chore: authz helpers

.github/workflows/jsci.yaml

@@ -61,3 +61,49 @@ jobs:
     with:
       PRIMUS_REF: main
       JS_SRC: frontend
+  authz:
+    if: |
+      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
+      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: "22"
+
+      - name: Install frontend dependencies
+        working-directory: ./frontend
+        run: |
+          yarn install
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Install Python dependencies
+        working-directory: ./tests/integration
+        run: |
+          uv sync
+
+      - name: Start test environment
+        run: |
+          make py-test-setup
+
+      - name: Generate permissions.type.ts
+        run: |
+          node frontend/scripts/generate-permissions-type.js
+
+      - name: Teardown test environment
+        if: always()
+        run: |
+          make py-test-teardown
+
+      - name: Check for changes
+        run: |
+          if ! git diff --exit-code frontend/src/hooks/useAuthZ/permissions.type.ts; then
+            echo "::error::frontend/src/hooks/useAuthZ/permissions.type.ts is out of date. Please run the generator locally and commit the changes: npm run generate:permissions-type (from the frontend directory)"
+            exit 1
+          fi

ee/query-service/rules/anomaly.go

@@ -26,7 +26,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/utils/times"
 	"github.com/SigNoz/signoz/pkg/query-service/utils/timestamp"
 
-	"github.com/SigNoz/signoz/pkg/query-service/formatter"
+	"github.com/SigNoz/signoz/pkg/units"
 
 	baserules "github.com/SigNoz/signoz/pkg/query-service/rules"
 
@@ -335,7 +335,7 @@ func (r *AnomalyRule) Eval(ctx context.Context, ts time.Time) (int, error) {
 
 	prevState := r.State()
 
-	valueFormatter := formatter.FromUnit(r.Unit())
+	valueFormatter := units.FormatterFromUnit(r.Unit())
 
 	var res ruletypes.Vector
 	var err error

frontend/.eslintrc.js

@@ -2,7 +2,11 @@
  * ESLint Configuration for SigNoz Frontend
  */
 module.exports = {
-	ignorePatterns: ['src/parser/*.ts', 'scripts/update-registry.js'],
+	ignorePatterns: [
+		'src/parser/*.ts',
+		'scripts/update-registry.js',
+		'scripts/generate-permissions-type.js',
+	],
 	env: {
 		browser: true,
 		es2021: true,

frontend/package.json

@@ -19,7 +19,8 @@
 		"commitlint": "commitlint --edit $1",
 		"test": "jest",
 		"test:changedsince": "jest --changedSince=main --coverage --silent",
-		"generate:api": "orval --config ./orval.config.ts && sh scripts/post-types-generation.sh"
+		"generate:api": "orval --config ./orval.config.ts && sh scripts/post-types-generation.sh",
+		"generate:permissions-type": "node scripts/generate-permissions-type.js"
 	},
 	"engines": {
 		"node": ">=16.15.0"

frontend/scripts/generate-permissions-type.js

@@ -0,0 +1,199 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const axios = require('axios');
+
+const PERMISSIONS_TYPE_FILE = path.join(
+	__dirname,
+	'../src/hooks/useAuthZ/permissions.type.ts',
+);
+
+const SIGNOZ_INTEGRATION_IMAGE = 'signoz:integration';
+const LOCAL_BACKEND_URL = 'http://localhost:8080';
+
+function log(message) {
+	console.log(`[generate-permissions-type] ${message}`);
+}
+
+function getBackendUrlFromDocker() {
+	try {
+		const output = execSync(
+			`docker ps --filter "ancestor=${SIGNOZ_INTEGRATION_IMAGE}" --format "{{.Ports}}"`,
+			{ encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] },
+		).trim();
+
+		if (!output) {
+			return null;
+		}
+
+		const portMatch = output.match(/0\.0\.0\.0:(\d+)->8080\/tcp/);
+		if (portMatch) {
+			return `http://localhost:${portMatch[1]}`;
+		}
+
+		const ipv6Match = output.match(/:::(\d+)->8080\/tcp/);
+		if (ipv6Match) {
+			return `http://localhost:${ipv6Match[1]}`;
+		}
+	} catch (err) {
+		log(`Warning: Could not get port from docker: ${err.message}`);
+	}
+	return null;
+}
+
+async function checkBackendHealth(url, maxAttempts = 3, delayMs = 1000) {
+	for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+		try {
+			await axios.get(`${url}/api/v1/health`, {
+				timeout: 5000,
+				validateStatus: (status) => status === 200,
+			});
+			return true;
+		} catch (err) {
+			if (attempt < maxAttempts) {
+				await new Promise((r) => setTimeout(r, delayMs));
+			}
+		}
+	}
+	return false;
+}
+
+async function discoverBackendUrl() {
+	const dockerUrl = getBackendUrlFromDocker();
+	if (dockerUrl) {
+		log(`Found ${SIGNOZ_INTEGRATION_IMAGE} container, trying ${dockerUrl}...`);
+		if (await checkBackendHealth(dockerUrl)) {
+			log(`Backend found at ${dockerUrl} (from py-test-setup)`);
+			return dockerUrl;
+		}
+		log(`Backend at ${dockerUrl} is not responding`);
+	}
+
+	log(`Trying local backend at ${LOCAL_BACKEND_URL}...`);
+	if (await checkBackendHealth(LOCAL_BACKEND_URL)) {
+		log(`Backend found at ${LOCAL_BACKEND_URL}`);
+		return LOCAL_BACKEND_URL;
+	}
+
+	return null;
+}
+
+async function fetchResources(backendUrl) {
+	log('Fetching resources from API...');
+	const resourcesUrl = `${backendUrl}/api/v1/authz/resources`;
+
+	const { data: response } = await axios.get(resourcesUrl);
+
+	return response;
+}
+
+function transformResponse(apiResponse) {
+	if (!apiResponse.data) {
+		throw new Error('Invalid API response: missing data field');
+	}
+
+	const { resources, relations } = apiResponse.data;
+
+	return {
+		status: apiResponse.status || 'success',
+		data: {
+			resources: resources,
+			relations: relations,
+		},
+	};
+}
+
+function generateTypeScriptFile(data) {
+	const resourcesStr = data.data.resources
+		.map(
+			(r) =>
+				`\t\t\t{\n\t\t\t\tname: '${r.name}',\n\t\t\t\ttype: '${r.type}',\n\t\t\t}`,
+		)
+		.join(',\n');
+
+	const relationsStr = Object.entries(data.data.relations)
+		.map(
+			([type, relations]) =>
+				`\t\t\t${type}: [${relations.map((r) => `'${r}'`).join(', ')}]`,
+		)
+		.join(',\n');
+
+	return `// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY scripts/generate-permissions-type
+export default {
+\tstatus: '${data.status}',
+\tdata: {
+\t\tresources: [
+${resourcesStr}
+\t\t],
+\t\trelations: {
+${relationsStr}
+\t\t},
+\t},
+} as const;
+`;
+}
+
+async function main() {
+	try {
+		log('Starting permissions type generation...');
+
+		const backendUrl = await discoverBackendUrl();
+
+		if (!backendUrl) {
+			console.error('\n' + '='.repeat(80));
+			console.error('ERROR: No running SigNoz backend found!');
+			console.error('='.repeat(80));
+			console.error(
+				'\nThe permissions type generator requires a running SigNoz backend.',
+			);
+			console.error('\nFor local development, start the backend with:');
+			console.error('  make go-run-enterprise');
+			console.error(
+				'\nFor CI or integration testing, start the test environment with:',
+			);
+			console.error('  make py-test-setup');
+			console.error(
+				'\nIf running in CI and seeing this error, check that the py-test-setup',
+			);
+			console.error('step completed successfully before this step runs.');
+			console.error('='.repeat(80) + '\n');
+			process.exit(1);
+		}
+
+		log('Fetching resources...');
+		const apiResponse = await fetchResources(backendUrl);
+
+		log('Transforming response...');
+		const transformed = transformResponse(apiResponse);
+
+		log('Generating TypeScript file...');
+		const content = generateTypeScriptFile(transformed);
+
+		log(`Writing to ${PERMISSIONS_TYPE_FILE}...`);
+		fs.writeFileSync(PERMISSIONS_TYPE_FILE, content, 'utf8');
+
+		const rootDir = path.join(__dirname, '../..');
+		const relativePath = path.relative(
+			path.join(rootDir, 'frontend'),
+			PERMISSIONS_TYPE_FILE,
+		);
+		log('Linting generated file...');
+		execSync(`cd frontend && yarn eslint --fix ${relativePath}`, {
+			cwd: rootDir,
+			stdio: 'inherit',
+		});
+
+		log('Successfully generated permissions.type.ts');
+	} catch (error) {
+		log(`Error: ${error.message}`);
+		process.exit(1);
+	}
+}
+
+if (require.main === module) {
+	main();
+}
+
+module.exports = { main };

frontend/src/AppRoutes/routes.ts

@@ -1,6 +1,7 @@
 import { RouteProps } from 'react-router-dom';
 import ROUTES from 'constants/routes';
 
+import { createGuardedRoute } from '../components/createGuardedRoute/createGuardedRoute';
 import {
 	AlertHistory,
 	AlertOverview,
@@ -84,7 +85,11 @@ const routes: AppRoutes[] = [
 	{
 		path: ROUTES.HOME,
 		exact: true,
-		component: Home,
+		component: createGuardedRoute(
+			Home,
+			'delete',
+			'dashboard:e6dbc08b-976d-4c41-8572-93c990c3b297',
+		),
 		isPrivate: true,
 		key: 'HOME',
 	},

frontend/src/components/GuardAuthZ/GuardAuthZ.test.tsx

@@ -0,0 +1,321 @@
+import { ReactElement } from 'react';
+import {
+	AuthtypesGettableTransactionDTO,
+	AuthtypesTransactionDTO,
+} from 'api/generated/services/sigNoz.schemas';
+import { ENVIRONMENT } from 'constants/env';
+import { BrandedPermission } from 'hooks/useAuthZ/types';
+import { buildPermission } from 'hooks/useAuthZ/utils';
+import { server } from 'mocks-server/server';
+import { rest } from 'msw';
+import { render, screen, waitFor } from 'tests/test-utils';
+
+import { GuardAuthZ } from './GuardAuthZ';
+
+const BASE_URL = ENVIRONMENT.baseURL || '';
+const AUTHZ_CHECK_URL = `${BASE_URL}/api/v1/authz/check`;
+
+function authzMockResponse(
+	payload: AuthtypesTransactionDTO[],
+	authorizedByIndex: boolean[],
+): { data: AuthtypesGettableTransactionDTO[]; status: string } {
+	return {
+		data: payload.map((txn, i) => ({
+			relation: txn.relation,
+			object: txn.object,
+			authorized: authorizedByIndex[i] ?? false,
+		})),
+		status: 'success',
+	};
+}
+
+describe('GuardAuthZ', () => {
+	const TestChild = (): ReactElement => <div>Protected Content</div>;
+	const LoadingFallback = (): ReactElement => <div>Loading...</div>;
+	const ErrorFallback = (error: Error): ReactElement => (
+		<div>Error occurred: {error.message}</div>
+	);
+	const NoPermissionFallback = (_response: {
+		requiredPermissionName: BrandedPermission;
+	}): ReactElement => <div>Access denied</div>;
+	const NoPermissionFallbackWithSuggestions = (response: {
+		requiredPermissionName: BrandedPermission;
+	}): ReactElement => (
+		<div>
+			Access denied. Required permission: {response.requiredPermissionName}
+		</div>
+	);
+
+	it('should render children when permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		render(
+			<GuardAuthZ relation="read" object="dashboard:*">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(screen.getByText('Protected Content')).toBeInTheDocument();
+		});
+	});
+
+	it('should render fallbackOnLoading when loading', () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (_req, res, ctx) => {
+				return res(
+					ctx.delay('infinite'),
+					ctx.status(200),
+					ctx.json({ data: [], status: 'success' }),
+				);
+			}),
+		);
+
+		render(
+			<GuardAuthZ
+				relation="read"
+				object="dashboard:*"
+				fallbackOnLoading={<LoadingFallback />}
+			>
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		expect(screen.getByText('Loading...')).toBeInTheDocument();
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should render null when loading and no fallbackOnLoading provided', () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (_req, res, ctx) => {
+				return res(
+					ctx.delay('infinite'),
+					ctx.status(200),
+					ctx.json({ data: [], status: 'success' }),
+				);
+			}),
+		);
+
+		const { container } = render(
+			<GuardAuthZ relation="read" object="dashboard:*">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		expect(container.firstChild).toBeNull();
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should render fallbackOnError when API error occurs', async () => {
+		const errorMessage = 'Internal Server Error';
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(500), ctx.json({ error: errorMessage }));
+			}),
+		);
+
+		render(
+			<GuardAuthZ
+				relation="read"
+				object="dashboard:*"
+				fallbackOnError={ErrorFallback}
+			>
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(screen.getByText(/Error occurred:/)).toBeInTheDocument();
+		});
+
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should pass error object to fallbackOnError function', async () => {
+		const errorMessage = 'Network request failed';
+		let receivedError: Error | null = null;
+
+		const errorFallbackWithCapture = (error: Error): ReactElement => {
+			receivedError = error;
+			return <div>Captured error: {error.message}</div>;
+		};
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(500), ctx.json({ error: errorMessage }));
+			}),
+		);
+
+		render(
+			<GuardAuthZ
+				relation="read"
+				object="dashboard:*"
+				fallbackOnError={errorFallbackWithCapture}
+			>
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(receivedError).not.toBeNull();
+		});
+
+		expect(receivedError).toBeInstanceOf(Error);
+		expect(screen.getByText(/Captured error:/)).toBeInTheDocument();
+	});
+
+	it('should render null when error occurs and no fallbackOnError provided', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(500), ctx.json({ error: 'Internal Server Error' }));
+			}),
+		);
+
+		const { container } = render(
+			<GuardAuthZ relation="read" object="dashboard:*">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(container.firstChild).toBeNull();
+		});
+
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should render fallbackOnNoPermissions when permission is denied', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
+			}),
+		);
+
+		render(
+			<GuardAuthZ
+				relation="update"
+				object="dashboard:123"
+				fallbackOnNoPermissions={NoPermissionFallback}
+			>
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(screen.getByText('Access denied')).toBeInTheDocument();
+		});
+
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should render null when permission is denied and no fallbackOnNoPermissions provided', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
+			}),
+		);
+
+		const { container } = render(
+			<GuardAuthZ relation="update" object="dashboard:123">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(container.firstChild).toBeNull();
+		});
+
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should render null when permissions object is null', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(200), ctx.json({ data: [], status: 'success' }));
+			}),
+		);
+
+		const { container } = render(
+			<GuardAuthZ relation="read" object="dashboard:*">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(container.firstChild).toBeNull();
+		});
+
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should pass requiredPermissionName to fallbackOnNoPermissions', async () => {
+		const permission = buildPermission('update', 'dashboard:123');
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
+			}),
+		);
+
+		render(
+			<GuardAuthZ
+				relation="update"
+				object="dashboard:123"
+				fallbackOnNoPermissions={NoPermissionFallbackWithSuggestions}
+			>
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(
+				screen.getByText(/Access denied. Required permission:/),
+			).toBeInTheDocument();
+		});
+
+		expect(
+			screen.getAllByText(
+				new RegExp(permission.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')),
+			).length,
+		).toBeGreaterThan(0);
+		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
+	});
+
+	it('should handle different relation and object combinations', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const { rerender } = render(
+			<GuardAuthZ relation="read" object="dashboard:*">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(screen.getByText('Protected Content')).toBeInTheDocument();
+		});
+
+		rerender(
+			<GuardAuthZ relation="delete" object="dashboard:456">
+				<TestChild />
+			</GuardAuthZ>,
+		);
+
+		await waitFor(() => {
+			expect(screen.getByText('Protected Content')).toBeInTheDocument();
+		});
+	});
+});

frontend/src/components/GuardAuthZ/GuardAuthZ.tsx

@@ -0,0 +1,50 @@
+import { ReactElement } from 'react';
+import {
+	AuthZObject,
+	AuthZRelation,
+	BrandedPermission,
+} from 'hooks/useAuthZ/types';
+import { useAuthZ } from 'hooks/useAuthZ/useAuthZ';
+import { buildPermission } from 'hooks/useAuthZ/utils';
+
+export type GuardAuthZProps<R extends AuthZRelation> = {
+	children: ReactElement;
+	relation: R;
+	object: AuthZObject<R>;
+	fallbackOnLoading?: JSX.Element;
+	fallbackOnError?: (error: Error) => JSX.Element;
+	fallbackOnNoPermissions?: (response: {
+		requiredPermissionName: BrandedPermission;
+	}) => JSX.Element;
+};
+
+export function GuardAuthZ<R extends AuthZRelation>({
+	children,
+	relation,
+	object,
+	fallbackOnLoading,
+	fallbackOnError,
+	fallbackOnNoPermissions,
+}: GuardAuthZProps<R>): JSX.Element | null {
+	const permission = buildPermission<R>(relation, object);
+
+	const { permissions, isLoading, error } = useAuthZ([permission]);
+
+	if (isLoading) {
+		return fallbackOnLoading ?? null;
+	}
+
+	if (error) {
+		return fallbackOnError?.(error) ?? null;
+	}
+
+	if (!permissions?.[permission]?.isGranted) {
+		return (
+			fallbackOnNoPermissions?.({
+				requiredPermissionName: permission,
+			}) ?? null
+		);
+	}
+
+	return children;
+}

frontend/src/components/createGuardedRoute/createGuardedRoute.styles.scss

@@ -0,0 +1,41 @@
+.guard-authz-error-no-authz {
+	display: flex;
+	align-items: center;
+	justify-content: center;
+
+	width: 100%;
+	height: 100%;
+
+	padding: 24px;
+
+	.guard-authz-error-no-authz-content {
+		display: flex;
+		flex-direction: column;
+		justify-content: flex-start;
+		gap: 8px;
+		max-width: 500px;
+	}
+
+	img {
+		width: 32px;
+		height: 32px;
+	}
+
+	h3 {
+		font-size: 18px;
+		color: var(--l1-foreground);
+		line-height: 18px;
+	}
+
+	p {
+		font-size: 14px;
+		color: var(--l3-foreground);
+		line-height: 18px;
+
+		span {
+			background-color: var(--l3-background);
+			white-space: nowrap;
+			padding: 0 2px;
+		}
+	}
+}

frontend/src/components/createGuardedRoute/createGuardedRoute.test.tsx

@@ -0,0 +1,472 @@
+import { ReactElement } from 'react';
+import type { RouteComponentProps } from 'react-router-dom';
+import {
+	AuthtypesGettableTransactionDTO,
+	AuthtypesTransactionDTO,
+} from 'api/generated/services/sigNoz.schemas';
+import { ENVIRONMENT } from 'constants/env';
+import { server } from 'mocks-server/server';
+import { rest } from 'msw';
+import { render, screen, waitFor } from 'tests/test-utils';
+
+import { createGuardedRoute } from './createGuardedRoute';
+
+const BASE_URL = ENVIRONMENT.baseURL || '';
+const AUTHZ_CHECK_URL = `${BASE_URL}/api/v1/authz/check`;
+
+function authzMockResponse(
+	payload: AuthtypesTransactionDTO[],
+	authorizedByIndex: boolean[],
+): { data: AuthtypesGettableTransactionDTO[]; status: string } {
+	return {
+		data: payload.map((txn, i) => ({
+			relation: txn.relation,
+			object: txn.object,
+			authorized: authorizedByIndex[i] ?? false,
+		})),
+		status: 'success',
+	};
+}
+
+describe('createGuardedRoute', () => {
+	const TestComponent = ({ testProp }: { testProp: string }): ReactElement => (
+		<div>Test Component: {testProp}</div>
+	);
+
+	it('should render component when permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:*',
+		);
+
+		const mockMatch = {
+			params: {},
+			isExact: true,
+			path: '/dashboard',
+			url: '/dashboard',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
+		});
+	});
+
+	it('should substitute route parameters in object string', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:{id}',
+		);
+
+		const mockMatch = {
+			params: { id: '123' },
+			isExact: true,
+			path: '/dashboard/:id',
+			url: '/dashboard/123',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
+		});
+	});
+
+	it('should handle multiple route parameters', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = (await req.json()) as AuthtypesTransactionDTO[];
+				const txn = payload[0];
+				const responseData: AuthtypesGettableTransactionDTO[] = [
+					{
+						relation: txn.relation,
+						object: {
+							resource: {
+								name: txn.object.resource.name,
+								type: txn.object.resource.type,
+							},
+							selector: '123:456',
+						},
+						authorized: true,
+					},
+				];
+				return res(
+					ctx.status(200),
+					ctx.json({ data: responseData, status: 'success' }),
+				);
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'update',
+			'dashboard:{id}:{version}',
+		);
+
+		const mockMatch = {
+			params: { id: '123', version: '456' },
+			isExact: true,
+			path: '/dashboard/:id/:version',
+			url: '/dashboard/123/456',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
+		});
+	});
+
+	it('should keep placeholder when route parameter is missing', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:{id}',
+		);
+
+		const mockMatch = {
+			params: {},
+			isExact: true,
+			path: '/dashboard',
+			url: '/dashboard',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
+		});
+	});
+
+	it('should render loading fallback when loading', () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (_req, res, ctx) => {
+				return res(
+					ctx.delay('infinite'),
+					ctx.status(200),
+					ctx.json({ data: [], status: 'success' }),
+				);
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:*',
+		);
+
+		const mockMatch = {
+			params: {},
+			isExact: true,
+			path: '/dashboard',
+			url: '/dashboard',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		expect(screen.getByText('SigNoz')).toBeInTheDocument();
+		expect(
+			screen.queryByText('Test Component: test-value'),
+		).not.toBeInTheDocument();
+	});
+
+	it('should render error fallback when API error occurs', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(500), ctx.json({ error: 'Internal Server Error' }));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:*',
+		);
+
+		const mockMatch = {
+			params: {},
+			isExact: true,
+			path: '/dashboard',
+			url: '/dashboard',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText(/Something went wrong/i)).toBeInTheDocument();
+		});
+
+		expect(
+			screen.queryByText('Test Component: test-value'),
+		).not.toBeInTheDocument();
+	});
+
+	it('should render no permissions fallback when permission is denied', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'update',
+			'dashboard:{id}',
+		);
+
+		const mockMatch = {
+			params: { id: '123' },
+			isExact: true,
+			path: '/dashboard/:id',
+			url: '/dashboard/123',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			const heading = document.querySelector('h3');
+			expect(heading).toBeInTheDocument();
+			expect(heading?.textContent).toMatch(/permission to view/i);
+		});
+
+		expect(screen.getByText('update')).toBeInTheDocument();
+		expect(screen.getByText('dashboard:123')).toBeInTheDocument();
+		expect(
+			screen.queryByText('Test Component: test-value'),
+		).not.toBeInTheDocument();
+	});
+
+	it('should pass all props to wrapped component', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const ComponentWithMultipleProps = ({
+			prop1,
+			prop2,
+			prop3,
+		}: {
+			prop1: string;
+			prop2: number;
+			prop3: boolean;
+		}): ReactElement => (
+			<div>
+				{prop1} - {prop2} - {prop3.toString()}
+			</div>
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			ComponentWithMultipleProps,
+			'read',
+			'dashboard:*',
+		);
+
+		const mockMatch = {
+			params: {},
+			isExact: true,
+			path: '/dashboard',
+			url: '/dashboard',
+		};
+
+		const props = {
+			prop1: 'value1',
+			prop2: 42,
+			prop3: true,
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('value1 - 42 - true')).toBeInTheDocument();
+		});
+	});
+
+	it('should memoize resolved object based on route params', async () => {
+		let requestCount = 0;
+		const requestedObjects: string[] = [];
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				requestCount++;
+				const payload = (await req.json()) as AuthtypesTransactionDTO[];
+				const obj = payload[0]?.object;
+				const name = obj?.resource?.name;
+				const selector = obj?.selector ?? '*';
+				const objectStr =
+					obj?.resource?.type === 'metaresources' ? name : `${name}:${selector}`;
+				requestedObjects.push(objectStr ?? '');
+
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'read',
+			'dashboard:{id}',
+		);
+
+		const mockMatch1 = {
+			params: { id: '123' },
+			isExact: true,
+			path: '/dashboard/:id',
+			url: '/dashboard/123',
+		};
+
+		const props1 = {
+			testProp: 'test-value-1',
+			match: mockMatch1,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		const { unmount } = render(<GuardedComponent {...props1} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value-1')).toBeInTheDocument();
+		});
+
+		expect(requestCount).toBe(1);
+		expect(requestedObjects).toContain('dashboard:123');
+
+		unmount();
+
+		const mockMatch2 = {
+			params: { id: '456' },
+			isExact: true,
+			path: '/dashboard/:id',
+			url: '/dashboard/456',
+		};
+
+		const props2 = {
+			testProp: 'test-value-2',
+			match: mockMatch2,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props2} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value-2')).toBeInTheDocument();
+		});
+
+		expect(requestCount).toBe(2);
+		expect(requestedObjects).toContain('dashboard:456');
+	});
+
+	it('should handle different relation types', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+			}),
+		);
+
+		const GuardedComponent = createGuardedRoute(
+			TestComponent,
+			'delete',
+			'dashboard:{id}',
+		);
+
+		const mockMatch = {
+			params: { id: '789' },
+			isExact: true,
+			path: '/dashboard/:id',
+			url: '/dashboard/789',
+		};
+
+		const props = {
+			testProp: 'test-value',
+			match: mockMatch,
+			location: ({} as unknown) as RouteComponentProps['location'],
+			history: ({} as unknown) as RouteComponentProps['history'],
+		};
+
+		render(<GuardedComponent {...props} />);
+
+		await waitFor(() => {
+			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
+		});
+	});
+});

frontend/src/components/createGuardedRoute/createGuardedRoute.tsx

@@ -0,0 +1,73 @@
+import { ComponentType, ReactElement, useMemo } from 'react';
+import { RouteComponentProps } from 'react-router-dom';
+import {
+	AuthZObject,
+	AuthZRelation,
+	BrandedPermission,
+} from 'hooks/useAuthZ/types';
+import { parsePermission } from 'hooks/useAuthZ/utils';
+
+import ErrorBoundaryFallback from '../../pages/ErrorBoundaryFallback/ErrorBoundaryFallback';
+import AppLoading from '../AppLoading/AppLoading';
+import { GuardAuthZ } from '../GuardAuthZ/GuardAuthZ';
+
+import './createGuardedRoute.styles.scss';
+
+const onErrorFallback = (): JSX.Element => <ErrorBoundaryFallback />;
+
+function OnNoPermissionsFallback(response: {
+	requiredPermissionName: BrandedPermission;
+}): ReactElement {
+	const { relation, object } = parsePermission(response.requiredPermissionName);
+
+	return (
+		<div className="guard-authz-error-no-authz">
+			<div className="guard-authz-error-no-authz-content">
+				<img src="/Icons/no-data.svg" alt="No permission" />
+				<h3>Uh-oh! You don’t have permission to view this page.</h3>
+				<p>
+					You need the following permission to view this page:
+					<br />
+					Relation: <span>{relation}</span>
+					<br />
+					Object: <span>{object}</span>
+					<br />
+					Ask your SigNoz administrator to grant access.
+				</p>
+			</div>
+		</div>
+	);
+}
+
+// eslint-disable-next-line @typescript-eslint/ban-types
+export function createGuardedRoute<P extends object, R extends AuthZRelation>(
+	Component: ComponentType<P>,
+	relation: R,
+	object: AuthZObject<R>,
+): ComponentType<P & RouteComponentProps<Record<string, string>>> {
+	return function GuardedRouteComponent(
+		props: P & RouteComponentProps<Record<string, string>>,
+	): ReactElement {
+		const resolvedObject = useMemo(() => {
+			const paramPattern = /\{([^}]+)\}/g;
+			return object.replace(paramPattern, (match, paramName) => {
+				const paramValue = props.match?.params?.[paramName];
+				return paramValue !== undefined ? paramValue : match;
+			}) as AuthZObject<R>;
+		}, [props.match?.params]);
+
+		return (
+			<GuardAuthZ
+				relation={relation}
+				object={resolvedObject}
+				fallbackOnLoading={<AppLoading />}
+				fallbackOnError={onErrorFallback}
+				fallbackOnNoPermissions={(response): ReactElement => (
+					<OnNoPermissionsFallback {...response} />
+				)}
+			>
+				<Component {...props} />
+			</GuardAuthZ>
+		);
+	};
+}

frontend/src/hooks/useAuthZ/permissions.type.ts

@@ -0,0 +1,23 @@
+// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY scripts/generate-permissions-type
+export default {
+	status: 'success',
+	data: {
+		resources: [
+			{
+				name: 'dashboard',
+				type: 'metaresource',
+			},
+			{
+				name: 'dashboards',
+				type: 'metaresources',
+			},
+		],
+		relations: {
+			create: ['metaresources'],
+			delete: ['user', 'role', 'organization', 'metaresource'],
+			list: ['metaresources'],
+			read: ['user', 'role', 'organization', 'metaresource'],
+			update: ['user', 'role', 'organization', 'metaresource'],
+		},
+	},
+} as const;

frontend/src/hooks/useAuthZ/types.ts

@@ -0,0 +1,57 @@
+import permissionsType from './permissions.type';
+import { ObjectSeparator } from './utils';
+
+type PermissionsData = typeof permissionsType.data;
+export type Resource = PermissionsData['resources'][number];
+export type ResourceName = Resource['name'];
+export type ResourceType = Resource['type'];
+
+type RelationsByType = PermissionsData['relations'];
+
+type ResourceTypeMap = {
+	[K in ResourceName]: Extract<Resource, { name: K }>['type'];
+};
+
+type RelationName = keyof RelationsByType;
+
+type ResourcesForRelation<R extends RelationName> = Extract<
+	Resource,
+	{ type: RelationsByType[R][number] }
+>['name'];
+
+type IsPluralResource<
+	R extends ResourceName
+> = ResourceTypeMap[R] extends 'metaresources' ? true : false;
+
+type ObjectForResource<R extends ResourceName> = R extends infer U
+	? U extends ResourceName
+		? IsPluralResource<U> extends true
+			? U
+			: `${U}${typeof ObjectSeparator}${string}`
+		: never
+	: never;
+
+type RelationToObject<R extends RelationName> = ObjectForResource<
+	ResourcesForRelation<R>
+>;
+
+type AllRelations = RelationName;
+
+export type AuthZRelation = AllRelations;
+export type AuthZResource = ResourceName;
+export type AuthZObject<R extends AuthZRelation> = RelationToObject<R>;
+
+export type BrandedPermission = string & { __brandedPermission: true };
+
+export type AuthZCheckResponse = Record<
+	BrandedPermission,
+	{
+		isGranted: boolean;
+	}
+>;
+
+export type UseAuthZResult = {
+	isLoading: boolean;
+	error: Error | null;
+	permissions: AuthZCheckResponse | null;
+};

frontend/src/hooks/useAuthZ/useAuthZ.test.tsx

@@ -0,0 +1,496 @@
+import { ReactElement } from 'react';
+import { renderHook, waitFor } from '@testing-library/react';
+import {
+	AuthtypesGettableTransactionDTO,
+	AuthtypesTransactionDTO,
+} from 'api/generated/services/sigNoz.schemas';
+import { ENVIRONMENT } from 'constants/env';
+import { server } from 'mocks-server/server';
+import { rest } from 'msw';
+import { AllTheProviders } from 'tests/test-utils';
+
+import { BrandedPermission } from './types';
+import { useAuthZ } from './useAuthZ';
+import { buildPermission } from './utils';
+
+const BASE_URL = ENVIRONMENT.baseURL || '';
+const AUTHZ_CHECK_URL = `${BASE_URL}/api/v1/authz/check`;
+
+function authzMockResponse(
+	payload: AuthtypesTransactionDTO[],
+	authorizedByIndex: boolean[],
+): { data: AuthtypesGettableTransactionDTO[]; status: string } {
+	return {
+		data: payload.map((txn, i) => ({
+			relation: txn.relation,
+			object: txn.object,
+			authorized: authorizedByIndex[i] ?? false,
+		})),
+		status: 'success',
+	};
+}
+
+const wrapper = ({ children }: { children: ReactElement }): ReactElement => (
+	<AllTheProviders>{children}</AllTheProviders>
+);
+
+describe('useAuthZ', () => {
+	it('should fetch and return permissions successfully', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+
+		const expectedResponse = {
+			[permission1]: {
+				isGranted: true,
+			},
+			[permission2]: {
+				isGranted: false,
+			},
+		};
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [true, false])),
+				);
+			}),
+		);
+
+		const { result } = renderHook(() => useAuthZ([permission1, permission2]), {
+			wrapper,
+		});
+
+		expect(result.current.isLoading).toBe(true);
+		expect(result.current.permissions).toBeNull();
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(result.current.error).toBeNull();
+		expect(result.current.permissions).toEqual(expectedResponse);
+	});
+
+	it('should handle API errors', async () => {
+		const permission = buildPermission('read', 'dashboard:*');
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(500), ctx.json({ error: 'Internal Server Error' }));
+			}),
+		);
+
+		const { result } = renderHook(() => useAuthZ([permission]), {
+			wrapper,
+		});
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(result.current.error).not.toBeNull();
+		expect(result.current.permissions).toBeNull();
+	});
+
+	it('should refetch when permissions array changes', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');
+
+		let requestCount = 0;
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				requestCount++;
+				const payload = await req.json();
+
+				if (payload.length === 1) {
+					return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
+				}
+
+				const authorized = payload.map(
+					(txn: { relation: string }) =>
+						txn.relation === 'read' || txn.relation === 'delete',
+				);
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, authorized)),
+				);
+			}),
+		);
+
+		const { result, rerender } = renderHook<
+			ReturnType<typeof useAuthZ>,
+			BrandedPermission[]
+		>((permissions) => useAuthZ(permissions), {
+			wrapper,
+			initialProps: [permission1],
+		});
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(requestCount).toBe(1);
+		expect(result.current.permissions).toEqual({
+			[permission1]: {
+				isGranted: true,
+			},
+		});
+
+		rerender([permission1, permission2, permission3]);
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(requestCount).toBe(2);
+		expect(result.current.permissions).toEqual({
+			[permission1]: {
+				isGranted: true,
+			},
+			[permission2]: {
+				isGranted: false,
+			},
+			[permission3]: {
+				isGranted: true,
+			},
+		});
+	});
+
+	it('should not refetch when permissions array order changes but content is the same', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+
+		let requestCount = 0;
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				requestCount++;
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [true, false])),
+				);
+			}),
+		);
+
+		const { result, rerender } = renderHook<
+			ReturnType<typeof useAuthZ>,
+			BrandedPermission[]
+		>((permissions) => useAuthZ(permissions), {
+			wrapper,
+			initialProps: [permission1, permission2],
+		});
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(requestCount).toBe(1);
+
+		rerender([permission2, permission1]);
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(requestCount).toBe(1);
+	});
+
+	it('should handle empty permissions array', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
+				return res(ctx.status(200), ctx.json({ data: [], status: 'success' }));
+			}),
+		);
+
+		const { result } = renderHook(() => useAuthZ([]), {
+			wrapper,
+		});
+
+		expect(result.current.isLoading).toBe(false);
+		expect(result.current.error).toBeNull();
+		expect(result.current.permissions).toEqual({});
+	});
+
+	it('should send correct payload format to API', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+
+		let receivedPayload: any = null;
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				receivedPayload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(receivedPayload, [true, false])),
+				);
+			}),
+		);
+
+		const { result } = renderHook(() => useAuthZ([permission1, permission2]), {
+			wrapper,
+		});
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(receivedPayload).toHaveLength(2);
+		expect(receivedPayload[0]).toMatchObject({
+			relation: 'read',
+			object: {
+				resource: { name: 'dashboard', type: 'metaresource' },
+				selector: '*',
+			},
+		});
+		expect(receivedPayload[1]).toMatchObject({
+			relation: 'update',
+			object: {
+				resource: { name: 'dashboard', type: 'metaresource' },
+				selector: '123',
+			},
+		});
+	});
+
+	it('should batch multiple hooks into single flight request', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');
+
+		let requestCount = 0;
+		const receivedPayloads: any[] = [];
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				requestCount++;
+				const payload = await req.json();
+				receivedPayloads.push(payload);
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [true, false, true])),
+				);
+			}),
+		);
+
+		const { result: result1 } = renderHook(() => useAuthZ([permission1]), {
+			wrapper,
+		});
+
+		const { result: result2 } = renderHook(() => useAuthZ([permission2]), {
+			wrapper,
+		});
+
+		const { result: result3 } = renderHook(() => useAuthZ([permission3]), {
+			wrapper,
+		});
+
+		await waitFor(
+			() => {
+				expect(result1.current.isLoading).toBe(false);
+				expect(result2.current.isLoading).toBe(false);
+				expect(result3.current.isLoading).toBe(false);
+			},
+			{ timeout: 200 },
+		);
+
+		expect(requestCount).toBe(1);
+		expect(receivedPayloads).toHaveLength(1);
+		expect(receivedPayloads[0]).toHaveLength(3);
+		expect(receivedPayloads[0][0]).toMatchObject({
+			relation: 'read',
+			object: {
+				resource: { name: 'dashboard', type: 'metaresource' },
+				selector: '*',
+			},
+		});
+		expect(receivedPayloads[0][1]).toMatchObject({
+			relation: 'update',
+			object: { resource: { name: 'dashboard' }, selector: '123' },
+		});
+		expect(receivedPayloads[0][2]).toMatchObject({
+			relation: 'delete',
+			object: { resource: { name: 'dashboard' }, selector: '456' },
+		});
+
+		expect(result1.current.permissions).toEqual({
+			[permission1]: { isGranted: true },
+		});
+		expect(result2.current.permissions).toEqual({
+			[permission2]: { isGranted: false },
+		});
+		expect(result3.current.permissions).toEqual({
+			[permission3]: { isGranted: true },
+		});
+	});
+
+	it('should create separate batches for calls after single flight window', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');
+
+		let requestCount = 0;
+		const receivedPayloads: any[] = [];
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				requestCount++;
+				const payload = await req.json();
+				receivedPayloads.push(payload);
+				const authorized = payload.length === 1 ? [true] : [false, true];
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, authorized)),
+				);
+			}),
+		);
+
+		const { result: result1 } = renderHook(() => useAuthZ([permission1]), {
+			wrapper,
+		});
+
+		await waitFor(
+			() => {
+				expect(result1.current.isLoading).toBe(false);
+			},
+			{ timeout: 200 },
+		);
+
+		expect(requestCount).toBe(1);
+		expect(receivedPayloads[0]).toHaveLength(1);
+
+		await new Promise((resolve) => setTimeout(resolve, 100));
+
+		const { result: result2 } = renderHook(() => useAuthZ([permission2]), {
+			wrapper,
+		});
+
+		const { result: result3 } = renderHook(() => useAuthZ([permission3]), {
+			wrapper,
+		});
+
+		await waitFor(
+			() => {
+				expect(result2.current.isLoading).toBe(false);
+				expect(result3.current.isLoading).toBe(false);
+			},
+			{ timeout: 200 },
+		);
+
+		expect(requestCount).toBe(2);
+		expect(receivedPayloads).toHaveLength(2);
+		expect(receivedPayloads[1]).toHaveLength(2);
+		expect(receivedPayloads[1][0]).toMatchObject({
+			relation: 'update',
+			object: { resource: { name: 'dashboard' }, selector: '123' },
+		});
+		expect(receivedPayloads[1][1]).toMatchObject({
+			relation: 'delete',
+			object: { resource: { name: 'dashboard' }, selector: '456' },
+		});
+	});
+
+	it('should map permissions correctly when API returns response out of order', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+		const permission3 = buildPermission('delete', 'dashboard:456');
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				const reversed = [...payload].reverse();
+				const authorizedByReversed = [true, false, true];
+				return res(
+					ctx.status(200),
+					ctx.json({
+						data: reversed.map((txn: any, i: number) => ({
+							relation: txn.relation,
+							object: txn.object,
+							authorized: authorizedByReversed[i],
+						})),
+						status: 'success',
+					}),
+				);
+			}),
+		);
+
+		const { result } = renderHook(
+			() => useAuthZ([permission1, permission2, permission3]),
+			{ wrapper },
+		);
+
+		await waitFor(() => {
+			expect(result.current.isLoading).toBe(false);
+		});
+
+		expect(result.current.permissions).toEqual({
+			[permission1]: { isGranted: true },
+			[permission2]: { isGranted: false },
+			[permission3]: { isGranted: true },
+		});
+	});
+
+	it('should not leak state between separate batches', async () => {
+		const permission1 = buildPermission('read', 'dashboard:*');
+		const permission2 = buildPermission('update', 'dashboard:123');
+
+		let requestCount = 0;
+
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				requestCount++;
+				const payload = await req.json();
+				const authorized = payload.map(
+					(txn: { relation: string }) => txn.relation === 'read',
+				);
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, authorized)),
+				);
+			}),
+		);
+
+		const { result: result1 } = renderHook(() => useAuthZ([permission1]), {
+			wrapper,
+		});
+
+		await waitFor(
+			() => {
+				expect(result1.current.isLoading).toBe(false);
+			},
+			{ timeout: 200 },
+		);
+
+		expect(requestCount).toBe(1);
+		expect(result1.current.permissions).toEqual({
+			[permission1]: { isGranted: true },
+		});
+
+		await new Promise((resolve) => setTimeout(resolve, 100));
+
+		const { result: result2 } = renderHook(() => useAuthZ([permission2]), {
+			wrapper,
+		});
+
+		await waitFor(
+			() => {
+				expect(result2.current.isLoading).toBe(false);
+			},
+			{ timeout: 200 },
+		);
+
+		expect(requestCount).toBe(2);
+		expect(result1.current.permissions).toEqual({
+			[permission1]: { isGranted: true },
+		});
+		expect(result2.current.permissions).toEqual({
+			[permission2]: { isGranted: false },
+		});
+		expect(result1.current.permissions).not.toHaveProperty(permission2);
+		expect(result2.current.permissions).not.toHaveProperty(permission1);
+	});
+});

frontend/src/hooks/useAuthZ/useAuthZ.tsx

@@ -0,0 +1,129 @@
+import { useMemo } from 'react';
+import { useQueries } from 'react-query';
+import { authzCheck } from 'api/generated/services/authz';
+import type {
+	AuthtypesObjectDTO,
+	AuthtypesTransactionDTO,
+} from 'api/generated/services/sigNoz.schemas';
+
+import { AuthZCheckResponse, BrandedPermission, UseAuthZResult } from './types';
+import {
+	gettableTransactionToPermission,
+	permissionToTransactionDto,
+} from './utils';
+
+let ctx: Promise<AuthZCheckResponse> | null;
+let pendingPermissions: BrandedPermission[] = [];
+const SINGLE_FLIGHT_WAIT_TIME_MS = 50;
+const AUTHZ_CACHE_TIME = 20_000;
+
+function dispatchPermission(
+	permission: BrandedPermission,
+): Promise<AuthZCheckResponse> {
+	pendingPermissions.push(permission);
+
+	if (!ctx) {
+		let resolve: (v: AuthZCheckResponse) => void, reject: (reason?: any) => void;
+		ctx = new Promise<AuthZCheckResponse>((r, re) => {
+			resolve = r;
+			reject = re;
+		});
+
+		setTimeout(() => {
+			const copiedPermissions = pendingPermissions.slice();
+			pendingPermissions = [];
+			ctx = null;
+
+			fetchManyPermissions(copiedPermissions).then(resolve).catch(reject);
+		}, SINGLE_FLIGHT_WAIT_TIME_MS);
+	}
+
+	return ctx;
+}
+
+async function fetchManyPermissions(
+	permissions: BrandedPermission[],
+): Promise<AuthZCheckResponse> {
+	const payload: AuthtypesTransactionDTO[] = permissions.map((permission) => {
+		const dto = permissionToTransactionDto(permission);
+		const object: AuthtypesObjectDTO = {
+			resource: {
+				name: dto.object.resource.name,
+				type: dto.object.resource.type,
+			},
+			selector: dto.object.selector,
+		};
+		return { relation: dto.relation, object };
+	});
+
+	const { data } = await authzCheck(payload);
+
+	const fromApi = (data ?? []).reduce<AuthZCheckResponse>((acc, item) => {
+		const permission = gettableTransactionToPermission(item);
+		acc[permission] = { isGranted: !!item.authorized };
+		return acc;
+	}, {} as AuthZCheckResponse);
+
+	return permissions.reduce<AuthZCheckResponse>((acc, permission) => {
+		acc[permission] = fromApi[permission] ?? { isGranted: false };
+		return acc;
+	}, {} as AuthZCheckResponse);
+}
+
+export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
+	const queryResults = useQueries(
+		permissions.map((permission) => {
+			return {
+				queryKey: ['authz', permission],
+				cacheTime: AUTHZ_CACHE_TIME,
+				refetchOnMount: false,
+				refetchIntervalInBackground: false,
+				refetchOnWindowFocus: false,
+				refetchOnReconnect: true,
+				queryFn: async (): Promise<AuthZCheckResponse> => {
+					const response = await dispatchPermission(permission);
+
+					return {
+						[permission]: {
+							isGranted: response[permission].isGranted,
+						},
+					};
+				},
+			};
+		}),
+	);
+
+	const isLoading = useMemo(() => queryResults.some((q) => q.isLoading), [
+		queryResults,
+	]);
+	const error = useMemo(
+		() =>
+			!isLoading
+				? (queryResults.find((q) => !!q.error)?.error as Error) || null
+				: null,
+		[isLoading, queryResults],
+	);
+	const data = useMemo(() => {
+		if (isLoading || error) {
+			return null;
+		}
+
+		return queryResults.reduce((acc, q) => {
+			if (!q.data) {
+				return acc;
+			}
+
+			for (const [key, value] of Object.entries(q.data)) {
+				acc[key as BrandedPermission] = value;
+			}
+
+			return acc;
+		}, {} as AuthZCheckResponse);
+	}, [isLoading, error, queryResults]);
+
+	return {
+		isLoading,
+		error,
+		permissions: data ?? null,
+	};
+}

frontend/src/hooks/useAuthZ/utils.ts

@@ -0,0 +1,85 @@
+import { AuthtypesTransactionDTO } from '../../api/generated/services/sigNoz.schemas';
+import permissionsType from './permissions.type';
+import {
+	AuthZObject,
+	AuthZRelation,
+	AuthZResource,
+	BrandedPermission,
+	ResourceName,
+	ResourceType,
+} from './types';
+
+export const PermissionSeparator = '||__||';
+export const ObjectSeparator = ':';
+
+export function buildPermission<R extends AuthZRelation>(
+	relation: R,
+	object: AuthZObject<R>,
+): BrandedPermission {
+	return `${relation}${PermissionSeparator}${object}` as BrandedPermission;
+}
+
+export function buildObjectString(
+	resource: AuthZResource,
+	objectId: string,
+): `${AuthZResource}${typeof ObjectSeparator}${string}` {
+	return `${resource}${ObjectSeparator}${objectId}` as const;
+}
+
+export function parsePermission(
+	permission: BrandedPermission,
+): {
+	relation: AuthZRelation;
+	object: string;
+} {
+	const [relation, object] = permission.split(PermissionSeparator);
+	return { relation: relation as AuthZRelation, object };
+}
+
+const resourceNameToType = permissionsType.data.resources.reduce((acc, r) => {
+	acc[r.name] = r.type;
+	return acc;
+}, {} as Record<ResourceName, ResourceType>);
+
+export function permissionToTransactionDto(
+	permission: BrandedPermission,
+): AuthtypesTransactionDTO {
+	const { relation, object: objectStr } = parsePermission(permission);
+	const directType = resourceNameToType[objectStr as ResourceName];
+	if (directType === 'metaresources') {
+		return {
+			relation,
+			object: {
+				resource: { name: objectStr, type: directType },
+				selector: '*',
+			},
+		};
+	}
+	const [resourceName, selector] = objectStr.split(ObjectSeparator);
+	const type =
+		resourceNameToType[resourceName as ResourceName] ?? 'metaresource';
+
+	return {
+		relation,
+		object: {
+			resource: { name: resourceName, type },
+			selector: selector || '*',
+		},
+	};
+}
+
+export function gettableTransactionToPermission(
+	item: AuthtypesTransactionDTO,
+): BrandedPermission {
+	const {
+		relation,
+		object: { resource, selector },
+	} = item;
+	const resourceName = String(resource.name);
+	const selectorStr = typeof selector === 'string' ? selector : '*';
+	const objectStr =
+		resource.type === 'metaresources'
+			? resourceName
+			: `${resourceName}${ObjectSeparator}${selectorStr}`;
+	return `${relation}${PermissionSeparator}${objectStr}` as BrandedPermission;
+}

pkg/modules/metricsexplorer/implmetricsexplorer/module.go

@@ -513,7 +513,7 @@ func (m *module) fetchTimeseriesMetadata(ctx context.Context, orgID valuer.UUID,
 		"metric_name",
 		"anyLast(description) AS description",
 		"anyLast(type) AS metric_type",
-		"anyLast(unit) AS metric_unit",
+		"argMax(unit, unix_milli) AS metric_unit",
 		"anyLast(temporality) AS temporality",
 		"anyLast(is_monotonic) AS is_monotonic",
 	)

pkg/query-service/app/clickhouseReader/reader.go

@@ -5441,7 +5441,7 @@ func (r *ClickHouseReader) ListSummaryMetrics(ctx context.Context, orgID valuer.
 		    t.metric_name AS metric_name,
 		    ANY_VALUE(t.description) AS description,
 		    ANY_VALUE(t.type) AS metric_type,
-		    ANY_VALUE(t.unit) AS metric_unit,
+		    argMax(t.unit, unix_milli) AS metric_unit,
 		    uniq(t.fingerprint) AS timeseries,
 			uniq(metric_name) OVER() AS total
 		FROM %s.%s AS t

pkg/query-service/formatter/data.go

@@ -1,86 +0,0 @@
-package formatter
-
-import (
-	"fmt"
-
-	"github.com/SigNoz/signoz/pkg/query-service/converter"
-	"github.com/dustin/go-humanize"
-)
-
-type dataFormatter struct {
-}
-
-func NewDataFormatter() Formatter {
-	return &dataFormatter{}
-}
-
-func (*dataFormatter) Name() string {
-	return "data"
-}
-
-func (f *dataFormatter) Format(value float64, unit string) string {
-	switch unit {
-	case "bytes", "By":
-		return humanize.IBytes(uint64(value))
-	case "decbytes":
-		return humanize.Bytes(uint64(value))
-	case "bits", "bit":
-		// humanize.IBytes/Bytes doesn't support bits
-		// and returns 0 B for values less than a byte
-		if value < 8 {
-			return fmt.Sprintf("%v b", value)
-		}
-		return humanize.IBytes(uint64(value / 8))
-	case "decbits":
-		if value < 8 {
-			return fmt.Sprintf("%v b", value)
-		}
-		return humanize.Bytes(uint64(value / 8))
-	case "kbytes", "KiBy":
-		return humanize.IBytes(uint64(value * converter.Kibibit))
-	case "Kibit":
-		return humanize.IBytes(uint64(value * converter.Kibibit / 8))
-	case "decKbytes", "deckbytes", "kBy":
-		return humanize.Bytes(uint64(value * converter.Kilobit))
-	case "kbit":
-		return humanize.Bytes(uint64(value * converter.Kilobit / 8))
-	case "mbytes", "MiBy":
-		return humanize.IBytes(uint64(value * converter.Mebibit))
-	case "Mibit":
-		return humanize.IBytes(uint64(value * converter.Mebibit / 8))
-	case "decMbytes", "decmbytes", "MBy":
-		return humanize.Bytes(uint64(value * converter.Megabit))
-	case "Mbit":
-		return humanize.Bytes(uint64(value * converter.Megabit / 8))
-	case "gbytes", "GiBy":
-		return humanize.IBytes(uint64(value * converter.Gibibit))
-	case "Gibit":
-		return humanize.IBytes(uint64(value * converter.Gibibit / 8))
-	case "decGbytes", "decgbytes", "GBy":
-		return humanize.Bytes(uint64(value * converter.Gigabit))
-	case "Gbit":
-		return humanize.Bytes(uint64(value * converter.Gigabit / 8))
-	case "tbytes", "TiBy":
-		return humanize.IBytes(uint64(value * converter.Tebibit))
-	case "Tibit":
-		return humanize.IBytes(uint64(value * converter.Tebibit / 8))
-	case "decTbytes", "dectbytes", "TBy":
-		return humanize.Bytes(uint64(value * converter.Terabit))
-	case "Tbit":
-		return humanize.Bytes(uint64(value * converter.Terabit / 8))
-	case "pbytes", "PiBy":
-		return humanize.IBytes(uint64(value * converter.Pebibit))
-	case "Pbit":
-		return humanize.Bytes(uint64(value * converter.Petabit / 8))
-	case "decPbytes", "decpbytes", "PBy":
-		return humanize.Bytes(uint64(value * converter.Petabit))
-	case "EiBy":
-		return humanize.IBytes(uint64(value * converter.Exbibit))
-	case "Ebit":
-		return humanize.Bytes(uint64(value * converter.Exabit / 8))
-	case "EBy":
-		return humanize.Bytes(uint64(value * converter.Exabit))
-	}
-	// When unit is not matched, return the value as it is.
-	return fmt.Sprintf("%v", value)
-}

pkg/query-service/formatter/data_rate.go

@@ -1,91 +0,0 @@
-package formatter
-
-import (
-	"fmt"
-
-	"github.com/SigNoz/signoz/pkg/query-service/converter"
-	"github.com/dustin/go-humanize"
-)
-
-type dataRateFormatter struct {
-}
-
-func NewDataRateFormatter() Formatter {
-	return &dataRateFormatter{}
-}
-
-func (*dataRateFormatter) Name() string {
-	return "data_rate"
-}
-
-func (f *dataRateFormatter) Format(value float64, unit string) string {
-	switch unit {
-	case "binBps":
-		return humanize.IBytes(uint64(value)) + "/s"
-	case "Bps", "By/s":
-		return humanize.Bytes(uint64(value)) + "/s"
-	case "binbps":
-		// humanize.IBytes/Bytes doesn't support bits
-		// and returns 0 B for values less than a byte
-		if value < 8 {
-			return fmt.Sprintf("%v b/s", value)
-		}
-		return humanize.IBytes(uint64(value/8)) + "/s"
-	case "bps", "bit/s":
-		if value < 8 {
-			return fmt.Sprintf("%v b/s", value)
-		}
-		return humanize.Bytes(uint64(value/8)) + "/s"
-	case "KiBs", "KiBy/s":
-		return humanize.IBytes(uint64(value*converter.KibibitPerSecond)) + "/s"
-	case "Kibits", "Kibit/s":
-		return humanize.IBytes(uint64(value*converter.KibibitPerSecond/8)) + "/s"
-	case "KBs", "kBy/s":
-		return humanize.IBytes(uint64(value*converter.KilobitPerSecond)) + "/s"
-	case "Kbits", "kbit/s":
-		return humanize.Bytes(uint64(value*converter.KilobitPerSecond/8)) + "/s"
-	case "MiBs", "MiBy/s":
-		return humanize.IBytes(uint64(value*converter.MebibitPerSecond)) + "/s"
-	case "Mibits", "Mibit/s":
-		return humanize.IBytes(uint64(value*converter.MebibitPerSecond/8)) + "/s"
-	case "MBs", "MBy/s":
-		return humanize.IBytes(uint64(value*converter.MegabitPerSecond)) + "/s"
-	case "Mbits", "Mbit/s":
-		return humanize.Bytes(uint64(value*converter.MegabitPerSecond/8)) + "/s"
-	case "GiBs", "GiBy/s":
-		return humanize.IBytes(uint64(value*converter.GibibitPerSecond)) + "/s"
-	case "Gibits", "Gibit/s":
-		return humanize.IBytes(uint64(value*converter.GibibitPerSecond/8)) + "/s"
-	case "GBs", "GBy/s":
-		return humanize.IBytes(uint64(value*converter.GigabitPerSecond)) + "/s"
-	case "Gbits", "Gbit/s":
-		return humanize.Bytes(uint64(value*converter.GigabitPerSecond/8)) + "/s"
-	case "TiBs", "TiBy/s":
-		return humanize.IBytes(uint64(value*converter.TebibitPerSecond)) + "/s"
-	case "Tibits", "Tibit/s":
-		return humanize.IBytes(uint64(value*converter.TebibitPerSecond/8)) + "/s"
-	case "TBs", "TBy/s":
-		return humanize.IBytes(uint64(value*converter.TerabitPerSecond)) + "/s"
-	case "Tbits", "Tbit/s":
-		return humanize.Bytes(uint64(value*converter.TerabitPerSecond/8)) + "/s"
-	case "PiBs", "PiBy/s":
-		return humanize.IBytes(uint64(value*converter.PebibitPerSecond)) + "/s"
-	case "Pibits", "Pibit/s":
-		return humanize.IBytes(uint64(value*converter.PebibitPerSecond/8)) + "/s"
-	case "PBs", "PBy/s":
-		return humanize.IBytes(uint64(value*converter.PetabitPerSecond)) + "/s"
-	case "Pbits", "Pbit/s":
-		return humanize.Bytes(uint64(value*converter.PetabitPerSecond/8)) + "/s"
-	// Exa units
-	case "EBy/s":
-		return humanize.Bytes(uint64(value*converter.ExabitPerSecond)) + "/s"
-	case "Ebit/s":
-		return humanize.Bytes(uint64(value*converter.ExabitPerSecond/8)) + "/s"
-	case "EiBy/s":
-		return humanize.IBytes(uint64(value*converter.ExbibitPerSecond)) + "/s"
-	case "Eibit/s":
-		return humanize.IBytes(uint64(value*converter.ExbibitPerSecond/8)) + "/s"
-	}
-	// When unit is not matched, return the value as it is.
-	return fmt.Sprintf("%v", value)
-}

pkg/query-service/rules/prom_rule.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/prometheus"
-	"github.com/SigNoz/signoz/pkg/query-service/formatter"
+	"github.com/SigNoz/signoz/pkg/units"
 	"github.com/SigNoz/signoz/pkg/query-service/interfaces"
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	v3 "github.com/SigNoz/signoz/pkg/query-service/model/v3"
@@ -185,7 +185,7 @@ func (r *PromRule) buildAndRunQuery(ctx context.Context, ts time.Time) (ruletype
 
 func (r *PromRule) Eval(ctx context.Context, ts time.Time) (int, error) {
 	prevState := r.State()
-	valueFormatter := formatter.FromUnit(r.Unit())
+	valueFormatter := units.FormatterFromUnit(r.Unit())
 
 	// prepare query, run query get data and filter the data based on the threshold
 	results, err := r.buildAndRunQuery(ctx, ts)

pkg/query-service/rules/threshold_rule.go

@@ -33,7 +33,7 @@ import (
 
 	logsv3 "github.com/SigNoz/signoz/pkg/query-service/app/logs/v3"
 	tracesV4 "github.com/SigNoz/signoz/pkg/query-service/app/traces/v4"
-	"github.com/SigNoz/signoz/pkg/query-service/formatter"
+	"github.com/SigNoz/signoz/pkg/units"
 
 	querierV5 "github.com/SigNoz/signoz/pkg/querier"
 
@@ -571,7 +571,7 @@ func (r *ThresholdRule) buildAndRunQueryV5(ctx context.Context, orgID valuer.UUI
 func (r *ThresholdRule) Eval(ctx context.Context, ts time.Time) (int, error) {
 	prevState := r.State()
 
-	valueFormatter := formatter.FromUnit(r.Unit())
+	valueFormatter := units.FormatterFromUnit(r.Unit())
 
 	var res ruletypes.Vector
 	var err error

pkg/types/ruletypes/threshold.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/query-service/converter"
+	"github.com/SigNoz/signoz/pkg/units"
 	v3 "github.com/SigNoz/signoz/pkg/query-service/model/v3"
 	"github.com/SigNoz/signoz/pkg/query-service/utils/labels"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -201,12 +201,12 @@ func sortThresholds(thresholds []BasicRuleThreshold) {
 
 // convertToRuleUnit converts the given value from the target unit to the rule unit
 func (b BasicRuleThreshold) convertToRuleUnit(val float64, ruleUnit string) float64 {
-	unitConverter := converter.FromUnit(converter.Unit(b.TargetUnit))
+	unitConverter := units.ConverterFromUnit(units.Unit(b.TargetUnit))
 	// convert the target value to the y-axis unit
-	value := unitConverter.Convert(converter.Value{
+	value := unitConverter.Convert(units.Value{
 		F: val,
-		U: converter.Unit(b.TargetUnit),
-	}, converter.Unit(ruleUnit))
+		U: units.Unit(b.TargetUnit),
+	}, units.Unit(ruleUnit))
 	return value.F
 }
 

pkg/units/converter.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 // Unit represents a unit of measurement
 type Unit string
@@ -40,8 +40,8 @@ var (
 	NoneConverter       = &noneConverter{}
 )
 
-// FromUnit returns a converter for the given unit
-func FromUnit(u Unit) Converter {
+// ConverterFromUnit returns a converter for the given unit
+func ConverterFromUnit(u Unit) Converter {
 	switch u {
 	case "ns", "us", "µs", "ms", "s", "m", "h", "d", "min", "w", "wk":
 		return DurationConverter

pkg/units/converter_bool.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 // boolConverter is a Converter implementation for bool
 type boolConverter struct{}

pkg/units/converter_data.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 const (
 	// base 10 (SI prefixes)

pkg/units/converter_data_rate.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 const (
 	// base 10 (SI prefixes)

pkg/units/converter_data_rate_test.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 import (
 	"testing"

pkg/units/converter_data_test.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 import (
 	"testing"

pkg/units/converter_percent.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 // percentConverter is a converter for percent unit
 type percentConverter struct{}

pkg/units/converter_percent_test.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 import (
 	"testing"

pkg/units/converter_throughput.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 // throughputConverter is an implementation of Converter that converts throughput
 type throughputConverter struct {

pkg/units/converter_time.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 type Duration float64
 

pkg/units/converter_time_test.go

@@ -1,4 +1,4 @@
-package converter
+package units
 
 import (
 	"testing"

pkg/units/formatter.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 type Formatter interface {
 	Format(value float64, unit string) string
@@ -16,7 +16,7 @@ var (
 	ThroughputFormatter = NewThroughputFormatter()
 )
 
-func FromUnit(u string) Formatter {
+func FormatterFromUnit(u string) Formatter {
 	switch u {
 	case "ns", "us", "µs", "ms", "s", "m", "h", "d", "min", "w", "wk":
 		return DurationFormatter

pkg/units/formatter_bool.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import "fmt"
 

pkg/units/formatter_data.go

@@ -0,0 +1,85 @@
+package units
+
+import (
+	"fmt"
+
+	"github.com/dustin/go-humanize"
+)
+
+type dataFormatter struct {
+}
+
+func NewDataFormatter() Formatter {
+	return &dataFormatter{}
+}
+
+func (*dataFormatter) Name() string {
+	return "data"
+}
+
+func (f *dataFormatter) Format(value float64, unit string) string {
+	switch unit {
+	case "bytes", "By":
+		return humanize.IBytes(uint64(value))
+	case "decbytes":
+		return humanize.Bytes(uint64(value))
+	case "bits", "bit":
+		// humanize.IBytes/Bytes doesn't support bits
+		// and returns 0 B for values less than a byte
+		if value < 8 {
+			return fmt.Sprintf("%v b", value)
+		}
+		return humanize.IBytes(uint64(value / 8))
+	case "decbits":
+		if value < 8 {
+			return fmt.Sprintf("%v b", value)
+		}
+		return humanize.Bytes(uint64(value / 8))
+	case "kbytes", "KiBy":
+		return humanize.IBytes(uint64(value * Kibibit))
+	case "Kibit":
+		return humanize.IBytes(uint64(value * Kibibit / 8))
+	case "decKbytes", "deckbytes", "kBy":
+		return humanize.Bytes(uint64(value * Kilobit))
+	case "kbit":
+		return humanize.Bytes(uint64(value * Kilobit / 8))
+	case "mbytes", "MiBy":
+		return humanize.IBytes(uint64(value * Mebibit))
+	case "Mibit":
+		return humanize.IBytes(uint64(value * Mebibit / 8))
+	case "decMbytes", "decmbytes", "MBy":
+		return humanize.Bytes(uint64(value * Megabit))
+	case "Mbit":
+		return humanize.Bytes(uint64(value * Megabit / 8))
+	case "gbytes", "GiBy":
+		return humanize.IBytes(uint64(value * Gibibit))
+	case "Gibit":
+		return humanize.IBytes(uint64(value * Gibibit / 8))
+	case "decGbytes", "decgbytes", "GBy":
+		return humanize.Bytes(uint64(value * Gigabit))
+	case "Gbit":
+		return humanize.Bytes(uint64(value * Gigabit / 8))
+	case "tbytes", "TiBy":
+		return humanize.IBytes(uint64(value * Tebibit))
+	case "Tibit":
+		return humanize.IBytes(uint64(value * Tebibit / 8))
+	case "decTbytes", "dectbytes", "TBy":
+		return humanize.Bytes(uint64(value * Terabit))
+	case "Tbit":
+		return humanize.Bytes(uint64(value * Terabit / 8))
+	case "pbytes", "PiBy":
+		return humanize.IBytes(uint64(value * Pebibit))
+	case "Pbit":
+		return humanize.Bytes(uint64(value * Petabit / 8))
+	case "decPbytes", "decpbytes", "PBy":
+		return humanize.Bytes(uint64(value * Petabit))
+	case "EiBy":
+		return humanize.IBytes(uint64(value * Exbibit))
+	case "Ebit":
+		return humanize.Bytes(uint64(value * Exabit / 8))
+	case "EBy":
+		return humanize.Bytes(uint64(value * Exabit))
+	}
+	// When unit is not matched, return the value as it is.
+	return fmt.Sprintf("%v", value)
+}

pkg/units/formatter_data_rate.go

@@ -0,0 +1,90 @@
+package units
+
+import (
+	"fmt"
+
+	"github.com/dustin/go-humanize"
+)
+
+type dataRateFormatter struct {
+}
+
+func NewDataRateFormatter() Formatter {
+	return &dataRateFormatter{}
+}
+
+func (*dataRateFormatter) Name() string {
+	return "data_rate"
+}
+
+func (f *dataRateFormatter) Format(value float64, unit string) string {
+	switch unit {
+	case "binBps":
+		return humanize.IBytes(uint64(value)) + "/s"
+	case "Bps", "By/s":
+		return humanize.Bytes(uint64(value)) + "/s"
+	case "binbps":
+		// humanize.IBytes/Bytes doesn't support bits
+		// and returns 0 B for values less than a byte
+		if value < 8 {
+			return fmt.Sprintf("%v b/s", value)
+		}
+		return humanize.IBytes(uint64(value/8)) + "/s"
+	case "bps", "bit/s":
+		if value < 8 {
+			return fmt.Sprintf("%v b/s", value)
+		}
+		return humanize.Bytes(uint64(value/8)) + "/s"
+	case "KiBs", "KiBy/s":
+		return humanize.IBytes(uint64(value*KibibitPerSecond)) + "/s"
+	case "Kibits", "Kibit/s":
+		return humanize.IBytes(uint64(value*KibibitPerSecond/8)) + "/s"
+	case "KBs", "kBy/s":
+		return humanize.IBytes(uint64(value*KilobitPerSecond)) + "/s"
+	case "Kbits", "kbit/s":
+		return humanize.Bytes(uint64(value*KilobitPerSecond/8)) + "/s"
+	case "MiBs", "MiBy/s":
+		return humanize.IBytes(uint64(value*MebibitPerSecond)) + "/s"
+	case "Mibits", "Mibit/s":
+		return humanize.IBytes(uint64(value*MebibitPerSecond/8)) + "/s"
+	case "MBs", "MBy/s":
+		return humanize.IBytes(uint64(value*MegabitPerSecond)) + "/s"
+	case "Mbits", "Mbit/s":
+		return humanize.Bytes(uint64(value*MegabitPerSecond/8)) + "/s"
+	case "GiBs", "GiBy/s":
+		return humanize.IBytes(uint64(value*GibibitPerSecond)) + "/s"
+	case "Gibits", "Gibit/s":
+		return humanize.IBytes(uint64(value*GibibitPerSecond/8)) + "/s"
+	case "GBs", "GBy/s":
+		return humanize.IBytes(uint64(value*GigabitPerSecond)) + "/s"
+	case "Gbits", "Gbit/s":
+		return humanize.Bytes(uint64(value*GigabitPerSecond/8)) + "/s"
+	case "TiBs", "TiBy/s":
+		return humanize.IBytes(uint64(value*TebibitPerSecond)) + "/s"
+	case "Tibits", "Tibit/s":
+		return humanize.IBytes(uint64(value*TebibitPerSecond/8)) + "/s"
+	case "TBs", "TBy/s":
+		return humanize.IBytes(uint64(value*TerabitPerSecond)) + "/s"
+	case "Tbits", "Tbit/s":
+		return humanize.Bytes(uint64(value*TerabitPerSecond/8)) + "/s"
+	case "PiBs", "PiBy/s":
+		return humanize.IBytes(uint64(value*PebibitPerSecond)) + "/s"
+	case "Pibits", "Pibit/s":
+		return humanize.IBytes(uint64(value*PebibitPerSecond/8)) + "/s"
+	case "PBs", "PBy/s":
+		return humanize.IBytes(uint64(value*PetabitPerSecond)) + "/s"
+	case "Pbits", "Pbit/s":
+		return humanize.Bytes(uint64(value*PetabitPerSecond/8)) + "/s"
+	// Exa units
+	case "EBy/s":
+		return humanize.Bytes(uint64(value*ExabitPerSecond)) + "/s"
+	case "Ebit/s":
+		return humanize.Bytes(uint64(value*ExabitPerSecond/8)) + "/s"
+	case "EiBy/s":
+		return humanize.IBytes(uint64(value*ExbibitPerSecond)) + "/s"
+	case "Eibit/s":
+		return humanize.IBytes(uint64(value*ExbibitPerSecond/8)) + "/s"
+	}
+	// When unit is not matched, return the value as it is.
+	return fmt.Sprintf("%v", value)
+}

pkg/units/formatter_data_rate_test.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"testing"

pkg/units/formatter_data_test.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"testing"
@@ -6,7 +6,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestData(t *testing.T) {
+func TestFormatterData(t *testing.T) {
 	dataFormatter := NewDataFormatter()
 
 	assert.Equal(t, "1 B", dataFormatter.Format(1, "bytes"))

pkg/units/formatter_none.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import "fmt"
 

pkg/units/formatter_percent.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import "fmt"
 

pkg/units/formatter_scale.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"fmt"
@@ -14,36 +14,36 @@ type IntervalsInSecondsType map[Interval]int
 type Interval string
 
 const (
-	Year        Interval = "year"
-	Month       Interval = "month"
-	Week        Interval = "week"
-	Day         Interval = "day"
-	Hour        Interval = "hour"
-	Minute      Interval = "minute"
-	Second      Interval = "second"
-	Millisecond Interval = "millisecond"
+	IntervalYear        Interval = "year"
+	IntervalMonth       Interval = "month"
+	IntervalWeek        Interval = "week"
+	IntervalDay         Interval = "day"
+	IntervalHour        Interval = "hour"
+	IntervalMinute      Interval = "minute"
+	IntervalSecond      Interval = "second"
+	IntervalMillisecond Interval = "millisecond"
 )
 
 var Units = []Interval{
-	Year,
-	Month,
-	Week,
-	Day,
-	Hour,
-	Minute,
-	Second,
-	Millisecond,
+	IntervalYear,
+	IntervalMonth,
+	IntervalWeek,
+	IntervalDay,
+	IntervalHour,
+	IntervalMinute,
+	IntervalSecond,
+	IntervalMillisecond,
 }
 
 var IntervalsInSeconds = IntervalsInSecondsType{
-	Year:        31536000,
-	Month:       2592000,
-	Week:        604800,
-	Day:         86400,
-	Hour:        3600,
-	Minute:      60,
-	Second:      1,
-	Millisecond: 1,
+	IntervalYear:        31536000,
+	IntervalMonth:       2592000,
+	IntervalWeek:        604800,
+	IntervalDay:         86400,
+	IntervalHour:        3600,
+	IntervalMinute:      60,
+	IntervalSecond:      1,
+	IntervalMillisecond: 1,
 }
 
 type DecimalCount *int
@@ -78,9 +78,8 @@ func toFixed(value float64, decimals DecimalCount) string {
 	}
 
 	decimalPos := strings.Index(formatted, ".")
-	precision := 0
 	if decimalPos != -1 {
-		precision = len(formatted) - decimalPos - 1
+		precision := len(formatted) - decimalPos - 1
 		if precision < *decimals {
 			return formatted + strings.Repeat("0", *decimals-precision)
 		}
@@ -89,8 +88,8 @@ func toFixed(value float64, decimals DecimalCount) string {
 	return formatted
 }
 
-func toFixedScaled(value float64, decimals DecimalCount, scaleFormat string) string {
-	return toFixed(value, decimals) + scaleFormat
+func toFixedScaled(value float64, scaleFormat string) string {
+	return toFixed(value, nil) + scaleFormat
 }
 
 func getDecimalsForValue(value float64) int {

pkg/units/formatter_scale_test.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"testing"

pkg/units/formatter_throughput.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import "fmt"
 
@@ -13,35 +13,35 @@ func (*throughputFormatter) Name() string {
 	return "throughput"
 }
 
-func simpleCountUnit(value float64, decimals *int, symbol string) string {
+func simpleCountUnit(value float64, symbol string) string {
 	units := []string{"", "K", "M", "B", "T"}
 	scaler := scaledUnits(1000, units, 0)
 
-	return scaler(value, decimals) + " " + symbol
+	return scaler(value, nil) + " " + symbol
 }
 
 func (f *throughputFormatter) Format(value float64, unit string) string {
 	switch unit {
 	case "cps", "{count}/s":
-		return simpleCountUnit(value, nil, "c/s")
+		return simpleCountUnit(value, "c/s")
 	case "ops", "{ops}/s":
-		return simpleCountUnit(value, nil, "op/s")
+		return simpleCountUnit(value, "op/s")
 	case "reqps", "{req}/s":
-		return simpleCountUnit(value, nil, "req/s")
+		return simpleCountUnit(value, "req/s")
 	case "rps", "{read}/s":
-		return simpleCountUnit(value, nil, "r/s")
+		return simpleCountUnit(value, "r/s")
 	case "wps", "{write}/s":
-		return simpleCountUnit(value, nil, "w/s")
+		return simpleCountUnit(value, "w/s")
 	case "iops", "{iops}/s":
-		return simpleCountUnit(value, nil, "iops")
+		return simpleCountUnit(value, "iops")
 	case "cpm", "{count}/min":
-		return simpleCountUnit(value, nil, "c/m")
+		return simpleCountUnit(value, "c/m")
 	case "opm", "{ops}/min":
-		return simpleCountUnit(value, nil, "op/m")
+		return simpleCountUnit(value, "op/m")
 	case "rpm", "{read}/min":
-		return simpleCountUnit(value, nil, "r/m")
+		return simpleCountUnit(value, "r/m")
 	case "wpm", "{write}/min":
-		return simpleCountUnit(value, nil, "w/m")
+		return simpleCountUnit(value, "w/m")
 	}
 	// When unit is not matched, return the value as it is.
 	return fmt.Sprintf("%v", value)

pkg/units/formatter_throughput_test.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"testing"

pkg/units/formatter_time.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"fmt"
@@ -46,17 +46,17 @@ func toNanoSeconds(value float64) string {
 	if absValue < 1000 {
 		return toFixed(value, nil) + " ns"
 	} else if absValue < 1000000 { // 2000 ns is better represented as 2 µs
-		return toFixedScaled(value/1000, nil, " µs")
+		return toFixedScaled(value/1000, " µs")
 	} else if absValue < 1000000000 { // 2000000 ns is better represented as 2 ms
-		return toFixedScaled(value/1000000, nil, " ms")
+		return toFixedScaled(value/1000000, " ms")
 	} else if absValue < 60000000000 {
-		return toFixedScaled(value/1000000000, nil, " s")
+		return toFixedScaled(value/1000000000, " s")
 	} else if absValue < 3600000000000 {
-		return toFixedScaled(value/60000000000, nil, " min")
+		return toFixedScaled(value/60000000000, " min")
 	} else if absValue < 86400000000000 {
-		return toFixedScaled(value/3600000000000, nil, " hour")
+		return toFixedScaled(value/3600000000000, " hour")
 	} else {
-		return toFixedScaled(value/86400000000000, nil, " day")
+		return toFixedScaled(value/86400000000000, " day")
 	}
 }
 
@@ -66,9 +66,9 @@ func toMicroSeconds(value float64) string {
 	if absValue < 1000 {
 		return toFixed(value, nil) + " µs"
 	} else if absValue < 1000000 { // 2000 µs is better represented as 2 ms
-		return toFixedScaled(value/1000, nil, " ms")
+		return toFixedScaled(value/1000, " ms")
 	} else {
-		return toFixedScaled(value/1000000, nil, " s")
+		return toFixedScaled(value/1000000, " s")
 	}
 }
 
@@ -80,16 +80,16 @@ func toMilliSeconds(value float64) string {
 	if absValue < 1000 {
 		return toFixed(value, nil) + " ms"
 	} else if absValue < 60000 {
-		return toFixedScaled(value/1000, nil, " s")
+		return toFixedScaled(value/1000, " s")
 	} else if absValue < 3600000 {
-		return toFixedScaled(value/60000, nil, " min")
+		return toFixedScaled(value/60000, " min")
 	} else if absValue < 86400000 { // 172800000 ms is better represented as 2 day
-		return toFixedScaled(value/3600000, nil, " hour")
+		return toFixedScaled(value/3600000, " hour")
 	} else if absValue < 31536000000 {
-		return toFixedScaled(value/86400000, nil, " day")
+		return toFixedScaled(value/86400000, " day")
 	}
 
-	return toFixedScaled(value/31536000000, nil, " year")
+	return toFixedScaled(value/31536000000, " year")
 }
 
 // toSeconds returns a easy to read string representation of the given value in seconds
@@ -97,24 +97,24 @@ func toSeconds(value float64) string {
 	absValue := math.Abs(value)
 
 	if absValue < 0.000001 {
-		return toFixedScaled(value*1e9, nil, " ns")
+		return toFixedScaled(value*1e9, " ns")
 	} else if absValue < 0.001 {
-		return toFixedScaled(value*1e6, nil, " µs")
+		return toFixedScaled(value*1e6, " µs")
 	} else if absValue < 1 {
-		return toFixedScaled(value*1e3, nil, " ms")
+		return toFixedScaled(value*1e3, " ms")
 	} else if absValue < 60 {
 		return toFixed(value, nil) + " s"
 	} else if absValue < 3600 {
-		return toFixedScaled(value/60, nil, " min")
+		return toFixedScaled(value/60, " min")
 	} else if absValue < 86400 { // 56000 s is better represented as 15.56 hour
-		return toFixedScaled(value/3600, nil, " hour")
+		return toFixedScaled(value/3600, " hour")
 	} else if absValue < 604800 {
-		return toFixedScaled(value/86400, nil, " day")
+		return toFixedScaled(value/86400, " day")
 	} else if absValue < 31536000 {
-		return toFixedScaled(value/604800, nil, " week")
+		return toFixedScaled(value/604800, " week")
 	}
 
-	return toFixedScaled(value/3.15569e7, nil, " year")
+	return toFixedScaled(value/3.15569e7, " year")
 }
 
 // toMinutes returns a easy to read string representation of the given value in minutes
@@ -124,13 +124,13 @@ func toMinutes(value float64) string {
 	if absValue < 60 {
 		return toFixed(value, nil) + " min"
 	} else if absValue < 1440 {
-		return toFixedScaled(value/60, nil, " hour")
+		return toFixedScaled(value/60, " hour")
 	} else if absValue < 10080 {
-		return toFixedScaled(value/1440, nil, " day")
+		return toFixedScaled(value/1440, " day")
 	} else if absValue < 604800 {
-		return toFixedScaled(value/10080, nil, " week")
+		return toFixedScaled(value/10080, " week")
 	} else {
-		return toFixedScaled(value/5.25948e5, nil, " year")
+		return toFixedScaled(value/5.25948e5, " year")
 	}
 }
 
@@ -142,11 +142,11 @@ func toHours(value float64) string {
 	if absValue < 24 {
 		return toFixed(value, nil) + " hour"
 	} else if absValue < 168 {
-		return toFixedScaled(value/24, nil, " day")
+		return toFixedScaled(value/24, " day")
 	} else if absValue < 8760 {
-		return toFixedScaled(value/168, nil, " week")
+		return toFixedScaled(value/168, " week")
 	} else {
-		return toFixedScaled(value/8760, nil, " year")
+		return toFixedScaled(value/8760, " year")
 	}
 }
 
@@ -157,9 +157,9 @@ func toDays(value float64) string {
 	if absValue < 7 {
 		return toFixed(value, nil) + " day"
 	} else if absValue < 365 {
-		return toFixedScaled(value/7, nil, " week")
+		return toFixedScaled(value/7, " week")
 	} else {
-		return toFixedScaled(value/365, nil, " year")
+		return toFixedScaled(value/365, " year")
 	}
 }
 
@@ -170,6 +170,6 @@ func toWeeks(value float64) string {
 	if absValue < 52 {
 		return toFixed(value, nil) + " week"
 	} else {
-		return toFixedScaled(value/52, nil, " year")
+		return toFixedScaled(value/52, " year")
 	}
 }

pkg/units/formatter_time_test.go

@@ -1,4 +1,4 @@
-package formatter
+package units
 
 import (
 	"testing"