IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-11 08:05:43 -06:00
Code Issues Packages Projects Releases Wiki Activity

Access control: allow hiding roles (#46358)

Browse Source 
* allow hiding roles

* extend docs

* docs feedback

* extend provisioning docs

* formatting

Co-authored-by: Leonard Gram <leo@xlson.com>
This commit is contained in:
Ieva 2022-03-15 13:17:45 +00:00 committed by GitHub
parent 5cf0906622
commit 510c69ec91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/sources/enterprise/access-control/provisioning.md
View File

@ -50,7 +50,8 @@ roles:
scope: 'users:*'
```
Here is an example YAML file to create a global role with a set of permissions, where the `global:true` option makes a role global:
Here is an example YAML file to create a hidden global role with a set of permissions.
`global:true` option makes a role global, and `hidden:true` option hides the role from the role picker:
```yaml
# config file version
@ -62,6 +63,7 @@ roles:
description: 'This role allows users to list, create, or update other users within the organization.'
version: 1
global: true
hidden: true
permissions:
- action: 'users:read'
scope: 'users:*'

30
docs/sources/http_api/access_control.md
View File

@ -64,6 +64,10 @@ Gets all existing roles. The response contains all global and organization local
Refer to the [Role scopes]({{< relref "../enterprise/access-control/roles.md#built-in-role-assignments" >}}) for more information.
Query Parameters:
- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`.
#### Required permissions
| Action | Scope |
@ -258,6 +262,7 @@ Content-Type: application/json
| description | string | No | Description of the role. |
| displayName | string | No | Display name of the role, visible in the UI. |
| group | string | No | The group name the role belongs to. |
| hidden | boolean | No | Specify whether the role is hidden or not. If set to `true`, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified. |
| permissions | Permission | No | If not present, the role will be created without any permissions. |
**Permission**
@ -350,13 +355,14 @@ Content-Type: application/json
#### JSON body schema
| Field Name | Data Type | Required | Description |
| ----------- | ------------------- | -------- | ------------------------------------------------------------------- |
| ----------- | ------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| version | number | Yes | Version of the role. Must be incremented for update to work. |
| name | string | Yes | Name of the role. |
| description | string | No | Description of the role. |
| displayName | string | No | Display name of the role, visible in the UI. |
| group | string | No | The group name the role belongs to. |
| permissions | List of Permissions | No | The full list of permissions the role should have after the update. |
| hidden | boolean | No | Specify whether the role is hidden or not. If set to `true`, then the role does not show in the role picker. It will not be listed by API endpoints unless explicitly specified. |
| permissions | List of Permissions | No | The full list of permissions for the role after the update. |
**Permission**
@ -466,6 +472,10 @@ Content-Type: application/json; charset=UTF-8
Lists the roles that have been directly assigned to a given user. The list does not include built-in roles (Viewer, Editor, Admin or Grafana Admin), and it does not include roles that have been inherited from a team.
Query Parameters:
- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`.
#### Required permissions
| Action | Scope |
@ -703,9 +713,10 @@ Content-Type: application/json
#### JSON body schema
| Field Name | Date Type | Required | Description |
| ---------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| ------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request. |
| roleUids | list | Yes | List of role UIDs. |
| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. |
#### Example response
@ -735,6 +746,10 @@ Content-Type: application/json; charset=UTF-8
Lists the roles that have been directly assigned to a given team.
Query Parameters:
- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`.
#### Required permissions
| Action | Scope |
@ -832,7 +847,7 @@ Content-Type: application/json; charset=UTF-8
| 404 | Role not found. |
| 500 | Unexpected error. Refer to body and/or server logs for more details. |
## Remove a user role assignment
## Remove a team role assignment
`DELETE /api/access-control/teams/:teams/roles/:roleUID`
@ -916,8 +931,9 @@ Content-Type: application/json
#### JSON body schema
| Field Name | Date Type | Required | Description |
| ---------- | --------- | -------- | ------------------ |
| ------------- | --------- | -------- | -------------------------------------------------------------- |
| roleUids | list | Yes | List of role UIDs. |
| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. |
#### Example response
@ -949,6 +965,10 @@ API set allows to create or remove [built-in role assignments]({{< relref "../en
Gets all built-in role assignments.
Query Parameters:
- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`.
#### Required permissions
| Action | Scope |

3
pkg/services/accesscontrol/models.go
View File

@ -23,6 +23,7 @@ type Role struct {
DisplayName string `json:"displayName"`
Group string `xorm:"group_name" json:"group"`
Description string `json:"description"`
Hidden bool `json:"hidden"`
Updated time.Time `json:"updated"`
Created time.Time `json:"created"`
@ -65,6 +66,7 @@ type RoleDTO struct {
Group string `xorm:"group_name" json:"group"`
Permissions []Permission `json:"permissions,omitempty"`
Delegatable *bool `json:"delegatable,omitempty"`
Hidden bool `json:"hidden,omitempty"`
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
OrgID int64 `json:"-" xorm:"org_id"`
@ -82,6 +84,7 @@ func (r RoleDTO) Role() Role {
DisplayName: r.DisplayName,
Group: r.Group,
Description: r.Description,
Hidden: r.Hidden,
Updated: r.Updated,
Created: r.Created,
}

4
pkg/services/sqlstore/migrations/accesscontrol/migrations.go
View File

@ -162,4 +162,8 @@ func AddMigration(mg *migrator.Migrator) {
//------- indexes ------------------
mg.AddMigration("add unique index builtin_role_role_name", migrator.NewAddIndexMigration(seedAssignmentV1, seedAssignmentV1.Indices[0]))
mg.AddMigration("add column hidden to role table", migrator.NewAddColumnMigration(roleV1, &migrator.Column{
Name: "hidden", Type: migrator.DB_Bool, Nullable: false, Default: "0",
}))
}