error)
+	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*authtypes.Role, error)
 
 	//  Lists all the roles for the organization filtered by ids
-	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*roletypes.Role, error)
+	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*authtypes.Role, error)
 
 	// Grants a role to the subject based on role name.
 	Grant(context.Context, valuer.UUID, []string, string) error
@@ -75,7 +74,7 @@ type AuthZ interface {
 	ModifyGrant(context.Context, valuer.UUID, []string, []string, string) error
 
 	// Bootstrap the managed roles.
-	CreateManagedRoles(context.Context, valuer.UUID, []*roletypes.Role) error
+	CreateManagedRoles(context.Context, valuer.UUID, []*authtypes.Role) error
 
 	// Bootstrap managed roles transactions and user assignments
 	CreateManagedUserRoleTransactions(context.Context, valuer.UUID, valuer.UUID) error

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )
@@ -14,11 +14,11 @@ type store struct {
 	sqlstore sqlstore.SQLStore
 }
 
-func NewSqlAuthzStore(sqlstore sqlstore.SQLStore) roletypes.Store {
+func NewSqlAuthzStore(sqlstore sqlstore.SQLStore) authtypes.RoleStore {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) Create(ctx context.Context, role *roletypes.StorableRole) error {
+func (store *store) Create(ctx context.Context, role *authtypes.StorableRole) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -32,8 +32,8 @@ func (store *store) Create(ctx context.Context, role *roletypes.StorableRole) er
 	return nil
 }
 
-func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*roletypes.StorableRole, error) {
-	role := new(roletypes.StorableRole)
+func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.StorableRole, error) {
+	role := new(authtypes.StorableRole)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -43,14 +43,14 @@ func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID)
 		Where("id = ?", id).
 		Scan(ctx)
 	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, roletypes.ErrCodeRoleNotFound, "role with id: %s doesn't exist", id)
+		return nil, store.sqlstore.WrapNotFoundErrf(err, authtypes.ErrCodeRoleNotFound, "role with id: %s doesn't exist", id)
 	}
 
 	return role, nil
 }
 
-func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*roletypes.StorableRole, error) {
-	role := new(roletypes.StorableRole)
+func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.StorableRole, error) {
+	role := new(authtypes.StorableRole)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -60,14 +60,14 @@ func (store *store) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, na
 		Where("name = ?", name).
 		Scan(ctx)
 	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, roletypes.ErrCodeRoleNotFound, "role with name: %s doesn't exist", name)
+		return nil, store.sqlstore.WrapNotFoundErrf(err, authtypes.ErrCodeRoleNotFound, "role with name: %s doesn't exist", name)
 	}
 
 	return role, nil
 }
 
-func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.StorableRole, error) {
-	roles := make([]*roletypes.StorableRole, 0)
+func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.StorableRole, error) {
+	roles := make([]*authtypes.StorableRole, 0)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -82,8 +82,8 @@ func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.S
 	return roles, nil
 }
 
-func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*roletypes.StorableRole, error) {
-	roles := make([]*roletypes.StorableRole, 0)
+func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*authtypes.StorableRole, error) {
+	roles := make([]*authtypes.StorableRole, 0)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -99,7 +99,7 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 	if len(roles) != len(names) {
 		return nil, store.sqlstore.WrapNotFoundErrf(
 			nil,
-			roletypes.ErrCodeRoleNotFound,
+			authtypes.ErrCodeRoleNotFound,
 			"not all roles found for the provided names: %v", names,
 		)
 	}
@@ -107,8 +107,8 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 	return roles, nil
 }
 
-func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.StorableRole, error) {
-	roles := make([]*roletypes.StorableRole, 0)
+func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*authtypes.StorableRole, error) {
+	roles := make([]*authtypes.StorableRole, 0)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -124,7 +124,7 @@ func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, id
 	if len(roles) != len(ids) {
 		return nil, store.sqlstore.WrapNotFoundErrf(
 			nil,
-			roletypes.ErrCodeRoleNotFound,
+			authtypes.ErrCodeRoleNotFound,
 			"not all roles found for the provided ids: %v", ids,
 		)
 	}
@@ -132,7 +132,7 @@ func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, id
 	return roles, nil
 }
 
-func (store *store) Update(ctx context.Context, orgID valuer.UUID, role *roletypes.StorableRole) error {
+func (store *store) Update(ctx context.Context, orgID valuer.UUID, role *authtypes.StorableRole) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -153,12 +153,12 @@ func (store *store) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUI
 		sqlstore.
 		BunDBCtx(ctx).
 		NewDelete().
-		Model(new(roletypes.StorableRole)).
+		Model(new(authtypes.StorableRole)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)
 	if err != nil {
-		return store.sqlstore.WrapNotFoundErrf(err, roletypes.ErrCodeRoleNotFound, "role with id %s doesn't exist", id)
+		return store.sqlstore.WrapNotFoundErrf(err, authtypes.ErrCodeRoleNotFound, "role with id %s doesn't exist", id)
 	}
 
 	return nil

pkg/authz/openfgaauthz/provider.go

@@ -8,7 +8,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/authz/openfgaserver"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 
 	"github.com/SigNoz/signoz/pkg/factory"
@@ -19,7 +18,7 @@ import (
 
 type provider struct {
 	server *openfgaserver.Server
-	store  roletypes.Store
+	store  authtypes.RoleStore
 }
 
 func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile) factory.ProviderFactory[authz.AuthZ, authz.Config] {
@@ -68,61 +67,61 @@ func (provider *provider) ListObjects(ctx context.Context, subject string, relat
 	return provider.server.ListObjects(ctx, subject, relation, typeable)
 }
 
-func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*roletypes.Role, error) {
+func (provider *provider) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*authtypes.Role, error) {
 	storableRole, err := provider.store.Get(ctx, orgID, id)
 	if err != nil {
 		return nil, err
 	}
 
-	return roletypes.NewRoleFromStorableRole(storableRole), nil
+	return authtypes.NewRoleFromStorableRole(storableRole), nil
 }
 
-func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*roletypes.Role, error) {
+func (provider *provider) GetByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*authtypes.Role, error) {
 	storableRole, err := provider.store.GetByOrgIDAndName(ctx, orgID, name)
 	if err != nil {
 		return nil, err
 	}
 
-	return roletypes.NewRoleFromStorableRole(storableRole), nil
+	return authtypes.NewRoleFromStorableRole(storableRole), nil
 }
 
-func (provider *provider) List(ctx context.Context, orgID valuer.UUID) ([]*roletypes.Role, error) {
+func (provider *provider) List(ctx context.Context, orgID valuer.UUID) ([]*authtypes.Role, error) {
 	storableRoles, err := provider.store.List(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}
 
-	roles := make([]*roletypes.Role, len(storableRoles))
+	roles := make([]*authtypes.Role, len(storableRoles))
 	for idx, storableRole := range storableRoles {
-		roles[idx] = roletypes.NewRoleFromStorableRole(storableRole)
+		roles[idx] = authtypes.NewRoleFromStorableRole(storableRole)
 	}
 
 	return roles, nil
 }
 
-func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*roletypes.Role, error) {
+func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID, names []string) ([]*authtypes.Role, error) {
 	storableRoles, err := provider.store.ListByOrgIDAndNames(ctx, orgID, names)
 	if err != nil {
 		return nil, err
 	}
 
-	roles := make([]*roletypes.Role, len(storableRoles))
+	roles := make([]*authtypes.Role, len(storableRoles))
 	for idx, storable := range storableRoles {
-		roles[idx] = roletypes.NewRoleFromStorableRole(storable)
+		roles[idx] = authtypes.NewRoleFromStorableRole(storable)
 	}
 
 	return roles, nil
 }
 
-func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.Role, error) {
+func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*authtypes.Role, error) {
 	storableRoles, err := provider.store.ListByOrgIDAndIDs(ctx, orgID, ids)
 	if err != nil {
 		return nil, err
 	}
 
-	roles := make([]*roletypes.Role, len(storableRoles))
+	roles := make([]*authtypes.Role, len(storableRoles))
 	for idx, storable := range storableRoles {
-		roles[idx] = roletypes.NewRoleFromStorableRole(storable)
+		roles[idx] = authtypes.NewRoleFromStorableRole(storable)
 	}
 
 	return roles, nil
@@ -179,10 +178,10 @@ func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names [
 	return provider.Write(ctx, nil, tuples)
 }
 
-func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID, managedRoles []*roletypes.Role) error {
+func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID, managedRoles []*authtypes.Role) error {
 	err := provider.store.RunInTx(ctx, func(ctx context.Context) error {
 		for _, role := range managedRoles {
-			err := provider.store.Create(ctx, roletypes.NewStorableRoleFromRole(role))
+			err := provider.store.Create(ctx, authtypes.NewStorableRoleFromRole(role))
 			if err != nil {
 				return err
 			}
@@ -199,15 +198,15 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 }
 
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
-	return provider.Grant(ctx, orgID, []string{roletypes.SigNozAdminRoleName}, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
+	return provider.Grant(ctx, orgID, []string{authtypes.SigNozAdminRoleName}, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }
 
-func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *roletypes.Role) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
+func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
+	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
-func (provider *provider) GetOrCreate(_ context.Context, _ valuer.UUID, _ *roletypes.Role) (*roletypes.Role, error) {
-	return nil, errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
+func (provider *provider) GetOrCreate(_ context.Context, _ valuer.UUID, _ *authtypes.Role) (*authtypes.Role, error) {
+	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
 func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource {
@@ -215,19 +214,19 @@ func (provider *provider) GetResources(_ context.Context) []*authtypes.Resource
 }
 
 func (provider *provider) GetObjects(ctx context.Context, orgID valuer.UUID, id valuer.UUID, relation authtypes.Relation) ([]*authtypes.Object, error) {
-	return nil, errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
+	return nil, errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
-func (provider *provider) Patch(_ context.Context, _ valuer.UUID, _ *roletypes.Role) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
+func (provider *provider) Patch(_ context.Context, _ valuer.UUID, _ *authtypes.Role) error {
+	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
 func (provider *provider) PatchObjects(_ context.Context, _ valuer.UUID, _ string, _ authtypes.Relation, _, _ []*authtypes.Object) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
+	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
 func (provider *provider) Delete(_ context.Context, _ valuer.UUID, _ valuer.UUID) error {
-	return errors.Newf(errors.TypeUnsupported, roletypes.ErrCodeRoleUnsupported, "not implemented")
+	return errors.Newf(errors.TypeUnsupported, authtypes.ErrCodeRoleUnsupported, "not implemented")
 }
 
 func (provider *provider) MustGetTypeables() []authtypes.Typeable {

pkg/authz/signozauthzapi/handler.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -30,13 +29,13 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	req := new(roletypes.PostableRole)
+	req := new(authtypes.PostableRole)
 	if err := binding.JSON.BindBody(r.Body, req); err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	role := roletypes.NewRole(req.Name, req.Description, roletypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID))
+	role := authtypes.NewRole(req.Name, req.Description, authtypes.RoleTypeCustom, valuer.MustNewUUID(claims.OrgID))
 	err = handler.authz.Create(ctx, valuer.MustNewUUID(claims.OrgID), role)
 	if err != nil {
 		render.Error(rw, err)
@@ -56,7 +55,7 @@ func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
 
 	id, ok := mux.Vars(r)["id"]
 	if !ok {
-		render.Error(rw, errors.New(errors.TypeInvalidInput, roletypes.ErrCodeRoleInvalidInput, "id is missing from the request"))
+		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "id is missing from the request"))
 		return
 	}
 	roleID, err := valuer.NewUUID(id)
@@ -84,7 +83,7 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 
 	id, ok := mux.Vars(r)["id"]
 	if !ok {
-		render.Error(rw, errors.New(errors.TypeInvalidInput, roletypes.ErrCodeRoleInvalidInput, "id is missing from the request"))
+		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "id is missing from the request"))
 		return
 	}
 	roleID, err := valuer.NewUUID(id)
@@ -95,7 +94,7 @@ func (handler *handler) GetObjects(rw http.ResponseWriter, r *http.Request) {
 
 	relationStr, ok := mux.Vars(r)["relation"]
 	if !ok {
-		render.Error(rw, errors.New(errors.TypeInvalidInput, roletypes.ErrCodeRoleInvalidInput, "relation is missing from the request"))
+		render.Error(rw, errors.New(errors.TypeInvalidInput, authtypes.ErrCodeRoleInvalidInput, "relation is missing from the request"))
 		return
 	}
 	relation, err := authtypes.NewRelation(relationStr)
@@ -150,7 +149,7 @@ func (handler *handler) Patch(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	req := new(roletypes.PatchableRole)
+	req := new(authtypes.PatchableRole)
 	if err := binding.JSON.BindBody(r.Body, req); err != nil {
 		render.Error(rw, err)
 		return

pkg/errors/errors.go

@@ -147,7 +147,7 @@ func Ast(cause error, typ typ) bool {
 	return t == typ
 }
 
-// Asc checks if the provided error matches the specified custom error code.
+// Ast checks if the provided error matches the specified custom error code.
 func Asc(cause error, code Code) bool {
 	_, c, _, _, _, _ := Unwrapb(cause)
 

pkg/http/middleware/authz.go

@@ -10,7 +10,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -56,9 +55,9 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 		}
 
 		selectors := []authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozEditorRoleName),
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozViewerRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozEditorRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozViewerRoleName),
 		}
 
 		err = middleware.authzService.CheckWithTupleCreation(
@@ -108,8 +107,8 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 		}
 
 		selectors := []authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozEditorRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozEditorRoleName),
 		}
 
 		err = middleware.authzService.CheckWithTupleCreation(
@@ -159,7 +158,7 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 		}
 
 		selectors := []authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
+			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 		}
 
 		err = middleware.authzService.CheckWithTupleCreation(

pkg/modules/session/implsession/module.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/authn"
+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -28,9 +29,10 @@ type module struct {
 	authDomain authdomain.Module
 	tokenizer  tokenizer.Tokenizer
 	orgGetter  organization.Getter
+	authz      authz.AuthZ
 }
 
-func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
+func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter, authz authz.AuthZ) session.Module {
 	return &module{
 		settings:   factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/session/implsession"),
 		authNs:     authNs,
@@ -39,6 +41,7 @@ func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.A
 		authDomain: authDomain,
 		tokenizer:  tokenizer,
 		orgGetter:  orgGetter,
+		authz:      authz,
 	}
 }
 
@@ -142,9 +145,15 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 	}
 
 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
-	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
+	legacyRole, managedRoles := roleMapping.ManagedRolesFromCallbackIdentity(callbackIdentity)
 
-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
+	// pass only valid or fallback to viewer
+	validRoles, err := module.resolveValidRoles(ctx, callbackIdentity.OrgID, managedRoles, callbackIdentity.Email)
+	if err != nil {
+		return "", err
+	}
+
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, legacyRole, validRoles, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}
@@ -158,7 +167,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}
 
-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role, authtypes.IdentNProviderTokenizer), map[string]string{})
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, types.RoleViewer, authtypes.IdentNProviderTokenizer), map[string]string{})
 	if err != nil {
 		return "", err
 	}
@@ -222,3 +231,38 @@ func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs ma
 
 	return provider, nil
 }
+
+// resolveValidRoles validates role names against the database
+// returns only roles that exist. If none are valid, falls back to signoz-viewer role
+func (module *module) resolveValidRoles(ctx context.Context, orgID valuer.UUID, roles []string, email valuer.Email) ([]string, error) {
+	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, roles)
+	if err != nil {
+		return nil, err
+	}
+
+	validRoles := make([]string, 0, len(storableRoles))
+	validSet := make(map[string]struct{})
+	for _, sr := range storableRoles {
+		validRoles = append(validRoles, sr.Name)
+		validSet[sr.Name] = struct{}{}
+	}
+
+	// log ignored roles
+	if len(validRoles) < len(roles) {
+		var ignored []string
+		for _, r := range roles {
+			if _, ok := validSet[r]; !ok {
+				ignored = append(ignored, r)
+			}
+		}
+		module.settings.Logger().WarnContext(ctx, "ignoring non-existent roles from SSO mapping", "ignored_roles", ignored, "email", email)
+	}
+
+	// fallback to viewer if no valid roles
+	if len(validRoles) == 0 {
+		module.settings.Logger().WarnContext(ctx, "no valid roles from SSO mapping, falling back to viewer", "email", email)
+		validRoles = []string{authtypes.SigNozViewerRoleName}
+	}
+
+	return validRoles, nil
+}

pkg/modules/tracefunnel/impltracefunnel/module.go

@@ -30,7 +30,7 @@ func (module *module) Create(ctx context.Context, timestamp int64, name string,
 	funnel.CreatedBy = userID.String()
 
 	// Set up the user relationship
-	funnel.CreatedByUser = &types.User{
+	funnel.CreatedByUser = &types.StorableUser{
 		Identifiable: types.Identifiable{
 			ID: userID,
 		},

pkg/modules/user/impluser/getter.go

@@ -2,78 +2,56 @@ package impluser
 
 import (
 	"context"
-	"slices"
 
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type getter struct {
-	store   types.UserStore
-	flagger flagger.Flagger
+	store types.UserStore
 }
 
-func NewGetter(store types.UserStore, flagger flagger.Flagger) user.Getter {
-	return &getter{store: store, flagger: flagger}
-}
-
-func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	return module.store.GetRootUserByOrgID(ctx, orgID)
+func NewGetter(store types.UserStore) user.Getter {
+	return &getter{store: store}
 }
 
 func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByOrgID(ctx, orgID)
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}
 
-	// filter root users if feature flag `hide_root_users` is true
-	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
-	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
-
-	if hideRootUsers {
-		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
+	// we are not resolving roles for getter methods
+	users := make([]*types.User, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
 	}
 
 	return users, nil
 }
 
-func (module *getter) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	users, err := module.store.GetUsersByEmail(ctx, email)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (module *getter) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
-
 func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetUser(ctx, id)
+	storableUser, err := module.store.GetUser(ctx, id)
 	if err != nil {
 		return nil, err
 	}
 
-	return user, nil
+	return types.NewUserFromStorable(storableUser, make([]string, 0)), nil
 }
 
 func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
+	storableUsers, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
 	if err != nil {
 		return nil, err
 	}
 
+	users := make([]*types.User, len(storableUsers))
+
+	for idx, storableUser := range storableUsers {
+		users[idx] = types.NewUserFromStorable(storableUser, make([]string, 0))
+	}
+
 	return users, nil
 }
 

pkg/modules/user/impluser/handler.go

@@ -169,7 +169,7 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -188,7 +188,7 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -207,7 +207,7 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	users, err := h.getter.ListByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
+	users, err := h.module.ListUsersByOrgID(ctx, valuer.MustNewUUID(claims.OrgID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -270,7 +270,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
-	id := mux.Vars(r)["id"]
+	userID := mux.Vars(r)["id"]
 
 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -278,13 +278,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	user, err := handler.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
 	if err != nil {
 		render.Error(w, err)
 		return

pkg/modules/user/impluser/module.go

@@ -11,48 +11,103 @@ import (
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
+	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/dustin/go-humanize"
 )
 
 type Module struct {
-	store     types.UserStore
-	tokenizer tokenizer.Tokenizer
-	emailing  emailing.Emailing
-	settings  factory.ScopedProviderSettings
-	orgSetter organization.Setter
-	authz     authz.AuthZ
-	analytics analytics.Analytics
-	config    user.Config
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	tokenizer     tokenizer.Tokenizer
+	emailing      emailing.Emailing
+	settings      factory.ScopedProviderSettings
+	orgSetter     organization.Setter
+	authz         authz.AuthZ
+	analytics     analytics.Analytics
+	config        root.Config
+	flagger       flagger.Flagger
 }
 
 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config) root.Module {
+func NewModule(store types.UserStore, userRoleStore authtypes.UserRoleStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config, flagger flagger.Flagger) root.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &Module{
-		store:     store,
-		tokenizer: tokenizer,
-		emailing:  emailing,
-		settings:  settings,
-		orgSetter: orgSetter,
-		analytics: analytics,
-		authz:     authz,
-		config:    config,
+		store:         store,
+		userRoleStore: userRoleStore,
+		tokenizer:     tokenizer,
+		emailing:      emailing,
+		settings:      settings,
+		orgSetter:     orgSetter,
+		analytics:     analytics,
+		authz:         authz,
+		config:        config,
+		flagger:       flagger,
 	}
 }
 
+// this function gets user with its proper roles populated
+func (m *Module) GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error) {
+	storableUser, err := m.store.GetByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames, err := m.resolveRoleNamesForUser(ctx, userID, storableUser.OrgID)
+	if err != nil {
+		return nil, err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
+	return user, nil
+}
+
+func (module *Module) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]valuer.UUID, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		userIDs[idx] = storableUser.ID
+	}
+
+	storableUserRoles, err := module.userRoleStore.ListUserRolesByOrgIDAndUserIDs(ctx, orgID, userIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDToRoleIDs, roleIDs := authtypes.GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles)
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		storableUsers = slices.DeleteFunc(storableUsers, func(user *types.StorableUser) bool { return user.IsRoot })
+	}
+
+	users := module.usersFromStorableUsersAndRolesMaps(storableUsers, roles, userIDToRoleIDs)
+
+	return users, nil
+}
+
 func (m *Module) AcceptInvite(ctx context.Context, token string, password string) (*types.User, error) {
 	// get the user by reset password token
-	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
 	if err != nil {
 		return nil, err
 	}
@@ -64,7 +119,7 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 	}
 
 	// query the user again
-	user, err = m.store.GetByOrgIDAndID(ctx, user.OrgID, user.ID)
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +129,12 @@ func (m *Module) AcceptInvite(ctx context.Context, token string, password string
 
 func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Invite, error) {
 	// get the user
-	user, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
 	if err != nil {
 		return nil, err
 	}
@@ -88,6 +148,7 @@ func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Inv
 		Email: user.Email,
 		Token: token,
 		Role:  user.Role,
+		Roles: user.Roles,
 		OrgID: user.OrgID,
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: user.CreatedAt,
@@ -107,24 +168,40 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 	// validate all emails to be invited
 	emails := make([]string, len(bulkInvites.Invites))
+	var allRolesFromRequest []string
+	seenRolesFromRequest := make(map[string]struct{})
 	for idx, invite := range bulkInvites.Invites {
 		emails[idx] = invite.Email.StringValue()
+		// for role name validation
+		for _, role := range invite.Roles {
+			if _, ok := seenRolesFromRequest[role]; !ok {
+				seenRolesFromRequest[role] = struct{}{}
+				allRolesFromRequest = append(allRolesFromRequest, role)
+			}
+		}
 	}
-	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
+
+	storableUsers, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}
 
-	if len(users) > 0 {
-		if err := users[0].ErrIfRoot(); err != nil {
+	if len(storableUsers) > 0 {
+		if err := storableUsers[0].ErrIfRoot(); err != nil {
 			return nil, errors.WithAdditionalf(err, "Cannot send invite to root user")
 		}
 
-		if users[0].Status == types.UserStatusPendingInvite {
-			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", users[0].Email.StringValue())
+		if storableUsers[0].Status == types.UserStatusPendingInvite {
+			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", storableUsers[0].Email.StringValue())
 		}
 
-		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", users[0].Email.StringValue())
+		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", storableUsers[0].Email.StringValue())
+	}
+
+	// this function returns error if some role is not found by name
+	_, err = m.authz.ListByOrgIDAndNames(ctx, orgID, allRolesFromRequest)
+	if err != nil {
+		return nil, err
 	}
 
 	type userWithResetToken struct {
@@ -136,25 +213,20 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 
 	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
 		for idx, invite := range bulkInvites.Invites {
-			role, err := types.NewRole(invite.Role.String())
-			if err != nil {
-				return err
-			}
-
 			// create a new user with pending invite status
-			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			newUser, err := types.NewUser(invite.Name, invite.Email, invite.Role,  invite.Roles, orgID, types.UserStatusPendingInvite)
 			if err != nil {
 				return err
 			}
 
-			// store the user and password in db
+			// store the user and user_role entries in db
 			err = m.createUserWithoutGrant(ctx, newUser)
 			if err != nil {
 				return err
 			}
 
 			// generate reset password token
-			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
+			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.OrgID, newUser.ID)
 			if err != nil {
 				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", "error", err)
 				return err
@@ -176,7 +248,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	for idx, userWithToken := range newUsersWithResetToken {
 		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
-			"invitee_role":  userWithToken.User.Role,
+			"invitee_roles": userWithToken.User.Roles,
 		})
 
 		invite := &types.Invite{
@@ -187,6 +259,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			Email: userWithToken.User.Email,
 			Token: userWithToken.ResetPasswordToken.Token,
 			Role:  userWithToken.User.Role,
+			Roles: userWithToken.User.Roles,
 			OrgID: userWithToken.User.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: userWithToken.User.CreatedAt,
@@ -220,8 +293,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 }
 
 func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
-	// find all the users with pending_invite status
-	users, err := m.store.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
+	users, err := m.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
 	if err != nil {
 		return nil, err
 	}
@@ -232,7 +304,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 
 	for _, pUser := range pendingUsers {
 		// get the reset password token
-		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.ID)
+		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, pUser.OrgID, pUser.ID)
 		if err != nil {
 			return nil, err
 		}
@@ -246,6 +318,7 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 			Email: pUser.Email,
 			Token: resetPasswordToken.Token,
 			Role:  pUser.Role,
+			Roles: pUser.Roles,
 			OrgID: pUser.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: pUser.CreatedAt,
@@ -260,16 +333,27 @@ func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite,
 }
 
 func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
-	createUserOpts := root.NewCreateUserOptions(opts...)
-
-	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, []string{roletypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	// validate the roles
+	_, err := module.authz.ListByOrgIDAndNames(ctx, input.OrgID, input.Roles)
 	if err != nil {
 		return err
 	}
 
+	// since assign is idempotant multiple calls to assign won't cause issues in case of retries, also we cannot run this in a transaction for now
+	err = module.authz.Grant(ctx, input.OrgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	if err != nil {
+		return err
+	}
+
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}
 
@@ -292,7 +376,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 }
 
 func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error) {
-	existingUser, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
+	existingUser, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
 	}
@@ -309,18 +393,21 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update pending user")
 	}
 
-	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
+	requestor, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}
 
-	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
+	grants, revokes := existingUser.PatchRoles(user.Roles)
+	rolesChanged := (len(grants) > 0) || (len(revokes) > 0)
+
+	if rolesChanged && !slices.Contains(requestor.Roles, authtypes.SigNozAdminRoleName) {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}
 
 	// Make sure that the request is not demoting the last admin user.
-	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
-		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	if rolesChanged && slices.Contains(existingUser.Roles, authtypes.SigNozAdminRoleName) && !slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
+		adminUsers, err := m.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 		if err != nil {
 			return nil, err
 		}
@@ -330,28 +417,49 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}
 
-	if user.Role != "" && user.Role != existingUser.Role {
-		err = m.authz.ModifyGrant(ctx,
-			orgID,
-			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
-			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
-			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
-		)
+	if rolesChanged {
+		// can't run in txn
+		err = m.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	existingUser.Update(user.DisplayName, user.Role)
-	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
-		return nil, err
+	existingUser.Update(user.DisplayName, user.Role, user.Roles)
+	if rolesChanged {
+		err = m.store.RunInTx(ctx, func(ctx context.Context) error {
+			// update the user
+			if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+				return err
+			}
+
+			// delete old role entries and create new ones
+			if err := m.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			// create new ones
+			if err := m.createUserRoleEntries(ctx, existingUser); err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// persist display name change even when roles haven't changed
+		if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+			return nil, err
+		}
 	}
 
 	return existingUser, nil
 }
 
 func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
-	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+	storableUser := types.NewStorableUser(user)
+	if err := module.store.UpdateUser(ctx, orgID, storableUser); err != nil {
 		return err
 	}
 
@@ -367,7 +475,7 @@ func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user
 }
 
 func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
 	}
@@ -385,17 +493,17 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}
 
 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	adminUsers, err := module.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 	if err != nil {
 		return err
 	}
 
-	if len(adminUsers) == 1 && user.Role == types.RoleAdmin {
+	if len(adminUsers) == 1 && slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
 	}
 
 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, []string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, user.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -412,8 +520,8 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	return nil
 }
 
-func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	user, err := module.store.GetUser(ctx, userID)
+func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -492,7 +600,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
-	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := module.GetOrCreateResetPasswordToken(ctx, orgID, user.ID)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
 		return err
@@ -535,17 +643,17 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
+	storableUser, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
 	if err != nil {
 		return err
 	}
 
 	// handle deleted user
-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "deleted users cannot reset their password")
 	}
 
-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}
 
@@ -553,12 +661,19 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}
 
+	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
+	if err != nil {
+		return err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
 	// since grant is idempotent, multiple calls won't cause issues in case of retries
 	if user.Status == types.UserStatusPendingInvite {
 		if err = module.authz.Grant(
 			ctx,
 			user.OrgID,
-			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			user.Roles,
 			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
@@ -570,7 +685,7 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 			if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 				return err
 			}
-			if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
+			if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
 				return err
 			}
 		}
@@ -588,16 +703,16 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 }
 
 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
-	user, err := module.store.GetUser(ctx, userID)
+	storableUser, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return err
 	}
 
-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for deleted user")
 	}
 
-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for root user")
 	}
 
@@ -643,7 +758,7 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 		// for users logging through SSO flow but are having status as pending_invite
 		if existingUser.Status == types.UserStatusPendingInvite {
 			// respect the role coming from the SSO
-			existingUser.Update("", user.Role)
+			existingUser.Update("", user.Role, user.Roles)
 			// activate the user
 			if err = module.activatePendingUser(ctx, existingUser); err != nil {
 				return nil, err
@@ -682,7 +797,7 @@ func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UU
 }
 
 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
-	user, err := types.NewRootUser(name, email, organization.ID)
+	user, err := types.NewRootUser(name, email, organization.ID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return nil, err
 	}
@@ -692,7 +807,7 @@ func (module *Module) CreateFirstUser(ctx context.Context, organization *types.O
 		return nil, err
 	}
 
-	managedRoles := roletypes.NewManagedRoles(organization.ID)
+	managedRoles := authtypes.NewManagedRoles(organization.ID)
 	err = module.authz.CreateManagedUserRoleTransactions(ctx, organization.ID, user.ID)
 	if err != nil {
 		return nil, err
@@ -744,20 +859,24 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 
 // this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
 func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
+	existingStorableUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}
 
 	// filter out the deleted users
-	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
+	existingStorableUsers = slices.DeleteFunc(existingStorableUsers, func(user *types.StorableUser) bool { return user.ErrIfDeleted() != nil })
 
-	if len(existingUsers) > 1 {
+	if len(existingStorableUsers) > 1 {
 		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
 	}
 
-	if len(existingUsers) == 1 {
-		return existingUsers[0], nil
+	if len(existingStorableUsers) == 1 {
+		existingUser, err := module.GetByOrgIDAndUserID(ctx, existingStorableUsers[0].OrgID, existingStorableUsers[0].ID)
+		if err != nil {
+			return nil, err
+		}
+		return existingUser, nil
 	}
 
 	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
@@ -767,7 +886,12 @@ func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, emai
 func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}
 
@@ -789,11 +913,25 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 	return nil
 }
 
+func (module *Module) createUserRoleEntries(ctx context.Context, user *types.User) error {
+	if len(user.Roles) == 0 {
+		return nil
+	}
+
+	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, user.OrgID, user.Roles)
+	if err != nil {
+		return err
+	}
+
+	userRoles := authtypes.NewStorableUserRoles(user.ID, storableRoles)
+	return module.userRoleStore.CreateUserRoles(ctx, userRoles)
+}
+
 func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
 	err := module.authz.Grant(
 		ctx,
 		user.OrgID,
-		[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+		user.Roles,
 		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 	)
 	if err != nil {
@@ -803,10 +941,59 @@ func (module *Module) activatePendingUser(ctx context.Context, user *types.User)
 	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 		return err
 	}
-	err = module.store.UpdateUser(ctx, user.OrgID, user)
+	err = module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user))
 	if err != nil {
 		return err
 	}
 
 	return nil
 }
+
+func (module *Module) usersFromStorableUsersAndRolesMaps(storableUsers []*types.StorableUser, roles []*authtypes.Role, userIDToRoleIDsMap map[valuer.UUID][]valuer.UUID) []*types.User {
+	users := make([]*types.User, 0, len(storableUsers))
+
+	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
+	for _, role := range roles {
+		roleIDToRole[role.ID.String()] = role
+	}
+
+	for _, user := range storableUsers {
+		roleIDs := userIDToRoleIDsMap[user.ID]
+
+		roleNames := make([]string, 0, len(roleIDs))
+		for _, rid := range roleIDs {
+			if role, ok := roleIDToRole[rid.String()]; ok {
+				roleNames = append(roleNames, role.Name)
+			}
+		}
+
+		account := types.NewUserFromStorable(user, roleNames)
+		users = append(users, account)
+	}
+
+	return users
+}
+
+func (m *Module) resolveRoleNamesForUser(ctx context.Context, userID valuer.UUID, orgID valuer.UUID) ([]string, error) {
+	storableUserRoles, err := m.userRoleStore.GetUserRolesByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableUserRoles))
+	for idx, sur := range storableUserRoles {
+		roleIDs[idx] = sur.RoleID
+	}
+
+	roles, err := m.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames := make([]string, len(roles))
+	for idx, role := range roles {
+		roleNames[idx] = role.Name
+	}
+
+	return roleNames, nil
+}

pkg/modules/user/impluser/service.go

@@ -11,36 +11,38 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type service struct {
-	settings  factory.ScopedProviderSettings
-	store     types.UserStore
-	module    user.Module
-	orgGetter organization.Getter
-	authz     authz.AuthZ
-	config    user.RootConfig
-	stopC     chan struct{}
+	settings      factory.ScopedProviderSettings
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	module        user.Module
+	orgGetter     organization.Getter
+	authz         authz.AuthZ
+	config        user.RootConfig
+	stopC         chan struct{}
 }
 
 func NewService(
 	providerSettings factory.ProviderSettings,
 	store types.UserStore,
+	userRoleStore authtypes.UserRoleStore,
 	module user.Module,
 	orgGetter organization.Getter,
 	authz authz.AuthZ,
 	config user.RootConfig,
 ) user.Service {
 	return &service{
-		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
-		store:     store,
-		module:    module,
-		orgGetter: orgGetter,
-		authz:     authz,
-		config:    config,
-		stopC:     make(chan struct{}),
+		settings:      factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
+		store:         store,
+		userRoleStore: userRoleStore,
+		module:        module,
+		orgGetter:     orgGetter,
+		authz:         authz,
+		config:        config,
+		stopC:         make(chan struct{}),
 	}
 }
 
@@ -130,16 +132,16 @@ func (s *service) reconcileByName(ctx context.Context) error {
 }
 
 func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	existingStorableRoot, err := s.getRootUserByOrgID(ctx, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}
 
-	if existingRoot == nil {
+	if existingStorableRoot == nil {
 		return s.createOrPromoteRootUser(ctx, orgID)
 	}
 
-	return s.updateExistingRootUser(ctx, orgID, existingRoot)
+	return s.updateExistingRootUser(ctx, orgID, existingStorableRoot)
 }
 
 func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID) error {
@@ -149,29 +151,27 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 	}
 
 	if existingUser != nil {
-		oldRole := existingUser.Role
+		oldRoles := existingUser.Roles
 
-		existingUser.PromoteToRoot()
+		existingUser.PromoteToRoot() // this only sets the column is_root as true (permissions are managed by authz in next step)
 		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 			return err
 		}
 
-		if oldRole != types.RoleAdmin {
-			if err := s.authz.ModifyGrant(ctx,
-				orgID,
-				[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
-				[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
-				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
-			); err != nil {
-				return err
-			}
+		if err := s.authz.ModifyGrant(ctx,
+			orgID,
+			oldRoles,
+			[]string{authtypes.SigNozAdminRoleName},
+			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+		); err != nil {
+			return err
 		}
 
 		return s.setPassword(ctx, existingUser.ID)
 	}
 
 	// Create new root user
-	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID)
+	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return err
 	}
@@ -181,6 +181,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		return err
 	}
 
+	// authz grants are handled inside CreateUser
 	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
 }
 
@@ -222,3 +223,12 @@ func (s *service) setPassword(ctx context.Context, userID valuer.UUID) error {
 
 	return nil
 }
+
+func (s *service) getRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	storableRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.module.GetByOrgIDAndUserID(ctx, orgID, storableRoot.ID)
+}

pkg/modules/user/impluser/store.go

@@ -39,7 +39,7 @@ func (store *store) CreatePassword(ctx context.Context, password *types.FactorPa
 	return nil
 }
 
-func (store *store) CreateUser(ctx context.Context, user *types.User) error {
+func (store *store) CreateUser(ctx context.Context, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -52,8 +52,8 @@ func (store *store) CreateUser(ctx context.Context, user *types.User) error {
 	return nil
 }
 
-func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
 
 	err := store.
 		sqlstore.
@@ -69,8 +69,8 @@ func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]
 	return users, nil
 }
 
-func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.
@@ -86,8 +86,8 @@ func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, e
 	return user, nil
 }
 
-func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.
@@ -104,8 +104,8 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }
 
-func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
 
 	err := store.
 		sqlstore.
@@ -122,26 +122,7 @@ func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Em
 	return users, nil
 }
 
-func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&users).
-		Where("org_id = ?", orgID).
-		Where("role = ?", role).
-		Where("status = ?", types.UserStatusActive.StringValue()).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -162,8 +143,8 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 	return nil
 }
 
-func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 
 	err := store.
 		sqlstore.
@@ -247,7 +228,7 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err
 
 	// delete user
 	_, err = tx.NewDelete().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)
@@ -332,7 +313,7 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 	// soft delete user
 	now := time.Now()
 	_, err = tx.NewUpdate().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Set("status = ?", types.UserStatusDeleted).
 		Set("deleted_at = ?", now).
 		Set("updated_at = ?", now).
@@ -563,7 +544,7 @@ func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*type
 }
 
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 
 	count, err := store.
 		sqlstore.
@@ -580,7 +561,7 @@ func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64,
 }
 
 func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 	var results []struct {
 		Status valuer.String `bun:"status"`
 		Count  int64         `bun:"count"`
@@ -633,8 +614,8 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 	})
 }
 
-func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -649,8 +630,8 @@ func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (
 	return user, nil
 }
 
-func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 	err := store.
 		sqlstore.
 		BunDB().
@@ -666,15 +647,15 @@ func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.
 	return users, nil
 }
 
-func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
 		Model(user).
-		Join(`JOIN factor_password ON factor_password.user_id = "user".id`).
+		Join(`JOIN factor_password ON factor_password.user_id = "users".id`).
 		Join("JOIN reset_password_token ON reset_password_token.password_id = factor_password.id").
 		Where("reset_password_token.token = ?", token).
 		Scan(ctx)
@@ -685,8 +666,8 @@ func (store *store) GetUserByResetPasswordToken(ctx context.Context, token strin
 	return user, nil
 }
 
-func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 
 	err := store.
 		sqlstore.
@@ -703,3 +684,20 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID
 
 	return users, nil
 }
+
+func (store *store) GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().
+		Model(&users).
+		Join("JOIN user_role ON user_role.user_id = users.id").
+		Join("JOIN role ON role.id = user_role.role_id").
+		Where("users.org_id = ?", orgID).
+		Where("role.name = ?", roleName).
+		Where("users.status = ?", types.UserStatusActive.StringValue()).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return users, nil
+}

pkg/modules/user/impluser/userrolestore.go

@@ -0,0 +1,62 @@
+package impluser
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+type userRoleStore struct {
+	sqlstore sqlstore.SQLStore
+	settings factory.ProviderSettings
+}
+
+func NewUserRoleStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) authtypes.UserRoleStore {
+	return &userRoleStore{sqlstore: sqlstore, settings: settings}
+}
+
+func (store *userRoleStore) ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).
+		Join("JOIN users").
+		JoinOn("users.id = user_role.user_id").
+		Where("users.org_id = ?", orgID).Where("users.id IN (?)", bun.In(userIDs)).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}
+
+func (store *userRoleStore) CreateUserRoles(ctx context.Context, userRoles []*authtypes.StorableUserRole) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewInsert().Model(&userRoles).Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, authtypes.ErrCodeUserRoleAlreadyExists, "duplicate role assignments for service account")
+	}
+	return nil
+}
+
+func (store *userRoleStore) DeleteUserRoles(ctx context.Context, userID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().Model(new(authtypes.StorableUserRole)).Where("user_id = ?", userID).Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *userRoleStore) GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).Where("user_id = ?", userID).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}

pkg/modules/user/user.go

@@ -10,6 +10,12 @@ import (
 )
 
 type Module interface {
+	// Gets user by org id and user id, this includes the roles resolution
+	GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error)
+
+	// Lists all the users by org id, no filters applied and includes roles resolution
+	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error)
+
 	// Creates the organization and the first user of that organization.
 	CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, password string) (*types.User, error)
 
@@ -21,7 +27,7 @@ type Module interface {
 
 	// Get or Create a reset password token for a user. If the password does not exist, a new one is randomly generated and inserted. The function
 	// is idempotent and can be called multiple times.
-	GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error)
+	GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error)
 
 	// Updates password of a user using a reset password token. It also deletes all reset password tokens for the user.
 	// This is used to reset the password of a user when they forget their password.
@@ -58,22 +64,13 @@ type Module interface {
 }
 
 type Getter interface {
-	// Get root user by org id.
-	GetRootUserByOrgID(context.Context, valuer.UUID) (*types.User, error)
-
 	// Get gets the users based on the given id
 	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)
 
-	// Get users by email.
-	GetUsersByEmail(context.Context, valuer.Email) ([]*types.User, error)
-
-	// Get user by orgID and id.
-	GetByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.User, error)
-
 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.User, error)
 
-	// List users by email and org ids.
+	// List users by email and org ids. This does not includes roles resolution as this is only used for session context
 	ListUsersByEmailAndOrgIDs(context.Context, valuer.Email, []valuer.UUID) ([]*types.User, error)
 
 	// Count users by org id.

pkg/querier/querier.go

@@ -20,6 +20,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/instrumentationtypes"
 	"github.com/SigNoz/signoz/pkg/types/metrictypes"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
+	"github.com/dustin/go-humanize"
 	"golang.org/x/exp/maps"
 
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
@@ -158,7 +159,8 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 	metricNames := make([]string, 0)
 	for idx, query := range req.CompositeQuery.Queries {
 		event.QueryType = query.Type.StringValue()
-		if query.Type == qbtypes.QueryTypeBuilder {
+		switch query.Type {
+		case qbtypes.QueryTypeBuilder:
 			if spec, ok := query.Spec.(qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]); ok {
 				for _, agg := range spec.Aggregations {
 					if agg.MetricName != "" {
@@ -236,7 +238,7 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 				}
 				req.CompositeQuery.Queries[idx].Spec = spec
 			}
-		} else if query.Type == qbtypes.QueryTypePromQL {
+		case qbtypes.QueryTypePromQL:
 			event.MetricsUsed = true
 			switch spec := query.Spec.(type) {
 			case qbtypes.PromQuery:
@@ -247,7 +249,7 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 				}
 				req.CompositeQuery.Queries[idx].Spec = spec
 			}
-		} else if query.Type == qbtypes.QueryTypeClickHouseSQL {
+		case qbtypes.QueryTypeClickHouseSQL:
 			switch spec := query.Spec.(type) {
 			case qbtypes.ClickHouseQuery:
 				if strings.TrimSpace(spec.Query) != "" {
@@ -256,7 +258,7 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 					event.TracesUsed = strings.Contains(spec.Query, "signoz_traces")
 				}
 			}
-		} else if query.Type == qbtypes.QueryTypeTraceOperator {
+		case qbtypes.QueryTypeTraceOperator:
 			if spec, ok := query.Spec.(qbtypes.QueryBuilderTraceOperator); ok {
 				if spec.StepInterval.Seconds() == 0 {
 					spec.StepInterval = qbtypes.Step{
@@ -276,23 +278,9 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 		}
 	}
 
-	// Fetch temporality for all metrics at once
-	var metricTemporality map[string]metrictypes.Temporality
-	var metricTypes map[string]metrictypes.Type
-	if len(metricNames) > 0 {
-		var err error
-		metricTemporality, metricTypes, err = q.metadataStore.FetchTemporalityAndTypeMulti(ctx, req.Start, req.End, metricNames...)
-		if err != nil {
-			q.logger.WarnContext(ctx, "failed to fetch metric temporality", "error", err, "metrics", metricNames)
-			// Continue without temporality - statement builder will handle unspecified
-			metricTemporality = make(map[string]metrictypes.Temporality)
-			metricTypes = make(map[string]metrictypes.Type)
-		}
-		q.logger.DebugContext(ctx, "fetched metric temporalities and types", "metric_temporality", metricTemporality, "metric_types", metricTypes)
-	}
-
 	queries := make(map[string]qbtypes.Query)
 	steps := make(map[string]qbtypes.Step)
+	missingMetrics := []string{}
 
 	for _, query := range req.CompositeQuery.Queries {
 		var queryName string
@@ -374,15 +362,26 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 				queries[spec.Name] = bq
 				steps[spec.Name] = spec.StepInterval
 			case qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]:
+				var metricTemporality map[string]metrictypes.Temporality
+				var metricTypes map[string]metrictypes.Type
+				if len(metricNames) > 0 {
+					var err error
+					metricTemporality, metricTypes, err = q.metadataStore.FetchTemporalityAndTypeMulti(ctx, req.Start, req.End, metricNames...)
+					if err != nil {
+						q.logger.WarnContext(ctx, "failed to fetch metric temporality", "error", err, "metrics", metricNames)
+						return nil, errors.NewInternalf(errors.CodeInternal, "failed to fetch metrics temporality")
+					}
+					q.logger.DebugContext(ctx, "fetched metric temporalities and types", "metric_temporality", metricTemporality, "metric_types", metricTypes)
+				}
 				for i := range spec.Aggregations {
 					if spec.Aggregations[i].MetricName != "" && spec.Aggregations[i].Temporality == metrictypes.Unknown {
 						if temp, ok := metricTemporality[spec.Aggregations[i].MetricName]; ok && temp != metrictypes.Unknown {
 							spec.Aggregations[i].Temporality = temp
 						}
 					}
-					// TODO(srikanthccv): warn when the metric is missing
 					if spec.Aggregations[i].Temporality == metrictypes.Unknown {
-						spec.Aggregations[i].Temporality = metrictypes.Unspecified
+						missingMetrics = append(missingMetrics, spec.Aggregations[i].MetricName)
+						continue
 					}
 
 					if spec.Aggregations[i].MetricName != "" && spec.Aggregations[i].Type == metrictypes.UnspecifiedType {
@@ -409,6 +408,24 @@ func (q *querier) QueryRange(ctx context.Context, orgID valuer.UUID, req *qbtype
 			}
 		}
 	}
+	if len(missingMetrics) > 0 {
+		lastSeenInfo, _ := q.metadataStore.FetchLastSeenInfoMulti(ctx, missingMetrics...)
+		lastSeenStr := func(name string) string {
+			if ts, ok := lastSeenInfo[name]; ok && ts > 0 {
+				ago := humanize.RelTime(time.UnixMilli(ts), time.Now(), "ago", "from now")
+				return fmt.Sprintf("%s (last seen %s)", name, ago)
+			}
+			return name
+		}
+		if len(missingMetrics) == 1 {
+			return nil, errors.NewNotFoundf(errors.CodeNotFound, "no data found for the metric %s in the query time range", lastSeenStr(missingMetrics[0]))
+		}
+		parts := make([]string, len(missingMetrics))
+		for i, m := range missingMetrics {
+			parts[i] = lastSeenStr(m)
+		}
+		return nil, errors.NewNotFoundf(errors.CodeNotFound, "no data found for the following metrics in the query time range: %s", strings.Join(parts, ", "))
+	}
 	qbResp, qbErr := q.run(ctx, orgID, queries, req, steps, event)
 	if qbResp != nil {
 		qbResp.QBEvent = event
@@ -663,7 +680,7 @@ func (q *querier) run(
 }
 
 // executeWithCache executes a query using the bucket cache
-func (q *querier) executeWithCache(ctx context.Context, orgID valuer.UUID, query qbtypes.Query, step qbtypes.Step, noCache bool) (*qbtypes.Result, error) {
+func (q *querier) executeWithCache(ctx context.Context, orgID valuer.UUID, query qbtypes.Query, step qbtypes.Step, _ bool) (*qbtypes.Result, error) {
 	// Get cached data and missing ranges
 	cachedResult, missingRanges := q.bucketCache.GetMissRanges(ctx, orgID, query, step)
 

pkg/query-service/rules/manager_test.go

@@ -76,6 +76,21 @@ func TestManager_TestNotification_SendUnmatched_ThresholdRule(t *testing.T) {
 					alertDataRows := cmock.NewRows(cols, tc.Values)
 
 					mock := mockStore.Mock()
+					// Mock metadata queries for FetchTemporalityAndTypeMulti
+					// First query: fetchMetricsTemporalityAndType (from signoz_metrics time series table)
+					metadataCols := []cmock.ColumnType{
+						{Name: "metric_name", Type: "String"},
+						{Name: "temporality", Type: "String"},
+						{Name: "type", Type: "String"},
+						{Name: "is_monotonic", Type: "Bool"},
+					}
+					metadataRows := cmock.NewRows(metadataCols, [][]any{
+						{"probe_success", metrictypes.Unspecified, metrictypes.GaugeType, false},
+					})
+					mock.ExpectQuery("*distributed_time_series_v4*").WithArgs(nil, nil, nil).WillReturnRows(metadataRows)
+					// Second query: fetchMeterSourceMetricsTemporalityAndType (from signoz_meter table)
+					emptyMetadataRows := cmock.NewRows(metadataCols, [][]any{})
+					mock.ExpectQuery("*meter*").WithArgs(nil).WillReturnRows(emptyMetadataRows)
 
 					// Generate query arguments for the metric query
 					evalTime := time.Now().UTC()

pkg/signoz/handler_test.go

@@ -48,9 +48,11 @@ func TestNewHandlers(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
 
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)
 
 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)

pkg/signoz/module.go

@@ -8,6 +8,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/cache"
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/apdex"
 	"github.com/SigNoz/signoz/pkg/modules/apdex/implapdex"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -89,10 +90,12 @@ func NewModules(
 	config Config,
 	dashboard dashboard.Module,
 	userGetter user.Getter,
+	userRoleStore authtypes.UserRoleStore,
+	flagger flagger.Flagger,
 ) Modules {
 	quickfilter := implquickfilter.NewModule(implquickfilter.NewStore(sqlstore))
 	orgSetter := implorganization.NewSetter(implorganization.NewStore(sqlstore), alertmanager, quickfilter)
-	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User)
+	user := impluser.NewModule(impluser.NewStore(sqlstore, providerSettings), userRoleStore, tokenizer, emailing, providerSettings, orgSetter, authz, analytics, config.User, flagger)
 	ruleStore := sqlrulestore.NewRuleStore(sqlstore, queryParser, providerSettings)
 
 	return Modules{
@@ -108,7 +111,7 @@ func NewModules(
 		TraceFunnel:     impltracefunnel.NewModule(impltracefunnel.NewStore(sqlstore)),
 		RawDataExport:   implrawdataexport.NewModule(querier),
 		AuthDomain:      implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs),
-		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter),
+		Session:         implsession.NewModule(providerSettings, authNs, user, userGetter, implauthdomain.NewModule(implauthdomain.NewStore(sqlstore), authNs), tokenizer, orgGetter, authz),
 		SpanPercentile:  implspanpercentile.NewModule(querier, providerSettings),
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),

pkg/signoz/module_test.go

@@ -47,9 +47,11 @@ func TestNewModules(t *testing.T) {
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
 
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings))
+
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter, userRoleStore, flagger)
 
 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/provider.go

@@ -175,6 +175,8 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
 		sqlmigration.NewAddStatusUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddUserRoleAuthzFactory(sqlstore),
 	)
 }
 

pkg/signoz/provider_test.go

@@ -1,13 +1,11 @@
 package signoz
 
 import (
-	"context"
 	"testing"
 
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/SigNoz/signoz/pkg/alertmanager/nfmanager/nfmanagertest"
 	"github.com/SigNoz/signoz/pkg/analytics"
-	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/instrumentation/instrumentationtest"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -77,12 +75,7 @@ func TestNewProviderFactories(t *testing.T) {
 	})
 
 	assert.NotPanics(t, func() {
-		flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
-		if err != nil {
-			panic(err)
-		}
-
-		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()), flagger)
+		userGetter := impluser.NewGetter(impluser.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual), instrumentationtest.New().ToProviderSettings()))
 		orgGetter := implorganization.NewGetter(implorganization.NewStore(sqlstoretest.New(sqlstore.Config{Provider: "sqlite"}, sqlmock.QueryMatcherEqual)), nil)
 		telemetryStore := telemetrystoretest.New(telemetrystore.Config{Provider: "clickhouse"}, sqlmock.QueryMatcherEqual)
 		NewStatsReporterProviderFactories(telemetryStore, []statsreporter.StatsCollector{}, orgGetter, userGetter, tokenizertest.NewMockTokenizer(t), version.Build{}, analytics.Config{Enabled: true})

pkg/signoz/signoz.go

@@ -281,8 +281,14 @@ func New(
 		return nil, err
 	}
 
+	// Initialize user store
+	userStore := impluser.NewStore(sqlstore, providerSettings)
+
+	// Initialize user role store
+	userRoleStore := impluser.NewUserRoleStore(sqlstore, providerSettings)
+
 	// Initialize user getter
-	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	userGetter := impluser.NewGetter(userStore)
 
 	licensingProviderFactory := licenseProviderFactory(sqlstore, zeus, orgGetter, analytics)
 	licensing, err := licensingProviderFactory.New(
@@ -390,7 +396,7 @@ func New(
 	}
 
 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
+	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter, userRoleStore, flagger)
 
 	// Initialize identN resolver
 	identNFactories := NewIdentNProviderFactories(sqlstore, tokenizer)
@@ -404,7 +410,7 @@ func New(
 	}
 	identNResolver := identn.NewIdentNResolver(providerSettings, identNs...)
 
-	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
+	userService := impluser.NewService(providerSettings, userStore, userRoleStore, modules.User, orgGetter, authz, config.User.Root)
 
 	// Initialize the querier handler via callback (allows EE to decorate with anomaly detection)
 	querierHandler := querierHandlerCallback(providerSettings, querier, analytics)

pkg/sqlmigration/037_add_trace_funnels.go

@@ -2,6 +2,7 @@ package sqlmigration
 
 import (
 	"context"
+
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -16,12 +17,12 @@ type funnel struct {
 	types.Identifiable // funnel id
 	types.TimeAuditable
 	types.UserAuditable
-	Name          string       `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
-	Description   string       `json:"description" bun:"description,type:text"`  // funnel description
-	OrgID         valuer.UUID  `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []funnelStep `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string       `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.User  `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"` // funnel name
+	Description   string              `json:"description" bun:"description,type:text"`  // funnel description
+	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []funnelStep        `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string              `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }
 
 type funnelStep struct {

pkg/sqlmigration/059_add_managed_roles.go

@@ -7,7 +7,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlschema"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/migrate"
@@ -54,7 +54,7 @@ func (migration *addManagedRoles) Up(ctx context.Context, db *bun.DB) error {
 		return err
 	}
 
-	managedRoles := []*roletypes.StorableRole{}
+	managedRoles := []*authtypes.StorableRole{}
 	for _, orgIDStr := range orgIDs {
 		orgID, err := valuer.NewUUID(orgIDStr)
 		if err != nil {
@@ -62,20 +62,20 @@ func (migration *addManagedRoles) Up(ctx context.Context, db *bun.DB) error {
 		}
 
 		// signoz admin
-		signozAdminRole := roletypes.NewRole(roletypes.SigNozAdminRoleName, roletypes.SigNozAdminRoleDescription, roletypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, roletypes.NewStorableRoleFromRole(signozAdminRole))
+		signozAdminRole := authtypes.NewRole(authtypes.SigNozAdminRoleName, authtypes.SigNozAdminRoleDescription, authtypes.RoleTypeManaged, orgID)
+		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozAdminRole))
 
 		// signoz editor
-		signozEditorRole := roletypes.NewRole(roletypes.SigNozEditorRoleName, roletypes.SigNozEditorRoleDescription, roletypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, roletypes.NewStorableRoleFromRole(signozEditorRole))
+		signozEditorRole := authtypes.NewRole(authtypes.SigNozEditorRoleName, authtypes.SigNozEditorRoleDescription, authtypes.RoleTypeManaged, orgID)
+		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozEditorRole))
 
 		// signoz viewer
-		signozViewerRole := roletypes.NewRole(roletypes.SigNozViewerRoleName, roletypes.SigNozViewerRoleDescription, roletypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, roletypes.NewStorableRoleFromRole(signozViewerRole))
+		signozViewerRole := authtypes.NewRole(authtypes.SigNozViewerRoleName, authtypes.SigNozViewerRoleDescription, authtypes.RoleTypeManaged, orgID)
+		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozViewerRole))
 
 		// signoz anonymous
-		signozAnonymousRole := roletypes.NewRole(roletypes.SigNozAnonymousRoleName, roletypes.SigNozAnonymousRoleDescription, roletypes.RoleTypeManaged, orgID)
-		managedRoles = append(managedRoles, roletypes.NewStorableRoleFromRole(signozAnonymousRole))
+		signozAnonymousRole := authtypes.NewRole(authtypes.SigNozAnonymousRoleName, authtypes.SigNozAnonymousRoleDescription, authtypes.RoleTypeManaged, orgID)
+		managedRoles = append(managedRoles, authtypes.NewStorableRoleFromRole(signozAnonymousRole))
 	}
 
 	if len(managedRoles) > 0 {

pkg/sqlmigration/063_add_public_dashboard_txn.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/oklog/ulid/v2"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/dialect"
@@ -83,7 +83,7 @@ func (migration *addAnonymousPublicDashboardTransaction) Up(ctx context.Context,
 			INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
 			VALUES (?, ?, ?, ?, ?, ?, ?, ?)
 			ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
-				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role:organization/"+orgID+"/role/"+roletypes.SigNozAnonymousRoleName+"#assignee", "userset", tupleID, now,
+				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role:organization/"+orgID+"/role/"+authtypes.SigNozAnonymousRoleName+"#assignee", "userset", tupleID, now,
 			)
 			if err != nil {
 				return err
@@ -102,7 +102,7 @@ func (migration *addAnonymousPublicDashboardTransaction) Up(ctx context.Context,
 			INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
 			VALUES (?, ?, ?, ?, ?, ?, ?, ?)
 			ON CONFLICT (store, ulid, object_type) DO NOTHING`,
-				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role:organization/"+orgID+"/role/"+roletypes.SigNozAnonymousRoleName+"#assignee", "TUPLE_OPERATION_WRITE", tupleID, now,
+				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role:organization/"+orgID+"/role/"+authtypes.SigNozAnonymousRoleName+"#assignee", "TUPLE_OPERATION_WRITE", tupleID, now,
 			)
 			if err != nil {
 				return err
@@ -113,7 +113,7 @@ func (migration *addAnonymousPublicDashboardTransaction) Up(ctx context.Context,
 			INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
 			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 			ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
-				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role", "organization/"+orgID+"/role/"+roletypes.SigNozAnonymousRoleName, "assignee", "userset", tupleID, now,
+				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role", "organization/"+orgID+"/role/"+authtypes.SigNozAnonymousRoleName, "assignee", "userset", tupleID, now,
 			)
 			if err != nil {
 				return err
@@ -132,7 +132,7 @@ func (migration *addAnonymousPublicDashboardTransaction) Up(ctx context.Context,
 			INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
 			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 			ON CONFLICT (store, ulid, object_type) DO NOTHING`,
-				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role", "organization/"+orgID+"/role/"+roletypes.SigNozAnonymousRoleName, "assignee", 0, tupleID, now,
+				storeID, "metaresource", "organization/"+orgID+"/public-dashboard/*", "read", "role", "organization/"+orgID+"/role/"+authtypes.SigNozAnonymousRoleName, "assignee", 0, tupleID, now,
 			)
 			if err != nil {
 				return err

pkg/sqlmigration/069_add_user_role.go

@@ -0,0 +1,197 @@
+package sqlmigration
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+var (
+	userRoleToSigNozManagedRoleMap = map[string]string{
+		"ADMIN":  "signoz-admin",
+		"EDITOR": "signoz-editor",
+		"VIEWER": "signoz-viewer",
+	}
+)
+
+type userRow struct {
+	ID    string `bun:"id"`
+	Role  string `bun:"role"`
+	OrgID string `bun:"org_id"`
+}
+
+type roleRow struct {
+	ID    string `bun:"id"`
+	Name  string `bun:"name"`
+	OrgID string `bun:"org_id"`
+}
+
+type orgRoleKey struct {
+	OrgID    string
+	RoleName string
+}
+
+type addUserRole struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+type userRoleRow struct {
+	bun.BaseModel `bun:"table:user_role"`
+
+	types.Identifiable
+	UserID string `bun:"user_id"`
+	RoleID string `bun:"role_id"`
+	types.TimeAuditable
+}
+
+func NewAddUserRoleFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRole{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *addUserRole) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "user_role",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "user_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("user_id"),
+				ReferencedTableName:   sqlschema.TableName("users"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("role_id"),
+				ReferencedTableName:   sqlschema.TableName("role"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(
+		&sqlschema.UniqueIndex{
+			TableName:   "user_role",
+			ColumnNames: []sqlschema.ColumnName{"user_id", "role_id"},
+		},
+	)
+
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	// fill the new user_role table for existing users
+	var users []userRow
+	err = tx.NewSelect().TableExpr("users").ColumnExpr("id, role, org_id").Scan(ctx, &users)
+	if err != nil {
+		return err
+	}
+
+	if len(users) == 0 {
+		return tx.Commit()
+	}
+
+	orgIDs := make(map[string]struct{})
+	for _, u := range users {
+		orgIDs[u.OrgID] = struct{}{}
+	}
+
+	orgIDList := make([]string, 0, len(orgIDs))
+	for oid := range orgIDs {
+		orgIDList = append(orgIDList, oid)
+	}
+
+	var roles []roleRow
+	err = tx.NewSelect().TableExpr("role").ColumnExpr("id, name, org_id").Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx, &roles)
+	if err != nil {
+		return err
+	}
+
+	roleMap := make(map[orgRoleKey]string)
+	for _, r := range roles {
+		roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID
+	}
+
+	now := time.Now()
+	userRoles := make([]*userRoleRow, 0, len(users))
+	for _, u := range users {
+		managedRoleName, ok := userRoleToSigNozManagedRoleMap[u.Role]
+		if !ok {
+			managedRoleName = "signoz-viewer" // fallback
+		}
+		roleID, ok := roleMap[orgRoleKey{OrgID: u.OrgID, RoleName: managedRoleName}]
+		if !ok {
+			continue // user needs to get access again
+		}
+
+		userRoles = append(userRoles, &userRoleRow{
+			Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
+			UserID:       u.ID,
+			RoleID:       roleID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: now,
+				UpdatedAt: now,
+			},
+		})
+	}
+
+	if len(userRoles) > 0 {
+		if _, err := tx.NewInsert().Model(&userRoles).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRole) Down(ctx context.Context, db *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/070_add_user_role_authz.go

@@ -0,0 +1,156 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/oklog/ulid/v2"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addUserRoleAuthz struct {
+	sqlstore sqlstore.SQLStore
+}
+
+func NewAddUserRoleAuthzFactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_user_role_authz"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addUserRoleAuthz{sqlstore: sqlstore}, nil
+	})
+}
+
+func (migration *addUserRoleAuthz) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addUserRoleAuthz) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	var storeID string
+	err = tx.QueryRowContext(ctx, `SELECT id FROM store WHERE name = ? LIMIT 1`, "signoz").Scan(&storeID)
+	if err != nil {
+		return err
+	}
+
+	type userRoleTuple struct {
+		UserID   string
+		OrgID    string
+		RoleName string
+	}
+
+	rows, err := tx.QueryContext(ctx, `
+		SELECT u.id, u.org_id, r.name
+		FROM users u
+		JOIN user_role ur ON ur.user_id = u.id
+		JOIN role r ON r.id = ur.role_id
+		WHERE u.status != 'deleted'
+	`)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return tx.Commit()
+		}
+		return err
+	}
+	defer rows.Close()
+
+	tuples := make([]userRoleTuple, 0)
+	for rows.Next() {
+		var t userRoleTuple
+		if err := rows.Scan(&t.UserID, &t.OrgID, &t.RoleName); err != nil {
+			return err
+		}
+		tuples = append(tuples, t)
+	}
+
+	if err := rows.Err(); err != nil {
+		return err
+	}
+
+	entropy := ulid.DefaultEntropy()
+	for _, t := range tuples {
+		now := time.Now().UTC()
+		tupleID := ulid.MustNew(ulid.Timestamp(now), entropy).String()
+
+		objectID := "organization/" + t.OrgID + "/role/" + t.RoleName
+		userID := "organization/" + t.OrgID + "/user/" + t.UserID
+
+		if migration.sqlstore.BunDB().Dialect().Name() == dialect.PG {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user:"+userID, "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user:"+userID, "TUPLE_OPERATION_WRITE", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		} else {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user", userID, "", "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "user", userID, "", 0, tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *addUserRoleAuthz) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/telemetrymetadata/metadata.go

@@ -1928,3 +1928,37 @@ func (t *telemetryMetaStore) GetFirstSeenFromMetricMetadata(ctx context.Context,
 
 	return result, nil
 }
+
+func (t *telemetryMetaStore) FetchLastSeenInfoMulti(ctx context.Context, metricNames ...string) (map[string]int64, error) {
+	sb := sqlbuilder.Select(
+		"metric_name",
+		"max(unix_milli)",
+	).
+		From(t.metricsDBName + "." + telemetrymetrics.TimeseriesV4TableName)
+	sb.Where(sb.In("metric_name", metricNames))
+	sb.GroupBy("metric_name")
+
+	query, args := sb.BuildWithFlavor(sqlbuilder.ClickHouse)
+
+	t.logger.DebugContext(ctx, "fetching metric last seen timestamp", "query", query, "args", args)
+
+	rows, err := t.telemetrystore.ClickhouseDB().Query(ctx, query, args...)
+	if err != nil {
+		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to fetch metric last seen info")
+	}
+	defer rows.Close()
+
+	lastSeenInfo := make(map[string]int64)
+	for rows.Next() {
+		var metricName string
+		var unix_milli int64
+		if err := rows.Scan(&metricName, &unix_milli); err != nil {
+			return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to scan last seen info result")
+		}
+		lastSeenInfo[metricName] = unix_milli
+	}
+	if err := rows.Err(); err != nil {
+		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "error iterating over metrics temporality rows")
+	}
+	return lastSeenInfo, nil
+}

pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go

@@ -34,7 +34,7 @@ func (store *store) Create(ctx context.Context, token *authtypes.StorableToken)
 }
 
 func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID) (*authtypes.Identity, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 
 	err := store.
 		sqlstore.

pkg/types/authtypes/authn.go

@@ -128,7 +128,7 @@ func (typ *Identity) ToClaims() Claims {
 
 type AuthNStore interface {
 	// Get user and factor password by email and orgID.
-	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error)
+	GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error)
 
 	// Get org domain from id.
 	GetAuthDomainFromID(ctx context.Context, domainID valuer.UUID) (*AuthDomain, error)

pkg/types/authtypes/mapping.go

@@ -83,44 +83,62 @@ func (typ *RoleMapping) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-func (roleMapping *RoleMapping) NewRoleFromCallbackIdentity(callbackIdentity *CallbackIdentity) types.Role {
+func (roleMapping *RoleMapping) ManagedRolesFromCallbackIdentity(callbackIdentity *CallbackIdentity) (types.Role, []string) {
 	if roleMapping == nil {
-		return types.RoleViewer
+		return types.RoleViewer, []string{SigNozViewerRoleName}
 	}
 
 	if roleMapping.UseRoleAttribute && callbackIdentity.Role != "" {
-		if role, err := types.NewRole(strings.ToUpper(callbackIdentity.Role)); err == nil {
-			return role
+		legacyRole, err := types.NewRole(strings.ToUpper(callbackIdentity.Role))
+		if err != nil {
+			return types.RoleViewer, []string{SigNozViewerRoleName}
+		}
+		if managedRole := resolveToManagedRole(callbackIdentity.Role); managedRole != "" {
+			return legacyRole, []string{managedRole}
 		}
 	}
 
 	if len(roleMapping.GroupMappings) > 0 && len(callbackIdentity.Groups) > 0 {
-		highestRole := types.RoleViewer
-		found := false
-
+		highestLegacyRole := types.RoleViewer
 		for _, group := range callbackIdentity.Groups {
 			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
-				found = true
 				if role, err := types.NewRole(strings.ToUpper(mappedRole)); err == nil {
-					if compareRoles(role, highestRole) > 0 {
-						highestRole = role
+					if compareRoles(role, highestLegacyRole) > 0 {
+						highestLegacyRole = role
 					}
 				}
 			}
 		}
 
-		if found {
-			return highestRole
+		seen := make(map[string]struct{})
+		var roles []string
+		for _, group := range callbackIdentity.Groups {
+			if mappedRole, exists := roleMapping.GroupMappings[group]; exists {
+				managedRole := resolveToManagedRole(mappedRole)
+				if managedRole != "" {
+					if _, ok := seen[managedRole]; !ok {
+						seen[managedRole] = struct{}{}
+						roles = append(roles, managedRole)
+					}
+				}
+			}
+		}
+		if len(roles) > 0 {
+			return highestLegacyRole, roles
 		}
 	}
 
 	if roleMapping.DefaultRole != "" {
-		if role, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole)); err == nil {
-			return role
+		legacyRole, err := types.NewRole(strings.ToUpper(roleMapping.DefaultRole))
+		if err != nil {
+			return types.RoleViewer, []string{SigNozViewerRoleName}
+		}
+		if managedRole := resolveToManagedRole(roleMapping.DefaultRole); managedRole != "" {
+			return legacyRole, []string{managedRole}
 		}
 	}
 
-	return types.RoleViewer
+	return types.RoleViewer, []string{SigNozViewerRoleName}
 }
 
 func compareRoles(a, b types.Role) int {
@@ -131,3 +149,12 @@ func compareRoles(a, b types.Role) int {
 	}
 	return order[a] - order[b]
 }
+
+func resolveToManagedRole(role string) string {
+	// backward compatible legacy role (ADMIN -> signoz-admin) useful in case of SSO
+	if legacyRole, err := types.NewRole(strings.ToUpper(role)); err == nil {
+		return MustGetSigNozManagedRoleFromExistingRole(legacyRole)
+	}
+
+	return role
+}

pkg/types/authtypes/role.go

@@ -1,13 +1,13 @@
-package roletypes
+package authtypes
 
 import (
+	"context"
 	"encoding/json"
 	"regexp"
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	"github.com/uptrace/bun"
@@ -51,7 +51,7 @@ var (
 )
 
 var (
-	TypeableResourcesRoles = authtypes.MustNewTypeableMetaResources(authtypes.MustNewName("roles"))
+	TypeableResourcesRoles = MustNewTypeableMetaResources(MustNewName("roles"))
 )
 
 type StorableRole struct {
@@ -194,20 +194,20 @@ func (role *PatchableRole) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-func GetAdditionTuples(name string, orgID valuer.UUID, relation authtypes.Relation, additions []*authtypes.Object) ([]*openfgav1.TupleKey, error) {
+func GetAdditionTuples(name string, orgID valuer.UUID, relation Relation, additions []*Object) ([]*openfgav1.TupleKey, error) {
 	tuples := make([]*openfgav1.TupleKey, 0)
 
 	for _, object := range additions {
-		typeable := authtypes.MustNewTypeableFromType(object.Resource.Type, object.Resource.Name)
+		typeable := MustNewTypeableFromType(object.Resource.Type, object.Resource.Name)
 		transactionTuples, err := typeable.Tuples(
-			authtypes.MustNewSubject(
-				authtypes.TypeableRole,
+			MustNewSubject(
+				TypeableRole,
 				name,
 				orgID,
-				&authtypes.RelationAssignee,
+				&RelationAssignee,
 			),
 			relation,
-			[]authtypes.Selector{object.Selector},
+			[]Selector{object.Selector},
 			orgID,
 		)
 		if err != nil {
@@ -220,20 +220,20 @@ func GetAdditionTuples(name string, orgID valuer.UUID, relation authtypes.Relati
 	return tuples, nil
 }
 
-func GetDeletionTuples(name string, orgID valuer.UUID, relation authtypes.Relation, deletions []*authtypes.Object) ([]*openfgav1.TupleKey, error) {
+func GetDeletionTuples(name string, orgID valuer.UUID, relation Relation, deletions []*Object) ([]*openfgav1.TupleKey, error) {
 	tuples := make([]*openfgav1.TupleKey, 0)
 
 	for _, object := range deletions {
-		typeable := authtypes.MustNewTypeableFromType(object.Resource.Type, object.Resource.Name)
+		typeable := MustNewTypeableFromType(object.Resource.Type, object.Resource.Name)
 		transactionTuples, err := typeable.Tuples(
-			authtypes.MustNewSubject(
-				authtypes.TypeableRole,
+			MustNewSubject(
+				TypeableRole,
 				name,
 				orgID,
-				&authtypes.RelationAssignee,
+				&RelationAssignee,
 			),
 			relation,
-			[]authtypes.Selector{object.Selector},
+			[]Selector{object.Selector},
 			orgID,
 		)
 		if err != nil {
@@ -254,3 +254,15 @@ func MustGetSigNozManagedRoleFromExistingRole(role types.Role) string {
 
 	return managedRole
 }
+
+type RoleStore interface {
+	Create(context.Context, *StorableRole) error
+	Get(context.Context, valuer.UUID, valuer.UUID) (*StorableRole, error)
+	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableRole, error)
+	List(context.Context, valuer.UUID) ([]*StorableRole, error)
+	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*StorableRole, error)
+	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*StorableRole, error)
+	Update(context.Context, valuer.UUID, *StorableRole) error
+	Delete(context.Context, valuer.UUID, valuer.UUID) error
+	RunInTx(context.Context, func(ctx context.Context) error) error
+}

pkg/types/authtypes/user_role.go

@@ -0,0 +1,104 @@
+package authtypes
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+var (
+	ErrCodeUserRoleAlreadyExists = errors.MustNewCode("user_role_already_exists")
+)
+
+type StorableUserRole struct {
+	bun.BaseModel `bun:"table:user_role,alias:user_role"`
+
+	types.Identifiable
+
+	UserID valuer.UUID `bun:"user_id"`
+	RoleID valuer.UUID `bun:"role_id"`
+
+	types.TimeAuditable
+}
+
+func newStorableUserRole(userID valuer.UUID, roleID valuer.UUID) *StorableUserRole {
+	return &StorableUserRole{
+		Identifiable: types.Identifiable{
+			ID: valuer.GenerateUUID(),
+		},
+		UserID: userID,
+		RoleID: roleID,
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+	}
+}
+
+func NewStorableUserRoles(userID valuer.UUID, roles []*Role) []*StorableUserRole {
+	storableUserRoles := make([]*StorableUserRole, len(roles))
+
+	for idx, role := range roles {
+		storableUserRoles[idx] = newStorableUserRole(userID, role.ID)
+	}
+
+	return storableUserRoles
+}
+
+func GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles []*StorableUserRole) (map[valuer.UUID][]valuer.UUID, []valuer.UUID) {
+	userIDRoles := make(map[valuer.UUID][]valuer.UUID)
+	uniqueRoleIDSet := make(map[valuer.UUID]struct{})
+
+	for _, userRole := range storableUserRoles {
+		userID := userRole.UserID
+		if _, ok := userIDRoles[userID]; !ok {
+			userIDRoles[userID] = make([]valuer.UUID, 0)
+		}
+		roleUUID := userRole.RoleID
+		userIDRoles[userID] = append(userIDRoles[userID], roleUUID)
+		uniqueRoleIDSet[userRole.RoleID] = struct{}{}
+	}
+
+	roleIDs := make([]valuer.UUID, 0, len(uniqueRoleIDSet))
+	for rid := range uniqueRoleIDSet {
+		roleIDs = append(roleIDs, rid)
+	}
+
+	return userIDRoles, roleIDs
+}
+
+func NewRoleNamesFromStorableUserRoles(storableUserRoles []*StorableUserRole, roles []*Role) ([]string, error) {
+	roleIDToName := make(map[valuer.UUID]string, len(roles))
+	for _, role := range roles {
+		roleIDToName[role.ID] = role.Name
+	}
+
+	names := make([]string, 0, len(storableUserRoles))
+	for _, storableUserRole := range storableUserRoles {
+		roleName, ok := roleIDToName[storableUserRole.RoleID]
+		if !ok {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "role id %s not found in provided roles", storableUserRole.RoleID)
+		}
+		names = append(names, roleName)
+	}
+
+	return names, nil
+}
+
+type UserRoleStore interface {
+	// create user roles in bulk
+	CreateUserRoles(ctx context.Context, userRoles []*StorableUserRole) error
+
+	// get user roles by user id
+	GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*StorableUserRole, error)
+
+	// list all user_role entries for
+	ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*StorableUserRole, error)
+
+	// delete user role entries by user id
+	DeleteUserRoles(ctx context.Context, userID valuer.UUID) error
+}

pkg/types/factor_api_key.go

@@ -39,15 +39,15 @@ type OrgUserAPIKey struct {
 }
 
 type UserWithAPIKey struct {
-	*User   `bun:",extend"`
-	APIKeys []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
+	*StorableUser `bun:",extend"`
+	APIKeys       []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
 }
 
 type StorableAPIKeyUser struct {
 	StorableAPIKey `bun:",extend"`
 
-	CreatedByUser *User `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
-	UpdatedByUser *User `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
+	CreatedByUser *StorableUser `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
+	UpdatedByUser *StorableUser `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
 }
 
 type StorableAPIKey struct {
@@ -138,7 +138,7 @@ func NewGettableAPIKeyFromStorableAPIKey(storableAPIKey *StorableAPIKeyUser) *Ge
 		LastUsed:      lastUsed,
 		Revoked:       storableAPIKey.Revoked,
 		UserID:        storableAPIKey.UserID.String(),
-		CreatedByUser: storableAPIKey.CreatedByUser,
-		UpdatedByUser: storableAPIKey.UpdatedByUser,
+		CreatedByUser: NewUserFromStorable(storableAPIKey.CreatedByUser, make([]string, 0)), // factor api key will be removed
+		UpdatedByUser: NewUserFromStorable(storableAPIKey.UpdatedByUser, make([]string, 0)), // factor api key will be removed
 	}
 }

pkg/types/invite.go

@@ -25,6 +25,7 @@ type Invite struct {
 	Email valuer.Email `bun:"email,type:text" json:"email"`
 	Token string       `bun:"token,type:text" json:"token"`
 	Role  Role         `bun:"role,type:text" json:"role"`
+	Roles []string     `bun:"roles,type:text" json:"roles"`
 	OrgID valuer.UUID  `bun:"org_id,type:text" json:"orgId"`
 
 	InviteLink string `bun:"-" json:"inviteLink"`
@@ -50,6 +51,7 @@ type PostableInvite struct {
 	Name            string       `json:"name"`
 	Email           valuer.Email `json:"email"`
 	Role            Role         `json:"role"`
+	Roles           []string     `json:"roles"`
 	FrontendBaseUrl string       `json:"frontendBaseUrl"`
 }
 
@@ -83,7 +85,7 @@ type GettableCreateInviteResponse struct {
 	InviteToken string `json:"token"`
 }
 
-func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
+func NewInvite(name string, role Role, roles []string, orgID valuer.UUID, email valuer.Email) (*Invite, error) {
 	invite := &Invite{
 		Identifiable: Identifiable{
 			ID: valuer.GenerateUUID(),
@@ -92,6 +94,7 @@ func NewInvite(name string, role Role, orgID valuer.UUID, email valuer.Email) (*
 		Email: email,
 		Token: valuer.GenerateUUID().String(),
 		Role:  role,
+		Roles: roles,
 		OrgID: orgID,
 		TimeAuditable: TimeAuditable{
 			CreatedAt: time.Now(),

pkg/types/roletypes/store.go

@@ -1,19 +0,0 @@
-package roletypes
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type Store interface {
-	Create(context.Context, *StorableRole) error
-	Get(context.Context, valuer.UUID, valuer.UUID) (*StorableRole, error)
-	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableRole, error)
-	List(context.Context, valuer.UUID) ([]*StorableRole, error)
-	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*StorableRole, error)
-	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*StorableRole, error)
-	Update(context.Context, valuer.UUID, *StorableRole) error
-	Delete(context.Context, valuer.UUID, valuer.UUID) error
-	RunInTx(context.Context, func(ctx context.Context) error) error
-}

pkg/types/serviceaccounttypes/service_acccount.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )
@@ -102,10 +102,10 @@ func NewServiceAccountFromStorables(storableServiceAccount *StorableServiceAccou
 	}
 }
 
-func NewServiceAccountsFromRoles(storableServiceAccounts []*StorableServiceAccount, roles []*roletypes.Role, serviceAccountIDToRoleIDsMap map[string][]valuer.UUID) []*ServiceAccount {
+func NewServiceAccountsFromRoles(storableServiceAccounts []*StorableServiceAccount, roles []*authtypes.Role, serviceAccountIDToRoleIDsMap map[string][]valuer.UUID) []*ServiceAccount {
 	serviceAccounts := make([]*ServiceAccount, 0, len(storableServiceAccounts))
 
-	roleIDToRole := make(map[string]*roletypes.Role, len(roles))
+	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
 	for _, role := range roles {
 		roleIDToRole[role.ID.String()] = role
 	}

pkg/types/serviceaccounttypes/service_account_role.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )
@@ -19,7 +19,7 @@ type StorableServiceAccountRole struct {
 	RoleID           string `bun:"role_id"`
 }
 
-func NewStorableServiceAccountRoles(serviceAccountID valuer.UUID, roles []*roletypes.Role) []*StorableServiceAccountRole {
+func NewStorableServiceAccountRoles(serviceAccountID valuer.UUID, roles []*authtypes.Role) []*StorableServiceAccountRole {
 	storableServiceAccountRoles := make([]*StorableServiceAccountRole, len(roles))
 	for idx, role := range roles {
 		storableServiceAccountRoles[idx] = &StorableServiceAccountRole{
@@ -38,7 +38,7 @@ func NewStorableServiceAccountRoles(serviceAccountID valuer.UUID, roles []*rolet
 	return storableServiceAccountRoles
 }
 
-func NewRolesFromStorableServiceAccountRoles(storable []*StorableServiceAccountRole, roles []*roletypes.Role) ([]string, error) {
+func NewRolesFromStorableServiceAccountRoles(storable []*StorableServiceAccountRole, roles []*authtypes.Role) ([]string, error) {
 	roleIDToName := make(map[string]string, len(roles))
 	for _, role := range roles {
 		roleIDToName[role.ID.String()] = role.Name

pkg/types/telemetrytypes/store.go

@@ -45,6 +45,8 @@ type MetadataStore interface {
 
 	// GetFirstSeenFromMetricMetadata gets the first seen timestamp for a metric metadata lookup key.
 	GetFirstSeenFromMetricMetadata(ctx context.Context, lookupKeys []MetricMetadataLookupKey) (map[MetricMetadataLookupKey]int64, error)
+
+	FetchLastSeenInfoMulti(ctx context.Context, metricNames ...string) (map[string]int64, error)
 }
 
 type MetricMetadataLookupKey struct {

pkg/types/telemetrytypes/telemetrytypestest/metadata_store.go

@@ -342,3 +342,7 @@ func (m *MockMetadataStore) SetFirstSeenFromMetricMetadata(firstSeenMap map[tele
 		m.LookupKeysMap[key] = value
 	}
 }
+
+func (m *MockMetadataStore) FetchLastSeenInfoMulti(ctx context.Context, metricNames ...string) (map[string]int64, error) {
+	return make(map[string]int64), nil
+}

pkg/types/tracefunneltypes/tracefunnel.go

@@ -18,12 +18,12 @@ type StorableFunnel struct {
 	types.TimeAuditable
 	types.UserAuditable
 	bun.BaseModel `bun:"table:trace_funnel"`
-	Name          string        `json:"funnel_name" bun:"name,type:text,notnull"`
-	Description   string        `json:"description" bun:"description,type:text"`
-	OrgID         valuer.UUID   `json:"org_id" bun:"org_id,type:varchar,notnull"`
-	Steps         []*FunnelStep `json:"steps" bun:"steps,type:text,notnull"`
-	Tags          string        `json:"tags" bun:"tags,type:text"`
-	CreatedByUser *types.User   `json:"user" bun:"rel:belongs-to,join:created_by=id"`
+	Name          string              `json:"funnel_name" bun:"name,type:text,notnull"`
+	Description   string              `json:"description" bun:"description,type:text"`
+	OrgID         valuer.UUID         `json:"org_id" bun:"org_id,type:varchar,notnull"`
+	Steps         []*FunnelStep       `json:"steps" bun:"steps,type:text,notnull"`
+	Tags          string              `json:"tags" bun:"tags,type:text"`
+	CreatedByUser *types.StorableUser `json:"user" bun:"rel:belongs-to,join:created_by=id"`
 }
 
 type FunnelStep struct {

pkg/types/tracefunneltypes/utils_test.go

@@ -443,7 +443,7 @@ func TestConstructFunnelResponse(t *testing.T) {
 				},
 				Name:  "test-funnel",
 				OrgID: orgID,
-				CreatedByUser: &types.User{
+				CreatedByUser: &types.StorableUser{
 					Identifiable: types.Identifiable{
 						ID: userID,
 					},

pkg/types/user.go

@@ -33,10 +33,21 @@ var (
 	ValidUserStatus         = []valuer.String{UserStatusPendingInvite, UserStatusActive, UserStatusDeleted}
 )
 
-type GettableUser = User
-
 type User struct {
-	bun.BaseModel `bun:"table:users"`
+	Identifiable
+	DisplayName string        `json:"displayName"`
+	Email       valuer.Email  `json:"email"`
+	Role        Role          `json:"role"`
+	Roles       []string      `json:"roles"`
+	OrgID       valuer.UUID   `json:"orgId"`
+	IsRoot      bool          `json:"isRoot"`
+	Status      valuer.String `json:"status"`
+	DeletedAt   time.Time     `json:"-"`
+	TimeAuditable
+}
+
+type StorableUser struct {
+	bun.BaseModel `bun:"table:users,alias:users"`
 
 	Identifiable
 	DisplayName string        `bun:"display_name" json:"displayName"`
@@ -57,7 +68,59 @@ type PostableRegisterOrgAndAdmin struct {
 	OrgName        string       `json:"orgName"`
 }
 
-func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID, status valuer.String) (*User, error) {
+func NewStorableUser(user *User) *StorableUser {
+	if user == nil {
+		return nil
+	}
+
+	return &StorableUser{
+		Identifiable:  user.Identifiable,
+		DisplayName:   user.DisplayName,
+		Email:         user.Email,
+		Role:          user.Role,
+		OrgID:         user.OrgID,
+		IsRoot:        user.IsRoot,
+		Status:        user.Status,
+		DeletedAt:     user.DeletedAt,
+		TimeAuditable: user.TimeAuditable,
+	}
+}
+
+func NewUserFromStorable(storableUser *StorableUser, roleNames []string) *User {
+	if storableUser == nil {
+		return nil
+	}
+	return &User{
+		Identifiable:  storableUser.Identifiable,
+		DisplayName:   storableUser.DisplayName,
+		Email:         storableUser.Email,
+		Role:          storableUser.Role,
+		Roles:         roleNames,
+		OrgID:         storableUser.OrgID,
+		IsRoot:        storableUser.IsRoot,
+		Status:        storableUser.Status,
+		DeletedAt:     storableUser.DeletedAt,
+		TimeAuditable: storableUser.TimeAuditable,
+	}
+}
+
+// func NewUsersFromStorables(storableUsers []*StorableUser) []*User {
+// 	users := make([]*User, len(storableUsers))
+// 	for i, s := range storableUsers {
+// 		users[i] = NewUserFromStorable(s)
+// 	}
+// 	return users
+// }
+
+func NewStorableUsers(users []*User) []*StorableUser {
+	storableUsers := make([]*StorableUser, len(users))
+	for i, u := range users {
+		storableUsers[i] = NewStorableUser(u)
+	}
+	return storableUsers
+}
+
+func NewUser(displayName string, email valuer.Email, role Role, roles []string, orgID valuer.UUID, status valuer.String) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -81,6 +144,7 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 		DisplayName: displayName,
 		Email:       email,
 		Role:        role,
+		Roles:       roles,
 		OrgID:       orgID,
 		IsRoot:      false,
 		Status:      status,
@@ -91,7 +155,7 @@ func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUI
 	}, nil
 }
 
-func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*User, error) {
+func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID, roleNames []string) (*User, error) {
 	if email.IsZero() {
 		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
 	}
@@ -107,6 +171,7 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us
 		DisplayName: displayName,
 		Email:       email,
 		Role:        RoleAdmin,
+		Roles:       roleNames,
 		OrgID:       orgID,
 		IsRoot:      true,
 		Status:      UserStatusActive,
@@ -119,13 +184,10 @@ func NewRootUser(displayName string, email valuer.Email, orgID valuer.UUID) (*Us
 
 // Update applies mutable fields from the input to the user. Immutable fields
 // (email, is_root, org_id, id) are preserved. Only non-zero input fields are applied.
-func (u *User) Update(displayName string, role Role) {
-	if displayName != "" {
-		u.DisplayName = displayName
-	}
-	if role != "" {
-		u.Role = role
-	}
+func (u *User) Update(displayName string, role Role, roles []string) {
+	u.DisplayName = displayName
+	u.Role = role
+	u.Roles = roles
 	u.UpdatedAt = time.Now()
 }
 
@@ -168,6 +230,15 @@ func (u *User) ErrIfRoot() error {
 	return nil
 }
 
+// ErrIfRoot returns an error if the user is a root user. The caller should
+// enrich the error with the specific operation using errors.WithAdditionalf.
+func (u *StorableUser) ErrIfRoot() error {
+	if u.IsRoot {
+		return errors.New(errors.TypeUnsupported, ErrCodeRootUserOperationUnsupported, "this operation is not supported for the root user")
+	}
+	return nil
+}
+
 // ErrIfDeleted returns an error if the user is in deleted state.
 // This error can be enriched with specific operation by the called using errors.WithAdditionalf
 func (u *User) ErrIfDeleted() error {
@@ -177,6 +248,15 @@ func (u *User) ErrIfDeleted() error {
 	return nil
 }
 
+// ErrIfDeleted returns an error if the user is in deleted state.
+// This error can be enriched with specific operation by the called using errors.WithAdditionalf
+func (u *StorableUser) ErrIfDeleted() error {
+	if u.Status == UserStatusDeleted {
+		return errors.New(errors.TypeUnsupported, ErrCodeUserStatusDeleted, "unsupported operation for deleted user")
+	}
+	return nil
+}
+
 // ErrIfPending returns an error if the user is in pending invite state.
 // This error can be enriched with specific operation by the called using errors.WithAdditionalf
 func (u *User) ErrIfPending() error {
@@ -186,10 +266,40 @@ func (u *User) ErrIfPending() error {
 	return nil
 }
 
+func (u *User) PatchRoles(targetRoles []string) ([]string, []string) {
+	currentRolesSet := make(map[string]struct{}, len(u.Roles))
+	inputRolesSet := make(map[string]struct{}, len(targetRoles))
+
+	for _, role := range u.Roles {
+		currentRolesSet[role] = struct{}{}
+	}
+	for _, role := range targetRoles {
+		inputRolesSet[role] = struct{}{}
+	}
+
+	// additions: roles present in input but not in current
+	additions := []string{}
+	for _, role := range targetRoles {
+		if _, exists := currentRolesSet[role]; !exists {
+			additions = append(additions, role)
+		}
+	}
+
+	// deletions: roles present in current but not in input
+	deletions := []string{}
+	for _, role := range u.Roles {
+		if _, exists := inputRolesSet[role]; !exists {
+			deletions = append(deletions, role)
+		}
+	}
+
+	return additions, deletions
+}
+
 func NewTraitsFromUser(user *User) map[string]any {
 	return map[string]any{
 		"name":         user.DisplayName,
-		"role":         user.Role,
+		"roles":        user.Roles,
 		"email":        user.Email.String(),
 		"display_name": user.DisplayName,
 		"status":       user.Status,
@@ -215,33 +325,33 @@ func (request *PostableRegisterOrgAndAdmin) UnmarshalJSON(data []byte) error {
 
 type UserStore interface {
 	// Creates a user.
-	CreateUser(ctx context.Context, user *User) error
+	CreateUser(ctx context.Context, user *StorableUser) error
 
 	// Get user by id.
-	GetUser(context.Context, valuer.UUID) (*User, error)
+	GetUser(context.Context, valuer.UUID) (*StorableUser, error)
 
 	// Get user by orgID and id.
-	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*User, error)
+	GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*StorableUser, error)
 
 	// Get user by email and orgID.
-	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*User, error)
+	GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*StorableUser, error)
 
 	// Get users by email.
-	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*User, error)
+	GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*StorableUser, error)
 
-	// Get users by role and org.
-	GetActiveUsersByRoleAndOrgID(ctx context.Context, role Role, orgID valuer.UUID) ([]*User, error)
+	// Get active users by role name and org. join to user_role table.
+	GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*StorableUser, error)
 
 	// List users by org.
-	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*User, error)
+	ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*StorableUser, error)
 
 	// List users by email and org ids.
-	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*User, error)
+	ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*StorableUser, error)
 
 	// Get users for an org id using emails and statuses
-	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*User, error)
+	GetUsersByEmailsOrgIDAndStatuses(context.Context, valuer.UUID, []string, []string) ([]*StorableUser, error)
 
-	UpdateUser(ctx context.Context, orgID valuer.UUID, user *User) error
+	UpdateUser(ctx context.Context, orgID valuer.UUID, user *StorableUser) error
 	DeleteUser(ctx context.Context, orgID string, id string) error
 	SoftDeleteUser(ctx context.Context, orgID string, id string) error
 
@@ -267,10 +377,10 @@ type UserStore interface {
 	CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error)
 
 	// Get root user by org.
-	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*User, error)
+	GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*StorableUser, error)
 
 	// Get user by reset password token
-	GetUserByResetPasswordToken(ctx context.Context, token string) (*User, error)
+	GetUserByResetPasswordToken(ctx context.Context, token string) (*StorableUser, error)
 
 	// Transaction
 	RunInTx(ctx context.Context, cb func(ctx context.Context) error) error

tests/integration/src/dashboard/02_public_dashboard.py

@@ -1,3 +1,4 @@
+from datetime import datetime, timedelta, timezone
 from http import HTTPStatus
 from typing import Callable, List
 
@@ -7,6 +8,7 @@ from sqlalchemy import sql
 from wiremock.resources.mappings import Mapping
 
 from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD, add_license
+from fixtures.metrics import Metrics
 from fixtures.types import Operation, SigNoz, TestContainerDocker
 
 
@@ -74,9 +76,37 @@ def test_public_dashboard_widget_query_range(
     signoz: SigNoz,
     create_user_admin: Operation,  # pylint: disable=unused-argument
     get_token: Callable[[str, str], str],
+    insert_metrics: Callable[[List[Metrics]], None],
 ):
     admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
 
+    # Insert metric data so the widget query returns results instead of 404
+    now = datetime.now(tz=timezone.utc).replace(second=0, microsecond=0)
+    metrics: List[Metrics] = [
+        Metrics(
+            metric_name="container.cpu.time",
+            labels={"service": "test-service"},
+            timestamp=now - timedelta(minutes=5),
+            value=100.0,
+            temporality="Cumulative",
+        ),
+        Metrics(
+            metric_name="container.cpu.time",
+            labels={"service": "test-service"},
+            timestamp=now - timedelta(minutes=3),
+            value=200.0,
+            temporality="Cumulative",
+        ),
+        Metrics(
+            metric_name="container.cpu.time",
+            labels={"service": "test-service"},
+            timestamp=now - timedelta(minutes=1),
+            value=300.0,
+            temporality="Cumulative",
+        ),
+    ]
+    insert_metrics(metrics)
+
     dashboard_req = {
         "title": "Test Widget Query Range Dashboard",
         "description": "For testing widget query range",

tests/integration/src/querier/03_metrics.py

@@ -10,12 +10,16 @@ from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD
 from fixtures.metrics import Metrics
 from fixtures.querier import (
     assert_minutely_bucket_values,
+    build_builder_query,
     find_named_result,
     index_series_by_label,
+    make_query_request,
 )
+from fixtures.utils import get_testdata_file_path
 
 FILL_GAPS = "fillGaps"
 FILL_ZERO = "fillZero"
+HISTOGRAM_FILE = get_testdata_file_path("histogram_data_1h.jsonl")
 
 
 def _build_format_options(fill_mode: str) -> Dict[str, Any]:
@@ -580,3 +584,39 @@ def test_metrics_fill_formula_with_group_by(
             expected_by_ts=expectations[group],
             context=f"metrics/{fill_mode}/F1/{group}",
         )
+
+def test_histogram_p90_returns_404_outside_data_window(
+    signoz: types.SigNoz,
+    create_user_admin: None,  # pylint: disable=unused-argument
+    get_token: Callable[[str, str], str],
+    insert_metrics: Callable[[List[Metrics]], None],
+) -> None:
+    
+    now = datetime.now(tz=timezone.utc).replace(second=0, microsecond=0)
+    metric_name = "test_p90_last_seen_bucket"
+
+    metrics = Metrics.load_from_file(
+        HISTOGRAM_FILE,
+        base_time=now - timedelta(minutes=90),
+        metric_name_override=metric_name,
+    )
+    insert_metrics(metrics)
+
+    token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)
+    query = build_builder_query(
+        "A",
+        metric_name,
+        "doesnotreallymatter",
+        "p90",
+    )
+
+    end_ms = int(now.timestamp() * 1000)
+
+    start_2h = int((now - timedelta(hours=2)).timestamp() * 1000)
+    response = make_query_request(signoz, token, start_2h, end_ms, [query])
+    assert response.status_code == HTTPStatus.OK
+    assert response.json()["status"] == "success"
+
+    start_15m = int((now - timedelta(minutes=15)).timestamp() * 1000)
+    response = make_query_request(signoz, token, start_15m, end_ms, [query])
+    assert response.status_code == HTTPStatus.NOT_FOUND