From 1d15686bdf8cd5a67ede33081e1739911ff7aa20 Mon Sep 17 00:00:00 2001
From: Vardan Torosyan
Date: Mon, 10 May 2021 11:46:42 +0200
Subject: [PATCH] Access control: Add a role for provisioning admins (#33787)
---
 pkg/services/accesscontrol/models.go | 7 +++++++
 pkg/services/accesscontrol/roles.go | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go
index ac9b8ea5e24..8dfeb898f68 100644
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@@ -42,6 +42,10 @@ func (p RoleDTO) Role() Role {
 const (
 // Permission actions
+ // Actions
+ // Provisioning actions
+ ActionProvisioningReload = "provisioning:reload"
+
 // Users actions
 ActionUsersRead = "users:read"
 ActionUsersWrite = "users:write"
@@ -80,6 +84,9 @@ const (
 ScopeUsersSelf = "users:self"
 ScopeUsersAll = "users:*"
+
+ // Services Scopes
+ ScopeServicesAll = "service:*"
 )
 const RoleGrafanaAdmin = "Grafana Admin"
diff --git a/pkg/services/accesscontrol/roles.go b/pkg/services/accesscontrol/roles.go
index 074059c5b6b..3a3d503b4ed 100644
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@@ -124,6 +124,17 @@ var usersAdminEditRole = RoleDTO{
 }),
 }
+var provisioningAdminRole = RoleDTO{
+ Name: provisioningAdmin,
+ Version: 1,
+ Permissions: []Permission{
+ {
+ Action: ActionProvisioningReload,
+ Scope: ScopeServicesAll,
+ },
+ },
+}
+
 // PredefinedRoles provides a map of permission sets/roles which can be
 // assigned to a set of users. When adding a new resource protected by
 // Grafana access control the default permissions should be added to a
@@ -139,6 +150,8 @@ var PredefinedRoles = map[string]RoleDTO{
 ldapAdminRead: ldapAdminReadRole,
 ldapAdminEdit: ldapAdminEditRole,
+
+ provisioningAdmin: provisioningAdminRole,
 }
 const (
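Review bot: The added `// Actions` comment in the first models.go hunk (`@@ -42,6 +42,10 @@`) repeats the existing `// Permission actions` header directly above it and adds nothing; drop it so the block reads header, then `// Provisioning actions`. The const block opens inside the hunk but continues past its end, so the remaining action constants are not visible here.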
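Review bot: `ScopeServicesAll = "service:*"` in the second models.go hunk (`@@ -80,6 +84,9 @@`) pairs a plural constant name and a `// Services Scopes` comment with a singular `service:` prefix, while the neighbouring `ScopeUsersAll` uses `users:*`. Scope strings are presumably compared literally when a permission is evaluated, so a check written against `services:...` would never match this grant; settle on one spelling and use it in the constant, its comment and every check, for example `ScopeServicesAll = "services:*"`. Because this wildcard is the only scope the new role in roles.go carries, a comment naming what the prefix is meant to cover would also help, such as `// ScopeServicesAll is the wildcard over all service:<name> scopes.`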
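Review bot: `provisioningAdminRole` (roles.go, `@@ -124,6 +124,17 @@`) is added without a doc comment even though it binds `ActionProvisioningReload` to the wildcard `ScopeServicesAll`, so a holder can reload everything that scope covers. Put a comment above the variable that records this, e.g. `// provisioningAdminRole allows reloading provisioning for every service scope (service:*).` If narrower per-service scopes are expected later, say in the same comment that the wildcard is intentional. `Version: 1` presumably has to be raised whenever the permission list changes; if that is how role updates are propagated, it is worth stating there too.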
@@ -150,6 +163,8 @@ const (
 ldapAdminEdit = "grafana:roles:ldap:admin:edit"
 ldapAdminRead = "grafana:roles:ldap:admin:read"
+
+ provisioningAdmin = "grafana:roles:provisioning:admin"
 )
 // PredefinedRoleGrants specifies which organization roles are assigned
@@ -158,6 +173,7 @@ var PredefinedRoleGrants = map[string][]string{
 RoleGrafanaAdmin: {
 ldapAdminEdit,
 ldapAdminRead,
+ provisioningAdmin,
 usersAdminEdit,
 usersAdminRead,
 usersOrgEdit,
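Review bot: No test in this commit pins the new `provisioningAdmin` entry under `RoleGrafanaAdmin` in `PredefinedRoleGrants` (roles.go, `@@ -158,6 +173,7 @@`), which is the line that actually hands out the permission; the diffstat lists only models.go and roles.go. Unless an existing test already walks these maps, add a small table test asserting that every name in `PredefinedRoleGrants` is a key of `PredefinedRoles` and that `provisioningAdmin` is granted to `RoleGrafanaAdmin` only. That would catch a mistyped role name or an accidental grant to an organization role. The map literal continues past the end of the hunk, so the other grant entries are not visible here.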