mirror of
https://github.com/grafana/grafana.git
synced 2026-02-03 20:49:50 -05:00
31f062cb49
Some checks failed
Actionlint / Lint GitHub Actions files (push) Has been cancelled
Backend Code Checks / Detect whether code changed (push) Has been cancelled
Backend Unit Tests / Detect whether code changed (push) Has been cancelled
CodeQL checks / Detect whether code changed (push) Has been cancelled
Deploy Storybook / Detect whether code changed (push) Has been cancelled
Lint Frontend / Detect whether code changed (push) Has been cancelled
Lint Frontend / Verify API clients (push) Has been cancelled
Lint Frontend / Verify API clients (enterprise) (push) Has been cancelled
golangci-lint / Detect whether code changed (push) Has been cancelled
Verify i18n / verify-i18n (push) Has been cancelled
Documentation / Build & Verify Docs (push) Has been cancelled
End-to-end tests / Detect whether code changed (push) Has been cancelled
Frontend tests / Detect whether code changed (push) Has been cancelled
Integration Tests / Detect whether code changed (push) Has been cancelled
publish-technical-documentation-next / sync (push) Has been cancelled
Reject GitHub secrets / reject-gh-secrets (push) Has been cancelled
Build Release Packages / setup (push) Has been cancelled
Run dashboard schema v2 e2e / dashboard-schema-v2-e2e (push) Has been cancelled
Shellcheck / Shellcheck scripts (push) Has been cancelled
Run Storybook a11y tests / Detect whether code changed (push) Has been cancelled
Swagger generated code / Detect whether code changed (push) Has been cancelled
Dispatch sync to mirror / dispatch-job (push) Has been cancelled
Backend Code Checks / Validate Backend Configs (push) Has been cancelled
Backend Unit Tests / Grafana (1/8) (push) Has been cancelled
Backend Unit Tests / Grafana (2/8) (push) Has been cancelled
Backend Unit Tests / Grafana (3/8) (push) Has been cancelled
Backend Unit Tests / Grafana (4/8) (push) Has been cancelled
Backend Unit Tests / Grafana (5/8) (push) Has been cancelled
Backend Unit Tests / Grafana (6/8) (push) Has been cancelled
Backend Unit Tests / Grafana (7/8) (push) Has been cancelled
Backend Unit Tests / Grafana (8/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (1/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (2/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (3/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (4/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (5/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (6/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (7/8) (push) Has been cancelled
Backend Unit Tests / Grafana Enterprise (8/8) (push) Has been cancelled
Backend Unit Tests / All backend unit tests complete (push) Has been cancelled
CodeQL checks / Analyze (push) Has been cancelled
Deploy Storybook / Deploy Storybook (push) Has been cancelled
Lint Frontend / Lint (push) Has been cancelled
Lint Frontend / Typecheck (push) Has been cancelled
Lint Frontend / Verify packed frontend packages (push) Has been cancelled
golangci-lint / go-fmt (push) Has been cancelled
golangci-lint / lint-go (push) Has been cancelled
End-to-end tests / Build & Package Grafana (push) Has been cancelled
End-to-end tests / Build E2E test runner (push) Has been cancelled
End-to-end tests / push-docker-image (push) Has been cancelled
End-to-end tests / dashboards-suite (old arch) (push) Has been cancelled
End-to-end tests / panels-suite (old arch) (push) Has been cancelled
End-to-end tests / smoke-tests-suite (old arch) (push) Has been cancelled
End-to-end tests / various-suite (old arch) (push) Has been cancelled
End-to-end tests / Verify Storybook (Playwright) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (1/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (2/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (3/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (4/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (5/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (6/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (7/8) (push) Has been cancelled
End-to-end tests / Playwright E2E tests (8/8) (push) Has been cancelled
End-to-end tests / run-azure-monitor-e2e (push) Has been cancelled
End-to-end tests / All Playwright tests complete (push) Has been cancelled
End-to-end tests / A11y test (push) Has been cancelled
End-to-end tests / Publish metrics (push) Has been cancelled
End-to-end tests / All E2E tests complete (push) Has been cancelled
Frontend tests / Unit tests (1 / 16) (push) Has been cancelled
Frontend tests / Unit tests (10 / 16) (push) Has been cancelled
Frontend tests / Unit tests (11 / 16) (push) Has been cancelled
Frontend tests / Unit tests (12 / 16) (push) Has been cancelled
Frontend tests / Unit tests (13 / 16) (push) Has been cancelled
Frontend tests / Unit tests (14 / 16) (push) Has been cancelled
Frontend tests / Unit tests (15 / 16) (push) Has been cancelled
Frontend tests / Unit tests (16 / 16) (push) Has been cancelled
Frontend tests / Unit tests (2 / 16) (push) Has been cancelled
Frontend tests / Unit tests (3 / 16) (push) Has been cancelled
Frontend tests / Unit tests (4 / 16) (push) Has been cancelled
Frontend tests / Unit tests (5 / 16) (push) Has been cancelled
Frontend tests / Unit tests (6 / 16) (push) Has been cancelled
Frontend tests / Unit tests (7 / 16) (push) Has been cancelled
Frontend tests / Unit tests (8 / 16) (push) Has been cancelled
Frontend tests / Unit tests (9 / 16) (push) Has been cancelled
Frontend tests / Decoupled plugin tests (push) Has been cancelled
Frontend tests / Packages unit tests (push) Has been cancelled
Frontend tests / All frontend unit tests complete (push) Has been cancelled
Frontend tests / Devenv frontend-service build (push) Has been cancelled
Integration Tests / Sqlite (1/4) (push) Has been cancelled
Integration Tests / Sqlite (2/4) (push) Has been cancelled
Integration Tests / Sqlite (3/4) (push) Has been cancelled
Integration Tests / Sqlite (4/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo (1/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo (2/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo (3/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo (4/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo (profiled) (push) Has been cancelled
Integration Tests / MySQL (1/16) (push) Has been cancelled
Integration Tests / MySQL (10/16) (push) Has been cancelled
Integration Tests / MySQL (11/16) (push) Has been cancelled
Integration Tests / MySQL (12/16) (push) Has been cancelled
Integration Tests / MySQL (13/16) (push) Has been cancelled
Integration Tests / MySQL (14/16) (push) Has been cancelled
Integration Tests / MySQL (15/16) (push) Has been cancelled
Integration Tests / MySQL (16/16) (push) Has been cancelled
Integration Tests / MySQL (2/16) (push) Has been cancelled
Integration Tests / MySQL (3/16) (push) Has been cancelled
Integration Tests / MySQL (4/16) (push) Has been cancelled
Integration Tests / MySQL (5/16) (push) Has been cancelled
Integration Tests / MySQL (6/16) (push) Has been cancelled
Integration Tests / MySQL (7/16) (push) Has been cancelled
Integration Tests / MySQL (8/16) (push) Has been cancelled
Integration Tests / MySQL (9/16) (push) Has been cancelled
Integration Tests / Postgres (1/16) (push) Has been cancelled
Integration Tests / Postgres (10/16) (push) Has been cancelled
Integration Tests / Postgres (11/16) (push) Has been cancelled
Integration Tests / Postgres (12/16) (push) Has been cancelled
Integration Tests / Postgres (13/16) (push) Has been cancelled
Integration Tests / Postgres (14/16) (push) Has been cancelled
Integration Tests / Postgres (15/16) (push) Has been cancelled
Integration Tests / Postgres (16/16) (push) Has been cancelled
Integration Tests / Postgres (2/16) (push) Has been cancelled
Integration Tests / Postgres (3/16) (push) Has been cancelled
Integration Tests / Postgres (4/16) (push) Has been cancelled
Integration Tests / Postgres (5/16) (push) Has been cancelled
Integration Tests / Postgres (6/16) (push) Has been cancelled
Integration Tests / Postgres (7/16) (push) Has been cancelled
Integration Tests / Postgres (8/16) (push) Has been cancelled
Integration Tests / Postgres (9/16) (push) Has been cancelled
Integration Tests / Sqlite Enterprise (1/4) (push) Has been cancelled
Integration Tests / Sqlite Enterprise (2/4) (push) Has been cancelled
Integration Tests / Sqlite Enterprise (3/4) (push) Has been cancelled
Integration Tests / Sqlite Enterprise (4/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo Enterprise (1/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo Enterprise (2/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo Enterprise (3/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo Enterprise (4/4) (push) Has been cancelled
Integration Tests / Sqlite Without CGo Enterprise (profiled) (push) Has been cancelled
Integration Tests / MySQL Enterprise (1/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (10/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (11/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (12/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (13/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (14/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (15/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (16/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (2/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (3/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (4/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (5/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (6/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (7/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (8/16) (push) Has been cancelled
Integration Tests / MySQL Enterprise (9/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (1/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (10/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (11/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (12/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (13/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (14/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (15/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (16/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (2/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (3/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (4/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (5/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (6/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (7/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (8/16) (push) Has been cancelled
Integration Tests / Postgres Enterprise (9/16) (push) Has been cancelled
Integration Tests / All backend integration tests complete (push) Has been cancelled
Build Release Packages / Dispatch grafana-enterprise build (push) Has been cancelled
Build Release Packages / / darwin-amd64 (push) Has been cancelled
Build Release Packages / / darwin-arm64 (push) Has been cancelled
Build Release Packages / / linux-amd64 (push) Has been cancelled
Build Release Packages / / linux-armv6 (push) Has been cancelled
Build Release Packages / / linux-armv7 (push) Has been cancelled
Build Release Packages / / linux-arm64 (push) Has been cancelled
Build Release Packages / / linux-s390x (push) Has been cancelled
Build Release Packages / / windows-amd64 (push) Has been cancelled
Build Release Packages / / windows-arm64 (push) Has been cancelled
Build Release Packages / Upload artifacts (push) Has been cancelled
Build Release Packages / publish-dockerhub (push) Has been cancelled
Build Release Packages / Dispatch publish NPM canaries (push) Has been cancelled
Build Release Packages / notify-pr (push) Has been cancelled
Run Storybook a11y tests / Run Storybook a11y tests (light theme) (push) Has been cancelled
Run Storybook a11y tests / Run Storybook a11y tests (dark theme) (push) Has been cancelled
Swagger generated code / Verify committed API specs match (push) Has been cancelled
* Remove fully rolled out ft annotationPermissionUpdate * fix annot test and lint * fix frontend tests * fix integration test * fix flaky test
628 lines
22 KiB
Go
628 lines
22 KiB
Go
package api
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
|
"github.com/grafana/grafana/pkg/services/datasources"
|
|
"github.com/grafana/grafana/pkg/services/folder"
|
|
"github.com/grafana/grafana/pkg/services/libraryelements"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
|
|
"github.com/grafana/grafana/pkg/tsdb/grafanads"
|
|
)
|
|
|
|
// API related actions
|
|
const (
|
|
ActionProvisioningReload = "provisioning:reload"
|
|
)
|
|
|
|
// API related scopes
|
|
var (
|
|
ScopeProvisionersAll = ac.Scope("provisioners", "*")
|
|
ScopeProvisionersDashboards = ac.Scope("provisioners", "dashboards")
|
|
ScopeProvisionersPlugins = ac.Scope("provisioners", "plugins")
|
|
ScopeProvisionersDatasources = ac.Scope("provisioners", "datasources")
|
|
ScopeProvisionersNotifications = ac.Scope("provisioners", "notifications")
|
|
ScopeProvisionersAlertRules = ac.Scope("provisioners", "alerting")
|
|
)
|
|
|
|
// declareFixedRoles declares to the AccessControl service fixed roles and their
|
|
// grants to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
|
|
// that HTTPServer needs
|
|
func (hs *HTTPServer) declareFixedRoles() error {
|
|
// Declare plugins roles
|
|
if err := pluginaccesscontrol.DeclareRBACRoles(hs.accesscontrolService, hs.Cfg, hs.Features); err != nil {
|
|
return err
|
|
}
|
|
|
|
provisioningWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:provisioning:writer",
|
|
DisplayName: "Writer",
|
|
Description: "Reload provisioning.",
|
|
Group: "Provisioning",
|
|
Permissions: []ac.Permission{
|
|
{
|
|
Action: ActionProvisioningReload,
|
|
Scope: ScopeProvisionersAll,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{ac.RoleGrafanaAdmin},
|
|
}
|
|
|
|
datasourcesExplorerRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:datasources:explorer",
|
|
DisplayName: "Explorer",
|
|
Description: "Enable the Explore and Drilldown features. Data source permissions still apply; you can only query data sources for which you have query permissions.",
|
|
Group: "Data sources",
|
|
Permissions: []ac.Permission{
|
|
{
|
|
Action: ac.ActionDatasourcesExplore,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleEditor)},
|
|
}
|
|
|
|
//nolint:staticcheck // ViewersCanEdit is deprecated but still used for backward compatibility
|
|
if hs.Cfg.ViewersCanEdit {
|
|
datasourcesExplorerRole.Grants = append(datasourcesExplorerRole.Grants, string(org.RoleViewer))
|
|
}
|
|
|
|
datasourcesReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:datasources:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read and query all data sources.",
|
|
Group: "Data sources",
|
|
Permissions: []ac.Permission{
|
|
{
|
|
Action: datasources.ActionRead,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
{
|
|
Action: datasources.ActionQuery,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
builtInDatasourceReader := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:datasources.builtin:reader",
|
|
DisplayName: "Built in data source reader",
|
|
Description: "Read and query Grafana's built in test data sources.",
|
|
Group: "Data sources",
|
|
Permissions: []ac.Permission{
|
|
{
|
|
Action: datasources.ActionRead,
|
|
Scope: fmt.Sprintf("%s%s", datasources.ScopePrefix, grafanads.DatasourceUID),
|
|
},
|
|
{
|
|
Action: datasources.ActionQuery,
|
|
Scope: fmt.Sprintf("%s%s", datasources.ScopePrefix, grafanads.DatasourceUID),
|
|
},
|
|
},
|
|
Hidden: true,
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
|
|
// when running oss or enterprise without a license all users should be able to query data sources
|
|
if !hs.License.FeatureEnabled("dspermissions.enforcement") {
|
|
datasourcesReaderRole.Grants = []string{string(org.RoleViewer)}
|
|
}
|
|
|
|
datasourcesCreatorRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:datasources:creator",
|
|
DisplayName: "Creator",
|
|
Description: "Create data sources.",
|
|
Group: "Data sources",
|
|
Permissions: []ac.Permission{
|
|
{
|
|
Action: datasources.ActionCreate,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{},
|
|
}
|
|
|
|
datasourcesWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:datasources:writer",
|
|
DisplayName: "Writer",
|
|
Description: "Create, update, delete, read, or query data sources.",
|
|
Group: "Data sources",
|
|
Permissions: ac.ConcatPermissions(datasourcesReaderRole.Role.Permissions, []ac.Permission{
|
|
{
|
|
Action: datasources.ActionWrite,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
{
|
|
Action: datasources.ActionCreate,
|
|
},
|
|
{
|
|
Action: datasources.ActionDelete,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
}),
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
datasourcesIdReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:datasources.id:reader",
|
|
DisplayName: "Data source ID reader",
|
|
Description: "Read the ID of a data source based on its name.",
|
|
Group: "Infrequently used",
|
|
Permissions: []ac.Permission{
|
|
{
|
|
Action: datasources.ActionIDRead,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
|
|
orgReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:organization:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read an organization, such as its ID, name, address, or quotas.",
|
|
Group: "Organizations",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionOrgsRead},
|
|
{Action: ac.ActionOrgsQuotasRead},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleViewer), ac.RoleGrafanaAdmin},
|
|
}
|
|
|
|
orgWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:organization:writer",
|
|
DisplayName: "Writer",
|
|
Description: "Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.",
|
|
Group: "Organizations",
|
|
Permissions: ac.ConcatPermissions(orgReaderRole.Role.Permissions, []ac.Permission{
|
|
{Action: ac.ActionOrgsPreferencesRead},
|
|
{Action: ac.ActionOrgsWrite},
|
|
{Action: ac.ActionOrgsPreferencesWrite},
|
|
}),
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
orgMaintainerRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:organization:maintainer",
|
|
DisplayName: "Maintainer",
|
|
Description: "Create, read, write, or delete an organization. Read or write an organization's quotas. Needs to be assigned globally.",
|
|
Group: "Organizations",
|
|
Permissions: ac.ConcatPermissions(orgReaderRole.Role.Permissions, []ac.Permission{
|
|
{Action: ac.ActionOrgsCreate},
|
|
{Action: ac.ActionOrgsWrite},
|
|
{Action: ac.ActionOrgsDelete},
|
|
{Action: ac.ActionOrgsQuotasWrite},
|
|
}),
|
|
},
|
|
Grants: []string{string(ac.RoleGrafanaAdmin)},
|
|
}
|
|
|
|
teamCreatorGrants := []string{string(org.RoleAdmin)}
|
|
|
|
teamsCreatorRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:teams:creator",
|
|
DisplayName: "Creator",
|
|
Description: "Create teams and read organisation users (required to manage the created teams).",
|
|
Group: "Teams",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionTeamsCreate},
|
|
{Action: ac.ActionOrgUsersRead, Scope: ac.ScopeUsersAll},
|
|
},
|
|
},
|
|
Grants: teamCreatorGrants,
|
|
}
|
|
|
|
teamsReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:teams:read",
|
|
DisplayName: "Reader",
|
|
Description: "List all teams.",
|
|
Group: "Teams",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
|
|
},
|
|
},
|
|
Grants: []string{},
|
|
}
|
|
|
|
teamsWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:teams:writer",
|
|
DisplayName: "Writer",
|
|
Description: "Create, read, write, or delete a team as well as controlling team memberships.",
|
|
Group: "Teams",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionTeamsCreate},
|
|
{Action: ac.ActionTeamsDelete, Scope: ac.ScopeTeamsAll},
|
|
{Action: ac.ActionTeamsPermissionsRead, Scope: ac.ScopeTeamsAll},
|
|
{Action: ac.ActionTeamsPermissionsWrite, Scope: ac.ScopeTeamsAll},
|
|
{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
|
|
{Action: ac.ActionTeamsWrite, Scope: ac.ScopeTeamsAll},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
|
|
annotationsReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:annotations:reader",
|
|
DisplayName: "Reader (organization)",
|
|
Description: "Read organization annotations and annotation tags",
|
|
Group: "Annotations",
|
|
Permissions: []ac.Permission{
|
|
// Need to leave the permissions as they are, so that the seeder doesn't replace permissions when they have been removed from the basic role by the user
|
|
// Otherwise we could split this into ac.ScopeAnnotationsTypeOrganization and ac.ScopeAnnotationsTypeDashboard scopes and eventually remove the dashboard scope.
|
|
// https://github.com/grafana/identity-access-team/issues/524
|
|
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsAll},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
|
|
// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
|
|
annotationsWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:annotations:writer",
|
|
DisplayName: "Writer (organization)",
|
|
Description: "Update organization annotations.",
|
|
Group: "Annotations",
|
|
Permissions: []ac.Permission{
|
|
// Need to leave the permissions as they are, so that the seeder doesn't replace permissions when they have been removed from the basic role by the user
|
|
// Otherwise we could split this into ac.ScopeAnnotationsTypeOrganization and ac.ScopeAnnotationsTypeDashboard scopes and eventually remove the dashboard scope.
|
|
// https://github.com/grafana/identity-access-team/issues/524
|
|
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsAll},
|
|
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsAll},
|
|
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsAll},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleEditor)},
|
|
}
|
|
|
|
dashboardsCreatorRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:dashboards:creator",
|
|
DisplayName: "Creator",
|
|
Description: "Create dashboards under the root folder.",
|
|
Group: "Dashboards",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
},
|
|
},
|
|
Grants: []string{"Editor"},
|
|
}
|
|
|
|
dashboardsReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:dashboards:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read all dashboards.",
|
|
Group: "Dashboards",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
|
|
},
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
dashboardsWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:dashboards:writer",
|
|
DisplayName: "Writer",
|
|
Group: "Dashboards",
|
|
Description: "Create, read, write or delete all dashboards and their permissions.",
|
|
Permissions: ac.ConcatPermissions(dashboardsReaderRole.Role.Permissions, []ac.Permission{
|
|
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeDashboardsAll},
|
|
{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeDashboardsAll},
|
|
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeDashboardsAll},
|
|
{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeDashboardsAll},
|
|
}),
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
foldersCreatorRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:folders:creator",
|
|
DisplayName: "Creator",
|
|
Description: "Create folders under root level",
|
|
Group: "Folders",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionFoldersCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
|
|
},
|
|
},
|
|
Grants: []string{"Editor"},
|
|
// Don't grant fixed:folders:creator to Admin
|
|
Exclude: []string{"Admin"},
|
|
}
|
|
|
|
foldersReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:folders:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read all folders and dashboards.",
|
|
Group: "Folders",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
|
|
},
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
// Needed to be able to list permissions on the general folder for viewers, doesn't actually grant access to any resources
|
|
generalFolderReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:folders.general:reader",
|
|
DisplayName: "Reader (root)",
|
|
Description: "Access the general (root) folder.",
|
|
Group: "Folders",
|
|
Hidden: true,
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
|
|
foldersWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:folders:writer",
|
|
DisplayName: "Writer",
|
|
Description: "Create, read, write or delete all folders and dashboards and their permissions.",
|
|
Group: "Folders",
|
|
Permissions: ac.ConcatPermissions(
|
|
foldersReaderRole.Role.Permissions,
|
|
[]ac.Permission{
|
|
{Action: dashboards.ActionFoldersCreate, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionFoldersDelete, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
|
|
}),
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
libraryPanelsCreatorRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:library.panels:creator",
|
|
DisplayName: "Creator",
|
|
Description: "Create library panel under the root folder.",
|
|
Group: "Library panels",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
},
|
|
},
|
|
Grants: []string{"Editor"},
|
|
}
|
|
|
|
libraryPanelsReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:library.panels:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read all library panels.",
|
|
Group: "Library panels",
|
|
Permissions: []ac.Permission{
|
|
{Action: libraryelements.ActionLibraryPanelsRead, Scope: dashboards.ScopeFoldersAll},
|
|
},
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
libraryPanelsGeneralReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:library.panels:general.reader",
|
|
DisplayName: "Reader (root)",
|
|
Description: "Read all library panels under the root folder.",
|
|
Group: "Library panels",
|
|
Permissions: []ac.Permission{
|
|
{Action: libraryelements.ActionLibraryPanelsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
},
|
|
},
|
|
Grants: []string{"Viewer"},
|
|
}
|
|
|
|
libraryPanelsWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:library.panels:writer",
|
|
DisplayName: "Writer",
|
|
Group: "Library panels",
|
|
Description: "Create, read, write or delete all library panels and their permissions.",
|
|
Permissions: ac.ConcatPermissions(libraryPanelsReaderRole.Role.Permissions, []ac.Permission{
|
|
{Action: libraryelements.ActionLibraryPanelsWrite, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: libraryelements.ActionLibraryPanelsDelete, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersAll},
|
|
}),
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
libraryPanelsGeneralWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:library.panels:general.writer",
|
|
DisplayName: "Writer (root)",
|
|
Group: "Library panels",
|
|
Description: "Create, read, write or delete all library panels and their permissions under the root folder.",
|
|
Permissions: ac.ConcatPermissions(libraryPanelsGeneralReaderRole.Role.Permissions, []ac.Permission{
|
|
{Action: libraryelements.ActionLibraryPanelsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
{Action: libraryelements.ActionLibraryPanelsDelete, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
|
}),
|
|
},
|
|
Grants: []string{"Editor"},
|
|
}
|
|
|
|
publicDashboardsWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:dashboards.public:writer",
|
|
DisplayName: "Writer (public)",
|
|
Description: "Create, write or disable a public dashboard.",
|
|
Group: "Dashboards",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionDashboardsPublicWrite, Scope: dashboards.ScopeDashboardsAll},
|
|
},
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
featuremgmtReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:featuremgmt:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read feature toggles",
|
|
Group: "Feature Management",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionFeatureManagementRead},
|
|
},
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
featuremgmtWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:featuremgmt:writer",
|
|
DisplayName: "Writer",
|
|
Description: "Write feature toggles",
|
|
Group: "Feature Management",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionFeatureManagementWrite},
|
|
},
|
|
},
|
|
Grants: []string{"Admin"},
|
|
}
|
|
|
|
snapshotsCreatorRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:snapshots:creator",
|
|
DisplayName: "Creator",
|
|
Description: "Create snapshots",
|
|
Group: "Snapshots",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionSnapshotsCreate},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleEditor)},
|
|
}
|
|
|
|
snapshotsDeleterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:snapshots:deleter",
|
|
DisplayName: "Deleter",
|
|
Description: "Delete snapshots",
|
|
Group: "Snapshots",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionSnapshotsDelete},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleEditor)},
|
|
}
|
|
|
|
snapshotsReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:snapshots:reader",
|
|
DisplayName: "Reader",
|
|
Description: "Read snapshots",
|
|
Group: "Snapshots",
|
|
Permissions: []ac.Permission{
|
|
{Action: dashboards.ActionSnapshotsRead},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
|
|
allAnnotationsReaderRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:annotations.all:reader",
|
|
DisplayName: "Reader (all)",
|
|
Description: "Read all annotations and tags",
|
|
Group: "Annotations",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsTypeOrganization},
|
|
{Action: ac.ActionAnnotationsRead, Scope: dashboards.ScopeFoldersAll},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
allAnnotationsWriterRole := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: "fixed:annotations.all:writer",
|
|
DisplayName: "Writer (all)",
|
|
Description: "Update all annotations.",
|
|
Group: "Annotations",
|
|
Permissions: []ac.Permission{
|
|
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeOrganization},
|
|
{Action: ac.ActionAnnotationsCreate, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeOrganization},
|
|
{Action: ac.ActionAnnotationsDelete, Scope: dashboards.ScopeFoldersAll},
|
|
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeOrganization},
|
|
{Action: ac.ActionAnnotationsWrite, Scope: dashboards.ScopeFoldersAll},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
roles := []ac.RoleRegistration{provisioningWriterRole, datasourcesReaderRole, builtInDatasourceReader, datasourcesWriterRole,
|
|
datasourcesIdReaderRole, datasourcesCreatorRole, orgReaderRole, orgWriterRole,
|
|
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, teamsReaderRole, datasourcesExplorerRole,
|
|
annotationsReaderRole, annotationsWriterRole,
|
|
dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
|
|
foldersCreatorRole, foldersReaderRole, generalFolderReaderRole, foldersWriterRole,
|
|
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole, libraryPanelsCreatorRole,
|
|
libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole,
|
|
snapshotsCreatorRole, snapshotsDeleterRole, snapshotsReaderRole, allAnnotationsReaderRole, allAnnotationsWriterRole}
|
|
|
|
return hs.accesscontrolService.DeclareFixedRoles(roles...)
|
|
}
|
|
|
|
// Metadata helpers
|
|
// getAccessControlMetadata returns the accesscontrol metadata associated with a given resource
|
|
func getAccessControlMetadata(c *contextmodel.ReqContext,
|
|
prefix string, resourceID string) ac.Metadata {
|
|
ids := map[string]bool{resourceID: true}
|
|
return getMultiAccessControlMetadata(c, prefix, ids)[resourceID]
|
|
}
|
|
|
|
// getMultiAccessControlMetadata returns the accesscontrol metadata associated with a given set of resources
|
|
// Context must contain permissions in the given org (see LoadPermissionsMiddleware or AuthorizeInOrgMiddleware)
|
|
func getMultiAccessControlMetadata(c *contextmodel.ReqContext,
|
|
prefix string, resourceIDs map[string]bool) map[string]ac.Metadata {
|
|
if !c.QueryBool("accesscontrol") {
|
|
return map[string]ac.Metadata{}
|
|
}
|
|
|
|
if len(c.GetPermissions()) == 0 {
|
|
return map[string]ac.Metadata{}
|
|
}
|
|
|
|
return ac.GetResourcesMetadata(c.Req.Context(), c.GetPermissions(), prefix, resourceIDs)
|
|
}
|