mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Alerting: fixed roles for fine-grained access control (#46553)
* move alerting actions to accesscontrol to avoid cycledeps * define new actions and fixed roles for alerting * add folder permission to alert reader role
This commit is contained in:
Yuriy Tseretyan
GitHub
188
pkg/services/ngalert/accesscontrol.go
Normal file
188
pkg/services/ngalert/accesscontrol.go
Normal file
@@ -0,0 +1,188 @@
|
||||
package ngalert
|
||||
|
||||
import (
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
)
|
||||
|
||||
const AlertRolesGroup = "Alerting"
|
||||
|
||||
var (
|
||||
rulesReaderRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting.rules:reader",
|
||||
DisplayName: "Rules Reader",
|
||||
Description: "Can read alert rules in all Grafana folders and external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: []accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingRuleRead,
|
||||
Scope: dashboards.ScopeFoldersAll,
|
||||
},
|
||||
{
|
||||
Action: dashboards.ActionFoldersRead,
|
||||
Scope: dashboards.ScopeFoldersAll,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingRuleExternalRead,
|
||||
Scope: datasources.ScopeDatasourcesAll,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
rulesEditorRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting.rules:editor",
|
||||
DisplayName: "Rules Editor",
|
||||
Description: "Can add, update, and delete rules in any Grafana folder and external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: accesscontrol.ConcatPermissions(rulesReaderRole.Role.Permissions, []accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingRuleCreate,
|
||||
Scope: dashboards.ScopeFoldersAll,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingRuleUpdate,
|
||||
Scope: dashboards.ScopeFoldersAll,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingRuleDelete,
|
||||
Scope: dashboards.ScopeFoldersAll,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingRuleExternalWrite,
|
||||
Scope: datasources.ScopeDatasourcesAll,
|
||||
},
|
||||
}),
|
||||
},
|
||||
Grants: []string{string(models.ROLE_EDITOR)},
|
||||
}
|
||||
|
||||
instancesReaderRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting.instances:reader",
|
||||
DisplayName: "Instances and Silences Reader",
|
||||
Description: "Can read instances and silences of Grafana and external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: []accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingInstanceRead,
|
||||
Scope: dashboards.ScopeFoldersAll,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingInstancesExternalRead,
|
||||
Scope: datasources.ScopeDatasourcesAll,
|
||||
},
|
||||
},
|
||||
},
|
||||
Grants: []string{string(models.ROLE_VIEWER)},
|
||||
}
|
||||
|
||||
instancesEditorRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting.instances:editor",
|
||||
DisplayName: "Silences Editor",
|
||||
Description: "Can add and update silences in Grafana and external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: accesscontrol.ConcatPermissions(instancesReaderRole.Role.Permissions, []accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingInstanceCreate,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingInstanceUpdate,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingInstancesExternalWrite,
|
||||
Scope: datasources.ScopeDatasourcesAll,
|
||||
},
|
||||
}),
|
||||
},
|
||||
Grants: []string{string(models.ROLE_EDITOR)},
|
||||
}
|
||||
|
||||
notificationsReaderRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting.notifications:reader",
|
||||
DisplayName: "Notifications Reader",
|
||||
Description: "Can read notification policies and contact points in Grafana and external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: []accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingNotificationsRead,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingNotificationsExternalRead,
|
||||
Scope: datasources.ScopeDatasourcesAll,
|
||||
},
|
||||
},
|
||||
},
|
||||
Grants: []string{string(models.ROLE_VIEWER)},
|
||||
}
|
||||
|
||||
notificationsEditorRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting.notifications:editor",
|
||||
DisplayName: "Notifications Editor",
|
||||
Description: "Can add, update, and delete contact points and notification policies in Grafana and external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: accesscontrol.ConcatPermissions(notificationsReaderRole.Role.Permissions, []accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingNotificationsCreate,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingNotificationsUpdate,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingNotificationsDelete,
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionAlertingNotificationsExternalWrite,
|
||||
Scope: datasources.ScopeDatasourcesAll,
|
||||
},
|
||||
}),
|
||||
},
|
||||
Grants: []string{string(models.ROLE_EDITOR)},
|
||||
}
|
||||
|
||||
alertingReaderRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting:reader",
|
||||
DisplayName: "Full read-only access",
|
||||
Description: "Can read alert rules, instances, silences, contact points, and notification policies in Grafana and all external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: accesscontrol.ConcatPermissions(rulesReaderRole.Role.Permissions, instancesReaderRole.Role.Permissions, notificationsReaderRole.Role.Permissions),
|
||||
},
|
||||
Grants: []string{string(models.ROLE_VIEWER)},
|
||||
}
|
||||
|
||||
alertingWriterRole = accesscontrol.RoleRegistration{
|
||||
Role: accesscontrol.RoleDTO{
|
||||
Name: accesscontrol.FixedRolePrefix + "alerting:editor",
|
||||
DisplayName: "Full access",
|
||||
Description: "Can add,update and delete alert rules, instances, silences, contact points, and notification policies in Grafana and all external providers",
|
||||
Group: AlertRolesGroup,
|
||||
Version: 1,
|
||||
Permissions: accesscontrol.ConcatPermissions(rulesEditorRole.Role.Permissions, instancesEditorRole.Role.Permissions, notificationsEditorRole.Role.Permissions),
|
||||
},
|
||||
Grants: []string{string(models.ROLE_EDITOR)},
|
||||
}
|
||||
)
|
||||
|
||||
func DeclareFixedRoles(ac accesscontrol.AccessControl) error {
|
||||
return ac.DeclareFixedRoles(
|
||||
rulesReaderRole, rulesEditorRole,
|
||||
instancesReaderRole, instancesEditorRole,
|
||||
notificationsReaderRole, notificationsEditorRole,
|
||||
alertingReaderRole, alertingWriterRole,
|
||||
)
|
||||
}
|
||||
Reference in New Issue
Block a user