mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
AccessControl: frontend changes for adding FGAC to licensing (#39484)
* refactor licenseURL function to use context and export permission evaluation fction * remove provisioning file * refactor licenseURL to take in a bool to avoid circular dependencies * remove function for appending nav link, as it was only used once and move the function to create admin node * better argument names * create a function for permission checking * extend permission checking when displaying server stats * enable the use of enterprise access control actions when evaluating permissions * import ordering * move licensing FGAC action definitions to models package to allow access from oss * move evaluatePermissions for routes to context serve * change permission evaluator to take in more permissions * move licensing FGAC actions again to appease wire * avoid index out of bounds issue in case no children are passed in when creating server admin node * simplify syntax for permission checking Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> * update loading state for server stats * linting * more linting * fix test * fix a frontend test * update "licensing.reports:read" action naming * UI doesn't allow reading only licensing reports and not the rest of licensing info Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
This commit is contained in:
parent
f384288183
commit
52220b2470
@ -4,16 +4,15 @@ import (
|
||||
"errors"
|
||||
"strconv"
|
||||
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/tsdb/grafanads"
|
||||
|
||||
"github.com/grafana/grafana/pkg/components/simplejson"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/components/simplejson"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/tsdb/grafanads"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
)
|
||||
|
||||
func (hs *HTTPServer) getFSDataSources(c *models.ReqContext, enabledPlugins *plugins.EnabledPlugins) (map[string]interface{}, error) {
|
||||
@ -196,6 +195,8 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
|
||||
buildstamp = 0
|
||||
}
|
||||
|
||||
hasAccess := accesscontrol.HasAccess(hs.AccessControl, c)
|
||||
|
||||
jsonObj := map[string]interface{}{
|
||||
"defaultDatasource": defaultDS,
|
||||
"datasources": dataSources,
|
||||
@ -247,7 +248,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
|
||||
"hasValidLicense": hs.License.HasValidLicense(),
|
||||
"expiry": hs.License.Expiry(),
|
||||
"stateInfo": hs.License.StateInfo(),
|
||||
"licenseUrl": hs.License.LicenseURL(c.SignedInUser),
|
||||
"licenseUrl": hs.License.LicenseURL(hasAccess(accesscontrol.ReqGrafanaAdmin, accesscontrol.LicensingPageReaderAccess)),
|
||||
"edition": hs.License.Edition(),
|
||||
},
|
||||
"featureToggles": hs.Cfg.FeatureToggles,
|
||||
|
@ -8,19 +8,15 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/grafana/grafana/pkg/plugins/manager"
|
||||
"github.com/grafana/grafana/pkg/services/rendering"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/licensing"
|
||||
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||
|
||||
"gopkg.in/macaron.v1"
|
||||
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/plugins/manager"
|
||||
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
||||
"github.com/grafana/grafana/pkg/services/licensing"
|
||||
"github.com/grafana/grafana/pkg/services/rendering"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
@ -54,6 +50,7 @@ func setupTestEnvironment(t *testing.T, cfg *setting.Cfg) (*macaron.Macaron, *HT
|
||||
RenderService: r,
|
||||
SQLStore: sqlStore,
|
||||
PluginManager: pm,
|
||||
AccessControl: accesscontrolmock.New().WithDisabled(),
|
||||
}
|
||||
|
||||
m := macaron.New()
|
||||
|
@ -6,6 +6,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/grafana/grafana/pkg/api/dtos"
|
||||
"github.com/grafana/grafana/pkg/api/navlinks"
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
@ -347,16 +348,8 @@ func (hs *HTTPServer) getNavTree(c *models.ReqContext, hasEditPerm bool) ([]*dto
|
||||
adminNavLinks := hs.buildAdminNavLinks(c)
|
||||
|
||||
if len(adminNavLinks) > 0 {
|
||||
navTree = append(navTree, &dtos.NavLink{
|
||||
Text: "Server Admin",
|
||||
SubTitle: "Manage all users and orgs",
|
||||
HideFromTabs: true,
|
||||
Id: "admin",
|
||||
Icon: "shield",
|
||||
Url: adminNavLinks[0].Url,
|
||||
SortWeight: dtos.WeightAdmin,
|
||||
Children: adminNavLinks,
|
||||
})
|
||||
serverAdminNode := navlinks.GetServerAdminNode(adminNavLinks)
|
||||
navTree = append(navTree, serverAdminNode)
|
||||
}
|
||||
|
||||
helpVersion := fmt.Sprintf(`%s v%s (%s)`, setting.ApplicationName, setting.BuildVersion, setting.BuildCommit)
|
||||
|
20
pkg/api/navlinks/navlinks.go
Normal file
20
pkg/api/navlinks/navlinks.go
Normal file
@ -0,0 +1,20 @@
|
||||
package navlinks
|
||||
|
||||
import "github.com/grafana/grafana/pkg/api/dtos"
|
||||
|
||||
func GetServerAdminNode(children []*dtos.NavLink) *dtos.NavLink {
|
||||
url := ""
|
||||
if len(children) > 0 {
|
||||
url = children[0].Url
|
||||
}
|
||||
return &dtos.NavLink{
|
||||
Text: "Server Admin",
|
||||
SubTitle: "Manage all users and orgs",
|
||||
HideFromTabs: true,
|
||||
Id: "admin",
|
||||
Icon: "shield",
|
||||
Url: url,
|
||||
SortWeight: dtos.WeightAdmin,
|
||||
Children: children,
|
||||
}
|
||||
}
|
@ -16,7 +16,7 @@ type Licensing interface {
|
||||
// Used to build content delivery URL
|
||||
ContentDeliveryPrefix() string
|
||||
|
||||
LicenseURL(user *SignedInUser) string
|
||||
LicenseURL(showAdminLicensingPage bool) string
|
||||
|
||||
StateInfo() string
|
||||
}
|
||||
|
@ -13,7 +13,6 @@ import (
|
||||
"github.com/grafana/grafana-aws-sdk/pkg/awsds"
|
||||
"github.com/grafana/grafana-plugin-sdk-go/backend"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/plugins/backendplugin"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/stretchr/testify/require"
|
||||
@ -493,7 +492,7 @@ func (t *testLicensingService) ContentDeliveryPrefix() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func (t *testLicensingService) LicenseURL(user *models.SignedInUser) string {
|
||||
func (t *testLicensingService) LicenseURL(showAdminLicensingPage bool) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
|
@ -197,8 +197,20 @@ const (
|
||||
|
||||
// Settings scope
|
||||
ScopeSettingsAll = "settings:*"
|
||||
|
||||
// Licensing related actions
|
||||
ActionLicensingRead = "licensing:read"
|
||||
ActionLicensingUpdate = "licensing:update"
|
||||
ActionLicensingDelete = "licensing:delete"
|
||||
ActionLicensingReportsRead = "licensing.reports:read"
|
||||
)
|
||||
|
||||
const RoleGrafanaAdmin = "Grafana Admin"
|
||||
|
||||
const FixedRolePrefix = "fixed:"
|
||||
|
||||
// LicensingPageReaderAccess defines permissions that grant access to the licensing and stats page
|
||||
var LicensingPageReaderAccess = EvalAny(
|
||||
EvalPermission(ActionLicensingRead),
|
||||
EvalPermission(ActionServerStatsRead),
|
||||
)
|
||||
|
@ -36,8 +36,8 @@ func (*OSSLicensingService) ContentDeliveryPrefix() string {
|
||||
return "grafana-oss"
|
||||
}
|
||||
|
||||
func (l *OSSLicensingService) LicenseURL(user *models.SignedInUser) string {
|
||||
if user.IsGrafanaAdmin {
|
||||
func (l *OSSLicensingService) LicenseURL(showAdminLicensingPage bool) string {
|
||||
if showAdminLicensingPage {
|
||||
return l.Cfg.AppSubURL + "/admin/upgrading"
|
||||
}
|
||||
|
||||
@ -59,7 +59,7 @@ func ProvideService(cfg *setting.Cfg, hooksService *hooks.HooksService) *OSSLice
|
||||
node.Children = append(node.Children, &dtos.NavLink{
|
||||
Text: "Stats and license",
|
||||
Id: "upgrading",
|
||||
Url: l.LicenseURL(req.SignedInUser),
|
||||
Url: l.LicenseURL(req.IsGrafanaAdmin),
|
||||
Icon: "unlock",
|
||||
})
|
||||
}
|
||||
|
@ -89,7 +89,7 @@ export class ContextSrv {
|
||||
}
|
||||
|
||||
isGrafanaVisible() {
|
||||
return !!(document.visibilityState === undefined || document.visibilityState === 'visible');
|
||||
return document.visibilityState === undefined || document.visibilityState === 'visible';
|
||||
}
|
||||
|
||||
// checks whether the passed interval is longer than the configured minimum refresh rate
|
||||
@ -113,6 +113,25 @@ export class ContextSrv {
|
||||
}
|
||||
return (this.isEditor || config.viewersCanEdit) && config.exploreEnabled;
|
||||
}
|
||||
|
||||
hasAccess(action: string, fallBack: boolean) {
|
||||
if (!config.featureToggles['accesscontrol']) {
|
||||
return fallBack;
|
||||
}
|
||||
return this.hasPermission(action);
|
||||
}
|
||||
|
||||
// evaluates access control permissions, granting access if the user has any of them; uses fallback if access control is disabled
|
||||
evaluatePermission(fallback: () => string[], actions: string[]) {
|
||||
if (!config.featureToggles['accesscontrol']) {
|
||||
return fallback();
|
||||
}
|
||||
if (actions.some((action) => this.hasPermission(action))) {
|
||||
return [];
|
||||
}
|
||||
// Hack to reject when user does not have permission
|
||||
return ['Reject'];
|
||||
}
|
||||
}
|
||||
|
||||
let contextSrv = new ContextSrv();
|
||||
|
@ -26,6 +26,11 @@ const stats: ServerStat = {
|
||||
jest.mock('./state/apis', () => ({
|
||||
getServerStats: async () => stats,
|
||||
}));
|
||||
jest.mock('../../core/services/context_srv', () => ({
|
||||
contextSrv: {
|
||||
hasAccess: () => true,
|
||||
},
|
||||
}));
|
||||
|
||||
describe('ServerStats', () => {
|
||||
it('Should render page with stats', async () => {
|
||||
|
@ -9,17 +9,20 @@ import { Loader } from '../plugins/admin/components/Loader';
|
||||
|
||||
export const ServerStats = () => {
|
||||
const [stats, setStats] = useState<ServerStat | null>(null);
|
||||
const [isLoading, setIsLoading] = useState(true);
|
||||
const [isLoading, setIsLoading] = useState(false);
|
||||
const styles = useStyles2(getStyles);
|
||||
|
||||
useEffect(() => {
|
||||
getServerStats().then((stats) => {
|
||||
setStats(stats);
|
||||
setIsLoading(false);
|
||||
});
|
||||
if (contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
|
||||
setIsLoading(true);
|
||||
getServerStats().then((stats) => {
|
||||
setStats(stats);
|
||||
setIsLoading(false);
|
||||
});
|
||||
}
|
||||
}, []);
|
||||
|
||||
if (!contextSrv.hasPermission(AccessControlAction.ActionServerStatsRead)) {
|
||||
if (!contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -139,10 +139,9 @@ export function getAppRoutes(): RouteDescriptor[] {
|
||||
path: '/explore',
|
||||
pageClass: 'page-explore',
|
||||
roles: () =>
|
||||
evaluatePermission(
|
||||
() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']),
|
||||
AccessControlAction.DataSourcesExplore
|
||||
),
|
||||
contextSrv.evaluatePermission(() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']), [
|
||||
AccessControlAction.DataSourcesExplore,
|
||||
]),
|
||||
component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')),
|
||||
},
|
||||
{
|
||||
@ -526,16 +525,3 @@ export function getAppRoutes(): RouteDescriptor[] {
|
||||
// ...playlistRoutes,
|
||||
];
|
||||
}
|
||||
|
||||
// evaluates access control permission, using fallback if access control is disabled
|
||||
const evaluatePermission = (fallback: () => string[], action: AccessControlAction): string[] => {
|
||||
if (!config.featureToggles['accesscontrol']) {
|
||||
return fallback();
|
||||
}
|
||||
if (contextSrv.hasPermission(action)) {
|
||||
return [];
|
||||
} else {
|
||||
// Hack to reject when user does not have permission
|
||||
return ['Reject'];
|
||||
}
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user