RBAC: Remove the option to disable RBAC and add automated permission migrations for instances that had RBAC disabled (#66652)

* RBAC: Stop reading enabeld from ini file and always set to true

* Migrations: Add a migration for rbac to reset data migrations if rbac
was disabled

* If rbac was disabled we reset the data and data migrations that rbac
  has to perform to get it to a correct state

* Migrator: Store migration logs on migrator and add function to clear it from the
in-memory stored logs

* update tests

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
This commit is contained in:
Ieva 2023-04-19 16:34:19 +01:00 committed by GitHub
parent 772d00b28f
commit 035bf29146
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 110 additions and 6 deletions

View File

@ -0,0 +1,87 @@
package accesscontrol
import (
"fmt"
"xorm.io/xorm"
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
)
const (
disabledMigrationID = "rbac disabled migrator"
teamMigrationID = "teams permissions migration"
dashboardMigrationID = "dashboard permissions"
dashboardsUIDMigrationID = "dashboard permissions uid scopes"
datasourceMigrationID = "data source permissions"
datasourceUIDMigrationID = "data source uid permissions"
managedPermissionsMigrationID = "managed permissions migration"
alertFolderMigrationID = "managed folder permissions alert actions repeated migration"
managedPermissionsEnterpriseMigrationID = "managed permissions migration enterprise"
)
var migrations = [...]string{
teamMigrationID,
dashboardMigrationID,
dashboardsUIDMigrationID,
datasourceMigrationID,
datasourceUIDMigrationID,
managedPermissionsMigrationID,
alertFolderMigrationID,
managedPermissionsEnterpriseMigrationID,
}
func AddDisabledMigrator(mg *migrator.Migrator) {
mg.AddMigration(disabledMigrationID, &DisabledMigrator{})
}
type DisabledMigrator struct {
migrator.MigrationBase
}
func (m *DisabledMigrator) SQL(dialect migrator.Dialect) string {
return CodeMigrationSQL
}
func (m *DisabledMigrator) Exec(sess *xorm.Session, mg *migrator.Migrator) error {
enabled := mg.Cfg.Raw.Section("rbac").Key("enabled").MustBool(true)
if enabled {
// if the flag is enabled we skip the reset of data migrations
mg.Logger.Debug("skip reset of rbac data migrations")
return nil
}
if _, err := sess.Exec("DELETE FROM builtin_role WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%')"); err != nil {
return fmt.Errorf("failed to remove basic role bindings: %w", err)
}
if _, err := sess.Exec("DELETE FROM team_role WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%')"); err != nil {
return fmt.Errorf("failed to remove team role bindings: %w", err)
}
if _, err := sess.Exec("DELETE FROM user_role where role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%')"); err != nil {
return fmt.Errorf("failed to remove user role bindings: %w", err)
}
if _, err := sess.Exec("DELETE FROM permission WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%');"); err != nil {
return fmt.Errorf("failed to remove managed rbac permission: %w", err)
}
if _, err := sess.Exec("DELETE FROM role WHERE name LIKE 'managed:%';"); err != nil {
return fmt.Errorf("failed to remove managed rbac roles: %w", err)
}
params := []interface{}{"DELETE FROM migration_log WHERE migration_id IN (?, ?, ?, ?, ?, ?, ?, ?)"}
for _, m := range migrations {
params = append(params, m)
}
if _, err := sess.Exec(params...); err != nil {
return fmt.Errorf("failed to remove managed permissions migrations: %w", err)
}
// Note: we also need to clear migration from the in-memory representation of migration log
mg.RemoveMigrationLogs(migrations[:]...)
return nil
}

View File

@ -8,6 +8,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/ini.v1"
"xorm.io/xorm"
"github.com/grafana/grafana/pkg/infra/log"
@ -153,6 +154,7 @@ func TestMigrations(t *testing.T) {
config: &setting.Cfg{
EditorsCanAdmin: true,
IsFeatureToggleEnabled: func(key string) bool { return key == "accesscontrol" },
Raw: ini.Empty(),
},
expectedRolePerms: map[string][]rawPermission{
"managed:users:1:permissions": {{Action: "teams:read", Scope: team1Scope}},
@ -181,6 +183,7 @@ func TestMigrations(t *testing.T) {
desc: "without editors can admin",
config: &setting.Cfg{
IsFeatureToggleEnabled: func(key string) bool { return key == "accesscontrol" },
Raw: ini.Empty(),
},
expectedRolePerms: map[string][]rawPermission{
"managed:users:1:permissions": {{Action: "teams:read", Scope: team1Scope}},
@ -256,7 +259,10 @@ func setupTestDB(t *testing.T) *xorm.Engine {
err = migrator.NewDialect(x).CleanDB()
require.NoError(t, err)
mg := migrator.NewMigrator(x, &setting.Cfg{Logger: log.New("acmigration.test")})
mg := migrator.NewMigrator(x, &setting.Cfg{
Logger: log.New("acmigration.test"),
Raw: ini.Empty(),
})
migrations := &migrations.OSSMigrations{}
migrations.AddMigration(mg)

View File

@ -61,6 +61,7 @@ func (*OSSMigrations) AddMigration(mg *Migrator) {
accesscontrol.AddMigration(mg)
addQueryHistoryMigrations(mg)
accesscontrol.AddDisabledMigrator(mg)
accesscontrol.AddTeamMembershipMigrations(mg)
accesscontrol.AddDashboardPermissionsMigrator(mg)
accesscontrol.AddAlertingPermissionsMigrator(mg)

View File

@ -12,6 +12,7 @@ import (
"github.com/go-sql-driver/mysql"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/ini.v1"
"xorm.io/xorm"
. "github.com/grafana/grafana/pkg/services/sqlstore/migrator"
@ -33,7 +34,7 @@ func TestMigrations(t *testing.T) {
_, err = x.SQL(query).Get(&result)
require.Error(t, err)
mg := NewMigrator(x, &setting.Cfg{})
mg := NewMigrator(x, &setting.Cfg{Raw: ini.Empty()})
migrations := &OSSMigrations{}
migrations.AddMigration(mg)
expectedMigrations := mg.GetMigrationIDs(true)

View File

@ -11,6 +11,7 @@ import (
"github.com/prometheus/alertmanager/pkg/labels"
"github.com/prometheus/common/model"
"github.com/stretchr/testify/require"
"gopkg.in/ini.v1"
"xorm.io/xorm"
"github.com/grafana/grafana/pkg/components/simplejson"
@ -629,7 +630,7 @@ func setupTestDB(t *testing.T) *xorm.Engine {
err = migrator.NewDialect(x).CleanDB()
require.NoError(t, err)
mg := migrator.NewMigrator(x, &setting.Cfg{})
mg := migrator.NewMigrator(x, &setting.Cfg{Raw: ini.Empty()})
migrations := &migrations.OSSMigrations{}
migrations.AddMigration(mg)

View File

@ -27,6 +27,7 @@ type Migrator struct {
Logger log.Logger
Cfg *setting.Cfg
isLocked atomic.Bool
logMap map[string]MigrationLog
}
type MigrationLog struct {
@ -97,9 +98,16 @@ func (mg *Migrator) GetMigrationLog() (map[string]MigrationLog, error) {
logMap[logItem.MigrationID] = logItem
}
mg.logMap = logMap
return logMap, nil
}
func (mg *Migrator) RemoveMigrationLogs(migrationsIDs ...string) {
for _, id := range migrationsIDs {
delete(mg.logMap, id)
}
}
func (mg *Migrator) Start(isDatabaseLockingEnabled bool, lockAttemptTimeout int) (err error) {
if !isDatabaseLockingEnabled {
return mg.run()
@ -128,7 +136,7 @@ func (mg *Migrator) Start(isDatabaseLockingEnabled bool, lockAttemptTimeout int)
func (mg *Migrator) run() (err error) {
mg.Logger.Info("Starting DB migrations")
logMap, err := mg.GetMigrationLog()
_, err = mg.GetMigrationLog()
if err != nil {
return err
}
@ -138,7 +146,7 @@ func (mg *Migrator) run() (err error) {
start := time.Now()
for _, m := range mg.migrations {
m := m
_, exists := logMap[m.Id()]
_, exists := mg.logMap[m.Id()]
if exists {
mg.Logger.Debug("Skipping migration: Already executed", "id", m.Id())
migrationsSkipped++

View File

@ -1564,7 +1564,7 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
func readAccessControlSettings(iniFile *ini.File, cfg *Cfg) {
rbac := iniFile.Section("rbac")
cfg.RBACEnabled = rbac.Key("enabled").MustBool(true)
cfg.RBACEnabled = true
cfg.RBACPermissionCache = rbac.Key("permission_cache").MustBool(true)
cfg.RBACPermissionValidationEnabled = rbac.Key("permission_validation_enabled").MustBool(false)
cfg.RBACResetBasicRoles = rbac.Key("reset_basic_roles").MustBool(false)