Access Control: Add fgac to datasource query endpoints (#40294)

* Protect datasource tsdb and proxy endpoints with access control

* Add datasource query permissions to fixed admin role

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>

pkg/api/api.go

@@ -303,11 +303,11 @@ func (hs *HTTPServer) registerRoutes() {
 		}, reqOrgAdmin)
 
 		apiRoute.Get("/frontend/settings/", hs.GetFrontendSettings)
-		apiRoute.Any("/datasources/proxy/:id/*", reqSignedIn, hs.ProxyDataSourceRequest)
-		apiRoute.Any("/datasources/proxy/:id", reqSignedIn, hs.ProxyDataSourceRequest)
-		apiRoute.Any("/datasources/:id/resources", hs.CallDatasourceResource)
-		apiRoute.Any("/datasources/:id/resources/*", hs.CallDatasourceResource)
-		apiRoute.Any("/datasources/:id/health", routing.Wrap(hs.CheckDatasourceHealth))
+		apiRoute.Any("/datasources/proxy/:id/*", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), hs.ProxyDataSourceRequest)
+		apiRoute.Any("/datasources/proxy/:id", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), hs.ProxyDataSourceRequest)
+		apiRoute.Any("/datasources/:id/resources", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), hs.CallDatasourceResource)
+		apiRoute.Any("/datasources/:id/resources/*", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), hs.CallDatasourceResource)
+		apiRoute.Any("/datasources/:id/health", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), routing.Wrap(hs.CheckDatasourceHealth))
 
 		// Folders
 		apiRoute.Group("/folders", func(folderRoute routing.RouteRegister) {
@@ -373,10 +373,10 @@ func (hs *HTTPServer) registerRoutes() {
 		apiRoute.Get("/search/", routing.Wrap(Search))
 
 		// metrics
-		apiRoute.Post("/tsdb/query", bind(dtos.MetricRequest{}), routing.Wrap(hs.QueryMetrics))
+		apiRoute.Post("/tsdb/query", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), bind(dtos.MetricRequest{}), routing.Wrap(hs.QueryMetrics))
 
 		// DataSource w/ expressions
-		apiRoute.Post("/ds/query", bind(dtos.MetricRequest{}), routing.Wrap(hs.QueryMetricsV2))
+		apiRoute.Post("/ds/query", authorize(reqSignedIn, ac.EvalPermission(ActionDatasourcesQuery)), bind(dtos.MetricRequest{}), routing.Wrap(hs.QueryMetricsV2))
 
 		apiRoute.Group("/alerts", func(alertsRoute routing.RouteRegister) {
 			alertsRoute.Post("/test", bind(dtos.AlertTestCommand{}), routing.Wrap(hs.AlertTest))

pkg/api/roles.go

@@ -10,6 +10,7 @@ const (
 	ActionProvisioningReload = "provisioning:reload"
 
 	ActionDatasourcesRead   = "datasources:read"
+	ActionDatasourcesQuery  = "datasources:query"
 	ActionDatasourcesCreate = "datasources:create"
 	ActionDatasourcesWrite  = "datasources:write"
 	ActionDatasourcesDelete = "datasources:delete"
@@ -63,11 +64,17 @@ func (hs *HTTPServer) declareFixedRoles() error {
 						Action: ActionDatasourcesWrite,
 						Scope:  ScopeDatasourcesAll,
 					},
-					{Action: ActionDatasourcesCreate},
+					{
+						Action: ActionDatasourcesCreate,
+					},
 					{
 						Action: ActionDatasourcesDelete,
 						Scope:  ScopeDatasourcesAll,
 					},
+					{
+						Action: ActionDatasourcesQuery,
+						Scope:  ScopeDatasourcesAll,
+					},
 				},
 			},
 			Grants: []string{string(models.ROLE_ADMIN)},
@@ -86,6 +93,17 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			},
 			Grants: []string{string(models.ROLE_VIEWER)},
 		},
+		{
+			Role: accesscontrol.RoleDTO{
+				Version:     1,
+				Name:        "fixed:datasources:compatibility:querier",
+				Description: "Query data sources when data source permissions are not in use",
+				Permissions: []accesscontrol.Permission{
+					{Action: ActionDatasourcesQuery},
+				},
+			},
+			Grants: []string{string(models.ROLE_VIEWER)},
+		},
 	}
 
 	return hs.AccessControl.DeclareFixedRoles(registrations...)