mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
AccessControl: frontend changes for adding FGAC to licensing (#39484)
* refactor licenseURL function to use context and export permission evaluation fction * remove provisioning file * refactor licenseURL to take in a bool to avoid circular dependencies * remove function for appending nav link, as it was only used once and move the function to create admin node * better argument names * create a function for permission checking * extend permission checking when displaying server stats * enable the use of enterprise access control actions when evaluating permissions * import ordering * move licensing FGAC action definitions to models package to allow access from oss * move evaluatePermissions for routes to context serve * change permission evaluator to take in more permissions * move licensing FGAC actions again to appease wire * avoid index out of bounds issue in case no children are passed in when creating server admin node * simplify syntax for permission checking Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> * update loading state for server stats * linting * more linting * fix test * fix a frontend test * update "licensing.reports:read" action naming * UI doesn't allow reading only licensing reports and not the rest of licensing info Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
This commit is contained in:
parent
f384288183
commit
52220b2470
@ -4,16 +4,15 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/models"
|
|
||||||
"github.com/grafana/grafana/pkg/tsdb/grafanads"
|
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/components/simplejson"
|
|
||||||
"github.com/grafana/grafana/pkg/util"
|
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/bus"
|
"github.com/grafana/grafana/pkg/bus"
|
||||||
|
"github.com/grafana/grafana/pkg/components/simplejson"
|
||||||
"github.com/grafana/grafana/pkg/infra/log"
|
"github.com/grafana/grafana/pkg/infra/log"
|
||||||
|
"github.com/grafana/grafana/pkg/models"
|
||||||
"github.com/grafana/grafana/pkg/plugins"
|
"github.com/grafana/grafana/pkg/plugins"
|
||||||
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
|
"github.com/grafana/grafana/pkg/tsdb/grafanads"
|
||||||
|
"github.com/grafana/grafana/pkg/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (hs *HTTPServer) getFSDataSources(c *models.ReqContext, enabledPlugins *plugins.EnabledPlugins) (map[string]interface{}, error) {
|
func (hs *HTTPServer) getFSDataSources(c *models.ReqContext, enabledPlugins *plugins.EnabledPlugins) (map[string]interface{}, error) {
|
||||||
@ -196,6 +195,8 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
|
|||||||
buildstamp = 0
|
buildstamp = 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
hasAccess := accesscontrol.HasAccess(hs.AccessControl, c)
|
||||||
|
|
||||||
jsonObj := map[string]interface{}{
|
jsonObj := map[string]interface{}{
|
||||||
"defaultDatasource": defaultDS,
|
"defaultDatasource": defaultDS,
|
||||||
"datasources": dataSources,
|
"datasources": dataSources,
|
||||||
@ -247,7 +248,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
|
|||||||
"hasValidLicense": hs.License.HasValidLicense(),
|
"hasValidLicense": hs.License.HasValidLicense(),
|
||||||
"expiry": hs.License.Expiry(),
|
"expiry": hs.License.Expiry(),
|
||||||
"stateInfo": hs.License.StateInfo(),
|
"stateInfo": hs.License.StateInfo(),
|
||||||
"licenseUrl": hs.License.LicenseURL(c.SignedInUser),
|
"licenseUrl": hs.License.LicenseURL(hasAccess(accesscontrol.ReqGrafanaAdmin, accesscontrol.LicensingPageReaderAccess)),
|
||||||
"edition": hs.License.Edition(),
|
"edition": hs.License.Edition(),
|
||||||
},
|
},
|
||||||
"featureToggles": hs.Cfg.FeatureToggles,
|
"featureToggles": hs.Cfg.FeatureToggles,
|
||||||
|
@ -8,19 +8,15 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/plugins/manager"
|
|
||||||
"github.com/grafana/grafana/pkg/services/rendering"
|
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/services/licensing"
|
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/bus"
|
|
||||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
|
||||||
|
|
||||||
"gopkg.in/macaron.v1"
|
"gopkg.in/macaron.v1"
|
||||||
|
|
||||||
|
"github.com/grafana/grafana/pkg/bus"
|
||||||
|
"github.com/grafana/grafana/pkg/plugins/manager"
|
||||||
|
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
||||||
|
"github.com/grafana/grafana/pkg/services/licensing"
|
||||||
|
"github.com/grafana/grafana/pkg/services/rendering"
|
||||||
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -54,6 +50,7 @@ func setupTestEnvironment(t *testing.T, cfg *setting.Cfg) (*macaron.Macaron, *HT
|
|||||||
RenderService: r,
|
RenderService: r,
|
||||||
SQLStore: sqlStore,
|
SQLStore: sqlStore,
|
||||||
PluginManager: pm,
|
PluginManager: pm,
|
||||||
|
AccessControl: accesscontrolmock.New().WithDisabled(),
|
||||||
}
|
}
|
||||||
|
|
||||||
m := macaron.New()
|
m := macaron.New()
|
||||||
|
@ -6,6 +6,7 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/api/dtos"
|
"github.com/grafana/grafana/pkg/api/dtos"
|
||||||
|
"github.com/grafana/grafana/pkg/api/navlinks"
|
||||||
"github.com/grafana/grafana/pkg/bus"
|
"github.com/grafana/grafana/pkg/bus"
|
||||||
"github.com/grafana/grafana/pkg/models"
|
"github.com/grafana/grafana/pkg/models"
|
||||||
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||||
@ -347,16 +348,8 @@ func (hs *HTTPServer) getNavTree(c *models.ReqContext, hasEditPerm bool) ([]*dto
|
|||||||
adminNavLinks := hs.buildAdminNavLinks(c)
|
adminNavLinks := hs.buildAdminNavLinks(c)
|
||||||
|
|
||||||
if len(adminNavLinks) > 0 {
|
if len(adminNavLinks) > 0 {
|
||||||
navTree = append(navTree, &dtos.NavLink{
|
serverAdminNode := navlinks.GetServerAdminNode(adminNavLinks)
|
||||||
Text: "Server Admin",
|
navTree = append(navTree, serverAdminNode)
|
||||||
SubTitle: "Manage all users and orgs",
|
|
||||||
HideFromTabs: true,
|
|
||||||
Id: "admin",
|
|
||||||
Icon: "shield",
|
|
||||||
Url: adminNavLinks[0].Url,
|
|
||||||
SortWeight: dtos.WeightAdmin,
|
|
||||||
Children: adminNavLinks,
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
helpVersion := fmt.Sprintf(`%s v%s (%s)`, setting.ApplicationName, setting.BuildVersion, setting.BuildCommit)
|
helpVersion := fmt.Sprintf(`%s v%s (%s)`, setting.ApplicationName, setting.BuildVersion, setting.BuildCommit)
|
||||||
|
20
pkg/api/navlinks/navlinks.go
Normal file
20
pkg/api/navlinks/navlinks.go
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
package navlinks
|
||||||
|
|
||||||
|
import "github.com/grafana/grafana/pkg/api/dtos"
|
||||||
|
|
||||||
|
func GetServerAdminNode(children []*dtos.NavLink) *dtos.NavLink {
|
||||||
|
url := ""
|
||||||
|
if len(children) > 0 {
|
||||||
|
url = children[0].Url
|
||||||
|
}
|
||||||
|
return &dtos.NavLink{
|
||||||
|
Text: "Server Admin",
|
||||||
|
SubTitle: "Manage all users and orgs",
|
||||||
|
HideFromTabs: true,
|
||||||
|
Id: "admin",
|
||||||
|
Icon: "shield",
|
||||||
|
Url: url,
|
||||||
|
SortWeight: dtos.WeightAdmin,
|
||||||
|
Children: children,
|
||||||
|
}
|
||||||
|
}
|
@ -16,7 +16,7 @@ type Licensing interface {
|
|||||||
// Used to build content delivery URL
|
// Used to build content delivery URL
|
||||||
ContentDeliveryPrefix() string
|
ContentDeliveryPrefix() string
|
||||||
|
|
||||||
LicenseURL(user *SignedInUser) string
|
LicenseURL(showAdminLicensingPage bool) string
|
||||||
|
|
||||||
StateInfo() string
|
StateInfo() string
|
||||||
}
|
}
|
||||||
|
@ -13,7 +13,6 @@ import (
|
|||||||
"github.com/grafana/grafana-aws-sdk/pkg/awsds"
|
"github.com/grafana/grafana-aws-sdk/pkg/awsds"
|
||||||
"github.com/grafana/grafana-plugin-sdk-go/backend"
|
"github.com/grafana/grafana-plugin-sdk-go/backend"
|
||||||
"github.com/grafana/grafana/pkg/infra/log"
|
"github.com/grafana/grafana/pkg/infra/log"
|
||||||
"github.com/grafana/grafana/pkg/models"
|
|
||||||
"github.com/grafana/grafana/pkg/plugins/backendplugin"
|
"github.com/grafana/grafana/pkg/plugins/backendplugin"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
@ -493,7 +492,7 @@ func (t *testLicensingService) ContentDeliveryPrefix() string {
|
|||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *testLicensingService) LicenseURL(user *models.SignedInUser) string {
|
func (t *testLicensingService) LicenseURL(showAdminLicensingPage bool) string {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -197,8 +197,20 @@ const (
|
|||||||
|
|
||||||
// Settings scope
|
// Settings scope
|
||||||
ScopeSettingsAll = "settings:*"
|
ScopeSettingsAll = "settings:*"
|
||||||
|
|
||||||
|
// Licensing related actions
|
||||||
|
ActionLicensingRead = "licensing:read"
|
||||||
|
ActionLicensingUpdate = "licensing:update"
|
||||||
|
ActionLicensingDelete = "licensing:delete"
|
||||||
|
ActionLicensingReportsRead = "licensing.reports:read"
|
||||||
)
|
)
|
||||||
|
|
||||||
const RoleGrafanaAdmin = "Grafana Admin"
|
const RoleGrafanaAdmin = "Grafana Admin"
|
||||||
|
|
||||||
const FixedRolePrefix = "fixed:"
|
const FixedRolePrefix = "fixed:"
|
||||||
|
|
||||||
|
// LicensingPageReaderAccess defines permissions that grant access to the licensing and stats page
|
||||||
|
var LicensingPageReaderAccess = EvalAny(
|
||||||
|
EvalPermission(ActionLicensingRead),
|
||||||
|
EvalPermission(ActionServerStatsRead),
|
||||||
|
)
|
||||||
|
@ -36,8 +36,8 @@ func (*OSSLicensingService) ContentDeliveryPrefix() string {
|
|||||||
return "grafana-oss"
|
return "grafana-oss"
|
||||||
}
|
}
|
||||||
|
|
||||||
func (l *OSSLicensingService) LicenseURL(user *models.SignedInUser) string {
|
func (l *OSSLicensingService) LicenseURL(showAdminLicensingPage bool) string {
|
||||||
if user.IsGrafanaAdmin {
|
if showAdminLicensingPage {
|
||||||
return l.Cfg.AppSubURL + "/admin/upgrading"
|
return l.Cfg.AppSubURL + "/admin/upgrading"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -59,7 +59,7 @@ func ProvideService(cfg *setting.Cfg, hooksService *hooks.HooksService) *OSSLice
|
|||||||
node.Children = append(node.Children, &dtos.NavLink{
|
node.Children = append(node.Children, &dtos.NavLink{
|
||||||
Text: "Stats and license",
|
Text: "Stats and license",
|
||||||
Id: "upgrading",
|
Id: "upgrading",
|
||||||
Url: l.LicenseURL(req.SignedInUser),
|
Url: l.LicenseURL(req.IsGrafanaAdmin),
|
||||||
Icon: "unlock",
|
Icon: "unlock",
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -89,7 +89,7 @@ export class ContextSrv {
|
|||||||
}
|
}
|
||||||
|
|
||||||
isGrafanaVisible() {
|
isGrafanaVisible() {
|
||||||
return !!(document.visibilityState === undefined || document.visibilityState === 'visible');
|
return document.visibilityState === undefined || document.visibilityState === 'visible';
|
||||||
}
|
}
|
||||||
|
|
||||||
// checks whether the passed interval is longer than the configured minimum refresh rate
|
// checks whether the passed interval is longer than the configured minimum refresh rate
|
||||||
@ -113,6 +113,25 @@ export class ContextSrv {
|
|||||||
}
|
}
|
||||||
return (this.isEditor || config.viewersCanEdit) && config.exploreEnabled;
|
return (this.isEditor || config.viewersCanEdit) && config.exploreEnabled;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
hasAccess(action: string, fallBack: boolean) {
|
||||||
|
if (!config.featureToggles['accesscontrol']) {
|
||||||
|
return fallBack;
|
||||||
|
}
|
||||||
|
return this.hasPermission(action);
|
||||||
|
}
|
||||||
|
|
||||||
|
// evaluates access control permissions, granting access if the user has any of them; uses fallback if access control is disabled
|
||||||
|
evaluatePermission(fallback: () => string[], actions: string[]) {
|
||||||
|
if (!config.featureToggles['accesscontrol']) {
|
||||||
|
return fallback();
|
||||||
|
}
|
||||||
|
if (actions.some((action) => this.hasPermission(action))) {
|
||||||
|
return [];
|
||||||
|
}
|
||||||
|
// Hack to reject when user does not have permission
|
||||||
|
return ['Reject'];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
let contextSrv = new ContextSrv();
|
let contextSrv = new ContextSrv();
|
||||||
|
@ -26,6 +26,11 @@ const stats: ServerStat = {
|
|||||||
jest.mock('./state/apis', () => ({
|
jest.mock('./state/apis', () => ({
|
||||||
getServerStats: async () => stats,
|
getServerStats: async () => stats,
|
||||||
}));
|
}));
|
||||||
|
jest.mock('../../core/services/context_srv', () => ({
|
||||||
|
contextSrv: {
|
||||||
|
hasAccess: () => true,
|
||||||
|
},
|
||||||
|
}));
|
||||||
|
|
||||||
describe('ServerStats', () => {
|
describe('ServerStats', () => {
|
||||||
it('Should render page with stats', async () => {
|
it('Should render page with stats', async () => {
|
||||||
|
@ -9,17 +9,20 @@ import { Loader } from '../plugins/admin/components/Loader';
|
|||||||
|
|
||||||
export const ServerStats = () => {
|
export const ServerStats = () => {
|
||||||
const [stats, setStats] = useState<ServerStat | null>(null);
|
const [stats, setStats] = useState<ServerStat | null>(null);
|
||||||
const [isLoading, setIsLoading] = useState(true);
|
const [isLoading, setIsLoading] = useState(false);
|
||||||
const styles = useStyles2(getStyles);
|
const styles = useStyles2(getStyles);
|
||||||
|
|
||||||
useEffect(() => {
|
useEffect(() => {
|
||||||
getServerStats().then((stats) => {
|
if (contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
|
||||||
setStats(stats);
|
setIsLoading(true);
|
||||||
setIsLoading(false);
|
getServerStats().then((stats) => {
|
||||||
});
|
setStats(stats);
|
||||||
|
setIsLoading(false);
|
||||||
|
});
|
||||||
|
}
|
||||||
}, []);
|
}, []);
|
||||||
|
|
||||||
if (!contextSrv.hasPermission(AccessControlAction.ActionServerStatsRead)) {
|
if (!contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -139,10 +139,9 @@ export function getAppRoutes(): RouteDescriptor[] {
|
|||||||
path: '/explore',
|
path: '/explore',
|
||||||
pageClass: 'page-explore',
|
pageClass: 'page-explore',
|
||||||
roles: () =>
|
roles: () =>
|
||||||
evaluatePermission(
|
contextSrv.evaluatePermission(() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']), [
|
||||||
() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']),
|
AccessControlAction.DataSourcesExplore,
|
||||||
AccessControlAction.DataSourcesExplore
|
]),
|
||||||
),
|
|
||||||
component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')),
|
component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -526,16 +525,3 @@ export function getAppRoutes(): RouteDescriptor[] {
|
|||||||
// ...playlistRoutes,
|
// ...playlistRoutes,
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
// evaluates access control permission, using fallback if access control is disabled
|
|
||||||
const evaluatePermission = (fallback: () => string[], action: AccessControlAction): string[] => {
|
|
||||||
if (!config.featureToggles['accesscontrol']) {
|
|
||||||
return fallback();
|
|
||||||
}
|
|
||||||
if (contextSrv.hasPermission(action)) {
|
|
||||||
return [];
|
|
||||||
} else {
|
|
||||||
// Hack to reject when user does not have permission
|
|
||||||
return ['Reject'];
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
Loading…
Reference in New Issue
Block a user