Merge branch 'main' into feat/disable_side_drawer_missing_identifiers

.github/workflows/jsci.yaml

@@ -71,49 +71,3 @@ jobs:
         uses: actions/checkout@v4
       - name: validate md languages
         run: bash frontend/scripts/validate-md-languages.sh
-  authz:
-    if: |
-      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
-      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version: "22"
-
-      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: |
-          yarn install
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v5
-
-      - name: Install Python dependencies
-        working-directory: ./tests/integration
-        run: |
-          uv sync
-
-      - name: Start test environment
-        run: |
-          make py-test-setup
-
-      - name: Generate permissions.type.ts
-        run: |
-          node frontend/scripts/generate-permissions-type.js
-
-      - name: Teardown test environment
-        if: always()
-        run: |
-          make py-test-teardown
-
-      - name: Check for changes
-        run: |
-          if ! git diff --exit-code frontend/src/hooks/useAuthZ/permissions.type.ts; then
-            echo "::error::frontend/src/hooks/useAuthZ/permissions.type.ts is out of date. Please run the generator locally and commit the changes: npm run generate:permissions-type (from the frontend directory)"
-            exit 1
-          fi

cmd/community/server.go

@@ -18,7 +18,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/query-service/app"
 	"github.com/SigNoz/signoz/pkg/queryparser"
@@ -80,8 +79,8 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		func(ctx context.Context, sqlstore sqlstore.SQLStore, _ licensing.Licensing, _ dashboard.Module) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx))
 		},
-		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, _ querier.Querier, _ licensing.Licensing, userGetter user.Getter) dashboard.Module {
-			return impldashboard.NewModule(impldashboard.NewStore(store), settings, analytics, orgGetter, queryParser, userGetter)
+		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, _ querier.Querier, _ licensing.Licensing) dashboard.Module {
+			return impldashboard.NewModule(impldashboard.NewStore(store), settings, analytics, orgGetter, queryParser)
 		},
 		func(_ licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config] {
 			return noopgateway.NewProviderFactory()

cmd/enterprise/server.go

@@ -9,12 +9,12 @@ import (
 	"github.com/SigNoz/signoz/ee/authn/callbackauthn/oidccallbackauthn"
 	"github.com/SigNoz/signoz/ee/authn/callbackauthn/samlcallbackauthn"
 	"github.com/SigNoz/signoz/ee/authz/openfgaauthz"
+	eequerier "github.com/SigNoz/signoz/ee/querier"
 	"github.com/SigNoz/signoz/ee/authz/openfgaschema"
 	"github.com/SigNoz/signoz/ee/gateway/httpgateway"
 	enterpriselicensing "github.com/SigNoz/signoz/ee/licensing"
 	"github.com/SigNoz/signoz/ee/licensing/httplicensing"
 	"github.com/SigNoz/signoz/ee/modules/dashboard/impldashboard"
-	eequerier "github.com/SigNoz/signoz/ee/querier"
 	enterpriseapp "github.com/SigNoz/signoz/ee/query-service/app"
 	"github.com/SigNoz/signoz/ee/sqlschema/postgressqlschema"
 	"github.com/SigNoz/signoz/ee/sqlstore/postgressqlstore"
@@ -29,7 +29,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	pkgimpldashboard "github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/signoz"
@@ -120,8 +119,8 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e
 		func(ctx context.Context, sqlstore sqlstore.SQLStore, licensing licensing.Licensing, dashboardModule dashboard.Module) factory.ProviderFactory[authz.AuthZ, authz.Config] {
 			return openfgaauthz.NewProviderFactory(sqlstore, openfgaschema.NewSchema().Get(ctx), licensing, dashboardModule)
 		},
-		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing, userGetter user.Getter) dashboard.Module {
-			return impldashboard.NewModule(pkgimpldashboard.NewStore(store), settings, analytics, orgGetter, queryParser, querier, licensing, userGetter)
+		func(store sqlstore.SQLStore, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
+			return impldashboard.NewModule(pkgimpldashboard.NewStore(store), settings, analytics, orgGetter, queryParser, querier, licensing)
 		},
 		func(licensing licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config] {
 			return httpgateway.NewProviderFactory(licensing)

docs/api/openapi.yml

@@ -1763,134 +1763,6 @@ components:
       - type
       - orgId
       type: object
-    ServiceaccounttypesFactorAPIKey:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        expires_at:
-          minimum: 0
-          type: integer
-        id:
-          type: string
-        key:
-          type: string
-        last_observed_at:
-          format: date-time
-          type: string
-        name:
-          type: string
-        service_account_id:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - key
-      - expires_at
-      - last_observed_at
-      - service_account_id
-      type: object
-    ServiceaccounttypesGettableFactorAPIKeyWithKey:
-      properties:
-        id:
-          type: string
-        key:
-          type: string
-      required:
-      - id
-      - key
-      type: object
-    ServiceaccounttypesPostableFactorAPIKey:
-      properties:
-        expires_at:
-          minimum: 0
-          type: integer
-        name:
-          type: string
-      required:
-      - name
-      - expires_at
-      type: object
-    ServiceaccounttypesPostableServiceAccount:
-      properties:
-        email:
-          type: string
-        name:
-          type: string
-        roles:
-          items:
-            type: string
-          type: array
-      required:
-      - name
-      - email
-      - roles
-      type: object
-    ServiceaccounttypesServiceAccount:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        email:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        orgID:
-          type: string
-        roles:
-          items:
-            type: string
-          type: array
-        status:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - name
-      - email
-      - roles
-      - status
-      - orgID
-      type: object
-    ServiceaccounttypesUpdatableFactorAPIKey:
-      properties:
-        expires_at:
-          minimum: 0
-          type: integer
-        name:
-          type: string
-      required:
-      - name
-      - expires_at
-      type: object
-    ServiceaccounttypesUpdatableServiceAccount:
-      properties:
-        email:
-          type: string
-        name:
-          type: string
-        roles:
-          items:
-            type: string
-          type: array
-      required:
-      - name
-      - email
-      - roles
-      type: object
-    ServiceaccounttypesUpdatableServiceAccountStatus:
-      properties:
-        status:
-          type: string
-      required:
-      - status
-      type: object
     TelemetrytypesFieldContext:
       enum:
       - metric
@@ -4665,586 +4537,6 @@ paths:
       summary: Patch objects for a role by relation
       tags:
       - role
-  /api/v1/service_accounts:
-    get:
-      deprecated: false
-      description: This endpoint lists the service accounts for an organisation
-      operationId: ListServiceAccounts
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    items:
-                      $ref: '#/components/schemas/ServiceaccounttypesServiceAccount'
-                    type: array
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: List service accounts
-      tags:
-      - serviceaccount
-    post:
-      deprecated: false
-      description: This endpoint creates a service account
-      operationId: CreateServiceAccount
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ServiceaccounttypesPostableServiceAccount'
-      responses:
-        "201":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/TypesIdentifiable'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: Created
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "409":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Conflict
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Create service account
-      tags:
-      - serviceaccount
-  /api/v1/service_accounts/{id}:
-    delete:
-      deprecated: false
-      description: This endpoint deletes an existing service account
-      operationId: DeleteServiceAccount
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Deletes a service account
-      tags:
-      - serviceaccount
-    get:
-      deprecated: false
-      description: This endpoint gets an existing service account
-      operationId: GetServiceAccount
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/ServiceaccounttypesServiceAccount'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Gets a service account
-      tags:
-      - serviceaccount
-    put:
-      deprecated: false
-      description: This endpoint updates an existing service account
-      operationId: UpdateServiceAccount
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ServiceaccounttypesUpdatableServiceAccount'
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Updates a service account
-      tags:
-      - serviceaccount
-  /api/v1/service_accounts/{id}/keys:
-    get:
-      deprecated: false
-      description: This endpoint lists the service account keys
-      operationId: ListServiceAccountKeys
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    items:
-                      $ref: '#/components/schemas/ServiceaccounttypesFactorAPIKey'
-                    type: array
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: List service account keys
-      tags:
-      - serviceaccount
-    post:
-      deprecated: false
-      description: This endpoint creates a service account key
-      operationId: CreateServiceAccountKey
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ServiceaccounttypesPostableFactorAPIKey'
-      responses:
-        "201":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/ServiceaccounttypesGettableFactorAPIKeyWithKey'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: Created
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "409":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Conflict
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Create a service account key
-      tags:
-      - serviceaccount
-  /api/v1/service_accounts/{id}/keys/{fid}:
-    delete:
-      deprecated: false
-      description: This endpoint revokes an existing service account key
-      operationId: RevokeServiceAccountKey
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      - in: path
-        name: fid
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Revoke a service account key
-      tags:
-      - serviceaccount
-    put:
-      deprecated: false
-      description: This endpoint updates an existing service account key
-      operationId: UpdateServiceAccountKey
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      - in: path
-        name: fid
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ServiceaccounttypesUpdatableFactorAPIKey'
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Updates a service account key
-      tags:
-      - serviceaccount
-  /api/v1/service_accounts/{id}/status:
-    put:
-      deprecated: false
-      description: This endpoint updates an existing service account status
-      operationId: UpdateServiceAccountStatus
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ServiceaccounttypesUpdatableServiceAccountStatus'
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Updates a service account status
-      tags:
-      - serviceaccount
   /api/v1/user:
     get:
       deprecated: false

ee/authz/openfgaauthz/provider.go

@@ -98,20 +98,16 @@ func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.
 	return provider.pkgAuthzService.ListByOrgIDAndNames(ctx, orgID, names)
 }
 
-func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.Role, error) {
-	return provider.pkgAuthzService.ListByOrgIDAndIDs(ctx, orgID, ids)
+func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
+	return provider.pkgAuthzService.Grant(ctx, orgID, name, subject)
 }
 
-func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
-	return provider.pkgAuthzService.Grant(ctx, orgID, names, subject)
+func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleName string, updatedRoleName string, subject string) error {
+	return provider.pkgAuthzService.ModifyGrant(ctx, orgID, existingRoleName, updatedRoleName, subject)
 }
 
-func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleNames []string, updatedRoleNames []string, subject string) error {
-	return provider.pkgAuthzService.ModifyGrant(ctx, orgID, existingRoleNames, updatedRoleNames, subject)
-}
-
-func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
-	return provider.pkgAuthzService.Revoke(ctx, orgID, names, subject)
+func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
+	return provider.pkgAuthzService.Revoke(ctx, orgID, name, subject)
 }
 
 func (provider *provider) CreateManagedRoles(ctx context.Context, orgID valuer.UUID, managedRoles []*roletypes.Role) error {

ee/authz/openfgaschema/base.fga

@@ -2,45 +2,39 @@ module base
 
 type organisation 
   relations
-    define read: [user, serviceaccount, role#assignee]
-    define update: [user, serviceaccount, role#assignee]
+    define read: [user, role#assignee]
+    define update: [user, role#assignee]
 
 type user
   relations
-    define read: [user, serviceaccount, role#assignee]
-    define update: [user, serviceaccount, role#assignee]
-    define delete: [user, serviceaccount, role#assignee]
-
-type serviceaccount 
-  relations
-    define read: [user, serviceaccount, role#assignee]
-    define update: [user, serviceaccount, role#assignee]
-    define delete: [user, serviceaccount, role#assignee]  
+    define read: [user, role#assignee]
+    define update: [user, role#assignee]
+    define delete: [user, role#assignee]
 
 type anonymous
 
 type role 
   relations
-    define assignee: [user, serviceaccount, anonymous]
+    define assignee: [user, anonymous]
 
-    define read: [user, serviceaccount, role#assignee]
-    define update: [user, serviceaccount, role#assignee]
-    define delete: [user, serviceaccount, role#assignee]
+    define read: [user, role#assignee]
+    define update: [user, role#assignee]
+    define delete: [user, role#assignee]
 
 type metaresources
   relations
-    define create: [user, serviceaccount, role#assignee]
-    define list: [user, serviceaccount, role#assignee]
+    define create: [user, role#assignee]
+    define list: [user, role#assignee]
 
 type metaresource
   relations
-      define read: [user, serviceaccount, anonymous, role#assignee]
-      define update: [user, serviceaccount, role#assignee]
-      define delete: [user, serviceaccount, role#assignee]
+      define read: [user, anonymous, role#assignee]
+      define update: [user, role#assignee]
+      define delete: [user, role#assignee]
 
-      define block: [user, serviceaccount, role#assignee]
+      define block: [user, role#assignee]
 
 
 type telemetryresource
   relations
-      define read: [user, serviceaccount, role#assignee]
+      define read: [user, role#assignee]

ee/authz/openfgaserver/server.go

@@ -31,22 +31,9 @@ func (server *Server) Stop(ctx context.Context) error {
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
-	subject := ""
-	switch claims.Principal {
-	case authtypes.PrincipalUser.StringValue():
-		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = user
-	case authtypes.PrincipalServiceAccount.StringValue():
-		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = serviceAccount
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		return err
 	}
 
 	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)

ee/modules/dashboard/impldashboard/module.go

@@ -11,7 +11,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	pkgimpldashboard "github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -30,9 +29,9 @@ type module struct {
 	licensing          licensing.Licensing
 }
 
-func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing, userGetter user.Getter) dashboard.Module {
+func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, querier querier.Querier, licensing licensing.Licensing) dashboard.Module {
 	scopedProviderSettings := factory.NewScopedProviderSettings(settings, "github.com/SigNoz/signoz/ee/modules/dashboard/impldashboard")
-	pkgDashboardModule := pkgimpldashboard.NewModule(store, settings, analytics, orgGetter, queryParser, userGetter)
+	pkgDashboardModule := pkgimpldashboard.NewModule(store, settings, analytics, orgGetter, queryParser)
 
 	return &module{
 		pkgDashboardModule: pkgDashboardModule,
@@ -209,8 +208,8 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, id valuer.U
 	return module.pkgDashboardModule.Update(ctx, orgID, id, updatedBy, data, diff)
 }
 
-func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedByUserID valuer.UUID, lock bool) error {
-	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedByUserID, lock)
+func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error {
+	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedBy, role, lock)
 }
 
 func (module *module) MustGetTypeables() []authtypes.Typeable {

ee/query-service/app/server.go

@@ -216,7 +216,8 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 		}),
 		otelmux.WithPublicEndpoint(),
 	))
-	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ_API_KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
+	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.Instrumentation.Logger()).Wrap)
+	r.Use(middleware.NewAPIKey(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
 	r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 		s.config.APIServer.Timeout.ExcludedRoutes,
 		s.config.APIServer.Timeout.Default,

frontend/.eslintrc.js

@@ -2,11 +2,7 @@
  * ESLint Configuration for SigNoz Frontend
  */
 module.exports = {
-	ignorePatterns: [
-		'src/parser/*.ts',
-		'scripts/update-registry.js',
-		'scripts/generate-permissions-type.js',
-	],
+	ignorePatterns: ['src/parser/*.ts', 'scripts/update-registry.js'],
 	env: {
 		browser: true,
 		es2021: true,

frontend/package.json

@@ -19,8 +19,7 @@
 		"commitlint": "commitlint --edit $1",
 		"test": "jest",
 		"test:changedsince": "jest --changedSince=main --coverage --silent",
-		"generate:api": "orval --config ./orval.config.ts && sh scripts/post-types-generation.sh",
-		"generate:permissions-type": "node scripts/generate-permissions-type.js"
+		"generate:api": "orval --config ./orval.config.ts && sh scripts/post-types-generation.sh"
 	},
 	"engines": {
 		"node": ">=16.15.0"

frontend/scripts/generate-permissions-type.js

@@ -1,199 +0,0 @@
-#!/usr/bin/env node
-
-const fs = require('fs');
-const path = require('path');
-const { execSync } = require('child_process');
-const axios = require('axios');
-
-const PERMISSIONS_TYPE_FILE = path.join(
-	__dirname,
-	'../src/hooks/useAuthZ/permissions.type.ts',
-);
-
-const SIGNOZ_INTEGRATION_IMAGE = 'signoz:integration';
-const LOCAL_BACKEND_URL = 'http://localhost:8080';
-
-function log(message) {
-	console.log(`[generate-permissions-type] ${message}`);
-}
-
-function getBackendUrlFromDocker() {
-	try {
-		const output = execSync(
-			`docker ps --filter "ancestor=${SIGNOZ_INTEGRATION_IMAGE}" --format "{{.Ports}}"`,
-			{ encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] },
-		).trim();
-
-		if (!output) {
-			return null;
-		}
-
-		const portMatch = output.match(/0\.0\.0\.0:(\d+)->8080\/tcp/);
-		if (portMatch) {
-			return `http://localhost:${portMatch[1]}`;
-		}
-
-		const ipv6Match = output.match(/:::(\d+)->8080\/tcp/);
-		if (ipv6Match) {
-			return `http://localhost:${ipv6Match[1]}`;
-		}
-	} catch (err) {
-		log(`Warning: Could not get port from docker: ${err.message}`);
-	}
-	return null;
-}
-
-async function checkBackendHealth(url, maxAttempts = 3, delayMs = 1000) {
-	for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-		try {
-			await axios.get(`${url}/api/v1/health`, {
-				timeout: 5000,
-				validateStatus: (status) => status === 200,
-			});
-			return true;
-		} catch (err) {
-			if (attempt < maxAttempts) {
-				await new Promise((r) => setTimeout(r, delayMs));
-			}
-		}
-	}
-	return false;
-}
-
-async function discoverBackendUrl() {
-	const dockerUrl = getBackendUrlFromDocker();
-	if (dockerUrl) {
-		log(`Found ${SIGNOZ_INTEGRATION_IMAGE} container, trying ${dockerUrl}...`);
-		if (await checkBackendHealth(dockerUrl)) {
-			log(`Backend found at ${dockerUrl} (from py-test-setup)`);
-			return dockerUrl;
-		}
-		log(`Backend at ${dockerUrl} is not responding`);
-	}
-
-	log(`Trying local backend at ${LOCAL_BACKEND_URL}...`);
-	if (await checkBackendHealth(LOCAL_BACKEND_URL)) {
-		log(`Backend found at ${LOCAL_BACKEND_URL}`);
-		return LOCAL_BACKEND_URL;
-	}
-
-	return null;
-}
-
-async function fetchResources(backendUrl) {
-	log('Fetching resources from API...');
-	const resourcesUrl = `${backendUrl}/api/v1/authz/resources`;
-
-	const { data: response } = await axios.get(resourcesUrl);
-
-	return response;
-}
-
-function transformResponse(apiResponse) {
-	if (!apiResponse.data) {
-		throw new Error('Invalid API response: missing data field');
-	}
-
-	const { resources, relations } = apiResponse.data;
-
-	return {
-		status: apiResponse.status || 'success',
-		data: {
-			resources: resources,
-			relations: relations,
-		},
-	};
-}
-
-function generateTypeScriptFile(data) {
-	const resourcesStr = data.data.resources
-		.map(
-			(r) =>
-				`\t\t\t{\n\t\t\t\tname: '${r.name}',\n\t\t\t\ttype: '${r.type}',\n\t\t\t}`,
-		)
-		.join(',\n');
-
-	const relationsStr = Object.entries(data.data.relations)
-		.map(
-			([type, relations]) =>
-				`\t\t\t${type}: [${relations.map((r) => `'${r}'`).join(', ')}]`,
-		)
-		.join(',\n');
-
-	return `// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY scripts/generate-permissions-type
-export default {
-\tstatus: '${data.status}',
-\tdata: {
-\t\tresources: [
-${resourcesStr}
-\t\t],
-\t\trelations: {
-${relationsStr}
-\t\t},
-\t},
-} as const;
-`;
-}
-
-async function main() {
-	try {
-		log('Starting permissions type generation...');
-
-		const backendUrl = await discoverBackendUrl();
-
-		if (!backendUrl) {
-			console.error('\n' + '='.repeat(80));
-			console.error('ERROR: No running SigNoz backend found!');
-			console.error('='.repeat(80));
-			console.error(
-				'\nThe permissions type generator requires a running SigNoz backend.',
-			);
-			console.error('\nFor local development, start the backend with:');
-			console.error('  make go-run-enterprise');
-			console.error(
-				'\nFor CI or integration testing, start the test environment with:',
-			);
-			console.error('  make py-test-setup');
-			console.error(
-				'\nIf running in CI and seeing this error, check that the py-test-setup',
-			);
-			console.error('step completed successfully before this step runs.');
-			console.error('='.repeat(80) + '\n');
-			process.exit(1);
-		}
-
-		log('Fetching resources...');
-		const apiResponse = await fetchResources(backendUrl);
-
-		log('Transforming response...');
-		const transformed = transformResponse(apiResponse);
-
-		log('Generating TypeScript file...');
-		const content = generateTypeScriptFile(transformed);
-
-		log(`Writing to ${PERMISSIONS_TYPE_FILE}...`);
-		fs.writeFileSync(PERMISSIONS_TYPE_FILE, content, 'utf8');
-
-		const rootDir = path.join(__dirname, '../..');
-		const relativePath = path.relative(
-			path.join(rootDir, 'frontend'),
-			PERMISSIONS_TYPE_FILE,
-		);
-		log('Linting generated file...');
-		execSync(`cd frontend && yarn eslint --fix ${relativePath}`, {
-			cwd: rootDir,
-			stdio: 'inherit',
-		});
-
-		log('Successfully generated permissions.type.ts');
-	} catch (error) {
-		log(`Error: ${error.message}`);
-		process.exit(1);
-	}
-}
-
-if (require.main === module) {
-	main();
-}
-
-module.exports = { main };

frontend/src/api/generated/services/serviceaccount/index.ts

@@ -1,973 +0,0 @@
-/**
- * ! Do not edit manually
- * * The file has been auto-generated using Orval for SigNoz
- * * regenerate with 'yarn generate:api'
- * SigNoz
- */
-import type {
-	InvalidateOptions,
-	MutationFunction,
-	QueryClient,
-	QueryFunction,
-	QueryKey,
-	UseMutationOptions,
-	UseMutationResult,
-	UseQueryOptions,
-	UseQueryResult,
-} from 'react-query';
-import { useMutation, useQuery } from 'react-query';
-
-import type { BodyType, ErrorType } from '../../../generatedAPIInstance';
-import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
-import type {
-	CreateServiceAccount201,
-	CreateServiceAccountKey201,
-	CreateServiceAccountKeyPathParameters,
-	DeleteServiceAccountPathParameters,
-	GetServiceAccount200,
-	GetServiceAccountPathParameters,
-	ListServiceAccountKeys200,
-	ListServiceAccountKeysPathParameters,
-	ListServiceAccounts200,
-	RenderErrorResponseDTO,
-	RevokeServiceAccountKeyPathParameters,
-	ServiceaccounttypesPostableFactorAPIKeyDTO,
-	ServiceaccounttypesPostableServiceAccountDTO,
-	ServiceaccounttypesUpdatableFactorAPIKeyDTO,
-	ServiceaccounttypesUpdatableServiceAccountDTO,
-	ServiceaccounttypesUpdatableServiceAccountStatusDTO,
-	UpdateServiceAccountKeyPathParameters,
-	UpdateServiceAccountPathParameters,
-	UpdateServiceAccountStatusPathParameters,
-} from '../sigNoz.schemas';
-
-type AwaitedInput<T> = PromiseLike<T> | T;
-
-type Awaited<O> = O extends AwaitedInput<infer T> ? T : never;
-
-/**
- * This endpoint lists the service accounts for an organisation
- * @summary List service accounts
- */
-export const listServiceAccounts = (signal?: AbortSignal) => {
-	return GeneratedAPIInstance<ListServiceAccounts200>({
-		url: `/api/v1/service_accounts`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getListServiceAccountsQueryKey = () => {
-	return [`/api/v1/service_accounts`] as const;
-};
-
-export const getListServiceAccountsQueryOptions = <
-	TData = Awaited<ReturnType<typeof listServiceAccounts>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(options?: {
-	query?: UseQueryOptions<
-		Awaited<ReturnType<typeof listServiceAccounts>>,
-		TError,
-		TData
-	>;
-}) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey = queryOptions?.queryKey ?? getListServiceAccountsQueryKey();
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof listServiceAccounts>>
-	> = ({ signal }) => listServiceAccounts(signal);
-
-	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
-		Awaited<ReturnType<typeof listServiceAccounts>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type ListServiceAccountsQueryResult = NonNullable<
-	Awaited<ReturnType<typeof listServiceAccounts>>
->;
-export type ListServiceAccountsQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary List service accounts
- */
-
-export function useListServiceAccounts<
-	TData = Awaited<ReturnType<typeof listServiceAccounts>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(options?: {
-	query?: UseQueryOptions<
-		Awaited<ReturnType<typeof listServiceAccounts>>,
-		TError,
-		TData
-	>;
-}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getListServiceAccountsQueryOptions(options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary List service accounts
- */
-export const invalidateListServiceAccounts = async (
-	queryClient: QueryClient,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getListServiceAccountsQueryKey() },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint creates a service account
- * @summary Create service account
- */
-export const createServiceAccount = (
-	serviceaccounttypesPostableServiceAccountDTO: BodyType<ServiceaccounttypesPostableServiceAccountDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<CreateServiceAccount201>({
-		url: `/api/v1/service_accounts`,
-		method: 'POST',
-		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesPostableServiceAccountDTO,
-		signal,
-	});
-};
-
-export const getCreateServiceAccountMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createServiceAccount>>,
-		TError,
-		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof createServiceAccount>>,
-	TError,
-	{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-	TContext
-> => {
-	const mutationKey = ['createServiceAccount'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof createServiceAccount>>,
-		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> }
-	> = (props) => {
-		const { data } = props ?? {};
-
-		return createServiceAccount(data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type CreateServiceAccountMutationResult = NonNullable<
-	Awaited<ReturnType<typeof createServiceAccount>>
->;
-export type CreateServiceAccountMutationBody = BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
-export type CreateServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Create service account
- */
-export const useCreateServiceAccount = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createServiceAccount>>,
-		TError,
-		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof createServiceAccount>>,
-	TError,
-	{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-	TContext
-> => {
-	const mutationOptions = getCreateServiceAccountMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint deletes an existing service account
- * @summary Deletes a service account
- */
-export const deleteServiceAccount = ({
-	id,
-}: DeleteServiceAccountPathParameters) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/${id}`,
-		method: 'DELETE',
-	});
-};
-
-export const getDeleteServiceAccountMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof deleteServiceAccount>>,
-		TError,
-		{ pathParams: DeleteServiceAccountPathParameters },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof deleteServiceAccount>>,
-	TError,
-	{ pathParams: DeleteServiceAccountPathParameters },
-	TContext
-> => {
-	const mutationKey = ['deleteServiceAccount'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof deleteServiceAccount>>,
-		{ pathParams: DeleteServiceAccountPathParameters }
-	> = (props) => {
-		const { pathParams } = props ?? {};
-
-		return deleteServiceAccount(pathParams);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type DeleteServiceAccountMutationResult = NonNullable<
-	Awaited<ReturnType<typeof deleteServiceAccount>>
->;
-
-export type DeleteServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Deletes a service account
- */
-export const useDeleteServiceAccount = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof deleteServiceAccount>>,
-		TError,
-		{ pathParams: DeleteServiceAccountPathParameters },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof deleteServiceAccount>>,
-	TError,
-	{ pathParams: DeleteServiceAccountPathParameters },
-	TContext
-> => {
-	const mutationOptions = getDeleteServiceAccountMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint gets an existing service account
- * @summary Gets a service account
- */
-export const getServiceAccount = (
-	{ id }: GetServiceAccountPathParameters,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<GetServiceAccount200>({
-		url: `/api/v1/service_accounts/${id}`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getGetServiceAccountQueryKey = ({
-	id,
-}: GetServiceAccountPathParameters) => {
-	return [`/api/v1/service_accounts/${id}`] as const;
-};
-
-export const getGetServiceAccountQueryOptions = <
-	TData = Awaited<ReturnType<typeof getServiceAccount>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: GetServiceAccountPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getServiceAccount>>,
-			TError,
-			TData
-		>;
-	},
-) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey =
-		queryOptions?.queryKey ?? getGetServiceAccountQueryKey({ id });
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof getServiceAccount>>
-	> = ({ signal }) => getServiceAccount({ id }, signal);
-
-	return {
-		queryKey,
-		queryFn,
-		enabled: !!id,
-		...queryOptions,
-	} as UseQueryOptions<
-		Awaited<ReturnType<typeof getServiceAccount>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type GetServiceAccountQueryResult = NonNullable<
-	Awaited<ReturnType<typeof getServiceAccount>>
->;
-export type GetServiceAccountQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Gets a service account
- */
-
-export function useGetServiceAccount<
-	TData = Awaited<ReturnType<typeof getServiceAccount>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: GetServiceAccountPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getServiceAccount>>,
-			TError,
-			TData
-		>;
-	},
-): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getGetServiceAccountQueryOptions({ id }, options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary Gets a service account
- */
-export const invalidateGetServiceAccount = async (
-	queryClient: QueryClient,
-	{ id }: GetServiceAccountPathParameters,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getGetServiceAccountQueryKey({ id }) },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint updates an existing service account
- * @summary Updates a service account
- */
-export const updateServiceAccount = (
-	{ id }: UpdateServiceAccountPathParameters,
-	serviceaccounttypesUpdatableServiceAccountDTO: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>,
-) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/${id}`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesUpdatableServiceAccountDTO,
-	});
-};
-
-export const getUpdateServiceAccountMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateServiceAccount>>,
-		TError,
-		{
-			pathParams: UpdateServiceAccountPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateServiceAccount>>,
-	TError,
-	{
-		pathParams: UpdateServiceAccountPathParameters;
-		data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['updateServiceAccount'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateServiceAccount>>,
-		{
-			pathParams: UpdateServiceAccountPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return updateServiceAccount(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateServiceAccountMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateServiceAccount>>
->;
-export type UpdateServiceAccountMutationBody = BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
-export type UpdateServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Updates a service account
- */
-export const useUpdateServiceAccount = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateServiceAccount>>,
-		TError,
-		{
-			pathParams: UpdateServiceAccountPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateServiceAccount>>,
-	TError,
-	{
-		pathParams: UpdateServiceAccountPathParameters;
-		data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
-	},
-	TContext
-> => {
-	const mutationOptions = getUpdateServiceAccountMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint lists the service account keys
- * @summary List service account keys
- */
-export const listServiceAccountKeys = (
-	{ id }: ListServiceAccountKeysPathParameters,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<ListServiceAccountKeys200>({
-		url: `/api/v1/service_accounts/${id}/keys`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getListServiceAccountKeysQueryKey = ({
-	id,
-}: ListServiceAccountKeysPathParameters) => {
-	return [`/api/v1/service_accounts/${id}/keys`] as const;
-};
-
-export const getListServiceAccountKeysQueryOptions = <
-	TData = Awaited<ReturnType<typeof listServiceAccountKeys>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: ListServiceAccountKeysPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof listServiceAccountKeys>>,
-			TError,
-			TData
-		>;
-	},
-) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey =
-		queryOptions?.queryKey ?? getListServiceAccountKeysQueryKey({ id });
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof listServiceAccountKeys>>
-	> = ({ signal }) => listServiceAccountKeys({ id }, signal);
-
-	return {
-		queryKey,
-		queryFn,
-		enabled: !!id,
-		...queryOptions,
-	} as UseQueryOptions<
-		Awaited<ReturnType<typeof listServiceAccountKeys>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type ListServiceAccountKeysQueryResult = NonNullable<
-	Awaited<ReturnType<typeof listServiceAccountKeys>>
->;
-export type ListServiceAccountKeysQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary List service account keys
- */
-
-export function useListServiceAccountKeys<
-	TData = Awaited<ReturnType<typeof listServiceAccountKeys>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: ListServiceAccountKeysPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof listServiceAccountKeys>>,
-			TError,
-			TData
-		>;
-	},
-): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getListServiceAccountKeysQueryOptions({ id }, options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary List service account keys
- */
-export const invalidateListServiceAccountKeys = async (
-	queryClient: QueryClient,
-	{ id }: ListServiceAccountKeysPathParameters,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getListServiceAccountKeysQueryKey({ id }) },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint creates a service account key
- * @summary Create a service account key
- */
-export const createServiceAccountKey = (
-	{ id }: CreateServiceAccountKeyPathParameters,
-	serviceaccounttypesPostableFactorAPIKeyDTO: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<CreateServiceAccountKey201>({
-		url: `/api/v1/service_accounts/${id}/keys`,
-		method: 'POST',
-		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesPostableFactorAPIKeyDTO,
-		signal,
-	});
-};
-
-export const getCreateServiceAccountKeyMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createServiceAccountKey>>,
-		TError,
-		{
-			pathParams: CreateServiceAccountKeyPathParameters;
-			data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof createServiceAccountKey>>,
-	TError,
-	{
-		pathParams: CreateServiceAccountKeyPathParameters;
-		data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['createServiceAccountKey'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof createServiceAccountKey>>,
-		{
-			pathParams: CreateServiceAccountKeyPathParameters;
-			data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return createServiceAccountKey(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type CreateServiceAccountKeyMutationResult = NonNullable<
-	Awaited<ReturnType<typeof createServiceAccountKey>>
->;
-export type CreateServiceAccountKeyMutationBody = BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
-export type CreateServiceAccountKeyMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Create a service account key
- */
-export const useCreateServiceAccountKey = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createServiceAccountKey>>,
-		TError,
-		{
-			pathParams: CreateServiceAccountKeyPathParameters;
-			data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof createServiceAccountKey>>,
-	TError,
-	{
-		pathParams: CreateServiceAccountKeyPathParameters;
-		data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
-	},
-	TContext
-> => {
-	const mutationOptions = getCreateServiceAccountKeyMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint revokes an existing service account key
- * @summary Revoke a service account key
- */
-export const revokeServiceAccountKey = ({
-	id,
-	fid,
-}: RevokeServiceAccountKeyPathParameters) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/${id}/keys/${fid}`,
-		method: 'DELETE',
-	});
-};
-
-export const getRevokeServiceAccountKeyMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof revokeServiceAccountKey>>,
-		TError,
-		{ pathParams: RevokeServiceAccountKeyPathParameters },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof revokeServiceAccountKey>>,
-	TError,
-	{ pathParams: RevokeServiceAccountKeyPathParameters },
-	TContext
-> => {
-	const mutationKey = ['revokeServiceAccountKey'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof revokeServiceAccountKey>>,
-		{ pathParams: RevokeServiceAccountKeyPathParameters }
-	> = (props) => {
-		const { pathParams } = props ?? {};
-
-		return revokeServiceAccountKey(pathParams);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type RevokeServiceAccountKeyMutationResult = NonNullable<
-	Awaited<ReturnType<typeof revokeServiceAccountKey>>
->;
-
-export type RevokeServiceAccountKeyMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Revoke a service account key
- */
-export const useRevokeServiceAccountKey = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof revokeServiceAccountKey>>,
-		TError,
-		{ pathParams: RevokeServiceAccountKeyPathParameters },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof revokeServiceAccountKey>>,
-	TError,
-	{ pathParams: RevokeServiceAccountKeyPathParameters },
-	TContext
-> => {
-	const mutationOptions = getRevokeServiceAccountKeyMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint updates an existing service account key
- * @summary Updates a service account key
- */
-export const updateServiceAccountKey = (
-	{ id, fid }: UpdateServiceAccountKeyPathParameters,
-	serviceaccounttypesUpdatableFactorAPIKeyDTO: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>,
-) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/${id}/keys/${fid}`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesUpdatableFactorAPIKeyDTO,
-	});
-};
-
-export const getUpdateServiceAccountKeyMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateServiceAccountKey>>,
-		TError,
-		{
-			pathParams: UpdateServiceAccountKeyPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateServiceAccountKey>>,
-	TError,
-	{
-		pathParams: UpdateServiceAccountKeyPathParameters;
-		data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['updateServiceAccountKey'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateServiceAccountKey>>,
-		{
-			pathParams: UpdateServiceAccountKeyPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return updateServiceAccountKey(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateServiceAccountKeyMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateServiceAccountKey>>
->;
-export type UpdateServiceAccountKeyMutationBody = BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
-export type UpdateServiceAccountKeyMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Updates a service account key
- */
-export const useUpdateServiceAccountKey = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateServiceAccountKey>>,
-		TError,
-		{
-			pathParams: UpdateServiceAccountKeyPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateServiceAccountKey>>,
-	TError,
-	{
-		pathParams: UpdateServiceAccountKeyPathParameters;
-		data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
-	},
-	TContext
-> => {
-	const mutationOptions = getUpdateServiceAccountKeyMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint updates an existing service account status
- * @summary Updates a service account status
- */
-export const updateServiceAccountStatus = (
-	{ id }: UpdateServiceAccountStatusPathParameters,
-	serviceaccounttypesUpdatableServiceAccountStatusDTO: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>,
-) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/${id}/status`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesUpdatableServiceAccountStatusDTO,
-	});
-};
-
-export const getUpdateServiceAccountStatusMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
-		TError,
-		{
-			pathParams: UpdateServiceAccountStatusPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateServiceAccountStatus>>,
-	TError,
-	{
-		pathParams: UpdateServiceAccountStatusPathParameters;
-		data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['updateServiceAccountStatus'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
-		{
-			pathParams: UpdateServiceAccountStatusPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return updateServiceAccountStatus(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateServiceAccountStatusMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateServiceAccountStatus>>
->;
-export type UpdateServiceAccountStatusMutationBody = BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
-export type UpdateServiceAccountStatusMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Updates a service account status
- */
-export const useUpdateServiceAccountStatus = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
-		TError,
-		{
-			pathParams: UpdateServiceAccountStatusPathParameters;
-			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateServiceAccountStatus>>,
-	TError,
-	{
-		pathParams: UpdateServiceAccountStatusPathParameters;
-		data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
-	},
-	TContext
-> => {
-	const mutationOptions = getUpdateServiceAccountStatusMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2090,154 +2090,6 @@ export interface RoletypesRoleDTO {
 	updatedAt?: Date;
 }
 
-export interface ServiceaccounttypesFactorAPIKeyDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type integer
-	 * @minimum 0
-	 */
-	expires_at: number;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	key: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	last_observed_at: Date;
-	/**
-	 * @type string
-	 */
-	name?: string;
-	/**
-	 * @type string
-	 */
-	service_account_id: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-}
-
-export interface ServiceaccounttypesGettableFactorAPIKeyWithKeyDTO {
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	key: string;
-}
-
-export interface ServiceaccounttypesPostableFactorAPIKeyDTO {
-	/**
-	 * @type integer
-	 * @minimum 0
-	 */
-	expires_at: number;
-	/**
-	 * @type string
-	 */
-	name: string;
-}
-
-export interface ServiceaccounttypesPostableServiceAccountDTO {
-	/**
-	 * @type string
-	 */
-	email: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type array
-	 */
-	roles: string[];
-}
-
-export interface ServiceaccounttypesServiceAccountDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	email: string;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type string
-	 */
-	orgID: string;
-	/**
-	 * @type array
-	 */
-	roles: string[];
-	/**
-	 * @type string
-	 */
-	status: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-}
-
-export interface ServiceaccounttypesUpdatableFactorAPIKeyDTO {
-	/**
-	 * @type integer
-	 * @minimum 0
-	 */
-	expires_at: number;
-	/**
-	 * @type string
-	 */
-	name: string;
-}
-
-export interface ServiceaccounttypesUpdatableServiceAccountDTO {
-	/**
-	 * @type string
-	 */
-	email: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type array
-	 */
-	roles: string[];
-}
-
-export interface ServiceaccounttypesUpdatableServiceAccountStatusDTO {
-	/**
-	 * @type string
-	 */
-	status: string;
-}
-
 export enum TelemetrytypesFieldContextDTO {
 	metric = 'metric',
 	log = 'log',
@@ -3198,78 +3050,6 @@ export type PatchObjectsPathParameters = {
 	id: string;
 	relation: string;
 };
-export type ListServiceAccounts200 = {
-	/**
-	 * @type array
-	 */
-	data: ServiceaccounttypesServiceAccountDTO[];
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type CreateServiceAccount201 = {
-	data: TypesIdentifiableDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type DeleteServiceAccountPathParameters = {
-	id: string;
-};
-export type GetServiceAccountPathParameters = {
-	id: string;
-};
-export type GetServiceAccount200 = {
-	data: ServiceaccounttypesServiceAccountDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type UpdateServiceAccountPathParameters = {
-	id: string;
-};
-export type ListServiceAccountKeysPathParameters = {
-	id: string;
-};
-export type ListServiceAccountKeys200 = {
-	/**
-	 * @type array
-	 */
-	data: ServiceaccounttypesFactorAPIKeyDTO[];
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type CreateServiceAccountKeyPathParameters = {
-	id: string;
-};
-export type CreateServiceAccountKey201 = {
-	data: ServiceaccounttypesGettableFactorAPIKeyWithKeyDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type RevokeServiceAccountKeyPathParameters = {
-	id: string;
-	fid: string;
-};
-export type UpdateServiceAccountKeyPathParameters = {
-	id: string;
-	fid: string;
-};
-export type UpdateServiceAccountStatusPathParameters = {
-	id: string;
-};
 export type ListUsers200 = {
 	/**
 	 * @type array

frontend/src/components/GuardAuthZ/GuardAuthZ.test.tsx

@@ -1,321 +0,0 @@
-import { ReactElement } from 'react';
-import {
-	AuthtypesGettableTransactionDTO,
-	AuthtypesTransactionDTO,
-} from 'api/generated/services/sigNoz.schemas';
-import { ENVIRONMENT } from 'constants/env';
-import { BrandedPermission } from 'hooks/useAuthZ/types';
-import { buildPermission } from 'hooks/useAuthZ/utils';
-import { server } from 'mocks-server/server';
-import { rest } from 'msw';
-import { render, screen, waitFor } from 'tests/test-utils';
-
-import { GuardAuthZ } from './GuardAuthZ';
-
-const BASE_URL = ENVIRONMENT.baseURL || '';
-const AUTHZ_CHECK_URL = `${BASE_URL}/api/v1/authz/check`;
-
-function authzMockResponse(
-	payload: AuthtypesTransactionDTO[],
-	authorizedByIndex: boolean[],
-): { data: AuthtypesGettableTransactionDTO[]; status: string } {
-	return {
-		data: payload.map((txn, i) => ({
-			relation: txn.relation,
-			object: txn.object,
-			authorized: authorizedByIndex[i] ?? false,
-		})),
-		status: 'success',
-	};
-}
-
-describe('GuardAuthZ', () => {
-	const TestChild = (): ReactElement => <div>Protected Content</div>;
-	const LoadingFallback = (): ReactElement => <div>Loading...</div>;
-	const ErrorFallback = (error: Error): ReactElement => (
-		<div>Error occurred: {error.message}</div>
-	);
-	const NoPermissionFallback = (_response: {
-		requiredPermissionName: BrandedPermission;
-	}): ReactElement => <div>Access denied</div>;
-	const NoPermissionFallbackWithSuggestions = (response: {
-		requiredPermissionName: BrandedPermission;
-	}): ReactElement => (
-		<div>
-			Access denied. Required permission: {response.requiredPermissionName}
-		</div>
-	);
-
-	it('should render children when permission is granted', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		render(
-			<GuardAuthZ relation="read" object="dashboard:*">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(screen.getByText('Protected Content')).toBeInTheDocument();
-		});
-	});
-
-	it('should render fallbackOnLoading when loading', () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (_req, res, ctx) => {
-				return res(
-					ctx.delay('infinite'),
-					ctx.status(200),
-					ctx.json({ data: [], status: 'success' }),
-				);
-			}),
-		);
-
-		render(
-			<GuardAuthZ
-				relation="read"
-				object="dashboard:*"
-				fallbackOnLoading={<LoadingFallback />}
-			>
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		expect(screen.getByText('Loading...')).toBeInTheDocument();
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should render null when loading and no fallbackOnLoading provided', () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (_req, res, ctx) => {
-				return res(
-					ctx.delay('infinite'),
-					ctx.status(200),
-					ctx.json({ data: [], status: 'success' }),
-				);
-			}),
-		);
-
-		const { container } = render(
-			<GuardAuthZ relation="read" object="dashboard:*">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		expect(container.firstChild).toBeNull();
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should render fallbackOnError when API error occurs', async () => {
-		const errorMessage = 'Internal Server Error';
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(500), ctx.json({ error: errorMessage }));
-			}),
-		);
-
-		render(
-			<GuardAuthZ
-				relation="read"
-				object="dashboard:*"
-				fallbackOnError={ErrorFallback}
-			>
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(screen.getByText(/Error occurred:/)).toBeInTheDocument();
-		});
-
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should pass error object to fallbackOnError function', async () => {
-		const errorMessage = 'Network request failed';
-		let receivedError: Error | null = null;
-
-		const errorFallbackWithCapture = (error: Error): ReactElement => {
-			receivedError = error;
-			return <div>Captured error: {error.message}</div>;
-		};
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(500), ctx.json({ error: errorMessage }));
-			}),
-		);
-
-		render(
-			<GuardAuthZ
-				relation="read"
-				object="dashboard:*"
-				fallbackOnError={errorFallbackWithCapture}
-			>
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(receivedError).not.toBeNull();
-		});
-
-		expect(receivedError).toBeInstanceOf(Error);
-		expect(screen.getByText(/Captured error:/)).toBeInTheDocument();
-	});
-
-	it('should render null when error occurs and no fallbackOnError provided', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(500), ctx.json({ error: 'Internal Server Error' }));
-			}),
-		);
-
-		const { container } = render(
-			<GuardAuthZ relation="read" object="dashboard:*">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(container.firstChild).toBeNull();
-		});
-
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should render fallbackOnNoPermissions when permission is denied', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
-			}),
-		);
-
-		render(
-			<GuardAuthZ
-				relation="update"
-				object="dashboard:123"
-				fallbackOnNoPermissions={NoPermissionFallback}
-			>
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(screen.getByText('Access denied')).toBeInTheDocument();
-		});
-
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should render null when permission is denied and no fallbackOnNoPermissions provided', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
-			}),
-		);
-
-		const { container } = render(
-			<GuardAuthZ relation="update" object="dashboard:123">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(container.firstChild).toBeNull();
-		});
-
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should render null when permissions object is null', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(200), ctx.json({ data: [], status: 'success' }));
-			}),
-		);
-
-		const { container } = render(
-			<GuardAuthZ relation="read" object="dashboard:*">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(container.firstChild).toBeNull();
-		});
-
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should pass requiredPermissionName to fallbackOnNoPermissions', async () => {
-		const permission = buildPermission('update', 'dashboard:123');
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
-			}),
-		);
-
-		render(
-			<GuardAuthZ
-				relation="update"
-				object="dashboard:123"
-				fallbackOnNoPermissions={NoPermissionFallbackWithSuggestions}
-			>
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(
-				screen.getByText(/Access denied. Required permission:/),
-			).toBeInTheDocument();
-		});
-
-		expect(
-			screen.getAllByText(
-				new RegExp(permission.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')),
-			).length,
-		).toBeGreaterThan(0);
-		expect(screen.queryByText('Protected Content')).not.toBeInTheDocument();
-	});
-
-	it('should handle different relation and object combinations', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const { rerender } = render(
-			<GuardAuthZ relation="read" object="dashboard:*">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(screen.getByText('Protected Content')).toBeInTheDocument();
-		});
-
-		rerender(
-			<GuardAuthZ relation="delete" object="dashboard:456">
-				<TestChild />
-			</GuardAuthZ>,
-		);
-
-		await waitFor(() => {
-			expect(screen.getByText('Protected Content')).toBeInTheDocument();
-		});
-	});
-});

frontend/src/components/GuardAuthZ/GuardAuthZ.tsx

@@ -1,50 +0,0 @@
-import { ReactElement } from 'react';
-import {
-	AuthZObject,
-	AuthZRelation,
-	BrandedPermission,
-} from 'hooks/useAuthZ/types';
-import { useAuthZ } from 'hooks/useAuthZ/useAuthZ';
-import { buildPermission } from 'hooks/useAuthZ/utils';
-
-export type GuardAuthZProps<R extends AuthZRelation> = {
-	children: ReactElement;
-	relation: R;
-	object: AuthZObject<R>;
-	fallbackOnLoading?: JSX.Element;
-	fallbackOnError?: (error: Error) => JSX.Element;
-	fallbackOnNoPermissions?: (response: {
-		requiredPermissionName: BrandedPermission;
-	}) => JSX.Element;
-};
-
-export function GuardAuthZ<R extends AuthZRelation>({
-	children,
-	relation,
-	object,
-	fallbackOnLoading,
-	fallbackOnError,
-	fallbackOnNoPermissions,
-}: GuardAuthZProps<R>): JSX.Element | null {
-	const permission = buildPermission<R>(relation, object);
-
-	const { permissions, isLoading, error } = useAuthZ([permission]);
-
-	if (isLoading) {
-		return fallbackOnLoading ?? null;
-	}
-
-	if (error) {
-		return fallbackOnError?.(error) ?? null;
-	}
-
-	if (!permissions?.[permission]?.isGranted) {
-		return (
-			fallbackOnNoPermissions?.({
-				requiredPermissionName: permission,
-			}) ?? null
-		);
-	}
-
-	return children;
-}

frontend/src/components/createGuardedRoute/createGuardedRoute.styles.scss

@@ -1,41 +0,0 @@
-.guard-authz-error-no-authz {
-	display: flex;
-	align-items: center;
-	justify-content: center;
-
-	width: 100%;
-	height: 100%;
-
-	padding: 24px;
-
-	.guard-authz-error-no-authz-content {
-		display: flex;
-		flex-direction: column;
-		justify-content: flex-start;
-		gap: 8px;
-		max-width: 500px;
-	}
-
-	img {
-		width: 32px;
-		height: 32px;
-	}
-
-	h3 {
-		font-size: 18px;
-		color: var(--l1-foreground);
-		line-height: 18px;
-	}
-
-	p {
-		font-size: 14px;
-		color: var(--l3-foreground);
-		line-height: 18px;
-
-		span {
-			background-color: var(--l3-background);
-			white-space: nowrap;
-			padding: 0 2px;
-		}
-	}
-}

frontend/src/components/createGuardedRoute/createGuardedRoute.test.tsx

@@ -1,472 +0,0 @@
-import { ReactElement } from 'react';
-import type { RouteComponentProps } from 'react-router-dom';
-import {
-	AuthtypesGettableTransactionDTO,
-	AuthtypesTransactionDTO,
-} from 'api/generated/services/sigNoz.schemas';
-import { ENVIRONMENT } from 'constants/env';
-import { server } from 'mocks-server/server';
-import { rest } from 'msw';
-import { render, screen, waitFor } from 'tests/test-utils';
-
-import { createGuardedRoute } from './createGuardedRoute';
-
-const BASE_URL = ENVIRONMENT.baseURL || '';
-const AUTHZ_CHECK_URL = `${BASE_URL}/api/v1/authz/check`;
-
-function authzMockResponse(
-	payload: AuthtypesTransactionDTO[],
-	authorizedByIndex: boolean[],
-): { data: AuthtypesGettableTransactionDTO[]; status: string } {
-	return {
-		data: payload.map((txn, i) => ({
-			relation: txn.relation,
-			object: txn.object,
-			authorized: authorizedByIndex[i] ?? false,
-		})),
-		status: 'success',
-	};
-}
-
-describe('createGuardedRoute', () => {
-	const TestComponent = ({ testProp }: { testProp: string }): ReactElement => (
-		<div>Test Component: {testProp}</div>
-	);
-
-	it('should render component when permission is granted', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'read',
-			'dashboard:*',
-		);
-
-		const mockMatch = {
-			params: {},
-			isExact: true,
-			path: '/dashboard',
-			url: '/dashboard',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
-		});
-	});
-
-	it('should substitute route parameters in object string', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'read',
-			'dashboard:{id}',
-		);
-
-		const mockMatch = {
-			params: { id: '123' },
-			isExact: true,
-			path: '/dashboard/:id',
-			url: '/dashboard/123',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
-		});
-	});
-
-	it('should handle multiple route parameters', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = (await req.json()) as AuthtypesTransactionDTO[];
-				const txn = payload[0];
-				const responseData: AuthtypesGettableTransactionDTO[] = [
-					{
-						relation: txn.relation,
-						object: {
-							resource: {
-								name: txn.object.resource.name,
-								type: txn.object.resource.type,
-							},
-							selector: '123:456',
-						},
-						authorized: true,
-					},
-				];
-				return res(
-					ctx.status(200),
-					ctx.json({ data: responseData, status: 'success' }),
-				);
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'update',
-			'dashboard:{id}:{version}',
-		);
-
-		const mockMatch = {
-			params: { id: '123', version: '456' },
-			isExact: true,
-			path: '/dashboard/:id/:version',
-			url: '/dashboard/123/456',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
-		});
-	});
-
-	it('should keep placeholder when route parameter is missing', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'read',
-			'dashboard:{id}',
-		);
-
-		const mockMatch = {
-			params: {},
-			isExact: true,
-			path: '/dashboard',
-			url: '/dashboard',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
-		});
-	});
-
-	it('should render loading fallback when loading', () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (_req, res, ctx) => {
-				return res(
-					ctx.delay('infinite'),
-					ctx.status(200),
-					ctx.json({ data: [], status: 'success' }),
-				);
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'read',
-			'dashboard:*',
-		);
-
-		const mockMatch = {
-			params: {},
-			isExact: true,
-			path: '/dashboard',
-			url: '/dashboard',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		expect(screen.getByText('SigNoz')).toBeInTheDocument();
-		expect(
-			screen.queryByText('Test Component: test-value'),
-		).not.toBeInTheDocument();
-	});
-
-	it('should render error fallback when API error occurs', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(500), ctx.json({ error: 'Internal Server Error' }));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'read',
-			'dashboard:*',
-		);
-
-		const mockMatch = {
-			params: {},
-			isExact: true,
-			path: '/dashboard',
-			url: '/dashboard',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText(/Something went wrong/i)).toBeInTheDocument();
-		});
-
-		expect(
-			screen.queryByText('Test Component: test-value'),
-		).not.toBeInTheDocument();
-	});
-
-	it('should render no permissions fallback when permission is denied', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [false])));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'update',
-			'dashboard:{id}',
-		);
-
-		const mockMatch = {
-			params: { id: '123' },
-			isExact: true,
-			path: '/dashboard/:id',
-			url: '/dashboard/123',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			const heading = document.querySelector('h3');
-			expect(heading).toBeInTheDocument();
-			expect(heading?.textContent).toMatch(/permission to view/i);
-		});
-
-		expect(screen.getByText('update')).toBeInTheDocument();
-		expect(screen.getByText('dashboard:123')).toBeInTheDocument();
-		expect(
-			screen.queryByText('Test Component: test-value'),
-		).not.toBeInTheDocument();
-	});
-
-	it('should pass all props to wrapped component', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const ComponentWithMultipleProps = ({
-			prop1,
-			prop2,
-			prop3,
-		}: {
-			prop1: string;
-			prop2: number;
-			prop3: boolean;
-		}): ReactElement => (
-			<div>
-				{prop1} - {prop2} - {prop3.toString()}
-			</div>
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			ComponentWithMultipleProps,
-			'read',
-			'dashboard:*',
-		);
-
-		const mockMatch = {
-			params: {},
-			isExact: true,
-			path: '/dashboard',
-			url: '/dashboard',
-		};
-
-		const props = {
-			prop1: 'value1',
-			prop2: 42,
-			prop3: true,
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('value1 - 42 - true')).toBeInTheDocument();
-		});
-	});
-
-	it('should memoize resolved object based on route params', async () => {
-		let requestCount = 0;
-		const requestedObjects: string[] = [];
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				requestCount++;
-				const payload = (await req.json()) as AuthtypesTransactionDTO[];
-				const obj = payload[0]?.object;
-				const name = obj?.resource?.name;
-				const selector = obj?.selector ?? '*';
-				const objectStr =
-					obj?.resource?.type === 'metaresources' ? name : `${name}:${selector}`;
-				requestedObjects.push(objectStr ?? '');
-
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'read',
-			'dashboard:{id}',
-		);
-
-		const mockMatch1 = {
-			params: { id: '123' },
-			isExact: true,
-			path: '/dashboard/:id',
-			url: '/dashboard/123',
-		};
-
-		const props1 = {
-			testProp: 'test-value-1',
-			match: mockMatch1,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		const { unmount } = render(<GuardedComponent {...props1} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value-1')).toBeInTheDocument();
-		});
-
-		expect(requestCount).toBe(1);
-		expect(requestedObjects).toContain('dashboard:123');
-
-		unmount();
-
-		const mockMatch2 = {
-			params: { id: '456' },
-			isExact: true,
-			path: '/dashboard/:id',
-			url: '/dashboard/456',
-		};
-
-		const props2 = {
-			testProp: 'test-value-2',
-			match: mockMatch2,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props2} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value-2')).toBeInTheDocument();
-		});
-
-		expect(requestCount).toBe(2);
-		expect(requestedObjects).toContain('dashboard:456');
-	});
-
-	it('should handle different relation types', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-			}),
-		);
-
-		const GuardedComponent = createGuardedRoute(
-			TestComponent,
-			'delete',
-			'dashboard:{id}',
-		);
-
-		const mockMatch = {
-			params: { id: '789' },
-			isExact: true,
-			path: '/dashboard/:id',
-			url: '/dashboard/789',
-		};
-
-		const props = {
-			testProp: 'test-value',
-			match: mockMatch,
-			location: ({} as unknown) as RouteComponentProps['location'],
-			history: ({} as unknown) as RouteComponentProps['history'],
-		};
-
-		render(<GuardedComponent {...props} />);
-
-		await waitFor(() => {
-			expect(screen.getByText('Test Component: test-value')).toBeInTheDocument();
-		});
-	});
-});

frontend/src/components/createGuardedRoute/createGuardedRoute.tsx

@@ -1,73 +0,0 @@
-import { ComponentType, ReactElement, useMemo } from 'react';
-import { RouteComponentProps } from 'react-router-dom';
-import {
-	AuthZObject,
-	AuthZRelation,
-	BrandedPermission,
-} from 'hooks/useAuthZ/types';
-import { parsePermission } from 'hooks/useAuthZ/utils';
-
-import ErrorBoundaryFallback from '../../pages/ErrorBoundaryFallback/ErrorBoundaryFallback';
-import AppLoading from '../AppLoading/AppLoading';
-import { GuardAuthZ } from '../GuardAuthZ/GuardAuthZ';
-
-import './createGuardedRoute.styles.scss';
-
-const onErrorFallback = (): JSX.Element => <ErrorBoundaryFallback />;
-
-function OnNoPermissionsFallback(response: {
-	requiredPermissionName: BrandedPermission;
-}): ReactElement {
-	const { relation, object } = parsePermission(response.requiredPermissionName);
-
-	return (
-		<div className="guard-authz-error-no-authz">
-			<div className="guard-authz-error-no-authz-content">
-				<img src="/Icons/no-data.svg" alt="No permission" />
-				<h3>Uh-oh! You don’t have permission to view this page.</h3>
-				<p>
-					You need the following permission to view this page:
-					<br />
-					Relation: <span>{relation}</span>
-					<br />
-					Object: <span>{object}</span>
-					<br />
-					Ask your SigNoz administrator to grant access.
-				</p>
-			</div>
-		</div>
-	);
-}
-
-// eslint-disable-next-line @typescript-eslint/ban-types
-export function createGuardedRoute<P extends object, R extends AuthZRelation>(
-	Component: ComponentType<P>,
-	relation: R,
-	object: AuthZObject<R>,
-): ComponentType<P & RouteComponentProps<Record<string, string>>> {
-	return function GuardedRouteComponent(
-		props: P & RouteComponentProps<Record<string, string>>,
-	): ReactElement {
-		const resolvedObject = useMemo(() => {
-			const paramPattern = /\{([^}]+)\}/g;
-			return object.replace(paramPattern, (match, paramName) => {
-				const paramValue = props.match?.params?.[paramName];
-				return paramValue !== undefined ? paramValue : match;
-			}) as AuthZObject<R>;
-		}, [props.match?.params]);
-
-		return (
-			<GuardAuthZ
-				relation={relation}
-				object={resolvedObject}
-				fallbackOnLoading={<AppLoading />}
-				fallbackOnError={onErrorFallback}
-				fallbackOnNoPermissions={(response): ReactElement => (
-					<OnNoPermissionsFallback {...response} />
-				)}
-			>
-				<Component {...props} />
-			</GuardAuthZ>
-		);
-	};
-}

frontend/src/container/InfraMonitoringK8s/Clusters/K8sClustersList.tsx

@@ -451,6 +451,9 @@ function K8sClustersList({
 
 	const handleRowClick = (record: K8sClustersRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.clusterNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setselectedClusterName(record.clusterUID);
 			setSearchParams({
@@ -515,9 +518,13 @@ function K8sClustersList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setselectedClusterName(record.clusterUID);
+								if (record.clusterNameRaw) {
+									setselectedClusterName(record.clusterUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.clusterNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -707,7 +714,10 @@ function K8sClustersList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.clusterNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/Clusters/utils.tsx

@@ -47,6 +47,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sClustersRowData {
 	key: string;
 	clusterUID: string;
+	clusterNameRaw: string;
 	clusterName: React.ReactNode;
 	cpu: React.ReactNode;
 	memory: React.ReactNode;
@@ -175,6 +176,7 @@ export const formatDataForTable = (
 	data.map((cluster, index) => ({
 		key: index.toString(),
 		clusterUID: cluster.meta.k8s_cluster_name,
+		clusterNameRaw: cluster.meta.k8s_cluster_name || '',
 		clusterName: (
 			<Tooltip title={cluster.meta.k8s_cluster_name}>
 				{cluster.meta.k8s_cluster_name}

frontend/src/container/InfraMonitoringK8s/DaemonSets/K8sDaemonSetsList.tsx

@@ -457,6 +457,9 @@ function K8sDaemonSetsList({
 
 	const handleRowClick = (record: K8sDaemonSetsRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.daemonsetNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setSelectedDaemonSetUID(record.daemonsetUID);
 			setSearchParams({
@@ -521,9 +524,13 @@ function K8sDaemonSetsList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setSelectedDaemonSetUID(record.daemonsetUID);
+								if (record.daemonsetNameRaw) {
+									setSelectedDaemonSetUID(record.daemonsetUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.daemonsetNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -715,7 +722,10 @@ function K8sDaemonSetsList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.daemonsetNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/DaemonSets/utils.tsx

@@ -82,6 +82,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sDaemonSetsRowData {
 	key: string;
 	daemonsetUID: string;
+	daemonsetNameRaw: string;
 	daemonsetName: React.ReactNode;
 	cpu_request: React.ReactNode;
 	cpu_limit: React.ReactNode;
@@ -276,6 +277,7 @@ export const formatDataForTable = (
 	data.map((daemonSet, index) => ({
 		key: index.toString(),
 		daemonsetUID: daemonSet.daemonSetName,
+		daemonsetNameRaw: daemonSet.meta.k8s_daemonset_name || '',
 		daemonsetName: (
 			<Tooltip title={daemonSet.meta.k8s_daemonset_name}>
 				{daemonSet.meta.k8s_daemonset_name || ''}

frontend/src/container/InfraMonitoringK8s/Deployments/K8sDeploymentsList.tsx

@@ -463,6 +463,9 @@ function K8sDeploymentsList({
 
 	const handleRowClick = (record: K8sDeploymentsRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.deploymentNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setselectedDeploymentUID(record.deploymentUID);
 			setSearchParams({
@@ -527,9 +530,13 @@ function K8sDeploymentsList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setselectedDeploymentUID(record.deploymentUID);
+								if (record.deploymentNameRaw) {
+									setselectedDeploymentUID(record.deploymentUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.deploymentNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -722,7 +729,10 @@ function K8sDeploymentsList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.deploymentNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/Deployments/utils.tsx

@@ -81,6 +81,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sDeploymentsRowData {
 	key: string;
 	deploymentUID: string;
+	deploymentNameRaw: string;
 	deploymentName: React.ReactNode;
 	available_pods: React.ReactNode;
 	desired_pods: React.ReactNode;
@@ -267,6 +268,7 @@ export const formatDataForTable = (
 	data.map((deployment, index) => ({
 		key: index.toString(),
 		deploymentUID: deployment.meta.k8s_deployment_name,
+		deploymentNameRaw: deployment.meta.k8s_deployment_name || '',
 		deploymentName: (
 			<Tooltip title={deployment.meta.k8s_deployment_name}>
 				{deployment.meta.k8s_deployment_name}

frontend/src/container/InfraMonitoringK8s/InfraMonitoringK8s.styles.scss

@@ -337,6 +337,11 @@
 		cursor: pointer;
 	}
 
+	.disabled-row {
+		cursor: default;
+		opacity: 0.6;
+	}
+
 	.k8s-list-table {
 		.ant-table {
 			.ant-table-thead > tr > th {

frontend/src/container/InfraMonitoringK8s/Jobs/K8sJobsList.tsx

@@ -428,6 +428,9 @@ function K8sJobsList({
 
 	const handleRowClick = (record: K8sJobsRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.jobNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setselectedJobUID(record.jobUID);
 			setSearchParams({
@@ -492,9 +495,11 @@ function K8sJobsList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setselectedJobUID(record.jobUID);
+								if (record.jobNameRaw) {
+									setselectedJobUID(record.jobUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.jobNameRaw ? 'expanded-clickable-row' : 'disabled-row',
 						})}
 					/>
 
@@ -684,7 +689,10 @@ function K8sJobsList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.jobNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/Jobs/utils.tsx

@@ -94,6 +94,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sJobsRowData {
 	key: string;
 	jobUID: string;
+	jobNameRaw: string;
 	jobName: React.ReactNode;
 	namespaceName: React.ReactNode;
 	successful_pods: React.ReactNode;
@@ -303,6 +304,7 @@ export const formatDataForTable = (
 	data.map((job, index) => ({
 		key: index.toString(),
 		jobUID: job.jobName,
+		jobNameRaw: job.meta.k8s_job_name || '',
 		jobName: (
 			<Tooltip title={job.meta.k8s_job_name}>
 				{job.meta.k8s_job_name || ''}

frontend/src/container/InfraMonitoringK8s/Namespaces/K8sNamespacesList.tsx

@@ -459,6 +459,9 @@ function K8sNamespacesList({
 
 	const handleRowClick = (record: K8sNamespacesRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.namespaceNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setselectedNamespaceUID(record.namespaceUID);
 			setSearchParams({
@@ -523,9 +526,13 @@ function K8sNamespacesList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setselectedNamespaceUID(record.namespaceUID);
+								if (record.namespaceNameRaw) {
+									setselectedNamespaceUID(record.namespaceUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.namespaceNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -716,7 +723,10 @@ function K8sNamespacesList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.namespaceNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/Namespaces/utils.tsx

@@ -41,6 +41,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sNamespacesRowData {
 	key: string;
 	namespaceUID: string;
+	namespaceNameRaw: string;
 	namespaceName: string;
 	clusterName: string;
 	cpu: React.ReactNode;
@@ -161,6 +162,7 @@ export const formatDataForTable = (
 	data.map((namespace, index) => ({
 		key: index.toString(),
 		namespaceUID: namespace.namespaceName,
+		namespaceNameRaw: namespace.namespaceName || '',
 		namespaceName: namespace.namespaceName,
 		clusterName: namespace.meta.k8s_cluster_name,
 		cpu: (

frontend/src/container/InfraMonitoringK8s/Nodes/K8sNodesList.tsx

@@ -438,6 +438,9 @@ function K8sNodesList({
 
 	const handleRowClick = (record: K8sNodesRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.nodeNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setSelectedNodeUID(record.nodeUID);
 			setSearchParams({
@@ -503,9 +506,13 @@ function K8sNodesList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setSelectedNodeUID(record.nodeUID);
+								if (record.nodeNameRaw) {
+									setSelectedNodeUID(record.nodeUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.nodeNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -695,7 +702,10 @@ function K8sNodesList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.nodeNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/Nodes/utils.tsx

@@ -53,6 +53,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sNodesRowData {
 	key: string;
 	nodeUID: string;
+	nodeNameRaw: string;
 	nodeName: React.ReactNode;
 	clusterName: string;
 	cpu: React.ReactNode;
@@ -193,6 +194,7 @@ export const formatDataForTable = (
 	data.map((node, index) => ({
 		key: `${node.nodeUID}-${index}`,
 		nodeUID: node.nodeUID || '',
+		nodeNameRaw: node.meta.k8s_node_name || '',
 		nodeName: (
 			<Tooltip title={node.meta.k8s_node_name}>
 				{node.meta.k8s_node_name || ''}

frontend/src/container/InfraMonitoringK8s/Pods/K8sPodLists.tsx

@@ -496,6 +496,9 @@ function K8sPodsList({
 
 	const handleRowClick = (record: K8sPodsRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.podNameRaw) {
+				return;
+			}
 			setSelectedPodUID(record.podUID);
 			setSearchParams({
 				...Object.fromEntries(searchParams.entries()),
@@ -616,9 +619,11 @@ function K8sPodsList({
 						}}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setSelectedPodUID(record.podUID);
+								if (record.podNameRaw) {
+									setSelectedPodUID(record.podUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.podNameRaw ? 'expanded-clickable-row' : 'disabled-row',
 						})}
 					/>
 
@@ -753,7 +758,10 @@ function K8sPodsList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.podNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/StatefulSets/K8sStatefulSetsList.tsx

@@ -460,6 +460,9 @@ function K8sStatefulSetsList({
 
 	const handleRowClick = (record: K8sStatefulSetsRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.statefulsetNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setselectedStatefulSetUID(record.statefulsetUID);
 			setSearchParams({
@@ -524,9 +527,13 @@ function K8sStatefulSetsList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setselectedStatefulSetUID(record.statefulsetUID);
+								if (record.statefulsetNameRaw) {
+									setselectedStatefulSetUID(record.statefulsetUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.statefulsetNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -718,7 +725,10 @@ function K8sStatefulSetsList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.statefulsetNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/StatefulSets/utils.tsx

@@ -82,6 +82,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sStatefulSetsRowData {
 	key: string;
 	statefulsetUID: string;
+	statefulsetNameRaw: string;
 	statefulsetName: React.ReactNode;
 	cpu_request: React.ReactNode;
 	cpu_limit: React.ReactNode;
@@ -276,6 +277,7 @@ export const formatDataForTable = (
 	data.map((statefulSet, index) => ({
 		key: index.toString(),
 		statefulsetUID: statefulSet.statefulSetName,
+		statefulsetNameRaw: statefulSet.meta.k8s_statefulset_name || '',
 		statefulsetName: (
 			<Tooltip title={statefulSet.meta.k8s_statefulset_name}>
 				{statefulSet.meta.k8s_statefulset_name || ''}

frontend/src/container/InfraMonitoringK8s/Volumes/K8sVolumesList.tsx

@@ -390,6 +390,9 @@ function K8sVolumesList({
 
 	const handleRowClick = (record: K8sVolumesRowData): void => {
 		if (groupBy.length === 0) {
+			if (!record.volumeNameRaw) {
+				return;
+			}
 			setSelectedRowData(null);
 			setselectedVolumeUID(record.volumeUID);
 			setSearchParams({
@@ -454,9 +457,13 @@ function K8sVolumesList({
 						showHeader={false}
 						onRow={(record): { onClick: () => void; className: string } => ({
 							onClick: (): void => {
-								setselectedVolumeUID(record.volumeUID);
+								if (record.volumeNameRaw) {
+									setselectedVolumeUID(record.volumeUID);
+								}
 							},
-							className: 'expanded-clickable-row',
+							className: record.volumeNameRaw
+								? 'expanded-clickable-row'
+								: 'disabled-row',
 						})}
 					/>
 
@@ -641,7 +648,10 @@ function K8sVolumesList({
 				onChange={handleTableChange}
 				onRow={(record): { onClick: () => void; className: string } => ({
 					onClick: (): void => handleRowClick(record),
-					className: 'clickable-row',
+					className:
+						groupBy.length > 0 || record.volumeNameRaw
+							? 'clickable-row'
+							: 'disabled-row',
 				})}
 				expandable={{
 					expandedRowRender: isGroupedByAttribute ? expandedRowRender : undefined,

frontend/src/container/InfraMonitoringK8s/Volumes/utils.tsx

@@ -47,6 +47,7 @@ export const defaultAddedColumns: IEntityColumn[] = [
 export interface K8sVolumesRowData {
 	key: string;
 	volumeUID: string;
+	volumeNameRaw: string;
 	pvcName: React.ReactNode;
 	namespaceName: React.ReactNode;
 	capacity: React.ReactNode;
@@ -186,6 +187,7 @@ export const formatDataForTable = (
 	data.map((volume, index) => ({
 		key: index.toString(),
 		volumeUID: volume.persistentVolumeClaimName,
+		volumeNameRaw: volume.persistentVolumeClaimName || '',
 		pvcName: (
 			<Tooltip title={volume.persistentVolumeClaimName}>
 				{volume.persistentVolumeClaimName || ''}

frontend/src/container/InfraMonitoringK8s/utils.tsx

@@ -105,6 +105,7 @@ export const defaultAvailableColumns = [
 export interface K8sPodsRowData {
 	key: string;
 	podName: React.ReactNode;
+	podNameRaw: string;
 	podUID: string;
 	cpu_request: React.ReactNode;
 	cpu_limit: React.ReactNode;
@@ -347,6 +348,7 @@ export const formatDataForTable = (
 				{pod.meta.k8s_pod_name || ''}
 			</Tooltip>
 		),
+		podNameRaw: pod.meta.k8s_pod_name || '',
 		podUID: pod.podUID || '',
 		cpu_request: (
 			<ValidateColumnValueWrapper

frontend/src/hooks/useAuthZ/permissions.type.ts

@@ -1,23 +0,0 @@
-// AUTO GENERATED FILE - DO NOT EDIT - GENERATED BY scripts/generate-permissions-type
-export default {
-	status: 'success',
-	data: {
-		resources: [
-			{
-				name: 'dashboard',
-				type: 'metaresource',
-			},
-			{
-				name: 'dashboards',
-				type: 'metaresources',
-			},
-		],
-		relations: {
-			create: ['metaresources'],
-			delete: ['user', 'role', 'organization', 'metaresource'],
-			list: ['metaresources'],
-			read: ['user', 'role', 'organization', 'metaresource'],
-			update: ['user', 'role', 'organization', 'metaresource'],
-		},
-	},
-} as const;

frontend/src/hooks/useAuthZ/types.ts

@@ -1,57 +0,0 @@
-import permissionsType from './permissions.type';
-import { ObjectSeparator } from './utils';
-
-type PermissionsData = typeof permissionsType.data;
-export type Resource = PermissionsData['resources'][number];
-export type ResourceName = Resource['name'];
-export type ResourceType = Resource['type'];
-
-type RelationsByType = PermissionsData['relations'];
-
-type ResourceTypeMap = {
-	[K in ResourceName]: Extract<Resource, { name: K }>['type'];
-};
-
-type RelationName = keyof RelationsByType;
-
-type ResourcesForRelation<R extends RelationName> = Extract<
-	Resource,
-	{ type: RelationsByType[R][number] }
->['name'];
-
-type IsPluralResource<
-	R extends ResourceName
-> = ResourceTypeMap[R] extends 'metaresources' ? true : false;
-
-type ObjectForResource<R extends ResourceName> = R extends infer U
-	? U extends ResourceName
-		? IsPluralResource<U> extends true
-			? U
-			: `${U}${typeof ObjectSeparator}${string}`
-		: never
-	: never;
-
-type RelationToObject<R extends RelationName> = ObjectForResource<
-	ResourcesForRelation<R>
->;
-
-type AllRelations = RelationName;
-
-export type AuthZRelation = AllRelations;
-export type AuthZResource = ResourceName;
-export type AuthZObject<R extends AuthZRelation> = RelationToObject<R>;
-
-export type BrandedPermission = string & { __brandedPermission: true };
-
-export type AuthZCheckResponse = Record<
-	BrandedPermission,
-	{
-		isGranted: boolean;
-	}
->;
-
-export type UseAuthZResult = {
-	isLoading: boolean;
-	error: Error | null;
-	permissions: AuthZCheckResponse | null;
-};

frontend/src/hooks/useAuthZ/useAuthZ.test.tsx

@@ -1,496 +0,0 @@
-import { ReactElement } from 'react';
-import { renderHook, waitFor } from '@testing-library/react';
-import {
-	AuthtypesGettableTransactionDTO,
-	AuthtypesTransactionDTO,
-} from 'api/generated/services/sigNoz.schemas';
-import { ENVIRONMENT } from 'constants/env';
-import { server } from 'mocks-server/server';
-import { rest } from 'msw';
-import { AllTheProviders } from 'tests/test-utils';
-
-import { BrandedPermission } from './types';
-import { useAuthZ } from './useAuthZ';
-import { buildPermission } from './utils';
-
-const BASE_URL = ENVIRONMENT.baseURL || '';
-const AUTHZ_CHECK_URL = `${BASE_URL}/api/v1/authz/check`;
-
-function authzMockResponse(
-	payload: AuthtypesTransactionDTO[],
-	authorizedByIndex: boolean[],
-): { data: AuthtypesGettableTransactionDTO[]; status: string } {
-	return {
-		data: payload.map((txn, i) => ({
-			relation: txn.relation,
-			object: txn.object,
-			authorized: authorizedByIndex[i] ?? false,
-		})),
-		status: 'success',
-	};
-}
-
-const wrapper = ({ children }: { children: ReactElement }): ReactElement => (
-	<AllTheProviders>{children}</AllTheProviders>
-);
-
-describe('useAuthZ', () => {
-	it('should fetch and return permissions successfully', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-
-		const expectedResponse = {
-			[permission1]: {
-				isGranted: true,
-			},
-			[permission2]: {
-				isGranted: false,
-			},
-		};
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(payload, [true, false])),
-				);
-			}),
-		);
-
-		const { result } = renderHook(() => useAuthZ([permission1, permission2]), {
-			wrapper,
-		});
-
-		expect(result.current.isLoading).toBe(true);
-		expect(result.current.permissions).toBeNull();
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(result.current.error).toBeNull();
-		expect(result.current.permissions).toEqual(expectedResponse);
-	});
-
-	it('should handle API errors', async () => {
-		const permission = buildPermission('read', 'dashboard:*');
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(500), ctx.json({ error: 'Internal Server Error' }));
-			}),
-		);
-
-		const { result } = renderHook(() => useAuthZ([permission]), {
-			wrapper,
-		});
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(result.current.error).not.toBeNull();
-		expect(result.current.permissions).toBeNull();
-	});
-
-	it('should refetch when permissions array changes', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-		const permission3 = buildPermission('delete', 'dashboard:456');
-
-		let requestCount = 0;
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				requestCount++;
-				const payload = await req.json();
-
-				if (payload.length === 1) {
-					return res(ctx.status(200), ctx.json(authzMockResponse(payload, [true])));
-				}
-
-				const authorized = payload.map(
-					(txn: { relation: string }) =>
-						txn.relation === 'read' || txn.relation === 'delete',
-				);
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(payload, authorized)),
-				);
-			}),
-		);
-
-		const { result, rerender } = renderHook<
-			ReturnType<typeof useAuthZ>,
-			BrandedPermission[]
-		>((permissions) => useAuthZ(permissions), {
-			wrapper,
-			initialProps: [permission1],
-		});
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(requestCount).toBe(1);
-		expect(result.current.permissions).toEqual({
-			[permission1]: {
-				isGranted: true,
-			},
-		});
-
-		rerender([permission1, permission2, permission3]);
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(requestCount).toBe(2);
-		expect(result.current.permissions).toEqual({
-			[permission1]: {
-				isGranted: true,
-			},
-			[permission2]: {
-				isGranted: false,
-			},
-			[permission3]: {
-				isGranted: true,
-			},
-		});
-	});
-
-	it('should not refetch when permissions array order changes but content is the same', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-
-		let requestCount = 0;
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				requestCount++;
-				const payload = await req.json();
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(payload, [true, false])),
-				);
-			}),
-		);
-
-		const { result, rerender } = renderHook<
-			ReturnType<typeof useAuthZ>,
-			BrandedPermission[]
-		>((permissions) => useAuthZ(permissions), {
-			wrapper,
-			initialProps: [permission1, permission2],
-		});
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(requestCount).toBe(1);
-
-		rerender([permission2, permission1]);
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(requestCount).toBe(1);
-	});
-
-	it('should handle empty permissions array', async () => {
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, (_req, res, ctx) => {
-				return res(ctx.status(200), ctx.json({ data: [], status: 'success' }));
-			}),
-		);
-
-		const { result } = renderHook(() => useAuthZ([]), {
-			wrapper,
-		});
-
-		expect(result.current.isLoading).toBe(false);
-		expect(result.current.error).toBeNull();
-		expect(result.current.permissions).toEqual({});
-	});
-
-	it('should send correct payload format to API', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-
-		let receivedPayload: any = null;
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				receivedPayload = await req.json();
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(receivedPayload, [true, false])),
-				);
-			}),
-		);
-
-		const { result } = renderHook(() => useAuthZ([permission1, permission2]), {
-			wrapper,
-		});
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(receivedPayload).toHaveLength(2);
-		expect(receivedPayload[0]).toMatchObject({
-			relation: 'read',
-			object: {
-				resource: { name: 'dashboard', type: 'metaresource' },
-				selector: '*',
-			},
-		});
-		expect(receivedPayload[1]).toMatchObject({
-			relation: 'update',
-			object: {
-				resource: { name: 'dashboard', type: 'metaresource' },
-				selector: '123',
-			},
-		});
-	});
-
-	it('should batch multiple hooks into single flight request', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-		const permission3 = buildPermission('delete', 'dashboard:456');
-
-		let requestCount = 0;
-		const receivedPayloads: any[] = [];
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				requestCount++;
-				const payload = await req.json();
-				receivedPayloads.push(payload);
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(payload, [true, false, true])),
-				);
-			}),
-		);
-
-		const { result: result1 } = renderHook(() => useAuthZ([permission1]), {
-			wrapper,
-		});
-
-		const { result: result2 } = renderHook(() => useAuthZ([permission2]), {
-			wrapper,
-		});
-
-		const { result: result3 } = renderHook(() => useAuthZ([permission3]), {
-			wrapper,
-		});
-
-		await waitFor(
-			() => {
-				expect(result1.current.isLoading).toBe(false);
-				expect(result2.current.isLoading).toBe(false);
-				expect(result3.current.isLoading).toBe(false);
-			},
-			{ timeout: 200 },
-		);
-
-		expect(requestCount).toBe(1);
-		expect(receivedPayloads).toHaveLength(1);
-		expect(receivedPayloads[0]).toHaveLength(3);
-		expect(receivedPayloads[0][0]).toMatchObject({
-			relation: 'read',
-			object: {
-				resource: { name: 'dashboard', type: 'metaresource' },
-				selector: '*',
-			},
-		});
-		expect(receivedPayloads[0][1]).toMatchObject({
-			relation: 'update',
-			object: { resource: { name: 'dashboard' }, selector: '123' },
-		});
-		expect(receivedPayloads[0][2]).toMatchObject({
-			relation: 'delete',
-			object: { resource: { name: 'dashboard' }, selector: '456' },
-		});
-
-		expect(result1.current.permissions).toEqual({
-			[permission1]: { isGranted: true },
-		});
-		expect(result2.current.permissions).toEqual({
-			[permission2]: { isGranted: false },
-		});
-		expect(result3.current.permissions).toEqual({
-			[permission3]: { isGranted: true },
-		});
-	});
-
-	it('should create separate batches for calls after single flight window', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-		const permission3 = buildPermission('delete', 'dashboard:456');
-
-		let requestCount = 0;
-		const receivedPayloads: any[] = [];
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				requestCount++;
-				const payload = await req.json();
-				receivedPayloads.push(payload);
-				const authorized = payload.length === 1 ? [true] : [false, true];
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(payload, authorized)),
-				);
-			}),
-		);
-
-		const { result: result1 } = renderHook(() => useAuthZ([permission1]), {
-			wrapper,
-		});
-
-		await waitFor(
-			() => {
-				expect(result1.current.isLoading).toBe(false);
-			},
-			{ timeout: 200 },
-		);
-
-		expect(requestCount).toBe(1);
-		expect(receivedPayloads[0]).toHaveLength(1);
-
-		await new Promise((resolve) => setTimeout(resolve, 100));
-
-		const { result: result2 } = renderHook(() => useAuthZ([permission2]), {
-			wrapper,
-		});
-
-		const { result: result3 } = renderHook(() => useAuthZ([permission3]), {
-			wrapper,
-		});
-
-		await waitFor(
-			() => {
-				expect(result2.current.isLoading).toBe(false);
-				expect(result3.current.isLoading).toBe(false);
-			},
-			{ timeout: 200 },
-		);
-
-		expect(requestCount).toBe(2);
-		expect(receivedPayloads).toHaveLength(2);
-		expect(receivedPayloads[1]).toHaveLength(2);
-		expect(receivedPayloads[1][0]).toMatchObject({
-			relation: 'update',
-			object: { resource: { name: 'dashboard' }, selector: '123' },
-		});
-		expect(receivedPayloads[1][1]).toMatchObject({
-			relation: 'delete',
-			object: { resource: { name: 'dashboard' }, selector: '456' },
-		});
-	});
-
-	it('should map permissions correctly when API returns response out of order', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-		const permission3 = buildPermission('delete', 'dashboard:456');
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				const payload = await req.json();
-				const reversed = [...payload].reverse();
-				const authorizedByReversed = [true, false, true];
-				return res(
-					ctx.status(200),
-					ctx.json({
-						data: reversed.map((txn: any, i: number) => ({
-							relation: txn.relation,
-							object: txn.object,
-							authorized: authorizedByReversed[i],
-						})),
-						status: 'success',
-					}),
-				);
-			}),
-		);
-
-		const { result } = renderHook(
-			() => useAuthZ([permission1, permission2, permission3]),
-			{ wrapper },
-		);
-
-		await waitFor(() => {
-			expect(result.current.isLoading).toBe(false);
-		});
-
-		expect(result.current.permissions).toEqual({
-			[permission1]: { isGranted: true },
-			[permission2]: { isGranted: false },
-			[permission3]: { isGranted: true },
-		});
-	});
-
-	it('should not leak state between separate batches', async () => {
-		const permission1 = buildPermission('read', 'dashboard:*');
-		const permission2 = buildPermission('update', 'dashboard:123');
-
-		let requestCount = 0;
-
-		server.use(
-			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
-				requestCount++;
-				const payload = await req.json();
-				const authorized = payload.map(
-					(txn: { relation: string }) => txn.relation === 'read',
-				);
-				return res(
-					ctx.status(200),
-					ctx.json(authzMockResponse(payload, authorized)),
-				);
-			}),
-		);
-
-		const { result: result1 } = renderHook(() => useAuthZ([permission1]), {
-			wrapper,
-		});
-
-		await waitFor(
-			() => {
-				expect(result1.current.isLoading).toBe(false);
-			},
-			{ timeout: 200 },
-		);
-
-		expect(requestCount).toBe(1);
-		expect(result1.current.permissions).toEqual({
-			[permission1]: { isGranted: true },
-		});
-
-		await new Promise((resolve) => setTimeout(resolve, 100));
-
-		const { result: result2 } = renderHook(() => useAuthZ([permission2]), {
-			wrapper,
-		});
-
-		await waitFor(
-			() => {
-				expect(result2.current.isLoading).toBe(false);
-			},
-			{ timeout: 200 },
-		);
-
-		expect(requestCount).toBe(2);
-		expect(result1.current.permissions).toEqual({
-			[permission1]: { isGranted: true },
-		});
-		expect(result2.current.permissions).toEqual({
-			[permission2]: { isGranted: false },
-		});
-		expect(result1.current.permissions).not.toHaveProperty(permission2);
-		expect(result2.current.permissions).not.toHaveProperty(permission1);
-	});
-});

frontend/src/hooks/useAuthZ/useAuthZ.tsx

@@ -1,129 +0,0 @@
-import { useMemo } from 'react';
-import { useQueries } from 'react-query';
-import { authzCheck } from 'api/generated/services/authz';
-import type {
-	AuthtypesObjectDTO,
-	AuthtypesTransactionDTO,
-} from 'api/generated/services/sigNoz.schemas';
-
-import { AuthZCheckResponse, BrandedPermission, UseAuthZResult } from './types';
-import {
-	gettableTransactionToPermission,
-	permissionToTransactionDto,
-} from './utils';
-
-let ctx: Promise<AuthZCheckResponse> | null;
-let pendingPermissions: BrandedPermission[] = [];
-const SINGLE_FLIGHT_WAIT_TIME_MS = 50;
-const AUTHZ_CACHE_TIME = 20_000;
-
-function dispatchPermission(
-	permission: BrandedPermission,
-): Promise<AuthZCheckResponse> {
-	pendingPermissions.push(permission);
-
-	if (!ctx) {
-		let resolve: (v: AuthZCheckResponse) => void, reject: (reason?: any) => void;
-		ctx = new Promise<AuthZCheckResponse>((r, re) => {
-			resolve = r;
-			reject = re;
-		});
-
-		setTimeout(() => {
-			const copiedPermissions = pendingPermissions.slice();
-			pendingPermissions = [];
-			ctx = null;
-
-			fetchManyPermissions(copiedPermissions).then(resolve).catch(reject);
-		}, SINGLE_FLIGHT_WAIT_TIME_MS);
-	}
-
-	return ctx;
-}
-
-async function fetchManyPermissions(
-	permissions: BrandedPermission[],
-): Promise<AuthZCheckResponse> {
-	const payload: AuthtypesTransactionDTO[] = permissions.map((permission) => {
-		const dto = permissionToTransactionDto(permission);
-		const object: AuthtypesObjectDTO = {
-			resource: {
-				name: dto.object.resource.name,
-				type: dto.object.resource.type,
-			},
-			selector: dto.object.selector,
-		};
-		return { relation: dto.relation, object };
-	});
-
-	const { data } = await authzCheck(payload);
-
-	const fromApi = (data ?? []).reduce<AuthZCheckResponse>((acc, item) => {
-		const permission = gettableTransactionToPermission(item);
-		acc[permission] = { isGranted: !!item.authorized };
-		return acc;
-	}, {} as AuthZCheckResponse);
-
-	return permissions.reduce<AuthZCheckResponse>((acc, permission) => {
-		acc[permission] = fromApi[permission] ?? { isGranted: false };
-		return acc;
-	}, {} as AuthZCheckResponse);
-}
-
-export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
-	const queryResults = useQueries(
-		permissions.map((permission) => {
-			return {
-				queryKey: ['authz', permission],
-				cacheTime: AUTHZ_CACHE_TIME,
-				refetchOnMount: false,
-				refetchIntervalInBackground: false,
-				refetchOnWindowFocus: false,
-				refetchOnReconnect: true,
-				queryFn: async (): Promise<AuthZCheckResponse> => {
-					const response = await dispatchPermission(permission);
-
-					return {
-						[permission]: {
-							isGranted: response[permission].isGranted,
-						},
-					};
-				},
-			};
-		}),
-	);
-
-	const isLoading = useMemo(() => queryResults.some((q) => q.isLoading), [
-		queryResults,
-	]);
-	const error = useMemo(
-		() =>
-			!isLoading
-				? (queryResults.find((q) => !!q.error)?.error as Error) || null
-				: null,
-		[isLoading, queryResults],
-	);
-	const data = useMemo(() => {
-		if (isLoading || error) {
-			return null;
-		}
-
-		return queryResults.reduce((acc, q) => {
-			if (!q.data) {
-				return acc;
-			}
-
-			for (const [key, value] of Object.entries(q.data)) {
-				acc[key as BrandedPermission] = value;
-			}
-
-			return acc;
-		}, {} as AuthZCheckResponse);
-	}, [isLoading, error, queryResults]);
-
-	return {
-		isLoading,
-		error,
-		permissions: data ?? null,
-	};
-}

frontend/src/hooks/useAuthZ/utils.ts

@@ -1,85 +0,0 @@
-import { AuthtypesTransactionDTO } from '../../api/generated/services/sigNoz.schemas';
-import permissionsType from './permissions.type';
-import {
-	AuthZObject,
-	AuthZRelation,
-	AuthZResource,
-	BrandedPermission,
-	ResourceName,
-	ResourceType,
-} from './types';
-
-export const PermissionSeparator = '||__||';
-export const ObjectSeparator = ':';
-
-export function buildPermission<R extends AuthZRelation>(
-	relation: R,
-	object: AuthZObject<R>,
-): BrandedPermission {
-	return `${relation}${PermissionSeparator}${object}` as BrandedPermission;
-}
-
-export function buildObjectString(
-	resource: AuthZResource,
-	objectId: string,
-): `${AuthZResource}${typeof ObjectSeparator}${string}` {
-	return `${resource}${ObjectSeparator}${objectId}` as const;
-}
-
-export function parsePermission(
-	permission: BrandedPermission,
-): {
-	relation: AuthZRelation;
-	object: string;
-} {
-	const [relation, object] = permission.split(PermissionSeparator);
-	return { relation: relation as AuthZRelation, object };
-}
-
-const resourceNameToType = permissionsType.data.resources.reduce((acc, r) => {
-	acc[r.name] = r.type;
-	return acc;
-}, {} as Record<ResourceName, ResourceType>);
-
-export function permissionToTransactionDto(
-	permission: BrandedPermission,
-): AuthtypesTransactionDTO {
-	const { relation, object: objectStr } = parsePermission(permission);
-	const directType = resourceNameToType[objectStr as ResourceName];
-	if (directType === 'metaresources') {
-		return {
-			relation,
-			object: {
-				resource: { name: objectStr, type: directType },
-				selector: '*',
-			},
-		};
-	}
-	const [resourceName, selector] = objectStr.split(ObjectSeparator);
-	const type =
-		resourceNameToType[resourceName as ResourceName] ?? 'metaresource';
-
-	return {
-		relation,
-		object: {
-			resource: { name: resourceName, type },
-			selector: selector || '*',
-		},
-	};
-}
-
-export function gettableTransactionToPermission(
-	item: AuthtypesTransactionDTO,
-): BrandedPermission {
-	const {
-		relation,
-		object: { resource, selector },
-	} = item;
-	const resourceName = String(resource.name);
-	const selectorStr = typeof selector === 'string' ? selector : '*';
-	const objectStr =
-		resource.type === 'metaresources'
-			? resourceName
-			: `${resourceName}${ObjectSeparator}${selectorStr}`;
-	return `${relation}${PermissionSeparator}${objectStr}` as BrandedPermission;
-}

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/TooltipPlugin.tsx

@@ -8,7 +8,6 @@ import {
 	createSetCursorHandler,
 	createSetLegendHandler,
 	createSetSeriesHandler,
-	getPlot,
 	isScrollEventInPlot,
 	updatePlotVisibility,
 	updateWindowSize,
@@ -54,7 +53,7 @@ export default function TooltipPlugin({
 	const [viewState, setState] = useState<TooltipViewState>(
 		createInitialViewState,
 	);
-	const { hasPlot, isHovering, isPinned, contents, style } = viewState;
+	const { plot, isHovering, isPinned, contents, style } = viewState;
 
 	/**
 	 * Merge a partial view update into the current React state.
@@ -73,25 +72,12 @@ export default function TooltipPlugin({
 		layoutRef.current?.observer.disconnect();
 		layoutRef.current = createLayoutObserver(layoutRef);
 
-		/**
-		 * Plot lifecycle and GC: viewState uses hasPlot (boolean), not the plot
-		 * reference; clearPlotReferences runs in cleanup so
-		 * detached canvases can be garbage collected.
-		 */
 		// Controller holds the mutable interaction state for this tooltip
 		// instance. It is intentionally *not* React state so uPlot hooks
 		// and DOM listeners can update it freely without triggering a
 		// render on every mouse move.
 		const controller: TooltipControllerState = createInitialControllerState();
 
-		/**
-		 * Clear plot references so detached canvases can be garbage collected.
-		 */
-		const clearPlotReferences = (): void => {
-			controller.plot = null;
-			updateState({ hasPlot: false });
-		};
-
 		const syncTooltipWithDashboard = syncMode === DashboardCursorSync.Tooltip;
 
 		// Enable uPlot's built-in cursor sync when requested so that
@@ -124,10 +110,9 @@ export default function TooltipPlugin({
 		// Lock uPlot's internal cursor when the tooltip is pinned so
 		// subsequent mouse moves do not move the crosshair.
 		function updateCursorLock(): void {
-			const plot = getPlot(controller);
-			if (plot) {
+			if (controller.plot) {
 				// @ts-ignore uPlot cursor lock is not working as expected
-				plot.cursor._lock = controller.pinned;
+				controller.plot.cursor._lock = controller.pinned;
 			}
 		}
 
@@ -157,9 +142,8 @@ export default function TooltipPlugin({
 			const isPinnedBeforeDismiss = controller.pinned;
 			controller.pinned = false;
 			controller.hoverActive = false;
-			const plot = getPlot(controller);
-			if (plot) {
-				plot.setCursor({ left: -10, top: -10 });
+			if (controller.plot) {
+				controller.plot.setCursor({ left: -10, top: -10 });
 			}
 			scheduleRender(isPinnedBeforeDismiss);
 		}
@@ -167,12 +151,11 @@ export default function TooltipPlugin({
 		// Build the React node to be rendered inside the tooltip by
 		// delegating to the caller-provided `render` function.
 		function createTooltipContents(): React.ReactNode {
-			const plot = getPlot(controller);
-			if (!controller.hoverActive || !plot) {
+			if (!controller.hoverActive || !controller.plot) {
 				return null;
 			}
 			return renderRef.current({
-				uPlotInstance: plot,
+				uPlotInstance: controller.plot,
 				dataIndexes: controller.seriesIndexes,
 				seriesIndex: controller.focusedSeriesIndex,
 				isPinned: controller.pinned,
@@ -257,13 +240,9 @@ export default function TooltipPlugin({
 
 		// When pinning is enabled, a click on the plot overlay while
 		// hovering converts the transient tooltip into a pinned one.
-		// Uses getPlot(controller) to avoid closing over u (plot), which
-		// would retain the plot and detached canvases across unmounts.
-		const handleUPlotOverClick = (event: MouseEvent): void => {
-			const plot = getPlot(controller);
+		const handleUPlotOverClick = (u: uPlot, event: MouseEvent): void => {
 			if (
-				plot &&
-				event.target === plot.over &&
+				event.target === u.over &&
 				controller.hoverActive &&
 				!controller.pinned &&
 				controller.focusedSeriesIndex != null
@@ -281,9 +260,10 @@ export default function TooltipPlugin({
 		// on the controller and optionally attach the pinning handler.
 		const handleInit = (u: uPlot): void => {
 			controller.plot = u;
-			updateState({ hasPlot: true });
+			updateState({ plot: u });
 			if (canPinTooltip) {
-				overClickHandler = handleUPlotOverClick;
+				overClickHandler = (event: MouseEvent): void =>
+					handleUPlotOverClick(u, event);
 				u.over.addEventListener('click', overClickHandler);
 			}
 		};
@@ -319,6 +299,7 @@ export default function TooltipPlugin({
 		const handleSetCursor = createSetCursorHandler(ctx);
 
 		handleWindowResize();
+
 		const removeReadyHook = config.addHook('ready', (): void =>
 			updatePlotVisibility(controller),
 		);
@@ -344,20 +325,16 @@ export default function TooltipPlugin({
 			removeSetSeriesHook();
 			removeSetLegendHook();
 			removeSetCursorHook();
-			if (overClickHandler) {
-				const plot = getPlot(controller);
-				if (plot) {
-					plot.over.removeEventListener('click', overClickHandler);
-				}
+			if (controller.plot && overClickHandler) {
+				controller.plot.over.removeEventListener('click', overClickHandler);
 				overClickHandler = null;
 			}
-			clearPlotReferences();
 		};
 		// eslint-disable-next-line react-hooks/exhaustive-deps
 	}, [config]);
 
 	useLayoutEffect((): void => {
-		if (!hasPlot || !layoutRef.current) {
+		if (!plot || !layoutRef.current) {
 			return;
 		}
 		const layout = layoutRef.current;
@@ -372,9 +349,9 @@ export default function TooltipPlugin({
 			layout.width = 0;
 			layout.height = 0;
 		}
-	}, [isHovering, hasPlot]);
+	}, [isHovering, plot]);
 
-	if (!hasPlot) {
+	if (!plot) {
 		return null;
 	}
 

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/tooltipController.ts

@@ -10,11 +10,6 @@ import {
 
 const WINDOW_OFFSET = 16;
 
-/** Get the plot instance from the controller; returns null if never set or cleared. */
-export function getPlot(controller: TooltipControllerState): uPlot | null {
-	return controller.plot ?? null;
-}
-
 export function createInitialControllerState(): TooltipControllerState {
 	return {
 		plot: null,
@@ -51,13 +46,12 @@ export function updateWindowSize(controller: TooltipControllerState): void {
  * This is used to decide if a synced tooltip should be shown at all.
  */
 export function updatePlotVisibility(controller: TooltipControllerState): void {
-	const plot = getPlot(controller);
-	if (!plot) {
+	if (!controller.plot) {
 		controller.plotWithinViewport = false;
 		return;
 	}
 	controller.plotWithinViewport = isPlotInViewport(
-		plot.rect,
+		controller.plot.rect,
 		controller.windowWidth,
 		controller.windowHeight,
 	);
@@ -72,11 +66,10 @@ export function isScrollEventInPlot(
 	event: Event,
 	controller: TooltipControllerState,
 ): boolean {
-	const plot = getPlot(controller);
 	return (
 		event.target instanceof Node &&
-		plot !== null &&
-		event.target.contains(plot.root)
+		controller.plot !== null &&
+		event.target.contains(controller.plot.root)
 	);
 }
 
@@ -172,12 +165,11 @@ export function createSetLegendHandler(
 ): (u: uPlot) => void {
 	return (u: uPlot): void => {
 		const { controller } = ctx;
-		const plot = getPlot(controller);
-		if (!plot?.cursor?.idxs) {
+		if (!controller.plot?.cursor?.idxs) {
 			return;
 		}
 
-		const newSeriesIndexes = plot.cursor.idxs.slice();
+		const newSeriesIndexes = controller.plot.cursor.idxs.slice();
 		const isAnySeriesActive = newSeriesIndexes.some((v, i) => i > 0 && v != null);
 
 		const previousCursorDrivenBySync = controller.cursorDrivenBySync;

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/types.ts

@@ -18,8 +18,7 @@ export enum DashboardCursorSync {
 }
 
 export interface TooltipViewState {
-	/** Whether a plot instance exists; plot reference is in controller, not state. */
-	hasPlot?: boolean;
+	plot?: uPlot | null;
 	style: Partial<CSSProperties>;
 	isHovering: boolean;
 	isPinned: boolean;

frontend/src/lib/uPlotV2/plugins/TooltipPlugin/utils.ts

@@ -123,7 +123,7 @@ export function createInitialViewState(): TooltipViewState {
 		isHovering: false,
 		isPinned: false,
 		contents: null,
-		hasPlot: false,
+		plot: null,
 		dismiss: (): void => {},
 	};
 }

pkg/apiserver/signozapiserver/provider.go

@@ -18,7 +18,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -49,7 +48,6 @@ type provider struct {
 	authzHandler           authz.Handler
 	zeusHandler            zeus.Handler
 	querierHandler         querier.Handler
-	serviceAccountHandler  serviceaccount.Handler
 }
 
 func NewFactory(
@@ -71,7 +69,6 @@ func NewFactory(
 	authzHandler authz.Handler,
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
-	serviceAccountHandler serviceaccount.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
 		return newProvider(
@@ -96,7 +93,6 @@ func NewFactory(
 			authzHandler,
 			zeusHandler,
 			querierHandler,
-			serviceAccountHandler,
 		)
 	})
 }
@@ -123,7 +119,6 @@ func newProvider(
 	authzHandler authz.Handler,
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
-	serviceAccountHandler serviceaccount.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
 	router := mux.NewRouter().UseEncodedPath()
@@ -148,7 +143,6 @@ func newProvider(
 		authzHandler:           authzHandler,
 		zeusHandler:            zeusHandler,
 		querierHandler:         querierHandler,
-		serviceAccountHandler:  serviceAccountHandler,
 	}
 
 	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
@@ -229,10 +223,6 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
-	if err := provider.addServiceAccountRoutes(router); err != nil {
-		return err
-	}
-
 	return nil
 }
 

pkg/apiserver/signozapiserver/serviceaccount.go

@@ -1,184 +0,0 @@
-package signozapiserver
-
-import (
-	"net/http"
-
-	"github.com/SigNoz/signoz/pkg/http/handler"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-	"github.com/gorilla/mux"
-)
-
-func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Create), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create service account",
-		Description:         "This endpoint creates a service account",
-		Request:             new(serviceaccounttypes.PostableServiceAccount),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.List), handler.OpenAPIDef{
-		ID:                  "ListServiceAccounts",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "List service accounts",
-		Description:         "This endpoint lists the service accounts for an organisation",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.ServiceAccount, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Get), handler.OpenAPIDef{
-		ID:                  "GetServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets a service account",
-		Description:         "This endpoint gets an existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.ServiceAccount),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Update), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account",
-		Description:         "This endpoint updates an existing service account",
-		Request:             new(serviceaccounttypes.UpdatableServiceAccount),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/status", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.UpdateStatus), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccountStatus",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account status",
-		Description:         "This endpoint updates an existing service account status",
-		Request:             new(serviceaccounttypes.UpdatableServiceAccountStatus),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Delete), handler.OpenAPIDef{
-		ID:                  "DeleteServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Deletes a service account",
-		Description:         "This endpoint deletes an existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.CreateFactorAPIKey), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create a service account key",
-		Description:         "This endpoint creates a service account key",
-		Request:             new(serviceaccounttypes.PostableFactorAPIKey),
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.ListFactorAPIKey), handler.OpenAPIDef{
-		ID:                  "ListServiceAccountKeys",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "List service account keys",
-		Description:         "This endpoint lists the service account keys",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.FactorAPIKey, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.UpdateFactorAPIKey), handler.OpenAPIDef{
-		ID:                  "UpdateServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates a service account key",
-		Description:         "This endpoint updates an existing service account key",
-		Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.RevokeFactorAPIKey), handler.OpenAPIDef{
-		ID:                  "RevokeServiceAccountKey",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Revoke a service account key",
-		Description:         "This endpoint revokes an existing service account key",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
-	return nil
-}

pkg/authn/passwordauthn/emailpasswordauthn/authn.go

@@ -30,5 +30,5 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}
 
-	return authtypes.NewIdentity(user.ID, orgID, user.Email), nil
+	return authtypes.NewIdentity(user.ID, orgID, user.Email, user.Role), nil
 }

pkg/authz/authz.go

@@ -62,17 +62,14 @@ type AuthZ interface {
 	//  Lists all the roles for the organization filtered by name
 	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*roletypes.Role, error)
 
-	//  Lists all the roles for the organization filtered by ids
-	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*roletypes.Role, error)
-
 	// Grants a role to the subject based on role name.
-	Grant(context.Context, valuer.UUID, []string, string) error
+	Grant(context.Context, valuer.UUID, string, string) error
 
 	// Revokes a granted role from the subject based on role name.
-	Revoke(context.Context, valuer.UUID, []string, string) error
+	Revoke(context.Context, valuer.UUID, string, string) error
 
 	// Changes the granted role for the subject based on role name.
-	ModifyGrant(context.Context, valuer.UUID, []string, []string, string) error
+	ModifyGrant(context.Context, valuer.UUID, string, string, string) error
 
 	// Bootstrap the managed roles.
 	CreateManagedRoles(context.Context, valuer.UUID, []*roletypes.Role) error

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -96,39 +96,6 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 		return nil, err
 	}
 
-	if len(roles) != len(names) {
-		return nil, store.sqlstore.WrapNotFoundErrf(
-			nil,
-			roletypes.ErrCodeRoleNotFound,
-			"not all roles found for the provided names: %v", names,
-		)
-	}
-
-	return roles, nil
-}
-
-func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.StorableRole, error) {
-	roles := make([]*roletypes.StorableRole, 0)
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&roles).
-		Where("org_id = ?", orgID).
-		Where("id IN (?)", bun.In(ids)).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(roles) != len(ids) {
-		return nil, store.sqlstore.WrapNotFoundErrf(
-			nil,
-			roletypes.ErrCodeRoleNotFound,
-			"not all roles found for the provided ids: %v", ids,
-		)
-	}
-
 	return roles, nil
 }
 

pkg/authz/openfgaauthz/provider.go

@@ -114,46 +114,28 @@ func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.
 	return roles, nil
 }
 
-func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.Role, error) {
-	storableRoles, err := provider.store.ListByOrgIDAndIDs(ctx, orgID, ids)
-	if err != nil {
-		return nil, err
-	}
-
-	roles := make([]*roletypes.Role, len(storableRoles))
-	for idx, storable := range storableRoles {
-		roles[idx] = roletypes.NewRoleFromStorableRole(storable)
-	}
-
-	return roles, nil
-}
-
-func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
-	selectors := make([]authtypes.Selector, len(names))
-	for idx, name := range names {
-		selectors[idx] = authtypes.MustNewSelector(authtypes.TypeRole, name)
-	}
-
+func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
 	tuples, err := authtypes.TypeableRole.Tuples(
 		subject,
 		authtypes.RelationAssignee,
-		selectors,
+		[]authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, name),
+		},
 		orgID,
 	)
 	if err != nil {
 		return err
 	}
-
 	return provider.Write(ctx, tuples, nil)
 }
 
-func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleNames []string, updatedRoleNames []string, subject string) error {
-	err := provider.Revoke(ctx, orgID, existingRoleNames, subject)
+func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleName string, updatedRoleName string, subject string) error {
+	err := provider.Revoke(ctx, orgID, existingRoleName, subject)
 	if err != nil {
 		return err
 	}
 
-	err = provider.Grant(ctx, orgID, updatedRoleNames, subject)
+	err = provider.Grant(ctx, orgID, updatedRoleName, subject)
 	if err != nil {
 		return err
 	}
@@ -161,16 +143,13 @@ func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, ex
 	return nil
 }
 
-func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
-	selectors := make([]authtypes.Selector, len(names))
-	for idx, name := range names {
-		selectors[idx] = authtypes.MustNewSelector(authtypes.TypeRole, name)
-	}
-
+func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
 	tuples, err := authtypes.TypeableRole.Tuples(
 		subject,
 		authtypes.RelationAssignee,
-		selectors,
+		[]authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, name),
+		},
 		orgID,
 	)
 	if err != nil {
@@ -199,7 +178,7 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 }
 
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
-	return provider.Grant(ctx, orgID, []string{roletypes.SigNozAdminRoleName}, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
+	return provider.Grant(ctx, orgID, roletypes.SigNozAdminRoleName, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }
 
 func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *roletypes.Role) error {

pkg/authz/openfgaschema/base.fga

@@ -2,11 +2,9 @@ module base
 
 type user
 
-type serviceaccount 
-
 type role 
   relations
-    define assignee: [user, serviceaccount]
+    define assignee: [user]
 
 type organisation 
   relations

pkg/authz/openfgaserver/server.go

@@ -128,22 +128,9 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
-	subject := ""
-	switch claims.Principal {
-	case authtypes.PrincipalUser.StringValue():
-		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = user
-	case authtypes.PrincipalServiceAccount.StringValue():
-		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = serviceAccount
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		return err
 	}
 
 	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)

pkg/http/middleware/api_key.go

@@ -0,0 +1,143 @@
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/sharder"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"golang.org/x/sync/singleflight"
+)
+
+const (
+	apiKeyCrossOrgMessage string = "::API-KEY-CROSS-ORG::"
+)
+
+type APIKey struct {
+	store   sqlstore.SQLStore
+	uuid    *authtypes.UUID
+	headers []string
+	logger  *slog.Logger
+	sharder sharder.Sharder
+	sfGroup *singleflight.Group
+}
+
+func NewAPIKey(store sqlstore.SQLStore, headers []string, logger *slog.Logger, sharder sharder.Sharder) *APIKey {
+	return &APIKey{
+		store:   store,
+		uuid:    authtypes.NewUUID(),
+		headers: headers,
+		logger:  logger,
+		sharder: sharder,
+		sfGroup: &singleflight.Group{},
+	}
+}
+
+func (a *APIKey) Wrap(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var values []string
+		var apiKeyToken string
+		var apiKey types.StorableAPIKey
+
+		for _, header := range a.headers {
+			values = append(values, r.Header.Get(header))
+		}
+
+		ctx, err := a.uuid.ContextFromRequest(r.Context(), values...)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		apiKeyToken, ok := authtypes.UUIDFromContext(ctx)
+		if !ok {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		err = a.
+			store.
+			BunDB().
+			NewSelect().
+			Model(&apiKey).
+			Where("token = ?", apiKeyToken).
+			Scan(r.Context())
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// allow the APIKey if expires_at is not set
+		if apiKey.ExpiresAt.Before(time.Now()) && !apiKey.ExpiresAt.Equal(types.NEVER_EXPIRES) {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// get user from db
+		user := types.User{}
+		err = a.store.BunDB().NewSelect().Model(&user).Where("id = ?", apiKey.UserID).Scan(r.Context())
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		jwt := authtypes.Claims{
+			UserID: user.ID.String(),
+			Role:   apiKey.Role,
+			Email:  user.Email.String(),
+			OrgID:  user.OrgID.String(),
+		}
+
+		ctx = authtypes.NewContextWithClaims(ctx, jwt)
+
+		claims, err := authtypes.ClaimsFromContext(ctx)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		if err := a.sharder.IsMyOwnedKey(r.Context(), types.NewOrganizationKey(valuer.MustNewUUID(claims.OrgID))); err != nil {
+			a.logger.ErrorContext(r.Context(), apiKeyCrossOrgMessage, "claims", claims, "error", err)
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		ctx = ctxtypes.SetAuthType(ctx, ctxtypes.AuthTypeAPIKey)
+
+		comment := ctxtypes.CommentFromContext(ctx)
+		comment.Set("auth_type", ctxtypes.AuthTypeAPIKey.StringValue())
+		comment.Set("user_id", claims.UserID)
+		comment.Set("org_id", claims.OrgID)
+
+		r = r.WithContext(ctxtypes.NewContextWithComment(ctx, comment))
+
+		next.ServeHTTP(w, r)
+
+		lastUsedCtx := context.WithoutCancel(r.Context())
+		_, _, _ = a.sfGroup.Do(apiKey.ID.StringValue(), func() (any, error) {
+			apiKey.LastUsed = time.Now()
+			_, err = a.
+				store.
+				BunDB().
+				NewUpdate().
+				Model(&apiKey).
+				Column("last_used").
+				Where("token = ?", apiKeyToken).
+				Where("revoked = false").
+				Exec(lastUsedCtx)
+			if err != nil {
+				a.logger.ErrorContext(lastUsedCtx, "failed to update last used of api key", "error", err)
+			}
+
+			return true, nil
+		})
+
+	})
+
+}

pkg/http/middleware/authn.go

@@ -22,50 +22,31 @@ const (
 )
 
 type AuthN struct {
-	tokenizer               tokenizer.Tokenizer
-	serviceAccountTokenizer tokenizer.Tokenizer
-	headers                 []string
-	serviceAccountHeaders   []string
-	sharder                 sharder.Sharder
-	logger                  *slog.Logger
-	sfGroup                 *singleflight.Group
+	tokenizer tokenizer.Tokenizer
+	headers   []string
+	sharder   sharder.Sharder
+	logger    *slog.Logger
+	sfGroup   *singleflight.Group
 }
 
-func NewAuthN(
-	headers []string,
-	serviceAccountHeaders []string,
-	sharder sharder.Sharder,
-	tokenizer tokenizer.Tokenizer,
-	serviceAccountTokenizer tokenizer.Tokenizer,
-	logger *slog.Logger,
-) *AuthN {
+func NewAuthN(headers []string, sharder sharder.Sharder, tokenizer tokenizer.Tokenizer, logger *slog.Logger) *AuthN {
 	return &AuthN{
-		headers:                 headers,
-		serviceAccountHeaders:   serviceAccountHeaders,
-		sharder:                 sharder,
-		tokenizer:               tokenizer,
-		serviceAccountTokenizer: serviceAccountTokenizer,
-		logger:                  logger,
-		sfGroup:                 &singleflight.Group{},
+		headers:   headers,
+		sharder:   sharder,
+		tokenizer: tokenizer,
+		logger:    logger,
+		sfGroup:   &singleflight.Group{},
 	}
 }
 
 func (a *AuthN) Wrap(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var userHeaderValues []string
+		var values []string
 		for _, header := range a.headers {
-			userHeaderValues = append(userHeaderValues, r.Header.Get(header))
-		}
-
-		ctx, authType, activeTokenizer, err := a.authenticateUser(r.Context(), userHeaderValues...)
-		if err != nil {
-			var saHeaderValues []string
-			for _, header := range a.serviceAccountHeaders {
-				saHeaderValues = append(saHeaderValues, r.Header.Get(header))
-			}
-			ctx, authType, activeTokenizer, err = a.authenticateServiceAccount(r.Context(), saHeaderValues...)
+			values = append(values, r.Header.Get(header))
 		}
 
+		ctx, err := a.contextFromRequest(r.Context(), values...)
 		if err != nil {
 			r = r.WithContext(ctx)
 			next.ServeHTTP(w, r)
@@ -86,11 +67,11 @@ func (a *AuthN) Wrap(next http.Handler) http.Handler {
 			return
 		}
 
-		ctx = ctxtypes.SetAuthType(ctx, authType)
+		ctx = ctxtypes.SetAuthType(ctx, ctxtypes.AuthTypeTokenizer)
 
 		comment := ctxtypes.CommentFromContext(ctx)
-		comment.Set("auth_type", authType.StringValue())
-		comment.Set("tokenizer_provider", activeTokenizer.Config().Provider)
+		comment.Set("auth_type", ctxtypes.AuthTypeTokenizer.StringValue())
+		comment.Set("tokenizer_provider", a.tokenizer.Config().Provider)
 		comment.Set("user_id", claims.UserID)
 		comment.Set("org_id", claims.OrgID)
 
@@ -98,20 +79,15 @@ func (a *AuthN) Wrap(next http.Handler) http.Handler {
 
 		next.ServeHTTP(w, r)
 
-		// Track last observed at for the active tokenizer.
-		var token string
-		if authType == ctxtypes.AuthTypeAPIKey {
-			token, err = authtypes.ServiceAccountAPIKeyFromContext(r.Context())
-		} else {
-			token, err = authtypes.AccessTokenFromContext(r.Context())
-		}
+		accessToken, err := authtypes.AccessTokenFromContext(r.Context())
 		if err != nil {
+			next.ServeHTTP(w, r)
 			return
 		}
 
 		lastObservedAtCtx := context.WithoutCancel(r.Context())
-		_, _, _ = a.sfGroup.Do(token, func() (any, error) {
-			if err := activeTokenizer.SetLastObservedAt(lastObservedAtCtx, token, time.Now()); err != nil {
+		_, _, _ = a.sfGroup.Do(accessToken, func() (any, error) {
+			if err := a.tokenizer.SetLastObservedAt(lastObservedAtCtx, accessToken, time.Now()); err != nil {
 				a.logger.ErrorContext(lastObservedAtCtx, "failed to set last observed at", "error", err)
 				return false, err
 			}
@@ -121,60 +97,23 @@ func (a *AuthN) Wrap(next http.Handler) http.Handler {
 	})
 }
 
-func (a *AuthN) authenticateUser(ctx context.Context, values ...string) (context.Context, ctxtypes.AuthType, tokenizer.Tokenizer, error) {
+func (a *AuthN) contextFromRequest(ctx context.Context, values ...string) (context.Context, error) {
 	ctx, err := a.contextFromAccessToken(ctx, values...)
 	if err != nil {
-		return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, err
+		return ctx, err
 	}
 
 	accessToken, err := authtypes.AccessTokenFromContext(ctx)
 	if err != nil {
-		return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, err
+		return ctx, err
 	}
 
-	identity, err := a.tokenizer.GetIdentity(ctx, accessToken)
+	authenticatedUser, err := a.tokenizer.GetIdentity(ctx, accessToken)
 	if err != nil {
-		return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, err
+		return ctx, err
 	}
 
-	ctx = authtypes.NewContextWithClaims(ctx, identity.ToClaims())
-	return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, nil
-}
-
-func (a *AuthN) authenticateServiceAccount(ctx context.Context, values ...string) (context.Context, ctxtypes.AuthType, tokenizer.Tokenizer, error) {
-	ctx, err := a.contextFromServiceAccountAPIKey(ctx, values...)
-	if err != nil {
-		return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, err
-	}
-
-	apiKey, err := authtypes.ServiceAccountAPIKeyFromContext(ctx)
-	if err != nil {
-		return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, err
-	}
-
-	identity, err := a.serviceAccountTokenizer.GetIdentity(ctx, apiKey)
-	if err != nil {
-		return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, err
-	}
-
-	ctx = authtypes.NewContextWithClaims(ctx, identity.ToClaims())
-	return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, nil
-}
-
-func (a *AuthN) contextFromServiceAccountAPIKey(ctx context.Context, values ...string) (context.Context, error) {
-	var value string
-	for _, v := range values {
-		if v != "" {
-			value = v
-			break
-		}
-	}
-
-	if value == "" {
-		return ctx, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "missing api key header")
-	}
-
-	return authtypes.NewContextWithServiceAccountAPIKey(ctx, value), nil
+	return authtypes.NewContextWithClaims(ctx, authenticatedUser.ToClaims()), nil
 }
 
 func (a *AuthN) contextFromAccessToken(ctx context.Context, values ...string) (context.Context, error) {

pkg/http/middleware/authz.go

@@ -9,6 +9,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
@@ -41,6 +42,19 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		commentCtx := ctxtypes.CommentFromContext(ctx)
+		authtype, ok := commentCtx.Map()["auth_type"]
+		if ok && authtype == ctxtypes.AuthTypeAPIKey.StringValue() {
+			if err := claims.IsViewer(); err != nil {
+				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
+				render.Error(rw, err)
+				return
+			}
+
+			next(rw, req)
+			return
+		}
+
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozEditorRoleName),
@@ -80,6 +94,19 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		commentCtx := ctxtypes.CommentFromContext(ctx)
+		authtype, ok := commentCtx.Map()["auth_type"]
+		if ok && authtype == ctxtypes.AuthTypeAPIKey.StringValue() {
+			if err := claims.IsEditor(); err != nil {
+				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
+				render.Error(rw, err)
+				return
+			}
+
+			next(rw, req)
+			return
+		}
+
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozEditorRoleName),
@@ -118,6 +145,19 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		commentCtx := ctxtypes.CommentFromContext(ctx)
+		authtype, ok := commentCtx.Map()["auth_type"]
+		if ok && authtype == ctxtypes.AuthTypeAPIKey.StringValue() {
+			if err := claims.IsAdmin(); err != nil {
+				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
+				render.Error(rw, err)
+				return
+			}
+
+			next(rw, req)
+			return
+		}
+
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
 		}

pkg/modules/dashboard/dashboard.go

@@ -43,7 +43,7 @@ type Module interface {
 
 	Update(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, data dashboardtypes.UpdatableDashboard, diff int) (*dashboardtypes.Dashboard, error)
 
-	LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedByUserID valuer.UUID, lock bool) error
+	LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error
 
 	Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error
 

pkg/modules/dashboard/impldashboard/handler.go

@@ -156,7 +156,7 @@ func (handler *handler) LockUnlock(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.module.LockUnlock(ctx, orgID, dashboardID, valuer.MustNewUUID(claims.UserID), *req.Locked)
+	err = handler.module.LockUnlock(ctx, orgID, dashboardID, claims.Email, claims.Role, *req.Locked)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/dashboard/impldashboard/module.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/queryparser"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
@@ -25,10 +24,9 @@ type module struct {
 	analytics   analytics.Analytics
 	orgGetter   organization.Getter
 	queryParser queryparser.QueryParser
-	userGetter  user.Getter
 }
 
-func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser, userGetter user.Getter) dashboard.Module {
+func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, analytics analytics.Analytics, orgGetter organization.Getter, queryParser queryparser.QueryParser) dashboard.Module {
 	scopedProviderSettings := factory.NewScopedProviderSettings(settings, "github.com/SigNoz/signoz/pkg/modules/dashboard/impldashboard")
 	return &module{
 		store:       store,
@@ -36,7 +34,6 @@ func NewModule(store dashboardtypes.Store, settings factory.ProviderSettings, an
 		analytics:   analytics,
 		orgGetter:   orgGetter,
 		queryParser: queryParser,
-		userGetter:  userGetter,
 	}
 }
 
@@ -102,18 +99,13 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, id valuer.U
 	return dashboard, nil
 }
 
-func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedByUserID valuer.UUID, lock bool) error {
+func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error {
 	dashboard, err := module.Get(ctx, orgID, id)
 	if err != nil {
 		return err
 	}
 
-	user, err := module.userGetter.GetByOrgIDAndID(ctx, orgID, updatedByUserID)
-	if err != nil {
-		return err
-	}
-
-	err = dashboard.LockUnlock(lock, user.Role, user.Email.String())
+	err = dashboard.LockUnlock(lock, role, updatedBy)
 	if err != nil {
 		return err
 	}

pkg/modules/savedview/implsavedview/module.go

@@ -12,7 +12,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/savedviewtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -25,7 +24,7 @@ func NewModule(sqlstore sqlstore.SQLStore) savedview.Module {
 }
 
 func (module *module) GetViewsForFilters(ctx context.Context, orgID string, sourcePage string, name string, category string) ([]*v3.SavedView, error) {
-	var views []savedviewtypes.SavedView
+	var views []types.SavedView
 	var err error
 	if len(category) == 0 {
 		err = module.sqlstore.BunDB().NewSelect().Model(&views).Where("org_id = ? AND source_page = ? AND name LIKE ?", orgID, sourcePage, "%"+name+"%").Scan(ctx)
@@ -77,7 +76,7 @@ func (module *module) CreateView(ctx context.Context, orgID string, view v3.Save
 	createBy := claims.Email
 	updatedBy := claims.Email
 
-	dbView := savedviewtypes.SavedView{
+	dbView := types.SavedView{
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: createdAt,
 			UpdatedAt: updatedAt,
@@ -106,7 +105,7 @@ func (module *module) CreateView(ctx context.Context, orgID string, view v3.Save
 }
 
 func (module *module) GetView(ctx context.Context, orgID string, uuid valuer.UUID) (*v3.SavedView, error) {
-	var view savedviewtypes.SavedView
+	var view types.SavedView
 	err := module.sqlstore.BunDB().NewSelect().Model(&view).Where("org_id = ? AND id = ?", orgID, uuid.StringValue()).Scan(ctx)
 	if err != nil {
 		return nil, errors.WrapInternalf(err, errors.CodeInternal, "error in getting saved view")
@@ -147,7 +146,7 @@ func (module *module) UpdateView(ctx context.Context, orgID string, uuid valuer.
 	updatedBy := claims.Email
 
 	_, err = module.sqlstore.BunDB().NewUpdate().
-		Model(&savedviewtypes.SavedView{}).
+		Model(&types.SavedView{}).
 		Set("updated_at = ?, updated_by = ?, name = ?, category = ?, source_page = ?, tags = ?, data = ?, extra_data = ?",
 			updatedAt, updatedBy, view.Name, view.Category, view.SourcePage, strings.Join(view.Tags, ","), data, view.ExtraData).
 		Where("id = ?", uuid.StringValue()).
@@ -161,7 +160,7 @@ func (module *module) UpdateView(ctx context.Context, orgID string, uuid valuer.
 
 func (module *module) DeleteView(ctx context.Context, orgID string, uuid valuer.UUID) error {
 	_, err := module.sqlstore.BunDB().NewDelete().
-		Model(&savedviewtypes.SavedView{}).
+		Model(&types.SavedView{}).
 		Where("id = ?", uuid.StringValue()).
 		Where("org_id = ?", orgID).
 		Exec(ctx)
@@ -172,7 +171,7 @@ func (module *module) DeleteView(ctx context.Context, orgID string, uuid valuer.
 }
 
 func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
-	savedViews := []*savedviewtypes.SavedView{}
+	savedViews := []*types.SavedView{}
 
 	err := module.
 		sqlstore.
@@ -185,5 +184,5 @@ func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 		return nil, err
 	}
 
-	return savedviewtypes.NewStatsFromSavedViews(savedViews), nil
+	return types.NewStatsFromSavedViews(savedViews), nil
 }

pkg/modules/serviceaccount/implserviceaccount/handler.go

@@ -1,335 +0,0 @@
-package implserviceaccount
-
-import (
-	"net/http"
-
-	"github.com/SigNoz/signoz/pkg/http/binding"
-	"github.com/SigNoz/signoz/pkg/http/render"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/gorilla/mux"
-)
-
-type handler struct {
-	module serviceaccount.Module
-}
-
-func NewHandler(module serviceaccount.Module) serviceaccount.Handler {
-	return &handler{module: module}
-}
-
-func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(serviceaccounttypes.PostableServiceAccount)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount := serviceaccounttypes.NewServiceAccount(req.Name, req.Email, req.Roles, serviceaccounttypes.StatusActive, valuer.MustNewUUID(claims.OrgID))
-	err = handler.module.Create(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusCreated, types.Identifiable{ID: serviceAccount.ID})
-}
-
-func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, serviceAccount)
-}
-
-func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccounts, err := handler.module.List(ctx, valuer.MustNewUUID(claims.OrgID))
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, serviceAccounts)
-}
-
-func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(serviceaccounttypes.UpdatableServiceAccount)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount.Update(req.Name, req.Email, req.Roles)
-	err = handler.module.Update(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) UpdateStatus(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(serviceaccounttypes.UpdatableServiceAccountStatus)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount.UpdateStatus(req.Status)
-	err = handler.module.UpdateStatus(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.module.Delete(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) CreateFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(serviceaccounttypes.PostableFactorAPIKey)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	// this takes care of checking the existence of service account and the org constraint.
-	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	factorAPIKey, err := serviceAccount.NewFactorAPIKey(req.Name, req.ExpiresAt)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.module.CreateFactorAPIKey(ctx, factorAPIKey)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusCreated, serviceaccounttypes.NewGettableFactorAPIKeyWithKey(factorAPIKey.ID, factorAPIKey.Key))
-}
-
-func (handler *handler) ListFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	factorAPIKeys, err := handler.module.ListFactorAPIKey(ctx, serviceAccount.ID)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, serviceaccounttypes.NewGettableFactorAPIKeys(factorAPIKeys))
-}
-
-func (handler *handler) UpdateFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	factorAPIKeyID, err := valuer.NewUUID(mux.Vars(r)["fid"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(serviceaccounttypes.UpdatableFactorAPIKey)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	factorAPIKey, err := handler.module.GetFactorAPIKey(ctx, serviceAccount.ID, factorAPIKeyID)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	factorAPIKey.Update(req.Name, req.ExpiresAt)
-	err = handler.module.UpdateFactorAPIKey(ctx, serviceAccount.ID, factorAPIKey)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) RevokeFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	factorAPIKeyID, err := valuer.NewUUID(mux.Vars(r)["fid"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.module.RevokeFactorAPIKey(ctx, serviceAccount.ID, factorAPIKeyID)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}

pkg/modules/serviceaccount/implserviceaccount/module.go

@@ -1,351 +0,0 @@
-package implserviceaccount
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/authz"
-	"github.com/SigNoz/signoz/pkg/emailing"
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/emailtypes"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type module struct {
-	store    serviceaccounttypes.Store
-	authz    authz.AuthZ
-	emailing emailing.Emailing
-	settings factory.ScopedProviderSettings
-}
-
-func NewModule(store serviceaccounttypes.Store, authz authz.AuthZ, emailing emailing.Emailing, providerSettings factory.ProviderSettings) serviceaccount.Module {
-	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount")
-	return &module{store: store, authz: authz, emailing: emailing, settings: settings}
-}
-
-func (module *module) Create(ctx context.Context, orgID valuer.UUID, serviceAccount *serviceaccounttypes.ServiceAccount) error {
-	// validates the presence of all roles passed in the create request
-	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, serviceAccount.Roles)
-	if err != nil {
-		return err
-	}
-
-	// authz actions cannot run in sql transactions
-	err = module.authz.Grant(ctx, orgID, serviceAccount.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, serviceAccount.ID.String(), orgID, nil))
-	if err != nil {
-		return err
-	}
-
-	storableServiceAccount := serviceaccounttypes.NewStorableServiceAccount(serviceAccount)
-	storableServiceAccountRoles := serviceaccounttypes.NewStorableServiceAccountRoles(serviceAccount.ID, roles)
-	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
-		err := module.store.Create(ctx, storableServiceAccount)
-		if err != nil {
-			return err
-		}
-
-		err = module.store.CreateServiceAccountRoles(ctx, storableServiceAccountRoles)
-		if err != nil {
-			return err
-		}
-
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
-	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	// did the orchestration on application layer instead of DB as the ORM also does it anyways for many to many tables.
-	storableServiceAccountRoles, err := module.store.GetServiceAccountRoles(ctx, id)
-	if err != nil {
-		return nil, err
-	}
-
-	roleIDs := make([]valuer.UUID, len(storableServiceAccountRoles))
-	for idx, sar := range storableServiceAccountRoles {
-		roleIDs[idx] = valuer.MustNewUUID(sar.RoleID)
-	}
-
-	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
-	if err != nil {
-		return nil, err
-	}
-
-	rolesNames, err := serviceaccounttypes.NewRolesFromStorableServiceAccountRoles(storableServiceAccountRoles, roles)
-	if err != nil {
-		return nil, err
-	}
-
-	serviceAccount := serviceaccounttypes.NewServiceAccountFromStorables(storableServiceAccount, rolesNames)
-	return serviceAccount, nil
-}
-
-func (module *module) GetWithoutRoles(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
-	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	// passing []string{} (not nil to prevent panics) roles as the function isn't supposed to put roles.
-	serviceAccount := serviceaccounttypes.NewServiceAccountFromStorables(storableServiceAccount, []string{})
-	return serviceAccount, nil
-}
-
-func (module *module) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error) {
-	storableServiceAccounts, err := module.store.List(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	storableServiceAccountRoles, err := module.store.ListServiceAccountRolesByOrgID(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	// convert the service account roles to structured data
-	saIDToRoleIDs, roleIDs := serviceaccounttypes.GetUniqueRolesAndServiceAccountMapping(storableServiceAccountRoles)
-	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
-	if err != nil {
-		return nil, err
-	}
-
-	// fill in the role fetched data back to service account
-	serviceAccounts := serviceaccounttypes.NewServiceAccountsFromRoles(storableServiceAccounts, roles, saIDToRoleIDs)
-	return serviceAccounts, nil
-}
-
-func (module *module) Update(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
-	serviceAccount, err := module.Get(ctx, orgID, input.ID)
-	if err != nil {
-		return err
-	}
-
-	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, input.Roles)
-	if err != nil {
-		return err
-	}
-
-	// gets the role diff if any to modify grants.
-	grants, revokes := serviceAccount.PatchRoles(input)
-	err = module.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableUser, serviceAccount.ID.String(), orgID, nil))
-	if err != nil {
-		return err
-	}
-
-	storableServiceAccountRoles := serviceaccounttypes.NewStorableServiceAccountRoles(serviceAccount.ID, roles)
-	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
-		err := module.store.Update(ctx, orgID, serviceaccounttypes.NewStorableServiceAccount(input))
-		if err != nil {
-			return err
-		}
-
-		// delete all the service account roles and create new rather than diff here.
-		err = module.store.DeleteServiceAccountRoles(ctx, input.ID)
-		if err != nil {
-			return err
-		}
-
-		err = module.store.CreateServiceAccountRoles(ctx, storableServiceAccountRoles)
-		if err != nil {
-			return err
-		}
-
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (module *module) UpdateStatus(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
-	serviceAccount, err := module.Get(ctx, orgID, input.ID)
-	if err != nil {
-		return err
-	}
-
-	if input.Status == serviceAccount.Status {
-		return nil
-	}
-
-	switch input.Status {
-	case serviceaccounttypes.StatusActive:
-		err := module.activateServiceAccount(ctx, orgID, input)
-		if err != nil {
-			return err
-		}
-	case serviceaccounttypes.StatusDisabled:
-		err := module.disableServiceAccount(ctx, orgID, input)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
-	serviceAccount, err := module.Get(ctx, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	// revoke from authz first as this cannot run in sql transaction
-	err = module.authz.Revoke(ctx, orgID, serviceAccount.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, serviceAccount.ID.String(), orgID, nil))
-	if err != nil {
-		return err
-	}
-
-	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
-		err := module.store.DeleteServiceAccountRoles(ctx, serviceAccount.ID)
-		if err != nil {
-			return err
-		}
-
-		err = module.store.RevokeAllFactorAPIKeys(ctx, serviceAccount.ID)
-		if err != nil {
-			return err
-		}
-
-		err = module.store.Delete(ctx, serviceAccount.OrgID, serviceAccount.ID)
-		if err != nil {
-			return err
-		}
-
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (module *module) CreateFactorAPIKey(ctx context.Context, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
-	storableFactorAPIKey := serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey)
-
-	err := module.store.CreateFactorAPIKey(ctx, storableFactorAPIKey)
-	if err != nil {
-		return err
-	}
-
-	serviceAccount, err := module.store.GetByID(ctx, factorAPIKey.ServiceAccountID)
-	if err != nil {
-		return err
-	}
-
-	if err := module.emailing.SendHTML(ctx, serviceAccount.Email, "New API Key created for your SigNoz account", emailtypes.TemplateNameAPIKeyEvent, map[string]any{
-		"Name":         serviceAccount.Name,
-		"KeyName":      factorAPIKey.Name,
-		"KeyID":        factorAPIKey.ID.String(),
-		"KeyCreatedAt": factorAPIKey.CreatedAt.String(),
-	}); err != nil {
-		module.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
-	}
-
-	return nil
-}
-
-func (module *module) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error) {
-	storableFactorAPIKey, err := module.store.GetFactorAPIKey(ctx, serviceAccountID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return serviceaccounttypes.NewFactorAPIKeyFromStorable(storableFactorAPIKey), nil
-}
-
-func (module *module) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error) {
-	storables, err := module.store.ListFactorAPIKey(ctx, serviceAccountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return serviceaccounttypes.NewFactorAPIKeyFromStorables(storables), nil
-}
-
-func (module *module) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
-	return module.store.UpdateFactorAPIKey(ctx, serviceAccountID, serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey))
-}
-
-func (module *module) RevokeFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) error {
-	factorAPIKey, err := module.GetFactorAPIKey(ctx, serviceAccountID, id)
-	if err != nil {
-		return err
-	}
-
-	err = module.store.RevokeFactorAPIKey(ctx, serviceAccountID, id)
-	if err != nil {
-		return err
-	}
-
-	serviceAccount, err := module.store.GetByID(ctx, serviceAccountID)
-	if err != nil {
-		return err
-	}
-
-	if err := module.emailing.SendHTML(ctx, serviceAccount.Email, "API Key revoked for your SigNoz account", emailtypes.TemplateNameAPIKeyEvent, map[string]any{
-		"Name":         serviceAccount.Name,
-		"KeyName":      factorAPIKey.Name,
-		"KeyID":        factorAPIKey.ID.String(),
-		"KeyCreatedAt": factorAPIKey.CreatedAt.String(),
-	}); err != nil {
-		module.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
-	}
-
-	return nil
-}
-
-func (module *module) disableServiceAccount(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
-	err := module.authz.Revoke(ctx, orgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.String(), orgID, nil))
-	if err != nil {
-		return err
-	}
-
-	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
-		// revoke all the API keys on disable
-		err := module.store.RevokeAllFactorAPIKeys(ctx, input.ID)
-		if err != nil {
-			return err
-		}
-
-		// update the status but do not delete the role mappings as we will reuse them on activation.
-		err = module.Update(ctx, orgID, input)
-		if err != nil {
-			return err
-		}
-
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (module *module) activateServiceAccount(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
-	err := module.authz.Grant(ctx, orgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.String(), orgID, nil))
-	if err != nil {
-		return err
-	}
-
-	err = module.Update(ctx, orgID, input)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}

pkg/modules/serviceaccount/implserviceaccount/store.go

@@ -1,342 +0,0 @@
-package implserviceaccount
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type store struct {
-	sqlstore sqlstore.SQLStore
-}
-
-func NewStore(sqlstore sqlstore.SQLStore) serviceaccounttypes.Store {
-	return &store{sqlstore: sqlstore}
-}
-
-func (store *store) Create(ctx context.Context, storable *serviceaccounttypes.StorableServiceAccount) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewInsert().
-		Model(storable).
-		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountAlreadyExists, "service account with id: %s already exists", storable.ID)
-	}
-
-	return nil
-}
-
-func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.StorableServiceAccount, error) {
-	storable := new(serviceaccounttypes.StorableServiceAccount)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Where("id = ?", id).
-		Where("org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with id: %s doesn't exist in org: %s", id, orgID)
-	}
-
-	return storable, nil
-}
-
-func (store *store) GetByID(ctx context.Context, id valuer.UUID) (*serviceaccounttypes.StorableServiceAccount, error) {
-	storable := new(serviceaccounttypes.StorableServiceAccount)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Where("id = ?", id).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with id: %s doesn't exist", id)
-	}
-
-	return storable, nil
-}
-
-func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccount, error) {
-	storables := make([]*serviceaccounttypes.StorableServiceAccount, 0)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&storables).
-		Where("org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return storables, nil
-}
-
-func (store *store) Update(ctx context.Context, orgID valuer.UUID, storable *serviceaccounttypes.StorableServiceAccount) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewUpdate().
-		Model(storable).
-		WherePK().
-		Where("org_id = ?", orgID).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewDelete().
-		Model(new(serviceaccounttypes.StorableServiceAccount)).
-		Where("id = ?", id).
-		Where("org_id = ?", orgID).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) CreateServiceAccountRoles(ctx context.Context, storables []*serviceaccounttypes.StorableServiceAccountRole) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewInsert().
-		Model(&storables).
-		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountRoleAlreadyExists, "duplicate role assignments for service account")
-	}
-
-	return nil
-}
-
-func (store *store) GetServiceAccountRoles(ctx context.Context, id valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
-	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&storables).
-		Where("service_account_id = ?", id).
-		Scan(ctx)
-	if err != nil {
-		// no need to wrap not found here as this is many to many table
-		return nil, err
-	}
-
-	return storables, nil
-}
-
-func (store *store) ListServiceAccountRolesByOrgID(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
-	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&storables).
-		Join("JOIN service_account").
-		JoinOn("service_account.id = service_account_role.service_account_id").
-		Where("service_account.org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return storables, nil
-}
-
-func (store *store) DeleteServiceAccountRoles(ctx context.Context, id valuer.UUID) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewDelete().
-		Model(new(serviceaccounttypes.StorableServiceAccountRole)).
-		Where("service_account_id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) CreateFactorAPIKey(ctx context.Context, storable *serviceaccounttypes.StorableFactorAPIKey) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewInsert().
-		Model(storable).
-		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeAPIKeyAlreadyExists, "api key with name: %s already exists for service account: %s", storable.Name, storable.ServiceAccountID)
-	}
-
-	return nil
-}
-
-func (store *store) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.StorableFactorAPIKey, error) {
-	storable := new(serviceaccounttypes.StorableFactorAPIKey)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Where("id = ?", id).
-		Where("service_account_id = ?", serviceAccountID).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeAPIKeytNotFound, "api key with id: %s doesn't exist for service account: %s", id, serviceAccountID)
-	}
-
-	return storable, nil
-}
-
-func (store *store) GetFactorAPIKeyByKey(ctx context.Context, key string) (*serviceaccounttypes.StorableFactorAPIKey, error) {
-	storable := new(serviceaccounttypes.StorableFactorAPIKey)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Where("key = ?", key).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeAPIKeytNotFound, "api key with key: %s doesn't exist", key)
-	}
-
-	return storable, nil
-}
-
-func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.StorableFactorAPIKey, error) {
-	storables := make([]*serviceaccounttypes.StorableFactorAPIKey, 0)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&storables).
-		Where("service_account_id = ?", serviceAccountID).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return storables, nil
-}
-
-func (store *store) ListFactorAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableFactorAPIKey, error) {
-	storables := make([]*serviceaccounttypes.StorableFactorAPIKey, 0)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&storables).
-		Join("JOIN service_account").
-		JoinOn("service_account.id = factor_api_key.service_account_id").
-		Where("service_account.org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return storables, nil
-}
-
-func (store *store) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, storable *serviceaccounttypes.StorableFactorAPIKey) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewUpdate().
-		Model(storable).
-		Where("service_account_id = ?", serviceAccountID).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) UpdateLastObservedAtByKey(ctx context.Context, apiKeyToLastObservedAt []map[string]any) error {
-	values := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewValues(&apiKeyToLastObservedAt)
-
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewUpdate().
-		With("update_cte", values).
-		Model((*serviceaccounttypes.StorableFactorAPIKey)(nil)).
-		TableExpr("update_cte").
-		Set("last_observed_at = update_cte.last_observed_at").
-		Where("factor_api_key.key = update_cte.key").
-		Where("factor_api_key.service_account_id = update_cte.service_account_id").
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) RevokeFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewDelete().
-		Model(new(serviceaccounttypes.StorableFactorAPIKey)).
-		Where("service_account_id = ?", serviceAccountID).
-		Where("id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) RevokeAllFactorAPIKeys(ctx context.Context, serviceAccountID valuer.UUID) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewDelete().
-		Model(new(serviceaccounttypes.StorableFactorAPIKey)).
-		Where("service_account_id = ?", serviceAccountID).
-		Exec(ctx)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (store *store) RunInTx(ctx context.Context, cb func(context.Context) error) error {
-	return store.sqlstore.RunInTxCtx(ctx, nil, func(ctx context.Context) error {
-		return cb(ctx)
-	})
-}

pkg/modules/serviceaccount/serviceaccount.go

@@ -1,69 +0,0 @@
-package serviceaccount
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-)
-
-type Module interface {
-	// Creates a new service account for an organization.
-	Create(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
-
-	// Gets a service account by id.
-	Get(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
-
-	// Gets a service account by id without fetching roles.
-	GetWithoutRoles(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
-
-	// List all service accounts for an organization.
-	List(context.Context, valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error)
-
-	// Updates an existing service account
-	Update(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
-
-	// Updates an existing service account status
-	UpdateStatus(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
-
-	// Deletes an existing service account by id
-	Delete(context.Context, valuer.UUID, valuer.UUID) error
-
-	// Creates a new API key for a service account
-	CreateFactorAPIKey(context.Context, *serviceaccounttypes.FactorAPIKey) error
-
-	// Gets a factor API key by id
-	GetFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error)
-
-	// Lists all the API keys for a service account
-	ListFactorAPIKey(context.Context, valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error)
-
-	// Updates an existing API key for a service account
-	UpdateFactorAPIKey(context.Context, valuer.UUID, *serviceaccounttypes.FactorAPIKey) error
-
-	// Revokes an existing API key for a service account
-	RevokeFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) error
-}
-
-type Handler interface {
-	Create(http.ResponseWriter, *http.Request)
-
-	Get(http.ResponseWriter, *http.Request)
-
-	List(http.ResponseWriter, *http.Request)
-
-	Update(http.ResponseWriter, *http.Request)
-
-	UpdateStatus(http.ResponseWriter, *http.Request)
-
-	Delete(http.ResponseWriter, *http.Request)
-
-	CreateFactorAPIKey(http.ResponseWriter, *http.Request)
-
-	ListFactorAPIKey(http.ResponseWriter, *http.Request)
-
-	UpdateFactorAPIKey(http.ResponseWriter, *http.Request)
-
-	RevokeFactorAPIKey(http.ResponseWriter, *http.Request)
-}

pkg/modules/session/implsession/module.go

@@ -155,7 +155,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}
 
-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email), map[string]string{})
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role), map[string]string{})
 	if err != nil {
 		return "", err
 	}

pkg/modules/user/impluser/handler.go

@@ -13,7 +13,6 @@ import (
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -463,7 +462,7 @@ func (h *handler) UpdateAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
+	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(createdByUser.Email.String())) {
 		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
 		return
 	}
@@ -508,7 +507,7 @@ func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
+	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(createdByUser.Email.String())) {
 		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
 		return
 	}

pkg/modules/user/impluser/module.go

@@ -19,7 +19,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/dustin/go-humanize"
@@ -175,7 +174,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 	createUserOpts := root.NewCreateUserOptions(opts...)
 
 	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, []string{roletypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	err := module.authz.Grant(ctx, input.OrgID, roletypes.MustGetSigNozManagedRoleFromExistingRole(input.Role), authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
 	if err != nil {
 		return err
 	}
@@ -237,8 +236,8 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 	if user.Role != "" && user.Role != existingUser.Role {
 		err = m.authz.ModifyGrant(ctx,
 			orgID,
-			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
-			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			roletypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role),
+			roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role),
 			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
 		)
 		if err != nil {
@@ -280,7 +279,7 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return errors.WithAdditionalf(err, "cannot delete root user")
 	}
 
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(user.Email.String())) {
+	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(user.Email.String())) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "integration user cannot be deleted")
 	}
 
@@ -295,7 +294,7 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}
 
 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, []string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role), authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}

pkg/modules/user/impluser/service.go

@@ -159,8 +159,8 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		if oldRole != types.RoleAdmin {
 			if err := s.authz.ModifyGrant(ctx,
 				orgID,
-				[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
-				[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
+				roletypes.MustGetSigNozManagedRoleFromExistingRole(oldRole),
+				roletypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin),
 				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
 			); err != nil {
 				return err

pkg/query-service/app/cloudintegrations/accountsRepo.go

@@ -10,16 +10,15 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type cloudProviderAccountsRepository interface {
-	listConnected(ctx context.Context, orgId string, provider string) ([]integrationtypes.CloudIntegration, *model.ApiError)
+	listConnected(ctx context.Context, orgId string, provider string) ([]types.CloudIntegration, *model.ApiError)
 
-	get(ctx context.Context, orgId string, provider string, id string) (*integrationtypes.CloudIntegration, *model.ApiError)
+	get(ctx context.Context, orgId string, provider string, id string) (*types.CloudIntegration, *model.ApiError)
 
-	getConnectedCloudAccount(ctx context.Context, orgId string, provider string, accountID string) (*integrationtypes.CloudIntegration, *model.ApiError)
+	getConnectedCloudAccount(ctx context.Context, orgId string, provider string, accountID string) (*types.CloudIntegration, *model.ApiError)
 
 	// Insert an account or update it by (cloudProvider, id)
 	// for specified non-empty fields
@@ -28,11 +27,11 @@ type cloudProviderAccountsRepository interface {
 		orgId string,
 		provider string,
 		id *string,
-		config *integrationtypes.AccountConfig,
+		config *types.AccountConfig,
 		accountId *string,
-		agentReport *integrationtypes.AgentReport,
+		agentReport *types.AgentReport,
 		removedAt *time.Time,
-	) (*integrationtypes.CloudIntegration, *model.ApiError)
+	) (*types.CloudIntegration, *model.ApiError)
 }
 
 func newCloudProviderAccountsRepository(store sqlstore.SQLStore) (
@@ -49,8 +48,8 @@ type cloudProviderAccountsSQLRepository struct {
 
 func (r *cloudProviderAccountsSQLRepository) listConnected(
 	ctx context.Context, orgId string, cloudProvider string,
-) ([]integrationtypes.CloudIntegration, *model.ApiError) {
-	accounts := []integrationtypes.CloudIntegration{}
+) ([]types.CloudIntegration, *model.ApiError) {
+	accounts := []types.CloudIntegration{}
 
 	err := r.store.BunDB().NewSelect().
 		Model(&accounts).
@@ -73,8 +72,8 @@ func (r *cloudProviderAccountsSQLRepository) listConnected(
 
 func (r *cloudProviderAccountsSQLRepository) get(
 	ctx context.Context, orgId string, provider string, id string,
-) (*integrationtypes.CloudIntegration, *model.ApiError) {
-	var result integrationtypes.CloudIntegration
+) (*types.CloudIntegration, *model.ApiError) {
+	var result types.CloudIntegration
 
 	err := r.store.BunDB().NewSelect().
 		Model(&result).
@@ -98,8 +97,8 @@ func (r *cloudProviderAccountsSQLRepository) get(
 
 func (r *cloudProviderAccountsSQLRepository) getConnectedCloudAccount(
 	ctx context.Context, orgId string, provider string, accountId string,
-) (*integrationtypes.CloudIntegration, *model.ApiError) {
-	var result integrationtypes.CloudIntegration
+) (*types.CloudIntegration, *model.ApiError) {
+	var result types.CloudIntegration
 
 	err := r.store.BunDB().NewSelect().
 		Model(&result).
@@ -128,11 +127,11 @@ func (r *cloudProviderAccountsSQLRepository) upsert(
 	orgId string,
 	provider string,
 	id *string,
-	config *integrationtypes.AccountConfig,
+	config *types.AccountConfig,
 	accountId *string,
-	agentReport *integrationtypes.AgentReport,
+	agentReport *types.AgentReport,
 	removedAt *time.Time,
-) (*integrationtypes.CloudIntegration, *model.ApiError) {
+) (*types.CloudIntegration, *model.ApiError) {
 	// Insert
 	if id == nil {
 		temp := valuer.GenerateUUID().StringValue()
@@ -182,7 +181,7 @@ func (r *cloudProviderAccountsSQLRepository) upsert(
 		)
 	}
 
-	integration := integrationtypes.CloudIntegration{
+	integration := types.CloudIntegration{
 		OrgID:        orgId,
 		Provider:     provider,
 		Identifiable: types.Identifiable{ID: valuer.MustNewUUID(*id)},

pkg/query-service/app/cloudintegrations/controller.go

@@ -14,7 +14,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"golang.org/x/exp/maps"
 )
@@ -53,7 +52,7 @@ func NewController(sqlStore sqlstore.SQLStore) (*Controller, error) {
 }
 
 type ConnectedAccountsListResponse struct {
-	Accounts []integrationtypes.Account `json:"accounts"`
+	Accounts []types.Account `json:"accounts"`
 }
 
 func (c *Controller) ListConnectedAccounts(ctx context.Context, orgId string, cloudProvider string) (
@@ -68,7 +67,7 @@ func (c *Controller) ListConnectedAccounts(ctx context.Context, orgId string, cl
 		return nil, model.WrapApiError(apiErr, "couldn't list cloud accounts")
 	}
 
-	connectedAccounts := []integrationtypes.Account{}
+	connectedAccounts := []types.Account{}
 	for _, a := range accountRecords {
 		connectedAccounts = append(connectedAccounts, a.Account())
 	}
@@ -82,7 +81,7 @@ type GenerateConnectionUrlRequest struct {
 	// Optional. To be specified for updates.
 	AccountId *string `json:"account_id,omitempty"`
 
-	AccountConfig integrationtypes.AccountConfig `json:"account_config"`
+	AccountConfig types.AccountConfig `json:"account_config"`
 
 	AgentConfig SigNozAgentConfig `json:"agent_config"`
 }
@@ -150,9 +149,9 @@ func (c *Controller) GenerateConnectionUrl(ctx context.Context, orgId string, cl
 }
 
 type AccountStatusResponse struct {
-	Id             string                         `json:"id"`
-	CloudAccountId *string                        `json:"cloud_account_id,omitempty"`
-	Status         integrationtypes.AccountStatus `json:"status"`
+	Id             string              `json:"id"`
+	CloudAccountId *string             `json:"cloud_account_id,omitempty"`
+	Status         types.AccountStatus `json:"status"`
 }
 
 func (c *Controller) GetAccountStatus(ctx context.Context, orgId string, cloudProvider string, accountId string) (
@@ -218,7 +217,7 @@ func (c *Controller) CheckInAsAgent(ctx context.Context, orgId string, cloudProv
 		))
 	}
 
-	agentReport := integrationtypes.AgentReport{
+	agentReport := types.AgentReport{
 		TimestampMillis: time.Now().UnixMilli(),
 		Data:            req.Data,
 	}
@@ -287,10 +286,10 @@ func (c *Controller) CheckInAsAgent(ctx context.Context, orgId string, cloudProv
 }
 
 type UpdateAccountConfigRequest struct {
-	Config integrationtypes.AccountConfig `json:"config"`
+	Config types.AccountConfig `json:"config"`
 }
 
-func (c *Controller) UpdateAccountConfig(ctx context.Context, orgId string, cloudProvider string, accountId string, req UpdateAccountConfigRequest) (*integrationtypes.Account, *model.ApiError) {
+func (c *Controller) UpdateAccountConfig(ctx context.Context, orgId string, cloudProvider string, accountId string, req UpdateAccountConfigRequest) (*types.Account, *model.ApiError) {
 	if apiErr := validateCloudProviderName(cloudProvider); apiErr != nil {
 		return nil, apiErr
 	}
@@ -307,7 +306,7 @@ func (c *Controller) UpdateAccountConfig(ctx context.Context, orgId string, clou
 	return &account, nil
 }
 
-func (c *Controller) DisconnectAccount(ctx context.Context, orgId string, cloudProvider string, accountId string) (*integrationtypes.CloudIntegration, *model.ApiError) {
+func (c *Controller) DisconnectAccount(ctx context.Context, orgId string, cloudProvider string, accountId string) (*types.CloudIntegration, *model.ApiError) {
 	if apiErr := validateCloudProviderName(cloudProvider); apiErr != nil {
 		return nil, apiErr
 	}
@@ -347,7 +346,7 @@ func (c *Controller) ListServices(
 		return nil, model.WrapApiError(apiErr, "couldn't list cloud services")
 	}
 
-	svcConfigs := map[string]*integrationtypes.CloudServiceConfig{}
+	svcConfigs := map[string]*types.CloudServiceConfig{}
 	if cloudAccountId != nil {
 		activeAccount, apiErr := c.accountsRepo.getConnectedCloudAccount(
 			ctx, orgID, cloudProvider, *cloudAccountId,
@@ -442,8 +441,8 @@ func (c *Controller) GetServiceDetails(
 }
 
 type UpdateServiceConfigRequest struct {
-	CloudAccountId string                              `json:"cloud_account_id"`
-	Config         integrationtypes.CloudServiceConfig `json:"config"`
+	CloudAccountId string                   `json:"cloud_account_id"`
+	Config         types.CloudServiceConfig `json:"config"`
 }
 
 func (u *UpdateServiceConfigRequest) Validate(def *services.Definition) error {
@@ -461,8 +460,8 @@ func (u *UpdateServiceConfigRequest) Validate(def *services.Definition) error {
 }
 
 type UpdateServiceConfigResponse struct {
-	Id     string                              `json:"id"`
-	Config integrationtypes.CloudServiceConfig `json:"config"`
+	Id     string                   `json:"id"`
+	Config types.CloudServiceConfig `json:"config"`
 }
 
 func (c *Controller) UpdateServiceConfig(

pkg/query-service/app/cloudintegrations/models.go

@@ -3,20 +3,20 @@ package cloudintegrations
 import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/query-service/app/cloudintegrations/services"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
+	"github.com/SigNoz/signoz/pkg/types"
 )
 
 type ServiceSummary struct {
 	services.Metadata
 
-	Config *integrationtypes.CloudServiceConfig `json:"config"`
+	Config *types.CloudServiceConfig `json:"config"`
 }
 
 type ServiceDetails struct {
 	services.Definition
 
-	Config           *integrationtypes.CloudServiceConfig `json:"config"`
-	ConnectionStatus *ServiceConnectionStatus             `json:"status,omitempty"`
+	Config           *types.CloudServiceConfig `json:"config"`
+	ConnectionStatus *ServiceConnectionStatus  `json:"status,omitempty"`
 }
 
 type AccountStatus struct {
@@ -61,7 +61,7 @@ func NewCompiledCollectionStrategy(provider string) (*CompiledCollectionStrategy
 
 // Helper for accumulating strategies for enabled services.
 func AddServiceStrategy(serviceType string, cs *CompiledCollectionStrategy,
-	definitionStrat *services.CollectionStrategy, config *integrationtypes.CloudServiceConfig) error {
+	definitionStrat *services.CollectionStrategy, config *types.CloudServiceConfig) error {
 	if definitionStrat.Provider != cs.Provider {
 		return errors.NewInternalf(CodeMismatchCloudProvider, "can't add %s service strategy to compiled strategy for %s",
 			definitionStrat.Provider, cs.Provider)

pkg/query-service/app/cloudintegrations/serviceconfig_db.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -19,7 +18,7 @@ type ServiceConfigDatabase interface {
 		orgID string,
 		cloudAccountId string,
 		serviceType string,
-	) (*integrationtypes.CloudServiceConfig, *model.ApiError)
+	) (*types.CloudServiceConfig, *model.ApiError)
 
 	upsert(
 		ctx context.Context,
@@ -27,15 +26,15 @@ type ServiceConfigDatabase interface {
 		cloudProvider string,
 		cloudAccountId string,
 		serviceId string,
-		config integrationtypes.CloudServiceConfig,
-	) (*integrationtypes.CloudServiceConfig, *model.ApiError)
+		config types.CloudServiceConfig,
+	) (*types.CloudServiceConfig, *model.ApiError)
 
 	getAllForAccount(
 		ctx context.Context,
 		orgID string,
 		cloudAccountId string,
 	) (
-		configsBySvcId map[string]*integrationtypes.CloudServiceConfig,
+		configsBySvcId map[string]*types.CloudServiceConfig,
 		apiErr *model.ApiError,
 	)
 }
@@ -57,9 +56,9 @@ func (r *serviceConfigSQLRepository) get(
 	orgID string,
 	cloudAccountId string,
 	serviceType string,
-) (*integrationtypes.CloudServiceConfig, *model.ApiError) {
+) (*types.CloudServiceConfig, *model.ApiError) {
 
-	var result integrationtypes.CloudIntegrationService
+	var result types.CloudIntegrationService
 
 	err := r.store.BunDB().NewSelect().
 		Model(&result).
@@ -90,14 +89,14 @@ func (r *serviceConfigSQLRepository) upsert(
 	cloudProvider string,
 	cloudAccountId string,
 	serviceId string,
-	config integrationtypes.CloudServiceConfig,
-) (*integrationtypes.CloudServiceConfig, *model.ApiError) {
+	config types.CloudServiceConfig,
+) (*types.CloudServiceConfig, *model.ApiError) {
 
 	// get cloud integration id from account id
 	// if the account is not connected, we don't need to upsert the config
 	var cloudIntegrationId string
 	err := r.store.BunDB().NewSelect().
-		Model((*integrationtypes.CloudIntegration)(nil)).
+		Model((*types.CloudIntegration)(nil)).
 		Column("id").
 		Where("provider = ?", cloudProvider).
 		Where("account_id = ?", cloudAccountId).
@@ -112,7 +111,7 @@ func (r *serviceConfigSQLRepository) upsert(
 		))
 	}
 
-	serviceConfig := integrationtypes.CloudIntegrationService{
+	serviceConfig := types.CloudIntegrationService{
 		Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: time.Now(),
@@ -140,8 +139,8 @@ func (r *serviceConfigSQLRepository) getAllForAccount(
 	ctx context.Context,
 	orgID string,
 	cloudAccountId string,
-) (map[string]*integrationtypes.CloudServiceConfig, *model.ApiError) {
-	serviceConfigs := []integrationtypes.CloudIntegrationService{}
+) (map[string]*types.CloudServiceConfig, *model.ApiError) {
+	serviceConfigs := []types.CloudIntegrationService{}
 
 	err := r.store.BunDB().NewSelect().
 		Model(&serviceConfigs).
@@ -155,7 +154,7 @@ func (r *serviceConfigSQLRepository) getAllForAccount(
 		))
 	}
 
-	result := map[string]*integrationtypes.CloudServiceConfig{}
+	result := map[string]*types.CloudServiceConfig{}
 
 	for _, r := range serviceConfigs {
 		result[r.Type] = &r.Config

pkg/query-service/app/integrations/manager.go

@@ -11,7 +11,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/types/pipelinetypes"
 	ruletypes "github.com/SigNoz/signoz/pkg/types/ruletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -108,7 +107,7 @@ type IntegrationsListItem struct {
 
 type Integration struct {
 	IntegrationDetails
-	Installation *integrationtypes.InstalledIntegration `json:"installation"`
+	Installation *types.InstalledIntegration `json:"installation"`
 }
 
 type Manager struct {
@@ -224,7 +223,7 @@ func (m *Manager) InstallIntegration(
 	ctx context.Context,
 	orgId string,
 	integrationId string,
-	config integrationtypes.InstalledIntegrationConfig,
+	config types.InstalledIntegrationConfig,
 ) (*IntegrationsListItem, *model.ApiError) {
 	integrationDetails, apiErr := m.getIntegrationDetails(ctx, integrationId)
 	if apiErr != nil {
@@ -430,7 +429,7 @@ func (m *Manager) getInstalledIntegration(
 	ctx context.Context,
 	orgId string,
 	integrationId string,
-) (*integrationtypes.InstalledIntegration, *model.ApiError) {
+) (*types.InstalledIntegration, *model.ApiError) {
 	iis, apiErr := m.installedIntegrationsRepo.get(
 		ctx, orgId, []string{integrationId},
 	)
@@ -458,7 +457,7 @@ func (m *Manager) getInstalledIntegrations(
 		return nil, apiErr
 	}
 
-	installedTypes := utils.MapSlice(installations, func(i integrationtypes.InstalledIntegration) string {
+	installedTypes := utils.MapSlice(installations, func(i types.InstalledIntegration) string {
 		return i.Type
 	})
 	integrationDetails, apiErr := m.availableIntegrationsRepo.get(ctx, installedTypes)

pkg/query-service/app/integrations/repo.go

@@ -4,22 +4,22 @@ import (
 	"context"
 
 	"github.com/SigNoz/signoz/pkg/query-service/model"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
+	"github.com/SigNoz/signoz/pkg/types"
 )
 
 type InstalledIntegrationsRepo interface {
-	list(ctx context.Context, orgId string) ([]integrationtypes.InstalledIntegration, *model.ApiError)
+	list(ctx context.Context, orgId string) ([]types.InstalledIntegration, *model.ApiError)
 
 	get(
 		ctx context.Context, orgId string, integrationTypes []string,
-	) (map[string]integrationtypes.InstalledIntegration, *model.ApiError)
+	) (map[string]types.InstalledIntegration, *model.ApiError)
 
 	upsert(
 		ctx context.Context,
 		orgId string,
 		integrationType string,
-		config integrationtypes.InstalledIntegrationConfig,
-	) (*integrationtypes.InstalledIntegration, *model.ApiError)
+		config types.InstalledIntegrationConfig,
+	) (*types.InstalledIntegration, *model.ApiError)
 
 	delete(ctx context.Context, orgId string, integrationType string) *model.ApiError
 }

pkg/query-service/app/integrations/sqlite_repo.go

@@ -7,7 +7,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )
@@ -27,8 +26,8 @@ func NewInstalledIntegrationsSqliteRepo(store sqlstore.SQLStore) (
 func (r *InstalledIntegrationsSqliteRepo) list(
 	ctx context.Context,
 	orgId string,
-) ([]integrationtypes.InstalledIntegration, *model.ApiError) {
-	integrations := []integrationtypes.InstalledIntegration{}
+) ([]types.InstalledIntegration, *model.ApiError) {
+	integrations := []types.InstalledIntegration{}
 
 	err := r.store.BunDB().NewSelect().
 		Model(&integrations).
@@ -45,8 +44,8 @@ func (r *InstalledIntegrationsSqliteRepo) list(
 
 func (r *InstalledIntegrationsSqliteRepo) get(
 	ctx context.Context, orgId string, integrationTypes []string,
-) (map[string]integrationtypes.InstalledIntegration, *model.ApiError) {
-	integrations := []integrationtypes.InstalledIntegration{}
+) (map[string]types.InstalledIntegration, *model.ApiError) {
+	integrations := []types.InstalledIntegration{}
 
 	typeValues := []interface{}{}
 	for _, integrationType := range integrationTypes {
@@ -63,7 +62,7 @@ func (r *InstalledIntegrationsSqliteRepo) get(
 		))
 	}
 
-	result := map[string]integrationtypes.InstalledIntegration{}
+	result := map[string]types.InstalledIntegration{}
 	for _, ii := range integrations {
 		result[ii.Type] = ii
 	}
@@ -75,10 +74,10 @@ func (r *InstalledIntegrationsSqliteRepo) upsert(
 	ctx context.Context,
 	orgId string,
 	integrationType string,
-	config integrationtypes.InstalledIntegrationConfig,
-) (*integrationtypes.InstalledIntegration, *model.ApiError) {
+	config types.InstalledIntegrationConfig,
+) (*types.InstalledIntegration, *model.ApiError) {
 
-	integration := integrationtypes.InstalledIntegration{
+	integration := types.InstalledIntegration{
 		Identifiable: types.Identifiable{
 			ID: valuer.GenerateUUID(),
 		},
@@ -115,7 +114,7 @@ func (r *InstalledIntegrationsSqliteRepo) delete(
 	ctx context.Context, orgId string, integrationType string,
 ) *model.ApiError {
 	_, dbErr := r.store.BunDB().NewDelete().
-		Model(&integrationtypes.InstalledIntegration{}).
+		Model(&types.InstalledIntegration{}).
 		Where("type = ?", integrationType).
 		Where("org_id = ?", orgId).
 		Exec(ctx)

pkg/query-service/app/server.go

@@ -195,12 +195,13 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 		}),
 		otelmux.WithPublicEndpoint(),
 	))
-	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ_API_KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
+	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 		s.config.APIServer.Timeout.ExcludedRoutes,
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
+	r.Use(middleware.NewAPIKey(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
 	r.Use(middleware.NewLogging(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

pkg/signoz/handler.go

@@ -24,8 +24,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport/implrawdataexport"
 	"github.com/SigNoz/signoz/pkg/modules/savedview"
 	"github.com/SigNoz/signoz/pkg/modules/savedview/implsavedview"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/services"
 	"github.com/SigNoz/signoz/pkg/modules/services/implservices"
 	"github.com/SigNoz/signoz/pkg/modules/spanpercentile"
@@ -38,23 +36,22 @@ import (
 )
 
 type Handlers struct {
-	SavedView             savedview.Handler
-	Apdex                 apdex.Handler
-	Dashboard             dashboard.Handler
-	QuickFilter           quickfilter.Handler
-	TraceFunnel           tracefunnel.Handler
-	RawDataExport         rawdataexport.Handler
-	SpanPercentile        spanpercentile.Handler
-	Services              services.Handler
-	MetricsExplorer       metricsexplorer.Handler
-	Global                global.Handler
-	FlaggerHandler        flagger.Handler
-	GatewayHandler        gateway.Handler
-	Fields                fields.Handler
-	AuthzHandler          authz.Handler
-	ZeusHandler           zeus.Handler
-	QuerierHandler        querier.Handler
-	ServiceAccountHandler serviceaccount.Handler
+	SavedView       savedview.Handler
+	Apdex           apdex.Handler
+	Dashboard       dashboard.Handler
+	QuickFilter     quickfilter.Handler
+	TraceFunnel     tracefunnel.Handler
+	RawDataExport   rawdataexport.Handler
+	SpanPercentile  spanpercentile.Handler
+	Services        services.Handler
+	MetricsExplorer metricsexplorer.Handler
+	Global          global.Handler
+	FlaggerHandler  flagger.Handler
+	GatewayHandler  gateway.Handler
+	Fields          fields.Handler
+	AuthzHandler    authz.Handler
+	ZeusHandler     zeus.Handler
+	QuerierHandler  querier.Handler
 }
 
 func NewHandlers(
@@ -71,22 +68,21 @@ func NewHandlers(
 	zeusService zeus.Zeus,
 ) Handlers {
 	return Handlers{
-		SavedView:             implsavedview.NewHandler(modules.SavedView),
-		Apdex:                 implapdex.NewHandler(modules.Apdex),
-		Dashboard:             impldashboard.NewHandler(modules.Dashboard, providerSettings),
-		QuickFilter:           implquickfilter.NewHandler(modules.QuickFilter),
-		TraceFunnel:           impltracefunnel.NewHandler(modules.TraceFunnel),
-		RawDataExport:         implrawdataexport.NewHandler(modules.RawDataExport),
-		Services:              implservices.NewHandler(modules.Services),
-		MetricsExplorer:       implmetricsexplorer.NewHandler(modules.MetricsExplorer),
-		SpanPercentile:        implspanpercentile.NewHandler(modules.SpanPercentile),
-		Global:                signozglobal.NewHandler(global),
-		FlaggerHandler:        flagger.NewHandler(flaggerService),
-		GatewayHandler:        gateway.NewHandler(gatewayService),
-		Fields:                implfields.NewHandler(providerSettings, telemetryMetadataStore),
-		AuthzHandler:          signozauthzapi.NewHandler(authz),
-		ZeusHandler:           zeus.NewHandler(zeusService, licensing),
-		QuerierHandler:        querierHandler,
-		ServiceAccountHandler: implserviceaccount.NewHandler(modules.ServiceAccount),
+		SavedView:       implsavedview.NewHandler(modules.SavedView),
+		Apdex:           implapdex.NewHandler(modules.Apdex),
+		Dashboard:       impldashboard.NewHandler(modules.Dashboard, providerSettings),
+		QuickFilter:     implquickfilter.NewHandler(modules.QuickFilter),
+		TraceFunnel:     impltracefunnel.NewHandler(modules.TraceFunnel),
+		RawDataExport:   implrawdataexport.NewHandler(modules.RawDataExport),
+		Services:        implservices.NewHandler(modules.Services),
+		MetricsExplorer: implmetricsexplorer.NewHandler(modules.MetricsExplorer),
+		SpanPercentile:  implspanpercentile.NewHandler(modules.SpanPercentile),
+		Global:          signozglobal.NewHandler(global),
+		FlaggerHandler:  flagger.NewHandler(flaggerService),
+		GatewayHandler:  gateway.NewHandler(gatewayService),
+		Fields:          implfields.NewHandler(providerSettings, telemetryMetadataStore),
+		AuthzHandler:    signozauthzapi.NewHandler(authz),
+		ZeusHandler:     zeus.NewHandler(zeusService, licensing),
+		QuerierHandler:  querierHandler,
 	}
 }

pkg/signoz/handler_test.go

@@ -43,11 +43,12 @@ func TestNewHandlers(t *testing.T) {
 	emailing := emailingtest.New()
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
+	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
 
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
+
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
-	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser, userGetter)
 
 	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
 

pkg/signoz/module.go

@@ -27,8 +27,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport/implrawdataexport"
 	"github.com/SigNoz/signoz/pkg/modules/savedview"
 	"github.com/SigNoz/signoz/pkg/modules/savedview/implsavedview"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/services"
 	"github.com/SigNoz/signoz/pkg/modules/services/implservices"
 	"github.com/SigNoz/signoz/pkg/modules/session"
@@ -68,7 +66,6 @@ type Modules struct {
 	SpanPercentile  spanpercentile.Module
 	MetricsExplorer metricsexplorer.Module
 	Promote         promote.Module
-	ServiceAccount  serviceaccount.Module
 }
 
 func NewModules(
@@ -113,6 +110,5 @@ func NewModules(
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 		Promote:         implpromote.NewModule(telemetryMetadataStore, telemetryStore),
-		ServiceAccount:  implserviceaccount.NewModule(implserviceaccount.NewStore(sqlstore), authz, emailing, providerSettings),
 	}
 }

pkg/signoz/module_test.go

@@ -42,12 +42,12 @@ func TestNewModules(t *testing.T) {
 	emailing := emailingtest.New()
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
+	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
 
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
-	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser, userGetter)
 
 	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
 

pkg/signoz/openapi.go

@@ -22,7 +22,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -60,7 +59,6 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ authz.Handler }{},
 		struct{ zeus.Handler }{},
 		struct{ querier.Handler }{},
-		struct{ serviceaccount.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {
 		return nil, err

pkg/signoz/provider.go

@@ -27,7 +27,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/preference/implpreference"
 	"github.com/SigNoz/signoz/pkg/modules/promote/implpromote"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session/implsession"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -56,7 +55,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/jwttokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/opaquetokenizer"
-	"github.com/SigNoz/signoz/pkg/tokenizer/serviceaccounttokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/tokenizerstore/sqltokenizerstore"
 	"github.com/SigNoz/signoz/pkg/types/alertmanagertypes"
 	"github.com/SigNoz/signoz/pkg/types/featuretypes"
@@ -172,8 +170,6 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewAddRootUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewAddUserEmailOrgIDIndexFactory(sqlstore, sqlschema),
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
-		sqlmigration.NewAddServiceAccountFactory(sqlstore, sqlschema),
-		sqlmigration.NewDeprecateAPIKeyFactory(sqlstore, sqlschema),
 	)
 }
 
@@ -259,18 +255,15 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.AuthzHandler,
 			handlers.ZeusHandler,
 			handlers.QuerierHandler,
-			handlers.ServiceAccountHandler,
 		),
 	)
 }
 
 func NewTokenizerProviderFactories(cache cache.Cache, sqlstore sqlstore.SQLStore, orgGetter organization.Getter) factory.NamedMap[factory.ProviderFactory[tokenizer.Tokenizer, tokenizer.Config]] {
 	tokenStore := sqltokenizerstore.NewStore(sqlstore)
-	apiKeyStore := implserviceaccount.NewStore(sqlstore)
 	return factory.MustNewNamedMap(
 		opaquetokenizer.NewFactory(cache, tokenStore, orgGetter),
 		jwttokenizer.NewFactory(cache, tokenStore),
-		serviceaccounttokenizer.NewFactory(cache, apiKeyStore, orgGetter),
 	)
 }
 

pkg/signoz/signoz.go

@@ -21,8 +21,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
 	"github.com/SigNoz/signoz/pkg/prometheus"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -40,7 +38,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
 	"github.com/SigNoz/signoz/pkg/telemetrytraces"
 	pkgtokenizer "github.com/SigNoz/signoz/pkg/tokenizer"
-	"github.com/SigNoz/signoz/pkg/tokenizer/serviceaccounttokenizer"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/SigNoz/signoz/pkg/version"
@@ -51,30 +48,29 @@ import (
 
 type SigNoz struct {
 	*factory.Registry
-	Instrumentation         instrumentation.Instrumentation
-	Analytics               analytics.Analytics
-	Cache                   cache.Cache
-	Web                     web.Web
-	SQLStore                sqlstore.SQLStore
-	TelemetryStore          telemetrystore.TelemetryStore
-	TelemetryMetadataStore  telemetrytypes.MetadataStore
-	Prometheus              prometheus.Prometheus
-	Alertmanager            alertmanager.Alertmanager
-	Querier                 querier.Querier
-	APIServer               apiserver.APIServer
-	Zeus                    zeus.Zeus
-	Licensing               licensing.Licensing
-	Emailing                emailing.Emailing
-	Sharder                 sharder.Sharder
-	StatsReporter           statsreporter.StatsReporter
-	Tokenizer               pkgtokenizer.Tokenizer
-	ServiceAccountTokenizer pkgtokenizer.Tokenizer
-	Authz                   authz.AuthZ
-	Modules                 Modules
-	Handlers                Handlers
-	QueryParser             queryparser.QueryParser
-	Flagger                 flagger.Flagger
-	Gateway                 gateway.Gateway
+	Instrumentation        instrumentation.Instrumentation
+	Analytics              analytics.Analytics
+	Cache                  cache.Cache
+	Web                    web.Web
+	SQLStore               sqlstore.SQLStore
+	TelemetryStore         telemetrystore.TelemetryStore
+	TelemetryMetadataStore telemetrytypes.MetadataStore
+	Prometheus             prometheus.Prometheus
+	Alertmanager           alertmanager.Alertmanager
+	Querier                querier.Querier
+	APIServer              apiserver.APIServer
+	Zeus                   zeus.Zeus
+	Licensing              licensing.Licensing
+	Emailing               emailing.Emailing
+	Sharder                sharder.Sharder
+	StatsReporter          statsreporter.StatsReporter
+	Tokenizer              pkgtokenizer.Tokenizer
+	Authz                  authz.AuthZ
+	Modules                Modules
+	Handlers               Handlers
+	QueryParser            queryparser.QueryParser
+	Flagger                flagger.Flagger
+	Gateway                gateway.Gateway
 }
 
 func New(
@@ -92,7 +88,7 @@ func New(
 	telemetrystoreProviderFactories factory.NamedMap[factory.ProviderFactory[telemetrystore.TelemetryStore, telemetrystore.Config]],
 	authNsCallback func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error),
 	authzCallback func(context.Context, sqlstore.SQLStore, licensing.Licensing, dashboard.Module) factory.ProviderFactory[authz.AuthZ, authz.Config],
-	dashboardModuleCallback func(sqlstore.SQLStore, factory.ProviderSettings, analytics.Analytics, organization.Getter, queryparser.QueryParser, querier.Querier, licensing.Licensing, user.Getter) dashboard.Module,
+	dashboardModuleCallback func(sqlstore.SQLStore, factory.ProviderSettings, analytics.Analytics, organization.Getter, queryparser.QueryParser, querier.Querier, licensing.Licensing) dashboard.Module,
 	gatewayProviderFactory func(licensing.Licensing) factory.ProviderFactory[gateway.Gateway, gateway.Config],
 	querierHandlerCallback func(factory.ProviderSettings, querier.Querier, analytics.Analytics) querier.Handler,
 ) (*SigNoz, error) {
@@ -283,12 +279,6 @@ func New(
 		return nil, err
 	}
 
-	apiKeyStore := implserviceaccount.NewStore(sqlstore)
-	serviceAccountTokenizer, err := serviceaccounttokenizer.New(ctx, providerSettings, config.Tokenizer, cache, apiKeyStore, orgGetter)
-	if err != nil {
-		return nil, err
-	}
-
 	// Initialize user getter
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
 
@@ -306,7 +296,7 @@ func New(
 	queryParser := queryparser.New(providerSettings)
 
 	// Initialize dashboard module (needed for authz registry)
-	dashboard := dashboardModuleCallback(sqlstore, providerSettings, analytics, orgGetter, queryParser, querier, licensing, userGetter)
+	dashboard := dashboardModuleCallback(sqlstore, providerSettings, analytics, orgGetter, queryParser, querier, licensing)
 
 	// Initialize authz
 	authzProviderFactory := authzCallback(ctx, sqlstore, licensing, dashboard)
@@ -453,7 +443,6 @@ func New(
 		factory.NewNamedService(factory.MustNewName("licensing"), licensing),
 		factory.NewNamedService(factory.MustNewName("statsreporter"), statsReporter),
 		factory.NewNamedService(factory.MustNewName("tokenizer"), tokenizer),
-		factory.NewNamedService(factory.MustNewName("serviceaccounttokenizer"), serviceAccountTokenizer),
 		factory.NewNamedService(factory.MustNewName("authz"), authz),
 		factory.NewNamedService(factory.MustNewName("user"), userService),
 	)
@@ -462,29 +451,28 @@ func New(
 	}
 
 	return &SigNoz{
-		Registry:                registry,
-		Analytics:               analytics,
-		Instrumentation:         instrumentation,
-		Cache:                   cache,
-		Web:                     web,
-		SQLStore:                sqlstore,
-		TelemetryStore:          telemetrystore,
-		TelemetryMetadataStore:  telemetryMetadataStore,
-		Prometheus:              prometheus,
-		Alertmanager:            alertmanager,
-		Querier:                 querier,
-		APIServer:               apiserver,
-		Zeus:                    zeus,
-		Licensing:               licensing,
-		Emailing:                emailing,
-		Sharder:                 sharder,
-		Tokenizer:               tokenizer,
-		ServiceAccountTokenizer: serviceAccountTokenizer,
-		Authz:                   authz,
-		Modules:                 modules,
-		Handlers:                handlers,
-		QueryParser:             queryParser,
-		Flagger:                 flagger,
-		Gateway:                 gateway,
+		Registry:               registry,
+		Analytics:              analytics,
+		Instrumentation:        instrumentation,
+		Cache:                  cache,
+		Web:                    web,
+		SQLStore:               sqlstore,
+		TelemetryStore:         telemetrystore,
+		TelemetryMetadataStore: telemetryMetadataStore,
+		Prometheus:             prometheus,
+		Alertmanager:           alertmanager,
+		Querier:                querier,
+		APIServer:              apiserver,
+		Zeus:                   zeus,
+		Licensing:              licensing,
+		Emailing:               emailing,
+		Sharder:                sharder,
+		Tokenizer:              tokenizer,
+		Authz:                  authz,
+		Modules:                modules,
+		Handlers:               handlers,
+		QueryParser:            queryParser,
+		Flagger:                flagger,
+		Gateway:                gateway,
 	}, nil
 }

pkg/sqlmigration/067_add_service_account.go

@@ -1,117 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlschema"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/migrate"
-)
-
-type addServiceAccount struct {
-	sqlschema sqlschema.SQLSchema
-	sqlstore  sqlstore.SQLStore
-}
-
-func NewAddServiceAccountFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(factory.MustNewName("add_service_account"), func(_ context.Context, _ factory.ProviderSettings, _ Config) (SQLMigration, error) {
-		return &addServiceAccount{
-			sqlschema: sqlschema,
-			sqlstore:  sqlstore,
-		}, nil
-	})
-}
-
-func (migration *addServiceAccount) Register(migrations *migrate.Migrations) error {
-	err := migrations.Register(migration.Up, migration.Down)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *addServiceAccount) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	sqls := [][]byte{}
-
-	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
-		Name: "service_account",
-		Columns: []*sqlschema.Column{
-			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "name", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "email", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "status", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "org_id", DataType: sqlschema.DataTypeText, Nullable: false},
-		},
-		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
-			ColumnNames: []sqlschema.ColumnName{"id"},
-		},
-		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
-			{
-				ReferencingColumnName: sqlschema.ColumnName("org_id"),
-				ReferencedTableName:   sqlschema.TableName("organizations"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-		},
-	})
-	sqls = append(sqls, tableSQLs...)
-
-	tableSQLs = migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
-		Name: "service_account_role",
-		Columns: []*sqlschema.Column{
-			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "service_account_id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
-		},
-		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
-			ColumnNames: []sqlschema.ColumnName{"id"},
-		},
-		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
-			{
-				ReferencingColumnName: sqlschema.ColumnName("service_account_id"),
-				ReferencedTableName:   sqlschema.TableName("service_account"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-			{
-				ReferencingColumnName: sqlschema.ColumnName("role_id"),
-				ReferencedTableName:   sqlschema.TableName("role"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-		},
-	})
-	sqls = append(sqls, tableSQLs...)
-
-	indexSQLs := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "service_account_role", ColumnNames: []sqlschema.ColumnName{"service_account_id", "role_id"}})
-	sqls = append(sqls, indexSQLs...)
-
-	for _, sql := range sqls {
-		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
-			return err
-		}
-	}
-
-	if err := tx.Commit(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (a *addServiceAccount) Down(context.Context, *bun.DB) error {
-	return nil
-}

pkg/sqlmigration/068_deprecate_api_key.go

@@ -1,338 +0,0 @@
-package sqlmigration
-
-import (
-	"context"
-	"database/sql"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/sqlschema"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/roletypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
-	"github.com/uptrace/bun/migrate"
-)
-
-type oldFactorAPIKey68 struct {
-	bun.BaseModel `bun:"table:factor_api_key"`
-
-	types.Identifiable
-	CreatedAt time.Time `bun:"created_at"`
-	UpdatedAt time.Time `bun:"updated_at"`
-	Token     string    `bun:"token"`
-	Role      string    `bun:"role"`
-	Name      string    `bun:"name"`
-	ExpiresAt time.Time `bun:"expires_at"`
-	LastUsed  time.Time `bun:"last_used"`
-	Revoked   bool      `bun:"revoked"`
-	UserID    string    `bun:"user_id"`
-}
-
-type oldUser68 struct {
-	bun.BaseModel `bun:"table:users"`
-
-	types.Identifiable
-	DisplayName string `bun:"display_name"`
-	Email       string `bun:"email"`
-	OrgID       string `bun:"org_id"`
-}
-
-type oldRole68 struct {
-	bun.BaseModel `bun:"table:role"`
-
-	types.Identifiable
-	Name  string `bun:"name"`
-	OrgID string `bun:"org_id"`
-}
-
-type newServiceAccount68 struct {
-	bun.BaseModel `bun:"table:service_account"`
-
-	types.Identifiable
-	CreatedAt time.Time `bun:"created_at"`
-	UpdatedAt time.Time `bun:"updated_at"`
-	Name      string    `bun:"name"`
-	Email     string    `bun:"email"`
-	Status    string    `bun:"status"`
-	OrgID     string    `bun:"org_id"`
-}
-
-type newServiceAccountRole68 struct {
-	bun.BaseModel `bun:"table:service_account_role"`
-
-	types.Identifiable
-	CreatedAt        time.Time `bun:"created_at"`
-	UpdatedAt        time.Time `bun:"updated_at"`
-	ServiceAccountID string    `bun:"service_account_id"`
-	RoleID           string    `bun:"role_id"`
-}
-
-type newFactorAPIKey68 struct {
-	bun.BaseModel `bun:"table:factor_api_key"`
-
-	types.Identifiable
-	CreatedAt        time.Time `bun:"created_at"`
-	UpdatedAt        time.Time `bun:"updated_at"`
-	Name             string    `bun:"name"`
-	Key              string    `bun:"key"`
-	ExpiresAt        uint64    `bun:"expires_at"`
-	LastObservedAt   time.Time `bun:"last_observed_at"`
-	ServiceAccountID string    `bun:"service_account_id"`
-}
-
-type deprecateAPIKey struct {
-	sqlstore  sqlstore.SQLStore
-	sqlschema sqlschema.SQLSchema
-}
-
-func NewDeprecateAPIKeyFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
-	return factory.NewProviderFactory(factory.MustNewName("deprecate_api_key"), func(_ context.Context, _ factory.ProviderSettings, c Config) (SQLMigration, error) {
-		return &deprecateAPIKey{
-			sqlstore:  sqlstore,
-			sqlschema: sqlschema,
-		}, nil
-	})
-}
-
-func (migration *deprecateAPIKey) Register(migrations *migrate.Migrations) error {
-	err := migrations.Register(migration.Up, migration.Down)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *deprecateAPIKey) Up(ctx context.Context, db *bun.DB) error {
-	tx, err := db.BeginTx(ctx, nil)
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = tx.Rollback()
-	}()
-
-	// Step 1: Read all old API keys (skip revoked ones).
-	oldKeys := make([]*oldFactorAPIKey68, 0)
-	err = tx.NewSelect().Model(&oldKeys).Where("revoked = ?", false).Scan(ctx)
-	if err != nil && err != sql.ErrNoRows {
-		return err
-	}
-
-	// Step 2: Collect unique user IDs from old keys.
-	userIDs := make(map[string]struct{})
-	for _, key := range oldKeys {
-		userIDs[key.UserID] = struct{}{}
-	}
-
-	// Step 3: Load users that own API keys.
-	userIDList := make([]string, 0, len(userIDs))
-	for uid := range userIDs {
-		userIDList = append(userIDList, uid)
-	}
-
-	userMap := make(map[string]*oldUser68)
-	if len(userIDList) > 0 {
-		users := make([]*oldUser68, 0)
-		err = tx.NewSelect().Model(&users).Where("id IN (?)", bun.In(userIDList)).Scan(ctx)
-		if err != nil && err != sql.ErrNoRows {
-			return err
-		}
-		for _, u := range users {
-			userMap[u.ID.String()] = u
-		}
-	}
-
-	// Step 4: Load managed roles to map old role names to role IDs.
-	// Build a lookup of (org_id, role_name) -> role_id.
-	type orgRoleKey struct {
-		OrgID    string
-		RoleName string
-	}
-	roleMap := make(map[orgRoleKey]string)
-	if len(userMap) > 0 {
-		orgIDs := make(map[string]struct{})
-		for _, u := range userMap {
-			orgIDs[u.OrgID] = struct{}{}
-		}
-		orgIDList := make([]string, 0, len(orgIDs))
-		for oid := range orgIDs {
-			orgIDList = append(orgIDList, oid)
-		}
-
-		roles := make([]*oldRole68, 0)
-		err = tx.NewSelect().Model(&roles).Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx)
-		if err != nil && err != sql.ErrNoRows {
-			return err
-		}
-		for _, r := range roles {
-			roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID.String()
-		}
-	}
-
-	// Step 5: Create a service account per user that has API keys, and collect migrated data.
-	// One service account per user, all their API keys point to it.
-	userIDToServiceAccountID := make(map[string]string)
-	serviceAccounts := make([]*newServiceAccount68, 0)
-	serviceAccountRoles := make([]*newServiceAccountRole68, 0)
-	newKeys := make([]*newFactorAPIKey68, 0)
-
-	// Track which (serviceAccountID, roleID) pairs we've already added.
-	type saRoleKey struct {
-		ServiceAccountID string
-		RoleID           string
-	}
-	addedRoles := make(map[saRoleKey]struct{})
-
-	now := time.Now()
-
-	for _, oldKey := range oldKeys {
-		user, ok := userMap[oldKey.UserID]
-		if !ok {
-			// User not found — skip this key.
-			continue
-		}
-
-		// Create service account for this user if not already created.
-		saID, exists := userIDToServiceAccountID[oldKey.UserID]
-		if !exists {
-			saID = valuer.GenerateUUID().String()
-			userIDToServiceAccountID[oldKey.UserID] = saID
-
-			serviceAccounts = append(serviceAccounts, &newServiceAccount68{
-				Identifiable: types.Identifiable{ID: valuer.MustNewUUID(saID)},
-				CreatedAt:    now,
-				UpdatedAt:    now,
-				Name:         oldKey.Name,
-				Email:        user.Email,
-				Status:       "active",
-				OrgID:        user.OrgID,
-			})
-		}
-
-		// Map the old role (ADMIN, EDITOR, VIEWER) to the managed role name.
-		managedRoleName, ok := roletypes.ExistingRoleToSigNozManagedRoleMap[types.Role(oldKey.Role)]
-		if !ok {
-			managedRoleName = roletypes.SigNozViewerRoleName
-		}
-
-		roleID, ok := roleMap[orgRoleKey{OrgID: user.OrgID, RoleName: managedRoleName}]
-		if ok {
-			key := saRoleKey{ServiceAccountID: saID, RoleID: roleID}
-			if _, added := addedRoles[key]; !added {
-				addedRoles[key] = struct{}{}
-				serviceAccountRoles = append(serviceAccountRoles, &newServiceAccountRole68{
-					Identifiable:     types.Identifiable{ID: valuer.GenerateUUID()},
-					CreatedAt:        now,
-					UpdatedAt:        now,
-					ServiceAccountID: saID,
-					RoleID:           roleID,
-				})
-			}
-		}
-
-		// Convert expires_at from time.Time to unix seconds (0 = never expires).
-		var expiresAtUnix uint64
-		if !oldKey.ExpiresAt.IsZero() && oldKey.ExpiresAt.Unix() > 0 {
-			expiresAtUnix = uint64(oldKey.ExpiresAt.Unix())
-		}
-
-		// Convert last_used to last_observed_at.
-		lastObservedAt := oldKey.LastUsed
-		if lastObservedAt.IsZero() {
-			lastObservedAt = oldKey.CreatedAt
-		}
-
-		newKeys = append(newKeys, &newFactorAPIKey68{
-			Identifiable:     oldKey.Identifiable,
-			CreatedAt:        oldKey.CreatedAt,
-			UpdatedAt:        oldKey.UpdatedAt,
-			Name:             oldKey.Name,
-			Key:              oldKey.Token,
-			ExpiresAt:        expiresAtUnix,
-			LastObservedAt:   lastObservedAt,
-			ServiceAccountID: saID,
-		})
-	}
-
-	// Step 6: Insert migrated service accounts and roles.
-	if len(serviceAccounts) > 0 {
-		if _, err := tx.NewInsert().Model(&serviceAccounts).Exec(ctx); err != nil {
-			return err
-		}
-	}
-
-	if len(serviceAccountRoles) > 0 {
-		if _, err := tx.NewInsert().Model(&serviceAccountRoles).Exec(ctx); err != nil {
-			return err
-		}
-	}
-
-	// Step 7: Drop old table, create new table, and insert migrated keys.
-	sqls := [][]byte{}
-
-	deprecatedFactorAPIKey, _, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("factor_api_key"))
-	if err != nil {
-		return err
-	}
-
-	dropTableSQLS := migration.sqlschema.Operator().DropTable(deprecatedFactorAPIKey)
-	sqls = append(sqls, dropTableSQLS...)
-
-	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
-		Name: "factor_api_key",
-		Columns: []*sqlschema.Column{
-			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "name", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "key", DataType: sqlschema.DataTypeText, Nullable: false},
-			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "expires_at", DataType: sqlschema.DataTypeInteger, Nullable: false},
-			{Name: "last_observed_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
-			{Name: "service_account_id", DataType: sqlschema.DataTypeText, Nullable: false},
-		},
-		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
-			ColumnNames: []sqlschema.ColumnName{"id"},
-		},
-		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
-			{
-				ReferencingColumnName: sqlschema.ColumnName("service_account_id"),
-				ReferencedTableName:   sqlschema.TableName("service_account"),
-				ReferencedColumnName:  sqlschema.ColumnName("id"),
-			},
-		},
-	})
-	sqls = append(sqls, tableSQLs...)
-
-	indexSQLs := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "factor_api_key", ColumnNames: []sqlschema.ColumnName{"key"}})
-	sqls = append(sqls, indexSQLs...)
-
-	indexSQLs = migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "factor_api_key", ColumnNames: []sqlschema.ColumnName{"name", "service_account_id"}})
-	sqls = append(sqls, indexSQLs...)
-
-	for _, sql := range sqls {
-		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
-			return err
-		}
-	}
-
-	// Step 8: Insert migrated keys into the new table.
-	if len(newKeys) > 0 {
-		if _, err := tx.NewInsert().Model(&newKeys).Exec(ctx); err != nil {
-			return err
-		}
-	}
-
-	if err := tx.Commit(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (migration *deprecateAPIKey) Down(context.Context, *bun.DB) error {
-	return nil
-}

pkg/telemetrymetrics/statement_builder.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/querybuilder"
@@ -188,7 +189,9 @@ func (b *MetricQueryStatementBuilder) buildPipelineStatement(
 		}
 
 		// spatial_aggregation_cte
-		if frag, args := b.buildSpatialAggregationCTE(ctx, start, end, query, keys); frag != "" {
+		if frag, args, err := b.buildSpatialAggregationCTE(ctx, start, end, query, keys); err != nil {
+			return nil, err
+		} else if frag != "" {
 			cteFragments = append(cteFragments, frag)
 			cteArgs = append(cteArgs, args)
 		}
@@ -519,7 +522,14 @@ func (b *MetricQueryStatementBuilder) buildSpatialAggregationCTE(
 	_ uint64,
 	query qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation],
 	_ map[string][]*telemetrytypes.TelemetryFieldKey,
-) (string, []any) {
+) (string, []any, error) {
+	if query.Aggregations[0].SpaceAggregation.IsZero() {
+		return "", nil, errors.Newf(
+			errors.TypeInvalidInput,
+			errors.CodeInvalidInput,
+			"invalid space aggregation, should be one of the following: [`sum`, `avg`, `min`, `max`, `count`, `p50`, `p75`, `p90`, `p95`, `p99`]",
+		)
+	}
 	sb := sqlbuilder.NewSelectBuilder()
 
 	sb.Select("ts")
@@ -536,7 +546,7 @@ func (b *MetricQueryStatementBuilder) buildSpatialAggregationCTE(
 	sb.GroupBy(querybuilder.GroupByKeys(query.GroupBy)...)
 
 	q, args := sb.BuildWithFlavor(sqlbuilder.ClickHouse)
-	return fmt.Sprintf("__spatial_aggregation_cte AS (%s)", q), args
+	return fmt.Sprintf("__spatial_aggregation_cte AS (%s)", q), args, nil
 }
 
 func (b *MetricQueryStatementBuilder) BuildFinalSelect(

pkg/telemetrymetrics/stmt_builder_test.go

@@ -122,7 +122,7 @@ func TestStatementBuilder(t *testing.T) {
 			expectedErr: nil,
 		},
 		{
-			name:        "test_histogram_percentile1",
+			name:        "test_histogram_percentile",
 			requestType: qbtypes.RequestTypeTimeSeries,
 			query: qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]{
 				Signal:       telemetrytypes.SignalMetrics,
@@ -132,7 +132,6 @@ func TestStatementBuilder(t *testing.T) {
 						MetricName:       "signoz_latency",
 						Type:             metrictypes.HistogramType,
 						Temporality:      metrictypes.Delta,
-						TimeAggregation:  metrictypes.TimeAggregationRate,
 						SpaceAggregation: metrictypes.SpaceAggregationPercentile95,
 					},
 				},
@@ -188,7 +187,7 @@ func TestStatementBuilder(t *testing.T) {
 			expectedErr: nil,
 		},
 		{
-			name:        "test_histogram_percentile2",
+			name:        "test_histogram_percentile",
 			requestType: qbtypes.RequestTypeTimeSeries,
 			query: qbtypes.QueryBuilderQuery[qbtypes.MetricAggregation]{
 				Signal:       telemetrytypes.SignalMetrics,
@@ -198,7 +197,6 @@ func TestStatementBuilder(t *testing.T) {
 						MetricName:       "http_server_duration_bucket",
 						Type:             metrictypes.HistogramType,
 						Temporality:      metrictypes.Cumulative,
-						TimeAggregation:  metrictypes.TimeAggregationRate,
 						SpaceAggregation: metrictypes.SpaceAggregationPercentile95,
 					},
 				},
@@ -213,7 +211,7 @@ func TestStatementBuilder(t *testing.T) {
 			},
 			expected: qbtypes.Statement{
 				Query: "WITH __temporal_aggregation_cte AS (SELECT ts, `service.name`, `le`, multiIf(row_number() OVER rate_window = 1, nan, (per_series_value - lagInFrame(per_series_value, 1) OVER rate_window) < 0, per_series_value / (ts - lagInFrame(ts, 1) OVER rate_window), (per_series_value - lagInFrame(per_series_value, 1) OVER rate_window) / (ts - lagInFrame(ts, 1) OVER rate_window)) AS per_series_value FROM (SELECT fingerprint, toStartOfInterval(toDateTime(intDiv(unix_milli, 1000)), toIntervalSecond(30)) AS ts, `service.name`, `le`, max(value) AS per_series_value FROM signoz_metrics.distributed_samples_v4 AS points INNER JOIN (SELECT fingerprint, JSONExtractString(labels, 'service.name') AS `service.name`, JSONExtractString(labels, 'le') AS `le` FROM signoz_metrics.time_series_v4_6hrs WHERE metric_name IN (?) AND unix_milli >= ? AND unix_milli <= ? AND LOWER(temporality) LIKE LOWER(?) AND __normalized = ? GROUP BY fingerprint, `service.name`, `le`) AS filtered_time_series ON points.fingerprint = filtered_time_series.fingerprint WHERE metric_name IN (?) AND unix_milli >= ? AND unix_milli < ? GROUP BY fingerprint, ts, `service.name`, `le` ORDER BY fingerprint, ts) WINDOW rate_window AS (PARTITION BY fingerprint ORDER BY fingerprint, ts)), __spatial_aggregation_cte AS (SELECT ts, `service.name`, `le`, sum(per_series_value) AS value FROM __temporal_aggregation_cte WHERE isNaN(per_series_value) = ? GROUP BY ts, `service.name`, `le`) SELECT ts, `service.name`, histogramQuantile(arrayMap(x -> toFloat64(x), groupArray(le)), groupArray(value), 0.950) AS value FROM __spatial_aggregation_cte GROUP BY `service.name`, ts ORDER BY `service.name`, ts",
-				Args:  []any{"http_server_duration_bucket", uint64(1747936800000), uint64(1747983420000), "cumulative", false, "http_server_duration_bucket", uint64(1747947360000), uint64(1747983420000), 0},
+				Args:  []any{"http_server_duration_bucket", uint64(1747936800000), uint64(1747983420000), "cumulative", false, "http_server_duration_bucket", uint64(1747947390000), uint64(1747983420000), 0},
 			},
 			expectedErr: nil,
 		},

pkg/tokenizer/config.go

@@ -17,9 +17,6 @@ type Config struct {
 	// Config for the JWT tokenizer.
 	JWT JWTConfig `mapstructure:"jwt"`
 
-	// Config for the serviceAccount tokenizer.
-	ServiceAccount ServiceAccountConfig `mapstructure:"service_account"`
-
 	// Rotation config
 	Rotation RotationConfig `mapstructure:"rotation"`
 
@@ -40,11 +37,6 @@ type JWTConfig struct {
 	Secret string `mapstructure:"secret"`
 }
 
-type ServiceAccountConfig struct {
-	// GC config
-	GC GCConfig `mapstructure:"gc"`
-}
-
 type GCConfig struct {
 	// The interval to perform garbage collection.
 	Interval time.Duration `mapstructure:"interval"`
@@ -89,11 +81,6 @@ func newConfig() factory.Config {
 		JWT: JWTConfig{
 			Secret: "",
 		},
-		ServiceAccount: ServiceAccountConfig{
-			GC: GCConfig{
-				Interval: 1 * time.Hour, // 1 hour
-			},
-		},
 		Rotation: RotationConfig{
 			Interval: 30 * time.Minute, // 30 minutes
 			Duration: 60 * time.Second, // 60 seconds

pkg/tokenizer/jwttokenizer/claims.go

@@ -2,6 +2,7 @@ package jwttokenizer
 
 import (
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/golang-jwt/jwt/v5"
 )
 
@@ -9,15 +10,21 @@ var _ jwt.ClaimsValidator = (*Claims)(nil)
 
 type Claims struct {
 	jwt.RegisteredClaims
-	UserID string `json:"id"`
-	Email  string `json:"email"`
-	OrgID  string `json:"orgId"`
+	UserID string     `json:"id"`
+	Email  string     `json:"email"`
+	Role   types.Role `json:"role"`
+	OrgID  string     `json:"orgId"`
 }
 
 func (c *Claims) Validate() error {
 	if c.UserID == "" {
 		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "id is required")
 	}
+	// The problem is that when the "role" field is missing entirely from the JSON (as opposed to being present but empty), the UnmarshalJSON method for Role isn't called at all.
+	// The JSON decoder just sets the Role field to its zero value ("").
+	if c.Role == "" {
+		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "role is required")
+	}
 
 	if c.OrgID == "" {
 		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "orgId is required")

pkg/tokenizer/jwttokenizer/provider.go

@@ -76,6 +76,7 @@ func (provider *provider) Start(ctx context.Context) error {
 func (provider *provider) CreateToken(ctx context.Context, identity *authtypes.Identity, meta map[string]string) (*authtypes.Token, error) {
 	accessTokenClaims := Claims{
 		UserID: identity.UserID.String(),
+		Role:   identity.Role,
 		Email:  identity.Email.String(),
 		OrgID:  identity.OrgID.String(),
 		RegisteredClaims: jwt.RegisteredClaims{
@@ -91,6 +92,7 @@ func (provider *provider) CreateToken(ctx context.Context, identity *authtypes.I
 
 	refreshTokenClaims := Claims{
 		UserID: identity.UserID.String(),
+		Role:   identity.Role,
 		Email:  identity.Email.String(),
 		OrgID:  identity.OrgID.String(),
 		RegisteredClaims: jwt.RegisteredClaims{
@@ -113,7 +115,17 @@ func (provider *provider) GetIdentity(ctx context.Context, accessToken string) (
 		return nil, err
 	}
 
-	return authtypes.NewIdentity(valuer.MustNewUUID(claims.UserID), valuer.MustNewUUID(claims.OrgID), valuer.MustNewEmail(claims.Email)), nil
+	// check claimed role
+	identity, err := provider.getOrSetIdentity(ctx, emptyOrgID, valuer.MustNewUUID(claims.UserID))
+	if err != nil {
+		return nil, err
+	}
+
+	if identity.Role != claims.Role {
+		return nil, errors.Newf(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "claim role mismatch")
+	}
+
+	return authtypes.NewIdentity(valuer.MustNewUUID(claims.UserID), valuer.MustNewUUID(claims.OrgID), valuer.MustNewEmail(claims.Email), claims.Role), nil
 }
 
 func (provider *provider) DeleteToken(ctx context.Context, accessToken string) error {

pkg/tokenizer/jwttokenizer/provider_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore/sqlstoretest"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/tokenizerstore/sqltokenizerstore"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/stretchr/testify/assert"
@@ -61,6 +62,7 @@ func TestLastObservedAt_Concurrent(t *testing.T) {
 		&authtypes.Identity{
 			UserID: valuer.GenerateUUID(),
 			OrgID:  orgID,
+			Role:   types.RoleAdmin,
 			Email:  valuer.MustNewEmail("test@test.com"),
 		},
 		map[string]string{},
@@ -72,6 +74,7 @@ func TestLastObservedAt_Concurrent(t *testing.T) {
 		&authtypes.Identity{
 			UserID: valuer.GenerateUUID(),
 			OrgID:  orgID,
+			Role:   types.RoleAdmin,
 			Email:  valuer.MustNewEmail("test@test.com"),
 		},
 		map[string]string{},

pkg/tokenizer/serviceaccounttokenizer/provider.go

@@ -1,353 +0,0 @@
-package serviceaccounttokenizer
-
-import (
-	"context"
-	"slices"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/cache"
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/tokenizer"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/cachetypes"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/dgraph-io/ristretto/v2"
-	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/trace"
-)
-
-var (
-	emptyOrgID valuer.UUID = valuer.UUID{}
-)
-
-const (
-	expectedLastObservedAtCacheEntries int64 = 5000 // 1000 serviceAccounts * Max 5 keys per account
-)
-
-type provider struct {
-	config              tokenizer.Config
-	settings            factory.ScopedProviderSettings
-	cache               cache.Cache
-	apiKeyStore         serviceaccounttypes.Store
-	orgGetter           organization.Getter
-	stopC               chan struct{}
-	lastObservedAtCache *ristretto.Cache[string, time.Time]
-}
-
-func NewFactory(cache cache.Cache, apiKeyStore serviceaccounttypes.Store, orgGetter organization.Getter) factory.ProviderFactory[tokenizer.Tokenizer, tokenizer.Config] {
-	return factory.NewProviderFactory(factory.MustNewName("serviceaccount"), func(ctx context.Context, providerSettings factory.ProviderSettings, config tokenizer.Config) (tokenizer.Tokenizer, error) {
-		return New(ctx, providerSettings, config, cache, apiKeyStore, orgGetter)
-	})
-}
-
-func New(ctx context.Context, providerSettings factory.ProviderSettings, config tokenizer.Config, cache cache.Cache, apiKeyStore serviceaccounttypes.Store, orgGetter organization.Getter) (tokenizer.Tokenizer, error) {
-	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/tokenizer/serviceaccounttokenizer")
-
-	// * move these hardcoded values to a config based value when needed
-	lastObservedAtCache, err := ristretto.NewCache(&ristretto.Config[string, time.Time]{
-		NumCounters: 10 * expectedLastObservedAtCacheEntries, // 10x of expected entries
-		MaxCost:     1 << 19,                                 // ~ 512 KB
-		BufferItems: 64,
-		Metrics:     false,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return tokenizer.NewWrappedTokenizer(settings, &provider{
-		config:              config,
-		settings:            settings,
-		cache:               cache,
-		apiKeyStore:         apiKeyStore,
-		orgGetter:           orgGetter,
-		stopC:               make(chan struct{}),
-		lastObservedAtCache: lastObservedAtCache,
-	}), nil
-}
-
-func (provider *provider) Start(ctx context.Context) error {
-	ticker := time.NewTicker(provider.config.ServiceAccount.GC.Interval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-provider.stopC:
-			return nil
-		case <-ticker.C:
-			ctx, span := provider.settings.Tracer().Start(ctx, "tokenizer.LastObservedAt", trace.WithAttributes(attribute.String("tokenizer.provider", "serviceaccount")))
-
-			orgs, err := provider.orgGetter.ListByOwnedKeyRange(ctx)
-			if err != nil {
-				provider.settings.Logger().ErrorContext(ctx, "failed to get orgs data", "error", err)
-				span.End()
-				continue
-			}
-
-			for _, org := range orgs {
-				if err := provider.flushLastObservedAt(ctx, org); err != nil {
-					span.RecordError(err)
-					provider.settings.Logger().ErrorContext(ctx, "failed to flush api keys", "error", err, "org_id", org.ID)
-				}
-			}
-
-			span.End()
-		}
-	}
-}
-
-func (provider *provider) CreateToken(_ context.Context, _ *authtypes.Identity, _ map[string]string) (*authtypes.Token, error) {
-	return nil, errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
-}
-
-func (provider *provider) GetIdentity(ctx context.Context, key string) (*authtypes.Identity, error) {
-	apiKey, err := provider.getOrGetSetAPIKey(ctx, key)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := apiKey.IsExpired(); err != nil {
-		return nil, err
-	}
-
-	identity, err := provider.getOrGetSetIdentity(ctx, apiKey.ServiceAccountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return identity, nil
-}
-
-func (provider *provider) RotateToken(_ context.Context, _ string, _ string) (*authtypes.Token, error) {
-	return nil, errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
-}
-
-func (provider *provider) DeleteToken(_ context.Context, _ string) error {
-	return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
-}
-
-func (provider *provider) DeleteTokensByUserID(_ context.Context, _ valuer.UUID) error {
-	return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
-}
-
-func (provider *provider) DeleteIdentity(ctx context.Context, serviceAccountID valuer.UUID) error {
-	provider.cache.Delete(ctx, emptyOrgID, identityCacheKey(serviceAccountID))
-	return nil
-}
-
-func (provider *provider) Stop(ctx context.Context) error {
-	close(provider.stopC)
-
-	orgs, err := provider.orgGetter.ListByOwnedKeyRange(ctx)
-	if err != nil {
-		return err
-	}
-
-	for _, org := range orgs {
-		// flush api keys on stop
-		if err := provider.flushLastObservedAt(ctx, org); err != nil {
-			provider.settings.Logger().ErrorContext(ctx, "failed to flush tokens", "error", err, "org_id", org.ID)
-		}
-	}
-
-	return nil
-}
-
-func (provider *provider) SetLastObservedAt(ctx context.Context, key string, lastObservedAt time.Time) error {
-	apiKey, err := provider.getOrGetSetAPIKey(ctx, key)
-	if err != nil {
-		return err
-	}
-
-	// If we can't update the last observed at, we return nil.
-	if err := apiKey.UpdateLastObservedAt(lastObservedAt); err != nil {
-		return nil
-	}
-
-	if ok := provider.lastObservedAtCache.Set(lastObservedAtCacheKey(key, apiKey.ServiceAccountID), lastObservedAt, 24); !ok {
-		provider.settings.Logger().ErrorContext(ctx, "error caching last observed at timestamp", "service_account_id", apiKey.ServiceAccountID)
-	}
-
-	err = provider.cache.Set(ctx, emptyOrgID, apiKeyCacheKey(key), apiKey, provider.config.Lifetime.Max)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (provider *provider) Config() tokenizer.Config {
-	return provider.config
-}
-
-func (provider *provider) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
-	apiKeys, err := provider.apiKeyStore.ListFactorAPIKeyByOrgID(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	stats := make(map[string]any)
-	stats["api_key.count"] = len(apiKeys)
-
-	keyToLastObservedAt, err := provider.listLastObservedAtDesc(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(keyToLastObservedAt) == 0 {
-		return stats, nil
-	}
-
-	keyToLastObservedAtMax := keyToLastObservedAt[0]
-
-	if lastObservedAt, ok := keyToLastObservedAtMax["last_observed_at"].(time.Time); ok {
-		if !lastObservedAt.IsZero() {
-			stats["api_key.last_observed_at.max.time"] = lastObservedAt.UTC()
-			stats["api_key.last_observed_at.max.time_unix"] = lastObservedAt.Unix()
-		}
-	}
-
-	return stats, nil
-}
-
-func (provider *provider) ListMaxLastObservedAtByOrgID(ctx context.Context, orgID valuer.UUID) (map[valuer.UUID]time.Time, error) {
-	apiKeyToLastObservedAts, err := provider.listLastObservedAtDesc(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	maxLastObservedAtPerServiceAccountID := make(map[valuer.UUID]time.Time)
-
-	for _, apiKeyToLastObservedAt := range apiKeyToLastObservedAts {
-		serviceAccountID, ok := apiKeyToLastObservedAt["service_account_id"].(valuer.UUID)
-		if !ok {
-			continue
-		}
-
-		lastObservedAt, ok := apiKeyToLastObservedAt["last_observed_at"].(time.Time)
-		if !ok {
-			continue
-		}
-
-		if lastObservedAt.IsZero() {
-			continue
-		}
-
-		if _, ok := maxLastObservedAtPerServiceAccountID[serviceAccountID]; !ok {
-			maxLastObservedAtPerServiceAccountID[serviceAccountID] = lastObservedAt.UTC()
-			continue
-		}
-
-		if lastObservedAt.UTC().After(maxLastObservedAtPerServiceAccountID[serviceAccountID]) {
-			maxLastObservedAtPerServiceAccountID[serviceAccountID] = lastObservedAt.UTC()
-		}
-	}
-
-	return maxLastObservedAtPerServiceAccountID, nil
-
-}
-
-func (provider *provider) flushLastObservedAt(ctx context.Context, org *types.Organization) error {
-	apiKeyToLastObservedAt, err := provider.listLastObservedAtDesc(ctx, org.ID)
-	if err != nil {
-		return err
-	}
-
-	if err := provider.apiKeyStore.UpdateLastObservedAtByKey(ctx, apiKeyToLastObservedAt); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (provider *provider) getOrGetSetAPIKey(ctx context.Context, key string) (*serviceaccounttypes.FactorAPIKey, error) {
-	apiKey := new(serviceaccounttypes.FactorAPIKey)
-	err := provider.cache.Get(ctx, emptyOrgID, apiKeyCacheKey(key), apiKey)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err
-	}
-
-	if err == nil {
-		return apiKey, nil
-	}
-
-	storable, err := provider.apiKeyStore.GetFactorAPIKeyByKey(ctx, key)
-	if err != nil {
-		return nil, err
-	}
-	apiKey = serviceaccounttypes.NewFactorAPIKeyFromStorable(storable)
-
-	err = provider.cache.Set(ctx, emptyOrgID, apiKeyCacheKey(key), apiKey, provider.config.Lifetime.Max)
-	if err != nil {
-		return nil, err
-	}
-
-	return apiKey, nil
-}
-
-func (provider *provider) getOrGetSetIdentity(ctx context.Context, serviceAccountID valuer.UUID) (*authtypes.Identity, error) {
-	identity := new(authtypes.Identity)
-	err := provider.cache.Get(ctx, emptyOrgID, identityCacheKey(serviceAccountID), identity)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err
-	}
-
-	if err == nil {
-		return identity, nil
-	}
-
-	storableServiceAccount, err := provider.apiKeyStore.GetByID(ctx, serviceAccountID)
-	if err != nil {
-		return nil, err
-	}
-
-	identity = storableServiceAccount.ToIdentity()
-	err = provider.cache.Set(ctx, emptyOrgID, identityCacheKey(serviceAccountID), identity, 0)
-	if err != nil {
-		return nil, err
-	}
-
-	return identity, nil
-}
-
-func (provider *provider) listLastObservedAtDesc(ctx context.Context, orgID valuer.UUID) ([]map[string]any, error) {
-	apiKeys, err := provider.apiKeyStore.ListFactorAPIKeyByOrgID(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	var keyToLastObservedAt []map[string]any
-
-	for _, key := range apiKeys {
-		keyCachedLastObservedAt, ok := provider.lastObservedAtCache.Get(lastObservedAtCacheKey(key.Key, valuer.MustNewUUID(key.ServiceAccountID)))
-		if ok {
-			keyToLastObservedAt = append(keyToLastObservedAt, map[string]any{
-				"service_account_id": key.ServiceAccountID,
-				"key":                key.Key,
-				"last_observed_at":   keyCachedLastObservedAt,
-			})
-		}
-	}
-
-	// sort by descending order of last_observed_at
-	slices.SortFunc(keyToLastObservedAt, func(a, b map[string]any) int {
-		return b["last_observed_at"].(time.Time).Compare(a["last_observed_at"].(time.Time))
-	})
-
-	return keyToLastObservedAt, nil
-}
-
-func apiKeyCacheKey(apiKey string) string {
-	return "api_key::" + cachetypes.NewSha1CacheKey(apiKey)
-}
-
-func identityCacheKey(serviceAccountID valuer.UUID) string {
-	return "identity::" + serviceAccountID.String()
-}
-
-func lastObservedAtCacheKey(apiKey string, serviceAccountID valuer.UUID) string {
-	return "api_key::" + apiKey + "::" + serviceAccountID.String()
-}

pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go

@@ -47,7 +47,7 @@ func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID)
 		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with id: %s does not exist", userID)
 	}
 
-	return authtypes.NewIdentity(userID, user.OrgID, user.Email), nil
+	return authtypes.NewIdentity(userID, user.OrgID, user.Email, types.Role(user.Role)), nil
 }
 
 func (store *store) GetByAccessToken(ctx context.Context, accessToken string) (*authtypes.StorableToken, error) {

pkg/types/authtypes/authn.go

@@ -25,11 +25,10 @@ var (
 type AuthNProvider struct{ valuer.String }
 
 type Identity struct {
-	UserID           valuer.UUID  `json:"userId"`
-	ServiceAccountID valuer.UUID  `json:"serviceAccountId"`
-	Principal        Principal    `json:"principal"`
-	OrgID            valuer.UUID  `json:"orgId"`
-	Email            valuer.Email `json:"email"`
+	UserID valuer.UUID  `json:"userId"`
+	OrgID  valuer.UUID  `json:"orgId"`
+	Email  valuer.Email `json:"email"`
+	Role   types.Role   `json:"role"`
 }
 
 type CallbackIdentity struct {
@@ -79,11 +78,12 @@ func NewStateFromString(state string) (State, error) {
 	}, nil
 }
 
-func NewIdentity(userID valuer.UUID, orgID valuer.UUID, email valuer.Email) *Identity {
+func NewIdentity(userID valuer.UUID, orgID valuer.UUID, email valuer.Email, role types.Role) *Identity {
 	return &Identity{
 		UserID: userID,
 		OrgID:  orgID,
 		Email:  email,
+		Role:   role,
 	}
 }
 
@@ -116,11 +116,10 @@ func (typ *Identity) UnmarshalBinary(data []byte) error {
 
 func (typ *Identity) ToClaims() Claims {
 	return Claims{
-		UserID:           typ.UserID.String(),
-		ServiceAccountID: typ.ServiceAccountID.String(),
-		Principal:        typ.Principal.StringValue(),
-		Email:            typ.Email.String(),
-		OrgID:            typ.OrgID.String(),
+		UserID: typ.UserID.String(),
+		Email:  typ.Email.String(),
+		Role:   typ.Role,
+		OrgID:  typ.OrgID.String(),
 	}
 }
 

pkg/types/authtypes/claims.go

@@ -3,20 +3,20 @@ package authtypes
 import (
 	"context"
 	"log/slog"
+	"slices"
 
 	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
 )
 
 type claimsKey struct{}
 type accessTokenKey struct{}
-type serviceAccountAPIKeyKey struct{}
 
 type Claims struct {
-	UserID           string
-	ServiceAccountID string
-	Principal        string
-	Email            string
-	OrgID            string
+	UserID string
+	Email  string
+	Role   types.Role
+	OrgID  string
 }
 
 // NewContextWithClaims attaches individual claims to the context.
@@ -47,36 +47,47 @@ func AccessTokenFromContext(ctx context.Context) (string, error) {
 	return accessToken, nil
 }
 
-func NewContextWithServiceAccountAPIKey(ctx context.Context, apiKey string) context.Context {
-	return context.WithValue(ctx, serviceAccountAPIKeyKey{}, apiKey)
-}
-
-func ServiceAccountAPIKeyFromContext(ctx context.Context) (string, error) {
-	apiKey, ok := ctx.Value(serviceAccountAPIKeyKey{}).(string)
-	if !ok {
-		return "", errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "unauthenticated")
-	}
-
-	return apiKey, nil
-}
-
 func (c *Claims) LogValue() slog.Value {
 	return slog.GroupValue(
 		slog.String("user_id", c.UserID),
 		slog.String("email", c.Email),
+		slog.String("role", c.Role.String()),
 		slog.String("org_id", c.OrgID),
 	)
 }
 
+func (c *Claims) IsViewer() error {
+	if slices.Contains([]types.Role{types.RoleViewer, types.RoleEditor, types.RoleAdmin}, c.Role) {
+		return nil
+	}
+
+	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only viewers/editors/admins can access this resource")
+}
+
+func (c *Claims) IsEditor() error {
+	if slices.Contains([]types.Role{types.RoleEditor, types.RoleAdmin}, c.Role) {
+		return nil
+	}
+
+	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only editors/admins can access this resource")
+}
+
+func (c *Claims) IsAdmin() error {
+	if c.Role == types.RoleAdmin {
+		return nil
+	}
+
+	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can access this resource")
+}
+
 func (c *Claims) IsSelfAccess(id string) error {
 	if c.UserID == id {
 		return nil
 	}
 
-	// TODO[@vikrantgupta25]: check this
-	// if c.Role == types.RoleAdmin {
-	// 	return nil
-	// }
+	if c.Role == types.RoleAdmin {
+		return nil
+	}
 
 	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only the user/admin can access their own resource")
 }

pkg/types/authtypes/principal.go

@@ -1,10 +0,0 @@
-package authtypes
-
-import "github.com/SigNoz/signoz/pkg/valuer"
-
-var (
-	PrincipalUser           = Principal{valuer.NewString("user")}
-	PrincipalServiceAccount = Principal{valuer.NewString("service_account")}
-)
-
-type Principal struct{ valuer.String }

pkg/types/authtypes/relation.go

@@ -20,20 +20,19 @@ var (
 )
 
 var TypeableRelations = map[Type][]Relation{
-	TypeUser:           {RelationRead, RelationUpdate, RelationDelete},
-	TypeServiceAccount: {RelationRead, RelationUpdate, RelationDelete},
-	TypeRole:           {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
-	TypeOrganization:   {RelationRead, RelationUpdate, RelationDelete},
-	TypeMetaResource:   {RelationRead, RelationUpdate, RelationDelete},
-	TypeMetaResources:  {RelationCreate, RelationList},
+	TypeUser:          {RelationRead, RelationUpdate, RelationDelete},
+	TypeRole:          {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
+	TypeOrganization:  {RelationRead, RelationUpdate, RelationDelete},
+	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete},
+	TypeMetaResources: {RelationCreate, RelationList},
 }
 
 var RelationsTypeable = map[Relation][]Type{
 	RelationCreate: {TypeMetaResources},
-	RelationRead:   {TypeUser, TypeServiceAccount, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationRead:   {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
 	RelationList:   {TypeMetaResources},
-	RelationUpdate: {TypeUser, TypeServiceAccount, TypeRole, TypeOrganization, TypeMetaResource},
-	RelationDelete: {TypeUser, TypeServiceAccount, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationUpdate: {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationDelete: {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
 }
 
 type Relation struct{ valuer.String }

pkg/types/authtypes/selector.go

@@ -23,12 +23,11 @@ var (
 )
 
 var (
-	typeUserSelectorRegex           = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
-	typeServiceAccountSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
-	typeRoleSelectorRegex           = regexp.MustCompile(`^([a-z-]{1,50}|\*)$`)
-	typeAnonymousSelectorRegex      = regexp.MustCompile(`^\*$`)
-	typeOrganizationSelectorRegex   = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
-	typeMetaResourceSelectorRegex   = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeUserSelectorRegex         = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeRoleSelectorRegex         = regexp.MustCompile(`^([a-z-]{1,50}|\*)$`)
+	typeAnonymousSelectorRegex    = regexp.MustCompile(`^\*$`)
+	typeOrganizationSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeMetaResourceSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
 	// metaresources selectors are used to select either all or none until we introduce some hierarchy here.
 	typeMetaResourcesSelectorRegex = regexp.MustCompile(`^\*$`)
 )
@@ -99,11 +98,6 @@ func IsValidSelector(typed Type, selector string) error {
 			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidSelector, "selector must conform to regex %s", typeUserSelectorRegex.String())
 		}
 		return nil
-	case TypeServiceAccount:
-		if !typeServiceAccountSelectorRegex.MatchString(selector) {
-			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidSelector, "selector must conform to regex %s", typeServiceAccountSelectorRegex.String())
-		}
-		return nil
 	case TypeRole:
 		if !typeRoleSelectorRegex.MatchString(selector) {
 			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidSelector, "selector must conform to regex %s", typeRoleSelectorRegex.String())