IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
e277ab0017599afc19aeb0cacedfdc9382e71189
grafana/pkg/services/accesscontrol/accesscontrol.go

209 lines
6.9 KiB
Go
Raw Normal View History

Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 15:22:48 +03:00
package accesscontrol
import (
"context"
Access control: Delete user permissions when a user is deleted (#46021) * Remove access control related to user on deletion
2022-03-16 10:43:44 +01:00
"fmt"
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-08-23 14:03:20 +02:00
"strings"
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 15:22:48 +03:00
"github.com/grafana/grafana/pkg/models"
Chore: Add Usage stats providers registry (#48357) * add usage stats providers * migrate thumbnails service to `registry.ProvidesUsageStats` * snake -> camel * lint fix * migrate accesscontrol to `registry.ProvidesUsageStats` * add accesscontrol to usage stats providers registry * fix test * added a note about errors
2022-04-28 13:06:49 +04:00
"github.com/grafana/grafana/pkg/registry"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/user"
Access control: further reduce access control feature toggle checks (#48171) * reduce the usage of access control flag further by removing it from SQL store methods * fixing tests * fix another test * linting * remove AC feature toggle use from API keys * remove unneeded function
2022-05-05 16:31:14 +01:00
"github.com/grafana/grafana/pkg/setting"
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 15:22:48 +03:00
)
type AccessControl interface {
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
// Evaluate evaluates access to the given resources.
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
Evaluate(ctx context.Context, user *user.SignedInUser, evaluator Evaluator) (bool, error)
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 09:29:30 +02:00
// RegisterScopeAttributeResolver allows the caller to register a scope resolver for a
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-01-18 17:34:35 +01:00
// specific scope prefix (ex: datasources:name:)
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 13:29:17 +02:00
RegisterScopeAttributeResolver(prefix string, resolver ScopeAttributeResolver)
//IsDisabled returns if access control is enabled or not
IsDisabled() bool
}
Chore: Split delete user method (#52216) * Remove user from preferences, stars, orguser, team member * Fix lint * Add Delete user from org and dashboard acl * Delete user from user auth * Add DeleteUser to quota * Add test files and adjust user auth store * Rename package in wire for user auth * Import Quota Service interface in other services * do the same in tests * fix lint tests * Fix tests * Add some tests * Rename InsertUser and DeleteUser to InsertOrgUser and DeleteOrgUser * Rename DeleteUser to DeleteByUser in quota * changing a method name in few additional places * Fix in other places * Fix lint * Fix tests * Chore: Split Delete User method * Add fakes for userauth * Add mock for access control Delete User permossion, use interface * Use interface for ream guardian * Add simple fake for dashboard acl * Add go routines, clean up, use interfaces * fix lint * Update pkg/services/user/userimpl/user_test.go Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com> * Update pkg/services/user/userimpl/user_test.go Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com> * Update pkg/services/user/userimpl/user_test.go Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com> * Add wrapper for not service account error * fix indentation * Use fmt for error wrapper Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
2022-07-19 16:01:05 +02:00
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 13:29:17 +02:00
type Service interface {
registry.ProvidesUsageStats
// GetUserPermissions returns user permissions with only action and scope fields set.
GetUserPermissions(ctx context.Context, user *user.SignedInUser, options Options) ([]Permission, error)
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
2022-08-17 16:32:02 +02:00
// DeleteUserPermissions removes all permissions user has in org and all permission to that user
// If orgID is set to 0 remove permissions from all orgs
DeleteUserPermissions(ctx context.Context, orgID, userID int64) error
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 13:29:17 +02:00
// DeclareFixedRoles allows the caller to declare, to the service, fixed roles and their
// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
DeclareFixedRoles(registrations ...RoleRegistration) error
//IsDisabled returns if access control is enabled or not
IsDisabled() bool
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 15:22:48 +03:00
}
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission()
2021-04-16 16:02:16 +03:00
AccessControl: Cleanup access control interface (#49783) * removed unused function * Rename interface
2022-05-30 17:48:12 +02:00
type RoleRegistry interface {
// RegisterFixedRoles registers all roles declared to AccessControl
RegisterFixedRoles(ctx context.Context) error
}
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 13:29:17 +02:00
type Options struct {
ReloadCache bool
}
type Store interface {
AccessControl: Only return action and scope for user permissions and make them unique (#48939) * Only return action and scope for user permissions and make them unique
2022-05-12 17:15:18 +02:00
// GetUserPermissions returns user permissions with only action and scope fields set.
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 10:17:48 +02:00
GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]Permission, error)
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
2022-08-17 16:32:02 +02:00
DeleteUserPermissions(ctx context.Context, orgID, userID int64) error
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 14:02:53 +01:00
}
AccessControl: Create own interface and impl for each permission service (#48871) * Create own interfaces for team, folder, dashboard and data source permissions services * Remove service container and inject them individually
2022-05-10 15:48:47 +02:00
type TeamPermissionsService interface {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]ResourcePermission, error)
AccessControl: Create own interface and impl for each permission service (#48871) * Create own interfaces for team, folder, dashboard and data source permissions services * Remove service container and inject them individually
2022-05-10 15:48:47 +02:00
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
}
type FolderPermissionsService interface {
PermissionsService
}
type DashboardPermissionsService interface {
PermissionsService
}
type DatasourcePermissionsService interface {
PermissionsService
Access control: Set default permissions for data sources when using access control (#45482) * Rename interfaces and use then with wire injection * Set default permissions when creating new data source
2022-02-17 14:03:45 +01:00
}
Service Accounts: Managed permissions for service accounts (#51818) * backend changes * frontend changes * linting * nit * import order * allow SA creator to access the SA page * fix merge * tests * fix frontend tests Co-authored-by: alexanderzobnin alexanderzobnin@gmail.com
2022-07-08 10:53:18 +01:00
type ServiceAccountPermissionsService interface {
PermissionsService
}
Access control: Set default permissions for data sources when using access control (#45482) * Rename interfaces and use then with wire injection * Set default permissions when creating new data source
2022-02-17 14:03:45 +01:00
type PermissionsService interface {
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 09:52:24 +01:00
// GetPermissions returns all permissions for given resourceID
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]ResourcePermission, error)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 09:52:24 +01:00
// SetUserPermission sets permission on resource for a user
Access control: FGAC for team sync endpoints (#44673) * add actions for team group sync * extend the hook to allow specifying whether the user is external * move user struct to type package * interface for permission service to allow mocking it * reuse existing permissions * test fix * refactor * linting
2022-02-03 15:27:05 +00:00
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 09:52:24 +01:00
// SetTeamPermission sets permission on resource for a team
Access Control: Pass db session to hooks (#44428) * Move hook calls to database and pass session
2022-01-25 17:12:00 +01:00
SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*ResourcePermission, error)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 09:52:24 +01:00
// SetBuiltInRolePermission sets permission on resource for a built-in role (Admin, Editor, Viewer)
Access Control: Pass db session to hooks (#44428) * Move hook calls to database and pass session
2022-01-25 17:12:00 +01:00
SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*ResourcePermission, error)
Access Control: Add function to set several permissions on a resource in one transaction (#44768)
2022-02-07 17:04:32 +01:00
// SetPermissions sets several permissions on resource for either built-in role, team or user
SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...SetResourcePermissionCommand) ([]ResourcePermission, error)
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 15:05:47 +01:00
// MapActions will map actions for a ResourcePermissions to it's "friendly" name configured in PermissionsToActions map.
MapActions(permission ResourcePermission) string
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 14:02:53 +01:00
}
Access control: FGAC for team sync endpoints (#44673) * add actions for team group sync * extend the hook to allow specifying whether the user is external * move user struct to type package * interface for permission service to allow mocking it * reuse existing permissions * test fix * refactor * linting
2022-02-03 15:27:05 +00:00
type User struct {
ID int64
IsExternal bool
}
AccessControl: FGAC permissions for orgs endpoint on frontend (#41050) * AccessControl: FGAC permissions for orgs endpoint on frontend Protect org update endpoints add or refactor missing right messages cover org page * removing scopes from orgs * Perform permission control with global org * Perform the error handling in case of 403 * Simplify frontend code by requiring read access for sure * Remove roles I added to decrease the number of changes * Remove the check for server admin to reduce the number of changes * change error message * Cleaning todos * Remove unecessary changes * Fix tests * Update test snapshot * Update pkg/api/roles.go Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Format AdminEditOrgPage for linting * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Vardan Torosyan <vardants@gmail.com> * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Update public/app/features/admin/AdminListOrgsPage.tsx Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Commit suggestions * Commit suggestion canRead canWrite * fix typo Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2021-11-18 14:10:38 +01:00
// HasGlobalAccess checks user access with globally assigned permissions only
func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
if ac.IsDisabled() {
return fallback(c)
}
userCopy := *c.SignedInUser
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 13:28:55 +02:00
userCopy.OrgID = GlobalOrgID
AccessControl: FGAC permissions for orgs endpoint on frontend (#41050) * AccessControl: FGAC permissions for orgs endpoint on frontend Protect org update endpoints add or refactor missing right messages cover org page * removing scopes from orgs * Perform permission control with global org * Perform the error handling in case of 403 * Simplify frontend code by requiring read access for sure * Remove roles I added to decrease the number of changes * Remove the check for server admin to reduce the number of changes * change error message * Cleaning todos * Remove unecessary changes * Fix tests * Update test snapshot * Update pkg/api/roles.go Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Format AdminEditOrgPage for linting * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Vardan Torosyan <vardants@gmail.com> * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Update public/app/features/admin/AdminListOrgsPage.tsx Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Commit suggestions * Commit suggestion canRead canWrite * fix typo Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
2021-11-18 14:10:38 +01:00
userCopy.OrgRole = ""
userCopy.OrgName = ""
hasAccess, err := ac.Evaluate(c.Req.Context(), &userCopy, evaluator)
if err != nil {
c.Logger.Error("Error from access control system", "error", err)
return false
}
return hasAccess
}
}
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
Access control: Build navigation links with access control (#33024) * Build nav links with access control * Break up getNavTree (reduce cyclomatic complexity) * Fix tests * Use only ActionUsersRead permissions * Remove unused permissions definitions * Chore: remove unused fallbacks * Fix linter error
2021-04-19 12:23:29 +03:00
if ac.IsDisabled() {
return fallback(c)
}
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, evaluator)
Access control: Build navigation links with access control (#33024) * Build nav links with access control * Break up getNavTree (reduce cyclomatic complexity) * Fix tests * Use only ActionUsersRead permissions * Remove unused permissions definitions * Chore: remove unused fallbacks * Fix linter error
2021-04-19 12:23:29 +03:00
if err != nil {
c.Logger.Error("Error from access control system", "error", err)
return false
}
return hasAccess
}
}
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 15:05:47 +01:00
var ReqSignedIn = func(c *models.ReqContext) bool {
return c.IsSignedIn
}
Access control: Build navigation links with access control (#33024) * Build nav links with access control * Break up getNavTree (reduce cyclomatic complexity) * Fix tests * Use only ActionUsersRead permissions * Remove unused permissions definitions * Chore: remove unused fallbacks * Fix linter error
2021-04-19 12:23:29 +03:00
var ReqGrafanaAdmin = func(c *models.ReqContext) bool {
return c.IsGrafanaAdmin
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
// ReqViewer returns true if the current user has org.RoleViewer. Note: this can be anonymous user as well
Alerting: Fix anonymous access to alerting (#49203) * introduce a fallback handler that checks that role is Viewer. * update UI nav links to allow alerting tabs for anonymous user * update rule api to check for Viewer role instead of SignedIn when RBAC is disabled
2022-05-19 09:22:26 -04:00
var ReqViewer = func(c *models.ReqContext) bool {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
return c.OrgRole.Includes(org.RoleViewer)
Alerting: Fix anonymous access to alerting (#49203) * introduce a fallback handler that checks that role is Viewer. * update UI nav links to allow alerting tabs for anonymous user * update rule api to check for Viewer role instead of SignedIn when RBAC is disabled
2022-05-19 09:22:26 -04:00
}
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 13:19:41 +03:00
var ReqOrgAdmin = func(c *models.ReqContext) bool {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
return c.OrgRole == org.RoleAdmin
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 13:19:41 +03:00
}
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 15:05:47 +01:00
var ReqOrgAdminOrEditor = func(c *models.ReqContext) bool {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 11:56:48 +02:00
return c.OrgRole == org.RoleAdmin || c.OrgRole == org.RoleEditor
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 15:05:47 +01:00
}
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 10:17:48 +02:00
func BuildPermissionsMap(permissions []Permission) map[string]bool {
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 13:19:41 +03:00
permissionsMap := make(map[string]bool)
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission()
2021-04-16 16:02:16 +03:00
for _, p := range permissions {
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 13:19:41 +03:00
permissionsMap[p.Action] = true
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission()
2021-04-16 16:02:16 +03:00
}
return permissionsMap
}
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-08-23 14:03:20 +02:00
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
// GroupScopesByAction will group scopes on action
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 10:17:48 +02:00
func GroupScopesByAction(permissions []Permission) map[string][]string {
Access Control: Store permissions on SignedInUser (#43040) * add permission structure to signedinuser * add middleware to load user permissions into signedinuser struct * apply LoadPermissionsMiddleware to http server * check for permissions in signedinuser struct Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-12-14 16:05:59 +01:00
m := make(map[string][]string)
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
for _, p := range permissions {
Access Control: Store permissions on SignedInUser (#43040) * add permission structure to signedinuser * add middleware to load user permissions into signedinuser struct * apply LoadPermissionsMiddleware to http server * check for permissions in signedinuser struct Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-12-14 16:05:59 +01:00
m[p.Action] = append(m[p.Action], p.Scope)
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
}
return m
}
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-08-23 14:03:20 +02:00
func ValidateScope(scope string) bool {
prefix, last := scope[:len(scope)-1], scope[len(scope)-1]
// verify that last char is either ':' or '/' if last character of scope is '*'
if len(prefix) > 0 && last == '*' {
lastChar := prefix[len(prefix)-1]
if lastChar != ':' && lastChar != '/' {
return false
}
}
return !strings.ContainsAny(prefix, "*?")
}
AccessControl: Add accesscontrol metadata to datasources DTOs (#42675) * AccessControl: Provide scope to frontend * Covering datasources with accesscontrol metadata * Write benchmark tests for GetResourcesMetadata * Add accesscontrol util and interface * Add the hasPermissionInMetadata function in the frontend access control code * Use IsDisabled rather that performing a feature toggle check Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-12-15 12:08:15 +01:00
Access control: Delete user permissions when a user is deleted (#46021) * Remove access control related to user on deletion
2022-03-16 10:43:44 +01:00
func ManagedUserRoleName(userID int64) string {
return fmt.Sprintf("managed:users:%d:permissions", userID)
}
func ManagedTeamRoleName(teamID int64) string {
return fmt.Sprintf("managed:teams:%d:permissions", teamID)
}
func ManagedBuiltInRoleName(builtInRole string) string {
return fmt.Sprintf("managed:builtins:%s:permissions", strings.ToLower(builtInRole))
}
Access Control: Support other attributes than id for resource permissions (#46727) * Add option to set ResourceAttribute for a permissions service * Use prefix in access control sql filter to parse scopes * Use prefix in access control metadata to check access
2022-03-21 17:58:18 +01:00
Access control: further reduce access control feature toggle checks (#48171) * reduce the usage of access control flag further by removing it from SQL store methods * fixing tests * fix another test * linting * remove AC feature toggle use from API keys * remove unneeded function
2022-05-05 16:31:14 +01:00
func IsDisabled(cfg *setting.Cfg) bool {
AccessControl: Enable RBAC by default (#48813) * Add RBAC section to settings * Default to RBAC enabled settings to true * Update tests to respect RBAC Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-05-16 03:45:41 -07:00
return !cfg.RBACEnabled
Access control: further reduce access control feature toggle checks (#48171) * reduce the usage of access control flag further by removing it from SQL store methods * fixing tests * fix another test * linting * remove AC feature toggle use from API keys * remove unneeded function
2022-05-05 16:31:14 +01:00
}
RBAC: Extract method from access control impl to a function in domain packge (#49947) * Remove GetUserBuiltInRoles and create it as a util function in accesscontrol domain package
2022-06-02 16:10:41 +02:00
// GetOrgRoles returns legacy org roles for a user
RBAC: Remove builtin role code (#53767) * remove rbacBuiltInRoleAssignmentEnabled from frontendsettings * RBAC: Remove RBACBuiltInRoleAssignmentEnabled * RBAC: Remove code for builtin role * RolePicker: Remove unused prop * RolePicker: Rename builtinRole to basicRole * RolePicker: Rename onBuiltinRoleChange to onBasicRoleChange * RolePicker: Rename properties
2022-08-18 12:25:37 +02:00
func GetOrgRoles(user *user.SignedInUser) []string {
RBAC: Extract method from access control impl to a function in domain packge (#49947) * Remove GetUserBuiltInRoles and create it as a util function in accesscontrol domain package
2022-06-02 16:10:41 +02:00
roles := []string{string(user.OrgRole)}
if user.IsGrafanaAdmin {
roles = append(roles, RoleGrafanaAdmin)
}
return roles
}
Reference in New Issue Copy Permalink