package api
import (
"context"
"fmt"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/libraryelements"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
"github.com/grafana/grafana/pkg/tsdb/grafanads"
)
// API related actions.

// ActionProvisioningReload is the access-control action checked by the
// provisioning reload endpoints; it is paired with one of the
// ScopeProvisioners* scopes declared below.
const ActionProvisioningReload = "provisioning:reload"
// API related scopes.
//
// Each scope narrows ActionProvisioningReload to one provisioning subsystem;
// ScopeProvisionersAll is the wildcard that covers all of them.
var (
	// ScopeProvisionersAll matches every provisioner.
	ScopeProvisionersAll = ac.Scope("provisioners", "*")
	// ScopeProvisionersDashboards matches the dashboards provisioner.
	ScopeProvisionersDashboards = ac.Scope("provisioners", "dashboards")
	// ScopeProvisionersPlugins matches the plugins provisioner.
	ScopeProvisionersPlugins = ac.Scope("provisioners", "plugins")
	// ScopeProvisionersDatasources matches the data sources provisioner.
	ScopeProvisionersDatasources = ac.Scope("provisioners", "datasources")
	// ScopeProvisionersNotifications matches the notifications provisioner.
	ScopeProvisionersNotifications = ac.Scope("provisioners", "notifications")
	// ScopeProvisionersAlertRules matches the alerting provisioner.
	ScopeProvisionersAlertRules = ac.Scope("provisioners", "alerting")
)
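// declareFixedRoles declares to the AccessControl service fixed roles and their
// grants to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
// that HTTPServer needs.
//
// Plugin roles are declared first via pluginaccesscontrol; the remaining fixed
// roles are assembled below, grouped by the resource they cover, and registered
// in a single DeclareFixedRoles call. Several grants depend on runtime state:
//   - Cfg.ViewersCanEdit additionally grants the data source explorer role to Viewers.
//   - Without the "dspermissions.enforcement" license feature the data source
//     reader role is granted to Viewers instead of Admins.
//   - Cfg.EditorsCanAdmin additionally grants the team creator role to Editors.
//   - FlagAnnotationPermissionUpdate relabels the annotation reader/writer roles
//     as organization-scoped and registers two extra "all annotations" roles.
//
// Returns the error from plugin role declaration or from DeclareFixedRoles.
func (hs *HTTPServer) declareFixedRoles() error {
	// Declare plugins roles
	if err := pluginaccesscontrol.DeclareRBACRoles(hs.accesscontrolService, hs.Cfg, hs.Features); err != nil {
		return err
	}

	// Evaluated once: the flag drives both the relabelling of the annotation
	// roles and the registration of the "all annotations" roles further down.
	annotationPermissionUpdate := hs.Features.IsEnabled(context.Background(), featuremgmt.FlagAnnotationPermissionUpdate)

	// Scopes shared by several roles below.
	generalFolderScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)
	builtInDatasourceScope := fmt.Sprintf("%s%s", datasources.ScopePrefix, grafanads.DatasourceUID)

	// Provisioning.
	provisioningWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:provisioning:writer",
			DisplayName: "Writer",
			Description: "Reload provisioning.",
			Group:       "Provisioning",
			Permissions: []ac.Permission{
				{Action: ActionProvisioningReload, Scope: ScopeProvisionersAll},
			},
		},
		Grants: []string{ac.RoleGrafanaAdmin},
	}

	// Data sources.
	datasourcesExplorerRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:datasources:explorer",
			DisplayName: "Explorer",
			Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
			Group:       "Data sources",
			Permissions: []ac.Permission{
				{Action: ac.ActionDatasourcesExplore},
			},
		},
		Grants: []string{string(org.RoleEditor)},
	}
	if hs.Cfg.ViewersCanEdit {
		datasourcesExplorerRole.Grants = append(datasourcesExplorerRole.Grants, string(org.RoleViewer))
	}

	datasourcesReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:datasources:reader",
			DisplayName: "Reader",
			Description: "Read and query all data sources.",
			Group:       "Data sources",
			Permissions: []ac.Permission{
				{Action: datasources.ActionRead, Scope: datasources.ScopeAll},
				{Action: datasources.ActionQuery, Scope: datasources.ScopeAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}
	// when running oss or enterprise without a license all users should be able to query data sources
	if !hs.License.FeatureEnabled("dspermissions.enforcement") {
		datasourcesReaderRole.Grants = []string{string(org.RoleViewer)}
	}

	builtInDatasourceReader := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:datasources.builtin:reader",
			DisplayName: "Built in reader",
			Description: "Read and query Grafana's built in test data sources.",
			Group:       "Data sources",
			Permissions: []ac.Permission{
				{Action: datasources.ActionRead, Scope: builtInDatasourceScope},
				{Action: datasources.ActionQuery, Scope: builtInDatasourceScope},
			},
			Hidden: true,
		},
		Grants: []string{string(org.RoleViewer)},
	}

	datasourcesCreatorRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:datasources:creator",
			DisplayName: "Creator",
			Description: "Create data sources.",
			Group:       "Data sources",
			Permissions: []ac.Permission{
				{Action: datasources.ActionCreate},
			},
		},
		// Not granted to any basic role by default.
		Grants: []string{},
	}

	datasourcesWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:datasources:writer",
			DisplayName: "Writer",
			Description: "Create, update, delete, read, or query data sources.",
			Group:       "Data sources",
			// Writer is a superset of the reader permissions.
			Permissions: ac.ConcatPermissions(datasourcesReaderRole.Role.Permissions, []ac.Permission{
				{Action: datasources.ActionWrite, Scope: datasources.ScopeAll},
				{Action: datasources.ActionCreate},
				{Action: datasources.ActionDelete, Scope: datasources.ScopeAll},
			}),
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	datasourcesIDReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:datasources.id:reader",
			DisplayName: "Data source ID reader",
			Description: "Read the ID of a data source based on its name.",
			Group:       "Infrequently used",
			Permissions: []ac.Permission{
				{Action: datasources.ActionIDRead, Scope: datasources.ScopeAll},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}

	// API keys.
	apikeyReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:apikeys:reader",
			DisplayName: "Reader",
			Description: "Gives access to read api keys.",
			Group:       "API Keys",
			Permissions: []ac.Permission{
				{Action: ac.ActionAPIKeyRead, Scope: ac.ScopeAPIKeysAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	apikeyWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:apikeys:writer",
			DisplayName: "Writer",
			Description: "Gives access to add and delete api keys.",
			Group:       "API Keys",
			Permissions: ac.ConcatPermissions(apikeyReaderRole.Role.Permissions, []ac.Permission{
				{Action: ac.ActionAPIKeyCreate},
				{Action: ac.ActionAPIKeyDelete, Scope: ac.ScopeAPIKeysAll},
			}),
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Organizations.
	orgReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:organization:reader",
			DisplayName: "Reader",
			Description: "Read an organization, such as its ID, name, address, or quotas.",
			Group:       "Organizations",
			Permissions: []ac.Permission{
				{Action: ac.ActionOrgsRead},
				{Action: ac.ActionOrgsQuotasRead},
			},
		},
		Grants: []string{string(org.RoleViewer), ac.RoleGrafanaAdmin},
	}

	orgWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:organization:writer",
			DisplayName: "Writer",
			Description: "Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.",
			Group:       "Organizations",
			Permissions: ac.ConcatPermissions(orgReaderRole.Role.Permissions, []ac.Permission{
				{Action: ac.ActionOrgsPreferencesRead},
				{Action: ac.ActionOrgsWrite},
				{Action: ac.ActionOrgsPreferencesWrite},
			}),
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	orgMaintainerRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:organization:maintainer",
			DisplayName: "Maintainer",
			Description: "Create, read, write, or delete an organization. Read or write an organization's quotas. Needs to be assigned globally.",
			Group:       "Organizations",
			Permissions: ac.ConcatPermissions(orgReaderRole.Role.Permissions, []ac.Permission{
				{Action: ac.ActionOrgsCreate},
				{Action: ac.ActionOrgsWrite},
				{Action: ac.ActionOrgsDelete},
				{Action: ac.ActionOrgsQuotasWrite},
			}),
		},
		Grants: []string{ac.RoleGrafanaAdmin},
	}

	// Teams.
	teamCreatorGrants := []string{string(org.RoleAdmin)}
	if hs.Cfg.EditorsCanAdmin {
		teamCreatorGrants = append(teamCreatorGrants, string(org.RoleEditor))
	}
	teamsCreatorRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:teams:creator",
			DisplayName: "Creator",
			Description: "Create teams and read organisation users (required to manage the created teams).",
			Group:       "Teams",
			Permissions: []ac.Permission{
				{Action: ac.ActionTeamsCreate},
				{Action: ac.ActionOrgUsersRead, Scope: ac.ScopeUsersAll},
			},
		},
		Grants: teamCreatorGrants,
	}

	teamsReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:teams:read",
			DisplayName: "Reader",
			Description: "List all teams.",
			Group:       "Teams",
			Permissions: []ac.Permission{
				{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
			},
		},
		// Not granted to any basic role by default.
		Grants: []string{},
	}

	teamsWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:teams:writer",
			DisplayName: "Writer",
			Description: "Create, read, write, or delete a team as well as controlling team memberships.",
			Group:       "Teams",
			Permissions: []ac.Permission{
				{Action: ac.ActionTeamsCreate},
				{Action: ac.ActionTeamsDelete, Scope: ac.ScopeTeamsAll},
				{Action: ac.ActionTeamsPermissionsRead, Scope: ac.ScopeTeamsAll},
				{Action: ac.ActionTeamsPermissionsWrite, Scope: ac.ScopeTeamsAll},
				{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
				{Action: ac.ActionTeamsWrite, Scope: ac.ScopeTeamsAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Annotations.
	annotationsReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:annotations:reader",
			DisplayName: "Reader",
			Description: "Read annotations and tags",
			Group:       "Annotations",
			Permissions: []ac.Permission{
				{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsAll},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}

	// TODO this role can be removed once we have rolled out FlagAnnotationPermissionUpdate to all users
	// keeping it in for now for backwards compatibility
	dashboardAnnotationsWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:annotations.dashboard:writer",
			DisplayName: "Dashboard annotation writer",
			Description: "Update annotations associated with dashboards.",
			Group:       "Annotations",
			Permissions: []ac.Permission{
				{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeDashboard},
				{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeDashboard},
				{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeDashboard},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}

	annotationsWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:annotations:writer",
			DisplayName: "Writer",
			Description: "Update all annotations.",
			Group:       "Annotations",
			Permissions: []ac.Permission{
				{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsAll},
				{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsAll},
				{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsAll},
			},
		},
		Grants: []string{string(org.RoleEditor)},
	}

	if annotationPermissionUpdate {
		// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
		// Need to leave the permissions as they are, so that the seeder doesn't replace permissions when they have been removed from the basic role by the user
		// Otherwise we could split this into ac.ScopeAnnotationsTypeOrganization and ac.ScopeAnnotationsTypeDashboard scopes and eventually remove the dashboard scope.
		// https://github.com/grafana/identity-access-team/issues/524
		//
		// Only the user-facing wording changes here: name, group, permissions and
		// grants of both roles are deliberately left exactly as declared above.
		annotationsReaderRole.Role.DisplayName = "Organization annotation reader"
		annotationsReaderRole.Role.Description = "Read organization annotations and annotation tags"
		annotationsWriterRole.Role.DisplayName = "Organization annotation writer"
		annotationsWriterRole.Role.Description = "Update organization annotations."
	}

	// Dashboards.
	dashboardsCreatorRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:dashboards:creator",
			DisplayName: "Creator",
			Description: "Create dashboard in general folder.",
			Group:       "Dashboards",
			Permissions: []ac.Permission{
				{Action: dashboards.ActionFoldersRead, Scope: generalFolderScope},
				{Action: dashboards.ActionDashboardsCreate, Scope: generalFolderScope},
			},
		},
		Grants: []string{string(org.RoleEditor)},
	}

	dashboardsReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:dashboards:reader",
			DisplayName: "Reader",
			Description: "Read all dashboards.",
			Group:       "Dashboards",
			Permissions: []ac.Permission{
				{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	dashboardsWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:dashboards:writer",
			DisplayName: "Writer",
			Group:       "Dashboards",
			Description: "Create, read, write or delete all dashboards and their permissions.",
			Permissions: ac.ConcatPermissions(dashboardsReaderRole.Role.Permissions, []ac.Permission{
				{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeDashboardsAll},
				{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeDashboardsAll},
				{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
				{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeDashboardsAll},
				{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeDashboardsAll},
			}),
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Folders.
	foldersCreatorRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:folders:creator",
			DisplayName: "Creator",
			Description: "Create folders.",
			Group:       "Folders",
			Permissions: []ac.Permission{
				{Action: dashboards.ActionFoldersCreate},
			},
		},
		Grants: []string{string(org.RoleEditor)},
	}

	foldersReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:folders:reader",
			DisplayName: "Reader",
			Description: "Read all folders and dashboards.",
			Group:       "Folders",
			Permissions: []ac.Permission{
				{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
				{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Needed to be able to list permissions on the general folder for viewers, doesn't actually grant access to any resources
	generalFolderReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:folders.general:reader",
			DisplayName: "General folder reader",
			Description: "Access the general (root) folder.",
			Group:       "Folders",
			Hidden:      true,
			Permissions: []ac.Permission{
				{Action: dashboards.ActionFoldersRead, Scope: generalFolderScope},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}

	foldersWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:folders:writer",
			DisplayName: "Writer",
			Description: "Create, read, write or delete all folders and dashboards and their permissions.",
			Group:       "Folders",
			Permissions: ac.ConcatPermissions(
				foldersReaderRole.Role.Permissions,
				[]ac.Permission{
					{Action: dashboards.ActionFoldersCreate},
					{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
					{Action: dashboards.ActionFoldersDelete, Scope: dashboards.ScopeFoldersAll},
					{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
					{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
					{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
					{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
					{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
				}),
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Library panels.
	libraryPanelsCreatorRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:library.panels:creator",
			DisplayName: "Creator",
			Description: "Create library panel in general folder.",
			Group:       "Library panels",
			Permissions: []ac.Permission{
				{Action: dashboards.ActionFoldersRead, Scope: generalFolderScope},
				{Action: libraryelements.ActionLibraryPanelsCreate, Scope: generalFolderScope},
			},
		},
		Grants: []string{string(org.RoleEditor)},
	}

	libraryPanelsReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:library.panels:reader",
			DisplayName: "Reader",
			Description: "Read all library panels.",
			Group:       "Library panels",
			Permissions: []ac.Permission{
				{Action: libraryelements.ActionLibraryPanelsRead, Scope: dashboards.ScopeFoldersAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	libraryPanelsGeneralReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:library.panels:general.reader",
			DisplayName: "General reader",
			Description: "Read all library panels in general folder.",
			Group:       "Library panels",
			Permissions: []ac.Permission{
				{Action: libraryelements.ActionLibraryPanelsRead, Scope: generalFolderScope},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}

	libraryPanelsWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:library.panels:writer",
			DisplayName: "Writer",
			Group:       "Library panels",
			Description: "Create, read, write or delete all library panels and their permissions.",
			Permissions: ac.ConcatPermissions(libraryPanelsReaderRole.Role.Permissions, []ac.Permission{
				{Action: libraryelements.ActionLibraryPanelsWrite, Scope: dashboards.ScopeFoldersAll},
				{Action: libraryelements.ActionLibraryPanelsDelete, Scope: dashboards.ScopeFoldersAll},
				{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersAll},
			}),
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	libraryPanelsGeneralWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:library.panels:general.writer",
			DisplayName: "General writer",
			Group:       "Library panels",
			Description: "Create, read, write or delete all library panels and their permissions in the general folder.",
			Permissions: ac.ConcatPermissions(libraryPanelsGeneralReaderRole.Role.Permissions, []ac.Permission{
				{Action: libraryelements.ActionLibraryPanelsWrite, Scope: generalFolderScope},
				{Action: libraryelements.ActionLibraryPanelsDelete, Scope: generalFolderScope},
				{Action: libraryelements.ActionLibraryPanelsCreate, Scope: generalFolderScope},
			}),
		},
		Grants: []string{string(org.RoleEditor)},
	}

	// Public dashboards.
	publicDashboardsWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:dashboards.public:writer",
			DisplayName: "Public Dashboard writer",
			Description: "Create, write or disable a public dashboard.",
			Group:       "Dashboards",
			Permissions: []ac.Permission{
				{Action: dashboards.ActionDashboardsPublicWrite, Scope: dashboards.ScopeDashboardsAll},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Feature management.
	featuremgmtReaderRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:featuremgmt:reader",
			DisplayName: "Reader",
			Description: "Read feature toggles",
			Group:       "Feature Management",
			Permissions: []ac.Permission{
				{Action: ac.ActionFeatureManagementRead},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	featuremgmtWriterRole := ac.RoleRegistration{
		Role: ac.RoleDTO{
			Name:        "fixed:featuremgmt:writer",
			DisplayName: "Writer",
			Description: "Write feature toggles",
			Group:       "Feature Management",
			Permissions: []ac.Permission{
				{Action: ac.ActionFeatureManagementWrite},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	roles := []ac.RoleRegistration{
		provisioningWriterRole, datasourcesReaderRole, builtInDatasourceReader, datasourcesWriterRole,
		datasourcesIDReaderRole, datasourcesCreatorRole, orgReaderRole, orgWriterRole,
		orgMaintainerRole, teamsCreatorRole, teamsWriterRole, teamsReaderRole, datasourcesExplorerRole,
		annotationsReaderRole, dashboardAnnotationsWriterRole, annotationsWriterRole,
		dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
		foldersCreatorRole, foldersReaderRole, generalFolderReaderRole, foldersWriterRole, apikeyReaderRole, apikeyWriterRole,
		publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole, libraryPanelsCreatorRole,
		libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole,
	}

	if annotationPermissionUpdate {
		// Organization-wide annotation access is split into an organization scope
		// and a folders scope, and granted to Admins only.
		allAnnotationsReaderRole := ac.RoleRegistration{
			Role: ac.RoleDTO{
				Name:        "fixed:annotations.all:reader",
				DisplayName: "Reader",
				Description: "Read all annotations and tags",
				Group:       "Annotations",
				Permissions: []ac.Permission{
					{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsTypeOrganization},
					{Action: ac.ActionAnnotationsRead, Scope: dashboards.ScopeFoldersAll},
				},
			},
			Grants: []string{string(org.RoleAdmin)},
		}

		allAnnotationsWriterRole := ac.RoleRegistration{
			Role: ac.RoleDTO{
				Name:        "fixed:annotations.all:writer",
				DisplayName: "Writer",
				Description: "Update all annotations.",
				Group:       "Annotations",
				Permissions: []ac.Permission{
					{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeOrganization},
					{Action: ac.ActionAnnotationsCreate, Scope: dashboards.ScopeFoldersAll},
					{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeOrganization},
					{Action: ac.ActionAnnotationsDelete, Scope: dashboards.ScopeFoldersAll},
					{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeOrganization},
					{Action: ac.ActionAnnotationsWrite, Scope: dashboards.ScopeFoldersAll},
				},
			},
			Grants: []string{string(org.RoleAdmin)},
		}

		roles = append(roles, allAnnotationsReaderRole, allAnnotationsWriterRole)
	}

	return hs.accesscontrolService.DeclareFixedRoles(roles...)
}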
// Metadata helpers

// getAccessControlMetadata returns the accesscontrol metadata associated with a given resource.
//
// It is the single-resource convenience over getMultiAccessControlMetadata and
// inherits its behaviour: when metadata was not requested or the user has no
// permissions loaded, the lookup misses and the zero ac.Metadata is returned.
func (hs *HTTPServer) getAccessControlMetadata(c *contextmodel.ReqContext,
	prefix string, resourceID string) ac.Metadata {
	return hs.getMultiAccessControlMetadata(c, prefix, map[string]bool{resourceID: true})[resourceID]
}
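// getMultiAccessControlMetadata returns the accesscontrol metadata associated with a given set of resources.
// Context must contain permissions in the given org (see LoadPermissionsMiddleware or AuthorizeInOrgMiddleware).
//
// Metadata is only computed when the request opts in with the "accesscontrol"
// query parameter, and it is derived from the signed-in user's own permission
// set, so as far as this helper is concerned the response describes nothing
// beyond what the caller already holds. An empty (non-nil) map is returned
// when metadata was not requested or no permissions are loaded on the user.
func (hs *HTTPServer) getMultiAccessControlMetadata(c *contextmodel.ReqContext,
	prefix string, resourceIDs map[string]bool) map[string]ac.Metadata {
	if !c.QueryBool("accesscontrol") {
		return map[string]ac.Metadata{}
	}

	// Fetch the permission set once; it feeds both the emptiness guard and the lookup.
	permissions := c.SignedInUser.GetPermissions()
	if len(permissions) == 0 {
		return map[string]ac.Metadata{}
	}

	return ac.GetResourcesMetadata(c.Req.Context(), permissions, prefix, resourceIDs)
}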