From 510c69ec912dd19f8adffa4af94f68b8c4f51956 Mon Sep 17 00:00:00 2001 From: Ieva Date: Tue, 15 Mar 2022 13:17:45 +0000 Subject: [PATCH] Access control: allow hiding roles (#46358) * allow hiding roles * extend docs * docs feedback * extend provisioning docs * formatting Co-authored-by: Leonard Gram --- .../enterprise/access-control/provisioning.md | 4 +- docs/sources/http_api/access_control.md | 52 +++++++++++++------ pkg/services/accesscontrol/models.go | 3 ++ .../migrations/accesscontrol/migrations.go | 4 ++ 4 files changed, 46 insertions(+), 17 deletions(-) diff --git a/docs/sources/enterprise/access-control/provisioning.md b/docs/sources/enterprise/access-control/provisioning.md index 31f89051184..8280b0828d1 100644 --- a/docs/sources/enterprise/access-control/provisioning.md +++ b/docs/sources/enterprise/access-control/provisioning.md @@ -50,7 +50,8 @@ roles: scope: 'users:*' ``` -Here is an example YAML file to create a global role with a set of permissions, where the `global:true` option makes a role global: +Here is an example YAML file to create a hidden global role with a set of permissions. +`global:true` option makes a role global, and `hidden:true` option hides the role from the role picker: ```yaml # config file version @@ -62,6 +63,7 @@ roles: description: 'This role allows users to list, create, or update other users within the organization.' version: 1 global: true + hidden: true permissions: - action: 'users:read' scope: 'users:*' diff --git a/docs/sources/http_api/access_control.md b/docs/sources/http_api/access_control.md index b90255186ba..c33b727698b 100644 --- a/docs/sources/http_api/access_control.md +++ b/docs/sources/http_api/access_control.md @@ -64,6 +64,10 @@ Gets all existing roles. The response contains all global and organization local Refer to the [Role scopes]({{< relref "../enterprise/access-control/roles.md#built-in-role-assignments" >}}) for more information. +Query Parameters: + +- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`. + #### Required permissions | Action | Scope | @@ -258,6 +262,7 @@ Content-Type: application/json | description | string | No | Description of the role. | | displayName | string | No | Display name of the role, visible in the UI. | | group | string | No | The group name the role belongs to. | +| hidden | boolean | No | Specify whether the role is hidden or not. If set to `true`, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified. | | permissions | Permission | No | If not present, the role will be created without any permissions. | **Permission** @@ -349,14 +354,15 @@ Content-Type: application/json #### JSON body schema -| Field Name | Data Type | Required | Description | -| ----------- | ------------------- | -------- | ------------------------------------------------------------------- | -| version | number | Yes | Version of the role. Must be incremented for update to work. | -| name | string | Yes | Name of the role. | -| description | string | No | Description of the role. | -| displayName | string | No | Display name of the role, visible in the UI. | -| group | string | No | The group name the role belongs to. | -| permissions | List of Permissions | No | The full list of permissions the role should have after the update. | +| Field Name | Data Type | Required | Description | +| ----------- | ------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| version | number | Yes | Version of the role. Must be incremented for update to work. | +| name | string | Yes | Name of the role. | +| description | string | No | Description of the role. | +| displayName | string | No | Display name of the role, visible in the UI. | +| group | string | No | The group name the role belongs to. | +| hidden | boolean | No | Specify whether the role is hidden or not. If set to `true`, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified. | +| permissions | List of Permissions | No | The full list of permissions for the role after the update. | **Permission** @@ -466,6 +472,10 @@ Content-Type: application/json; charset=UTF-8 Lists the roles that have been directly assigned to a given user. The list does not include built-in roles (Viewer, Editor, Admin or Grafana Admin), and it does not include roles that have been inherited from a team. +Query Parameters: + +- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`. + #### Required permissions | Action | Scope | @@ -702,10 +712,11 @@ Content-Type: application/json #### JSON body schema -| Field Name | Date Type | Required | Description | -| ---------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request. | -| roleUids | list | Yes | List of role UIDs. | +| Field Name | Date Type | Required | Description | +| ------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | +| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request. | +| roleUids | list | Yes | List of role UIDs. | +| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. | #### Example response @@ -735,6 +746,10 @@ Content-Type: application/json; charset=UTF-8 Lists the roles that have been directly assigned to a given team. +Query Parameters: + +- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`. + #### Required permissions | Action | Scope | @@ -832,7 +847,7 @@ Content-Type: application/json; charset=UTF-8 | 404 | Role not found. | | 500 | Unexpected error. Refer to body and/or server logs for more details. | -## Remove a user role assignment +## Remove a team role assignment `DELETE /api/access-control/teams/:teams/roles/:roleUID` @@ -915,9 +930,10 @@ Content-Type: application/json #### JSON body schema -| Field Name | Date Type | Required | Description | -| ---------- | --------- | -------- | ------------------ | -| roleUids | list | Yes | List of role UIDs. | +| Field Name | Date Type | Required | Description | +| ------------- | --------- | -------- | -------------------------------------------------------------- | +| roleUids | list | Yes | List of role UIDs. | +| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. | #### Example response @@ -949,6 +965,10 @@ API set allows to create or remove [built-in role assignments]({{< relref "../en Gets all built-in role assignments. +Query Parameters: + +- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`. + #### Required permissions | Action | Scope | diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go index 3259614442e..bfb6f1af0c1 100644 --- a/pkg/services/accesscontrol/models.go +++ b/pkg/services/accesscontrol/models.go @@ -23,6 +23,7 @@ type Role struct { DisplayName string `json:"displayName"` Group string `xorm:"group_name" json:"group"` Description string `json:"description"` + Hidden bool `json:"hidden"` Updated time.Time `json:"updated"` Created time.Time `json:"created"` @@ -65,6 +66,7 @@ type RoleDTO struct { Group string `xorm:"group_name" json:"group"` Permissions []Permission `json:"permissions,omitempty"` Delegatable *bool `json:"delegatable,omitempty"` + Hidden bool `json:"hidden,omitempty"` ID int64 `json:"-" xorm:"pk autoincr 'id'"` OrgID int64 `json:"-" xorm:"org_id"` @@ -82,6 +84,7 @@ func (r RoleDTO) Role() Role { DisplayName: r.DisplayName, Group: r.Group, Description: r.Description, + Hidden: r.Hidden, Updated: r.Updated, Created: r.Created, } diff --git a/pkg/services/sqlstore/migrations/accesscontrol/migrations.go b/pkg/services/sqlstore/migrations/accesscontrol/migrations.go index 692a3d47ac3..38f880f5674 100644 --- a/pkg/services/sqlstore/migrations/accesscontrol/migrations.go +++ b/pkg/services/sqlstore/migrations/accesscontrol/migrations.go @@ -162,4 +162,8 @@ func AddMigration(mg *migrator.Migrator) { //------- indexes ------------------ mg.AddMigration("add unique index builtin_role_role_name", migrator.NewAddIndexMigration(seedAssignmentV1, seedAssignmentV1.Indices[0])) + + mg.AddMigration("add column hidden to role table", migrator.NewAddColumnMigration(roleV1, &migrator.Column{ + Name: "hidden", Type: migrator.DB_Bool, Nullable: false, Default: "0", + })) }