Alerting: Add fgac support to alert list panel (#47934)

* Add fgac support to alert list panel * Fix typo * test: fix test suite for UnifiedAlertStatesWorker * Update worker permission check * Update alert worker tests Co-authored-by: gillesdemey <gilles.de.mey@gmail.com>
2025-01-18 12:33:37 -06:00 · 2022-05-31 14:27:08 +02:00 · 2022-05-31 14:27:08 +02:00 · 4c28d09d6d
commit 4c28d09d6d
parent 389eec089e
3 changed files with 50 additions and 1 deletions
--- a/public/app/features/query/state/DashboardQueryRunner/UnifiedAlertStatesWorker.test.ts
+++ b/public/app/features/query/state/DashboardQueryRunner/UnifiedAlertStatesWorker.test.ts
@ -2,7 +2,9 @@ import { lastValueFrom } from 'rxjs';

 import { AlertState, getDefaultTimeRange, TimeRange } from '@grafana/data';
 import { backendSrv } from 'app/core/services/backend_srv';
+import { disableRBAC, enableRBAC, grantUserPermissions } from 'app/features/alerting/unified/mocks';
 import { Annotation } from 'app/features/alerting/unified/utils/constants';
+import { AccessControlAction } from 'app/types/accessControl';
 import { PromAlertingRuleState, PromRuleDTO, PromRulesResponse, PromRuleType } from 'app/types/unified-alerting-dto';

 import { silenceConsoleOutput } from '../../../../../test/core/utils/silenceConsoleOutput';
@ -35,6 +37,10 @@ function getTestContext() {
 describe('UnifiedAlertStatesWorker', () => {
  const worker = new UnifiedAlertStatesWorker();

+  beforeAll(() => {
+    disableRBAC();
+  });
+
  describe('when canWork is called with correct props', () => {
    it('then it should return true', () => {
      const options = getDefaultOptions();
@ -200,3 +206,25 @@ describe('UnifiedAlertStatesWorker', () => {
    });
  });
 });
+
+describe('UnifiedAlertStateWorker with RBAC', () => {
+  beforeAll(() => {
+    enableRBAC();
+    grantUserPermissions([]);
+  });
+
+  it('should not do work with insufficient permissions', () => {
+    const worker = new UnifiedAlertStatesWorker();
+    const options = getDefaultOptions();
+
+    expect(worker.canWork(options)).toBe(false);
+  });
+
+  it('should do work with correct permissions', () => {
+    grantUserPermissions([AccessControlAction.AlertingRuleRead, AccessControlAction.AlertingRuleExternalRead]);
+    const workerWithPermissions = new UnifiedAlertStatesWorker();
+
+    const options = getDefaultOptions();
+    expect(workerWithPermissions.canWork(options)).toBe(true);
+  });
+});
--- a/public/app/features/query/state/DashboardQueryRunner/UnifiedAlertStatesWorker.ts
+++ b/public/app/features/query/state/DashboardQueryRunner/UnifiedAlertStatesWorker.ts
@ -3,8 +3,10 @@ import { catchError, map } from 'rxjs/operators';

 import { AlertState, AlertStateInfo } from '@grafana/data';
 import { getBackendSrv } from '@grafana/runtime';
+import { contextSrv } from 'app/core/services/context_srv';
 import { Annotation } from 'app/features/alerting/unified/utils/constants';
 import { isAlertingRule } from 'app/features/alerting/unified/utils/rules';
+import { AccessControlAction } from 'app/types';
 import { PromAlertingRuleState, PromRulesResponse } from 'app/types/unified-alerting-dto';

 import { DashboardQueryRunnerOptions, DashboardQueryRunnerWorker, DashboardQueryRunnerWorkerResult } from './types';
@ -29,6 +31,14 @@ export class UnifiedAlertStatesWorker implements DashboardQueryRunnerWorker {
      return false;
    }

+    const hasRuleReadPermission =
+      contextSrv.hasPermission(AccessControlAction.AlertingRuleRead) &&
+      contextSrv.hasPermission(AccessControlAction.AlertingRuleExternalRead);
+
+    if (!hasRuleReadPermission) {
+      return false;
+    }
+
    return true;
  }

--- a/public/app/plugins/panel/alertlist/UnifiedAlertList.tsx
+++ b/public/app/plugins/panel/alertlist/UnifiedAlertList.tsx
@ -4,7 +4,8 @@ import React, { useEffect, useMemo } from 'react';
 import { useDispatch } from 'react-redux';

 import { GrafanaTheme2, PanelProps } from '@grafana/data';
-import { CustomScrollbar, LoadingPlaceholder, useStyles2 } from '@grafana/ui';
+import { Alert, CustomScrollbar, LoadingPlaceholder, useStyles2 } from '@grafana/ui';
+import { contextSrv } from 'app/core/services/context_srv';
 import alertDef from 'app/features/alerting/state/alertDef';
 import { useUnifiedAlertingSelector } from 'app/features/alerting/unified/hooks/useUnifiedAlertingSelector';
 import { fetchAllPromRulesAction } from 'app/features/alerting/unified/state/actions';
@ -17,6 +18,7 @@ import {
 } from 'app/features/alerting/unified/utils/datasource';
 import { flattenRules, getFirstActiveAt } from 'app/features/alerting/unified/utils/rules';
 import { getDashboardSrv } from 'app/features/dashboard/services/DashboardSrv';
+import { AccessControlAction } from 'app/types';
 import { PromRuleWithLocation } from 'app/types/unified-alerting';
 import { PromAlertingRuleState } from 'app/types/unified-alerting-dto';

@ -60,6 +62,15 @@ export function UnifiedAlertList(props: PanelProps<UnifiedAlertListOptions>) {

  const noAlertsMessage = rules.length ? '' : 'No alerts';

+  if (
+    !contextSrv.hasPermission(AccessControlAction.AlertingRuleRead) &&
+    !contextSrv.hasPermission(AccessControlAction.AlertingRuleExternalRead)
+  ) {
+    return (
+      <Alert title="Permission required">Sorry, you do not have the required permissions to read alert rules</Alert>
+    );
+  }
+
  return (
    <CustomScrollbar autoHeightMin="100%" autoHeightMax="100%">
      <div className={styles.container}>