Alerting: Export contact points to check access control action instead legacy role (#71990)

* introduce a new action "alert.provisioning.secrets:read" and role "fixed:alerting.provisioning.secrets:reader" * update alerting API authorization layer to let the user read provisioning with the new action * let new action use decrypt flag * add action and role to docs
2025-02-25 18:55:37 -06:00 · 2023-08-08 12:29:34 -04:00
parent e1d239a86e
commit 6b4a9d73d7
17 changed files with 347 additions and 104 deletions
--- a/pkg/services/ngalert/accesscontrol.go
+++ b/pkg/services/ngalert/accesscontrol.go
@@ -171,6 +171,24 @@ var (
 		},
 		Grants: []string{string(org.RoleAdmin)},
 	}
+
+	alertingProvisioningReaderWithSecretsRole = accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        accesscontrol.FixedRolePrefix + "alerting.provisioning.secrets:reader",
+			DisplayName: "Read via Provisioning API + Export Secrets",
+			Description: "Read all alert rules, contact points, notification policies, silences, etc. in the organization via provisioning API and use export with decrypted secrets",
+			Group:       AlertRolesGroup,
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: accesscontrol.ActionAlertingProvisioningReadSecrets, // organization scope
+				},
+				{
+					Action: accesscontrol.ActionAlertingProvisioningRead, // organization scope
+				},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
 )

 func DeclareFixedRoles(service accesscontrol.Service) error {
@@ -178,6 +196,6 @@ func DeclareFixedRoles(service accesscontrol.Service) error {
 		rulesReaderRole, rulesWriterRole,
 		instancesReaderRole, instancesWriterRole,
 		notificationsReaderRole, notificationsWriterRole,
-		alertingReaderRole, alertingWriterRole, alertingProvisionerRole,
+		alertingReaderRole, alertingWriterRole, alertingProvisionerRole, alertingProvisioningReaderWithSecretsRole,
 	)
 }