2021-11-11 09:10:24 -06:00
|
|
|
package manager
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
2022-08-10 04:56:48 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2021-11-11 09:10:24 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
|
|
|
|
)
|
|
|
|
|
|
2022-08-26 02:59:34 -05:00
|
|
|
func RegisterRoles(service accesscontrol.Service) error {
|
2022-04-14 08:09:55 -05:00
|
|
|
saReader := accesscontrol.RoleRegistration{
|
|
|
|
|
Role: accesscontrol.RoleDTO{
|
|
|
|
|
Name: "fixed:serviceaccounts:reader",
|
|
|
|
|
DisplayName: "Service accounts reader",
|
|
|
|
|
Description: "Read service accounts and service account tokens.",
|
|
|
|
|
Group: "Service accounts",
|
|
|
|
|
Permissions: []accesscontrol.Permission{
|
|
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionRead,
|
|
|
|
|
Scope: serviceaccounts.ScopeAll,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-08-10 04:56:48 -05:00
|
|
|
Grants: []string{string(org.RoleAdmin)},
|
2022-04-14 08:09:55 -05:00
|
|
|
}
|
|
|
|
|
|
2022-07-08 04:53:18 -05:00
|
|
|
saCreator := accesscontrol.RoleRegistration{
|
|
|
|
|
Role: accesscontrol.RoleDTO{
|
|
|
|
|
Name: "fixed:serviceaccounts:creator",
|
|
|
|
|
DisplayName: "Service accounts creator",
|
|
|
|
|
Description: "Create service accounts.",
|
|
|
|
|
Group: "Service accounts",
|
|
|
|
|
Permissions: []accesscontrol.Permission{
|
|
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionCreate,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-08-10 04:56:48 -05:00
|
|
|
Grants: []string{string(org.RoleAdmin)},
|
2022-07-08 04:53:18 -05:00
|
|
|
}
|
|
|
|
|
|
2022-04-14 08:09:55 -05:00
|
|
|
saWriter := accesscontrol.RoleRegistration{
|
2021-11-11 09:10:24 -06:00
|
|
|
Role: accesscontrol.RoleDTO{
|
|
|
|
|
Name: "fixed:serviceaccounts:writer",
|
2021-11-19 05:39:50 -06:00
|
|
|
DisplayName: "Service accounts writer",
|
2022-07-08 04:53:18 -05:00
|
|
|
Description: "Create, delete and read service accounts, manage service account permissions.",
|
2021-11-18 03:16:18 -06:00
|
|
|
Group: "Service accounts",
|
2022-04-20 02:45:45 -05:00
|
|
|
Permissions: accesscontrol.ConcatPermissions(saReader.Role.Permissions, []accesscontrol.Permission{
|
2022-02-08 05:35:15 -06:00
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionWrite,
|
|
|
|
|
Scope: serviceaccounts.ScopeAll,
|
|
|
|
|
},
|
2021-11-19 05:39:50 -06:00
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionCreate,
|
|
|
|
|
},
|
2021-11-11 09:10:24 -06:00
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionDelete,
|
|
|
|
|
Scope: serviceaccounts.ScopeAll,
|
|
|
|
|
},
|
2022-07-08 04:53:18 -05:00
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionPermissionsRead,
|
|
|
|
|
Scope: serviceaccounts.ScopeAll,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: serviceaccounts.ActionPermissionsWrite,
|
|
|
|
|
Scope: serviceaccounts.ScopeAll,
|
|
|
|
|
},
|
2022-04-20 02:45:45 -05:00
|
|
|
}),
|
2021-11-11 09:10:24 -06:00
|
|
|
},
|
2022-08-10 04:56:48 -05:00
|
|
|
Grants: []string{string(org.RoleAdmin)},
|
2021-11-11 09:10:24 -06:00
|
|
|
}
|
2022-01-04 08:37:40 -06:00
|
|
|
|
2022-08-26 02:59:34 -05:00
|
|
|
if err := service.DeclareFixedRoles(saReader, saCreator, saWriter); err != nil {
|
2022-01-04 08:37:40 -06:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
