
package plugins
import (
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/setting"
)
const (
	// Plugins actions.
	//
	// ActionInstall is the action checked for installing/uninstalling plugins;
	// below it is the only permission of the plugins:maintainer role and is
	// declared without a scope.
	ActionInstall = "plugins:install"
	// ActionWrite covers enabling/disabling plugins and editing their settings
	// (the plugins:writer role, scoped to all plugins).
	ActionWrite = "plugins:write"
	// App Plugins actions.
	//
	// ActionAppAccess gates access to application plugins (the
	// plugins.app:reader role, scoped to all plugins). The organization role
	// is still enforced on top of it.
	ActionAppAccess = "plugins.app:access"
)
var (
	// ScopeProvider builds the access-control scopes for the "plugins"
	// resource; its all-resources scope is used when declaring the fixed roles.
	ScopeProvider = ac.NewScopeProvider("plugins")
	// AdminAccessEvaluator protects access to the Configuration > Plugins page.
	// It is satisfied by holding either ActionWrite or ActionInstall; the
	// legacy, role-based equivalent of this check is ReqCanAdminPlugins.
	AdminAccessEvaluator = ac.EvalAny(ac.EvalPermission(ActionWrite), ac.EvalPermission(ActionInstall))
)
// ReqCanAdminPlugins returns the legacy, role-based access check for the
// Configuration > Plugins page (the RBAC equivalent is AdminAccessEvaluator).
//
// The returned function reports whether the request's user may administer
// plugins: an organization admin always may; a Grafana server admin may only
// while cfg.PluginAdminEnabled is set. The original expression relied on &&
// binding tighter than ||, which is spelled out here as two steps.
func ReqCanAdminPlugins(cfg *setting.Cfg) func(rc *models.ReqContext) bool {
	return func(rc *models.ReqContext) bool {
		if rc.OrgRole == org.RoleAdmin {
			return true
		}
		// Server admins are only let through when plugin administration is
		// enabled for this instance.
		return cfg.PluginAdminEnabled && rc.IsGrafanaAdmin
	}
}
// DeclareRBACRoles registers the plugins module's fixed RBAC roles with the
// access-control service and returns the result of DeclareFixedRoles.
//
// Three roles are declared:
//
//   - ac.FixedRolePrefix + "plugins.app:reader": ActionAppAccess on all
//     plugin scopes, granted to the Viewer organization role.
//   - ac.FixedRolePrefix + "plugins:writer": ActionWrite on all plugin
//     scopes, granted to the Admin organization role.
//   - ac.FixedRolePrefix + "plugins:maintainer": ActionInstall, declared
//     without a scope, granted to the Grafana server admin. When plugin
//     administration is disabled or plugins are managed externally the role
//     is still declared but with an empty grant list, so nobody receives it
//     automatically.
func DeclareRBACRoles(service ac.Service, cfg *setting.Cfg) error {
	allPlugins := ScopeProvider.GetResourceAllScope()

	appReader := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        ac.FixedRolePrefix + "plugins.app:reader",
			DisplayName: "Application Plugins Access",
			Description: "Access application plugins (still enforcing the organization role)",
			Group:       "Plugins",
			Permissions: []ac.Permission{
				{Action: ActionAppAccess, Scope: allPlugins},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}

	writer := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        ac.FixedRolePrefix + "plugins:writer",
			DisplayName: "Plugin Writer",
			Description: "Enable and disable plugins and edit plugins' settings",
			Group:       "Plugins",
			Permissions: []ac.Permission{
				{Action: ActionWrite, Scope: allPlugins},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Installing plugins is only delegated to the server admin when the
	// instance administers its own plugins; otherwise the role is granted to
	// nobody (an empty list rather than nil, matching the previous behaviour).
	maintainerGrants := []string{ac.RoleGrafanaAdmin}
	if !cfg.PluginAdminEnabled || cfg.PluginAdminExternalManageEnabled {
		maintainerGrants = []string{}
	}

	maintainer := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        ac.FixedRolePrefix + "plugins:maintainer",
			DisplayName: "Plugin Maintainer",
			Description: "Install, uninstall plugins",
			Group:       "Plugins",
			Permissions: []ac.Permission{
				// Deliberately unscoped: installation is an instance-wide action.
				{Action: ActionInstall},
			},
		},
		Grants: maintainerGrants,
	}

	return service.DeclareFixedRoles(appReader, writer, maintainer)
}