AccessControl: Document new permissions restricting data source access. (#39091)

* Add data sources roles and permissions to docs

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Gabriel MABILLE 2021-09-29 17:45:27 +02:00 committed by GitHub
parent ff009bee9f
commit 6aa006b699
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 246 additions and 76 deletions

View File

@ -12,7 +12,7 @@ The reference information that follows complements conceptual information about
## Fine-grained access fixed roles ## Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions | | Fixed roles | Permissions | Descriptions |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. | | `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. | | `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. | | `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
@ -27,12 +27,16 @@ The reference information that follows complements conceptual information about
| `fixed:server:admin:read` | `server.stats:read` | Read server stats | | `fixed:server:admin:read` | `server.stats:read` | Read server stats |
| `fixed:settings:admin:read` | `settings:read` | Read settings | | `fixed:settings:admin:read` | `settings:read` | Read settings |
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings | | `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
| `fixed:datasource:editor:read` | `datasources:explore` | Explore datasources | | `fixed:datasources:editor:read` | `datasources:explore` | Allows to access the **Explore** tab |
| `fixed:datasources:admin` | `datasources:read`<br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Allows to create, read, update, delete data sources. |
| `fixed:datasources:id:viewer` | `datasources:id:read` | Allows to read data source IDs. |
| `fixed:datasources:permissions:admin` | `datasources.permissions:create`<br> `datasources.permissions:read`<br> `datasources.permissions:delete`<br>`datasources.permissions:toggle` | Allows to create, read, delete, enable, or disable data source permissions |
## Default built-in role assignments ## Default built-in role assignments
| Built-in role | Associated role | Description | | Built-in role | Associated role | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Allow access to the same resources and permissions the [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has by default. | | Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read` | Allow access to the same resources and permissions that the [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) has by default. | | Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:datasources:admin`<br>`fixed:datasources:permissions:admin` | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Editor | `fixed:datasource:editor:read` | | Editor | `fixed:datasources:editor:read` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Viewer | `fixed:datasources:id:viewer` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
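Review bot: In the built-in role assignments table, `fixed:datasources:id:viewer` is listed only for Viewer and `fixed:datasources:editor:read` only for Editor, while Grafana Admin gets none of the new data source roles. If Editor and Admin are meant to inherit the assignments of the lower roles, state that above the table; as written, the table says an Editor cannot read data source IDs and a Grafana Admin holds no data source permissions. Separately, the fixed role is renamed from `fixed:datasource:editor:read` to `fixed:datasources:editor:read`, so a one-line note for anyone who referenced the old name would help, and the `fixed:datasources:permissions:admin` description is missing its closing period.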

View File

@ -24,7 +24,7 @@ scope
The following list contains fine-grained access control actions. The following list contains fine-grained access control actions.
| Action | Applicable scope | Description | | Action | Applicable scope | Description |
| -------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | -------------------------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:list` | `roles:*` | List available roles without permissions. | | `roles:list` | `roles:*` | List available roles without permissions. |
| `roles:read` | `roles:*` | Read a specific role with its permissions. | | `roles:read` | `roles:*` | Read a specific role with its permissions. |
| `roles:write` | `permissions:delegate` | Create or update a custom role. | | `roles:write` | `permissions:delegate` | Create or update a custom role. |
@ -54,9 +54,9 @@ The following list contains fine-grained access control actions.
| `users:logout` | `global:users:*` | Sign out a user. | | `users:logout` | `global:users:*` | Sign out a user. |
| `users.quotas:list` | `global:users:*` | List a users quotas. | | `users.quotas:list` | `global:users:*` | List a users quotas. |
| `users.quotas:update` | `global:users:*` | Update a users quotas. | | `users.quotas:update` | `global:users:*` | Update a users quotas. |
| `org.users.read` | `users:*` | Get user profiles within an organization. | | `org.users:read` | `users:*` | Get user profiles within an organization. |
| `org.users.add` | `users:*` | Add a user to an organization. | | `org.users:add` | `users:*` | Add a user to an organization. |
| `org.users.remove` | `users:*` | Remove a user from an organization. | | `org.users:remove` | `users:*` | Remove a user from an organization. |
| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. | | `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
| `ldap.user:read` | n/a | Get a user via LDAP. | | `ldap.user:read` | n/a | Get a user via LDAP. |
| `ldap.user:sync` | n/a | Sync a user via LDAP. | | `ldap.user:sync` | n/a | Sync a user via LDAP. |
@ -66,14 +66,23 @@ The following list contains fine-grained access control actions.
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) | | `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). | | `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
| `server.stats:read` | n/a | Read server stats | | `server.stats:read` | n/a | Read server stats |
| `datasources:explore` | n/a | Enable explore | | `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
| `datasources:id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
| `datasources:delete` | `datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Delete data sources. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:id:*` | List data source permissions. |
| `datasources.permissions:create` | `datasources:*`<br>`datasources:id:*` | Create data source permissions. |
| `datasources.permissions:delete` | `datasources:*`<br>`datasources:id:*` | Delete data source permissions. |
| `datasources.permissions:toggle` | `datasources:*`<br>`datasources:id:*` | Enable or disable data source permissions. |
## Scope definitions ## Scope definitions
The following list contains fine-grained access control scopes. The following list contains fine-grained access control scopes.
| Scopes | Descriptions | | Scopes | Descriptions |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. | | `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | | `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. | | `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
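Review bot: The scopes on the new `datasources` action rows do not line up with the API pages changed in this same commit. `datasources:delete` omits `datasources:*` here, but the DELETE endpoints in the data source API list `datasources:\*` as an accepted scope, and `datasources:read` lists `n/a` alongside four scopes, which leaves it unclear whether the action can be granted unscoped. Suggest making each row list exactly the scopes the endpoints accept, and widening the `datasources:read` description beyond "List data sources." since the get-by-ID, get-by-UID and get-by-name endpoints require the same action.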
@ -82,3 +91,4 @@ The following list contains fine-grained access control scopes.
| `users:*` | Restrict an action to a set of users from an organization. | | `users:*` | Restrict an action to a set of users from an organization. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | | `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). | | `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
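Review bot: The new scope row names four patterns but gives examples for only two of them (`datasources:*` and `datasources:name:postgres`). Add examples for the ID and UID forms (the API pages in this commit use `datasources:id:1` and `datasources:uid:kLtEtcRGk`), and say whether a name, ID and UID scope for the same data source are interchangeable or whether each only satisfies the endpoint addressed by that identifier.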

View File

@ -7,10 +7,23 @@ aliases = ["/docs/grafana/latest/http_api/datasource/"]
# Data source API # Data source API
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
## Get all data sources ## Get all data sources
`GET /api/datasources` `GET /api/datasources`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | -------------- |
| datasources:read | datasources:\* |
### Examples
**Example Request**: **Example Request**:
```http ```http
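Review bot: The required-permissions table for `GET /api/datasources` lists only `datasources:\*`, while the action reference in this commit says `datasources:read` can also be scoped by ID, UID or name. State what this endpoint does for a caller whose `datasources:read` is limited to something like `datasources:id:1`: is the list filtered to that data source, or is the request refused? The introductory note is also vague ("for some endpoints you would need to have relevant permissions"); it could say plainly that the tables apply only when fine-grained access control is enabled and what response a caller gets when the permission is missing.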
@ -57,6 +70,16 @@ Content-Type: application/json
`GET /api/datasources/:datasourceId` `GET /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ---------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -103,6 +126,16 @@ Content-Type: application/json
`GET /api/datasources/uid/:uid` `GET /api/datasources/uid/:uid`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | -------------------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -149,6 +182,16 @@ Content-Type: application/json
`GET /api/datasources/name/:name` `GET /api/datasources/name/:name`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | ---------------------------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -195,6 +238,16 @@ Content-Type: application/json
`GET /api/datasources/id/:name` `GET /api/datasources/id/:name`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------- | ---------------------------------------------------------------------------------------------- |
| datasources:id:read | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -219,6 +272,16 @@ Content-Type: application/json
`POST /api/datasources` `POST /api/datasources`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ----- |
| datasources:create | n/a |
### Examples
**Example Graphite Request**: **Example Graphite Request**:
```http ```http
@ -357,6 +420,16 @@ Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
`PUT /api/datasources/:datasourceId` `PUT /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ----------------- | ---------------------------------------------------------------------------- |
| datasources:write | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -427,6 +500,16 @@ Content-Type: application/json
`DELETE /api/datasources/:datasourceId` `DELETE /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ---------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -449,6 +532,16 @@ Content-Type: application/json
`DELETE /api/datasources/uid/:uid` `DELETE /api/datasources/uid/:uid`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | -------------------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -471,6 +564,16 @@ Content-Type: application/json
`DELETE /api/datasources/name/:datasourceName` `DELETE /api/datasources/name/:datasourceName`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ---------------------------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http

View File

@ -9,6 +9,9 @@ aliases = ["/docs/grafana/latest/http_api/datasourcepermissions/"]
> The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}). > The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
This API can be used to enable, disable, list, add and remove permissions for a data source. This API can be used to enable, disable, list, add and remove permissions for a data source.
Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything. Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything.
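Review bot: The added fine-grained access control note sits directly above the unchanged sentence "Permissions cannot be set for Admins - they always have access to everything", and the two need reconciling. This commit puts data source access for the Admin built-in role behind `fixed:datasources:admin` and `fixed:datasources:permissions:admin`, and the role reference documents `roles.builtin:remove`, so the page should say whether removing those assignments changes what an Admin can do here, or confirm that the sentence still holds with fine-grained access control enabled.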
@ -23,6 +26,16 @@ The permission levels for the permission field:
Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source. Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -58,6 +71,16 @@ Status codes:
Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source. Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
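Review bot: The disable endpoint is documented as removing all existing permissions and letting anyone query the data source, yet the new table requires only `datasources.permissions:toggle`, the same action as enable. Call that out in this section and in the action reference, where the description is just "Enable or disable data source permissions.": a holder of `toggle` can clear every permission on a data source without holding `datasources.permissions:delete`, which matters to anyone composing a custom role from these actions.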
@ -93,6 +116,16 @@ Status codes:
Gets all existing permissions for the data source with the given `id`. Gets all existing permissions for the data source with the given `id`.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ---------------------------- | ---------------------------------------------------------------------------- |
| datasources.permissions:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -154,6 +187,16 @@ Status codes:
Adds a user permission for the data source with the given `id`. Adds a user permission for the data source with the given `id`.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:create | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -218,6 +261,16 @@ Status codes:
Removes the permission with the given `permissionId` for the data source with the given `id`. Removes the permission with the given `permissionId` for the data source with the given `id`.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http