grafana/pkg/services/accesscontrol/roles.go

package accesscontrol

// PredefinedRoles provides a map of permission sets/roles which can be
// assigned to a set of users. When adding a new resource protected by
// Grafana access control the default permissions should be added to a
// new predefined role in this set so that users can access the new
// resource. PredefinedRoleGrants lists which organization roles are
// assigned which predefined roles in this list.
var PredefinedRoles = map[string]RoleDTO{
	// TODO: Add support for inheritance between the predefined roles to
	// make the admin ⊃ editor ⊃ viewer property hold.
	usersAdminRead: {
		Name:    usersAdminRead,
		Version: 1,
		Permissions: []Permission{
			{
				Action: ActionUsersRead,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersTeamRead,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersAuthTokenList,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersQuotasList,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionOrgUsersRead,
				Scope:  ScopeOrgAllUsersAll,
			},
			{
				Action: ActionLDAPUsersRead,
			},
			{
				Action: ActionLDAPStatusRead,
			},
		},
	},
	usersAdminEdit: {
		Name:    usersAdminEdit,
		Version: 1,
		Permissions: []Permission{
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionUsersRead,
				Scope:  ScopeUsersAll,
			},
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionUsersTeamRead,
				Scope:  ScopeUsersAll,
			},
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionUsersAuthTokenList,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersPasswordUpdate,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersCreate,
			},
			{
				Action: ActionUsersWrite,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersDelete,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersEnable,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersDisable,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersPermissionsUpdate,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersLogout,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersAuthTokenUpdate,
				Scope:  ScopeUsersAll,
			},
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionUsersQuotasList,
				Scope:  ScopeUsersAll,
			},
			{
				Action: ActionUsersQuotasUpdate,
				Scope:  ScopeUsersAll,
			},
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionOrgUsersRead,
				Scope:  ScopeOrgAllUsersAll,
			},
			{
				Action: ActionOrgUsersAdd,
				Scope:  ScopeOrgAllUsersAll,
			},
			{
				Action: ActionOrgUsersRemove,
				Scope:  ScopeOrgAllUsersAll,
			},
			{
				Action: ActionOrgUsersRoleUpdate,
				Scope:  ScopeOrgAllUsersAll,
			},
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionLDAPUsersRead,
			},
			{
				// Inherited from grafana:roles:users:admin:read
				Action: ActionLDAPStatusRead,
			},
			{
				Action: ActionLDAPUsersSync,
			},
		},
	},
}

const (
	usersAdminEdit = "grafana:roles:users:admin:edit"
	usersAdminRead = "grafana:roles:users:admin:read"
)

// PredefinedRoleGrants specifies which organization roles are assigned
// to which set of PredefinedRoles by default. Alphabetically sorted.
var PredefinedRoleGrants = map[string][]string{
	RoleGrafanaAdmin: {
		usersAdminEdit,
		usersAdminRead,
	},
}
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`package accesscontrol`

			`// PredefinedRoles provides a map of permission sets/roles which can be`
			`// assigned to a set of users. When adding a new resource protected by`
			`// Grafana access control the default permissions should be added to a`
			`// new predefined role in this set so that users can access the new`
			`// resource. PredefinedRoleGrants lists which organization roles are`
			`// assigned which predefined roles in this list.`
			`var PredefinedRoles = map[string]RoleDTO{`
			`// TODO: Add support for inheritance between the predefined roles to`
			`// make the admin ⊃ editor ⊃ viewer property hold.`
			`usersAdminRead: {`
			`Name: usersAdminRead,`
			`Version: 1,`
			`Permissions: []Permission{`
			`{`
			`Action: ActionUsersRead,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersTeamRead,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersAuthTokenList,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersQuotasList,`
			`Scope: ScopeUsersAll,`
			`},`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`{`
			`Action: ActionOrgUsersRead,`
			`Scope: ScopeOrgAllUsersAll,`
			`},`
			`{`
			`Action: ActionLDAPUsersRead,`
			`},`
			`{`
			`Action: ActionLDAPStatusRead,`
			`},`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`},`
			`},`
			`usersAdminEdit: {`
			`Name: usersAdminEdit,`
			`Version: 1,`
			`Permissions: []Permission{`
			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionUsersRead,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionUsersTeamRead,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionUsersAuthTokenList,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersPasswordUpdate,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersCreate,`
			`},`
			`{`
			`Action: ActionUsersWrite,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersDelete,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersEnable,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersDisable,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersPermissionsUpdate,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersLogout,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersAuthTokenUpdate,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionUsersQuotasList,`
			`Scope: ScopeUsersAll,`
			`},`
			`{`
			`Action: ActionUsersQuotasUpdate,`
			`Scope: ScopeUsersAll,`
			`},`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionOrgUsersRead,`
			`Scope: ScopeOrgAllUsersAll,`
			`},`
			`{`
			`Action: ActionOrgUsersAdd,`
			`Scope: ScopeOrgAllUsersAll,`
			`},`
			`{`
			`Action: ActionOrgUsersRemove,`
			`Scope: ScopeOrgAllUsersAll,`
			`},`
			`{`
			`Action: ActionOrgUsersRoleUpdate,`
			`Scope: ScopeOrgAllUsersAll,`
			`},`
Access control: Fix predefined roles (#33260) 2021-04-22 05:49:24 -05:00			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionLDAPUsersRead,`
			`},`
			`{`
			`// Inherited from grafana:roles:users:admin:read`
			`Action: ActionLDAPStatusRead,`
			`},`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`{`
			`Action: ActionLDAPUsersSync,`
			`},`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`},`
			`},`
			`}`

			`const (`
			`usersAdminEdit = "grafana:roles:users:admin:edit"`
			`usersAdminRead = "grafana:roles:users:admin:read"`
			`)`

			`// PredefinedRoleGrants specifies which organization roles are assigned`
			`// to which set of PredefinedRoles by default. Alphabetically sorted.`
			`var PredefinedRoleGrants = map[string][]string{`
			`RoleGrafanaAdmin: {`
			`usersAdminEdit,`
			`usersAdminRead,`
			`},`
			`}`