package accesscontrol
import (
"fmt"
"strings"
"sync"
"github.com/grafana/grafana/pkg/services/org"
)
// Fixed role definitions for the OSS access-control service.
//
// Writer roles are built on top of their reader counterparts through
// ConcatPermissions, so a writer always carries every permission of the
// matching reader plus its own write actions. Readers are declared before
// the writers that depend on them.
var (
	// ldapReaderRole can read LDAP configuration and status.
	ldapReaderRole = RoleDTO{
		Name:        "fixed:ldap:reader",
		DisplayName: "LDAP reader",
		Description: "Read LDAP configuration and status.",
		Group:       "LDAP",
		Permissions: []Permission{
			{Action: ActionLDAPUsersRead},
			{Action: ActionLDAPStatusRead},
		},
	}

	// ldapWriterRole extends ldapReaderRole with user sync and config reload.
	ldapWriterRole = RoleDTO{
		Name:        "fixed:ldap:writer",
		DisplayName: "LDAP writer",
		Description: "Read and update LDAP configuration and read LDAP status.",
		Group:       "LDAP",
		Permissions: ConcatPermissions(ldapReaderRole.Permissions, []Permission{
			{Action: ActionLDAPUsersSync},
			{Action: ActionLDAPConfigReload},
		}),
	}

	// orgUsersReaderRole can list the users of a single organization and
	// read their permissions; all of its permissions are bound to ScopeUsersAll.
	orgUsersReaderRole = RoleDTO{
		Name:        "fixed:org.users:reader",
		DisplayName: "Organization user reader",
		Description: "Read users within a single organization.",
		Group:       "User administration (organizational)",
		Permissions: []Permission{
			{Action: ActionOrgUsersRead, Scope: ScopeUsersAll},
			{Action: ActionUsersPermissionsRead, Scope: ScopeUsersAll},
		},
	}

	// orgUsersWriterRole extends orgUsersReaderRole with adding, writing and
	// removing organization users, each bound to ScopeUsersAll.
	orgUsersWriterRole = RoleDTO{
		Name:        "fixed:org.users:writer",
		DisplayName: "Organization user writer",
		Description: "Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.",
		Group:       "User administration (organizational)",
		Permissions: ConcatPermissions(orgUsersReaderRole.Permissions, []Permission{
			{Action: ActionOrgUsersAdd, Scope: ScopeUsersAll},
			{Action: ActionOrgUsersWrite, Scope: ScopeUsersAll},
			{Action: ActionOrgUsersRemove, Scope: ScopeUsersAll},
		}),
	}

	// SettingsReaderRole can read instance settings. Unlike the other fixed
	// roles in this block it is exported.
	SettingsReaderRole = RoleDTO{
		Name:        "fixed:settings:reader",
		DisplayName: "Setting reader",
		Description: "Read Grafana instance settings.",
		Group:       "Settings",
		Permissions: []Permission{
			{Action: ActionSettingsRead, Scope: ScopeSettingsAll},
		},
	}

	// statsReaderRole can read server statistics.
	statsReaderRole = RoleDTO{
		Name:        "fixed:stats:reader",
		DisplayName: "Statistics reader",
		Description: "Read Grafana instance statistics.",
		Group:       "Statistics",
		Permissions: []Permission{
			{Action: ActionServerStatsRead},
		},
	}

	// usersReaderRole can read every user in the instance, including their
	// auth tokens and quotas; all permissions use ScopeGlobalUsersAll.
	usersReaderRole = RoleDTO{
		Name:        "fixed:users:reader",
		DisplayName: "User reader",
		Description: "Read all users and their information, such as team memberships, authentication tokens, and quotas.",
		Group:       "User administration (global)",
		Permissions: []Permission{
			{Action: ActionUsersRead, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersAuthTokenList, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersQuotasList, Scope: ScopeGlobalUsersAll},
		},
	}

	// usersWriterRole extends usersReaderRole with every instance-wide user
	// mutation. ActionUsersCreate carries no scope; the rest are bound to
	// ScopeGlobalUsersAll.
	usersWriterRole = RoleDTO{
		Name:        "fixed:users:writer",
		DisplayName: "User writer",
		Description: "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’ s authentication token, or update quotas for all users.",
		Group:       "User administration (global)",
		Permissions: ConcatPermissions(usersReaderRole.Permissions, []Permission{
			{Action: ActionUsersPasswordUpdate, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersCreate},
			{Action: ActionUsersWrite, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersDelete, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersEnable, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersDisable, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersPermissionsUpdate, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersLogout, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersAuthTokenUpdate, Scope: ScopeGlobalUsersAll},
			{Action: ActionUsersQuotasUpdate, Scope: ScopeGlobalUsersAll},
		}),
	}
)
// DeclareFixedRoles declares the OSS fixed roles to the access-control
// service together with the basic roles they are granted to by default.
//
// Every fixed role is granted to the Grafana server admin (RoleGrafanaAdmin).
// The two organization-scoped user roles are additionally granted to
// organization admins (org.RoleAdmin), so an org admin can manage the users
// of its own organization without holding the instance-wide users roles.
// The error of service.DeclareFixedRoles is returned unchanged.
func DeclareFixedRoles(service Service) error {
	registrations := []RoleRegistration{
		{
			Role:   ldapReaderRole,
			Grants: []string{RoleGrafanaAdmin},
		},
		{
			Role:   ldapWriterRole,
			Grants: []string{RoleGrafanaAdmin},
		},
		{
			Role:   orgUsersReaderRole,
			Grants: []string{RoleGrafanaAdmin, string(org.RoleAdmin)},
		},
		{
			Role:   orgUsersWriterRole,
			Grants: []string{RoleGrafanaAdmin, string(org.RoleAdmin)},
		},
		{
			Role:   SettingsReaderRole,
			Grants: []string{RoleGrafanaAdmin},
		},
		{
			Role:   statsReaderRole,
			Grants: []string{RoleGrafanaAdmin},
		},
		{
			Role:   usersReaderRole,
			Grants: []string{RoleGrafanaAdmin},
		},
		{
			Role:   usersWriterRole,
			Grants: []string{RoleGrafanaAdmin},
		},
	}
	return service.DeclareFixedRoles(registrations...)
}
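// ConcatPermissions returns a fresh slice holding the elements of every input
// slice, in argument order. The result never shares a backing array with any
// input, so callers may append to it without mutating the role it was built
// from.
//
// A call with no arguments returns nil; a call whose arguments are all nil or
// empty returns a non-nil, zero-length slice.
func ConcatPermissions(permissions ...[]Permission) []Permission {
	if permissions == nil {
		return nil
	}
	// Size the result once instead of growing it on every append. The
	// previous version also built a zero-length copy of each input that was
	// never read; that dead allocation is gone.
	total := 0
	for _, p := range permissions {
		total += len(p)
	}
	perms := make([]Permission, 0, total)
	for _, p := range permissions {
		perms = append(perms, p...)
	}
	return perms
}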
// ValidateFixedRole errors when a fixed role does not match the expected
// pattern: role.Name must start with FixedRolePrefix. It returns
// ErrFixedRolePrefixMissing otherwise and nil on success.
func ValidateFixedRole(role RoleDTO) error {
	if strings.HasPrefix(role.Name, FixedRolePrefix) {
		return nil
	}
	return ErrFixedRolePrefixMissing
}
// ValidateBuiltInRoles errors when a built-in role does not match the
// expected pattern. Each entry must be either a valid org.RoleType or the
// Grafana server admin role (RoleGrafanaAdmin); the first offending entry is
// reported, wrapping ErrInvalidBuiltinRole so callers can match it with
// errors.Is. An empty or nil list is valid.
func ValidateBuiltInRoles(builtInRoles []string) error {
	for _, name := range builtInRoles {
		if org.RoleType(name).IsValid() || name == RoleGrafanaAdmin {
			continue
		}
		return fmt.Errorf("'%s' %w", name, ErrInvalidBuiltinRole)
	}
	return nil
}
// RegistrationList is a concurrency-safe, append-only list of role
// registrations. Its zero value is ready to use.
type RegistrationList struct {
	// mx guards registrations: Append takes the write lock, Range the read lock.
	mx sync.RWMutex
	registrations []RoleRegistration
}
// Append adds regs to the end of the list, in the order given, while holding
// the write lock. Calling it with no arguments is a no-op.
func (m *RegistrationList) Append(regs ...RoleRegistration) {
	m.mx.Lock()
	m.registrations = append(m.registrations, regs...)
	m.mx.Unlock()
}
// Range calls f for each registration in insertion order and stops early as
// soon as f returns false. The read lock is held for the whole iteration, so
// f must not call Append on the same list: that would try to take the write
// lock while the read lock is held and deadlock.
func (m *RegistrationList) Range(f func(registration RoleRegistration) bool) {
	m.mx.RLock()
	defer m.mx.RUnlock()
	for i := range m.registrations {
		if !f(m.registrations[i]) {
			return
		}
	}
}
// BuildBasicRoleDefinitions returns the definitions of the basic roles
// (Admin, Editor, Viewer and Grafana Admin) keyed by the role name used for
// grants. Every basic role is created at version 1 in the global org, with an
// empty (non-nil) permission list, grouped under "Basic", and hidden.
// The map is built fresh on every call; the caller may mutate it freely.
func BuildBasicRoleDefinitions() map[string]*RoleDTO {
	// basicRole fills in the fields shared by all basic roles; suffix is
	// appended to both the name and the UID prefix.
	basicRole := func(suffix, displayName, description string) *RoleDTO {
		return &RoleDTO{
			Name:        BasicRolePrefix + suffix,
			UID:         BasicRoleUIDPrefix + suffix,
			OrgID:       GlobalOrgID,
			Version:     1,
			DisplayName: displayName,
			Description: description,
			Group:       "Basic",
			Permissions: []Permission{},
			Hidden:      true,
		}
	}

	return map[string]*RoleDTO{
		string(org.RoleAdmin):  basicRole("admin", string(org.RoleAdmin), "Admin role"),
		string(org.RoleEditor): basicRole("editor", string(org.RoleEditor), "Editor role"),
		string(org.RoleViewer): basicRole("viewer", string(org.RoleViewer), "Viewer role"),
		RoleGrafanaAdmin:       basicRole("grafana_admin", RoleGrafanaAdmin, "Grafana Admin role"),
	}
}