Create fixed roles for reading API Keys and service accounts and fix listing of service account tokens (#47767)

* Create fixed roles for reading API Keys and service accounts * Handle PR comments and fix the listing of token
2025-02-25 18:55:37 -06:00 · 2022-04-14 15:09:55 +02:00 · 2022-04-14 15:09:55 +02:00 · 782ec05d8c
commit 782ec05d8c
parent f79e0c68cc
3 changed files with 40 additions and 5 deletions
--- a/pkg/api/accesscontrol.go
+++ b/pkg/api/accesscontrol.go
@ -150,6 +150,23 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		Grants: []string{string(models.ROLE_VIEWER)},
 	}

+	apikeyReaderRole := ac.RoleRegistration{
+		Role: ac.RoleDTO{
+			Version:     1,
+			Name:        "fixed:apikeys:reader",
+			DisplayName: "APIKeys reader",
+			Description: "Gives access to read api keys.",
+			Group:       "API Keys",
+			Permissions: []ac.Permission{
+				{
+					Action: ac.ActionAPIKeyRead,
+					Scope:  ac.ScopeAPIKeysAll,
+				},
+			},
+		},
+		Grants: []string{string(models.ROLE_ADMIN)},
+	}
+
 	apikeyWriterRole := ac.RoleRegistration{
 		Role: ac.RoleDTO{
 			Version:     1,
@ -411,7 +428,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole,
 		annotationsReaderRole, dashboardAnnotationsWriterRole, annotationsWriterRole,
 		dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
-		foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyWriterRole,
+		foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyReaderRole, apikeyWriterRole,
 	)
 }

--- a/pkg/services/serviceaccounts/database/database.go
+++ b/pkg/services/serviceaccounts/database/database.go
@ -157,7 +157,7 @@ func (s *ServiceAccountsStoreImpl) ListTokens(ctx context.Context, orgID int64,
 		sess = dbSession.
 			Join("inner", quotedUser, quotedUser+".id = api_key.service_account_id").
 			Where(quotedUser+".org_id=? AND "+quotedUser+".id=?", orgID, serviceAccountID).
-			Asc("name")
+			Asc("api_key.name")

 		return sess.Find(&result)
 	})
--- a/pkg/services/serviceaccounts/manager/roles.go
+++ b/pkg/services/serviceaccounts/manager/roles.go
@ -1,12 +1,30 @@
 package manager

 import (
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/serviceaccounts"
 )

 func RegisterRoles(ac accesscontrol.AccessControl) error {
-	role := accesscontrol.RoleRegistration{
+	saReader := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Version:     1,
+			Name:        "fixed:serviceaccounts:reader",
+			DisplayName: "Service accounts reader",
+			Description: "Read service accounts and service account tokens.",
+			Group:       "Service accounts",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: serviceaccounts.ActionRead,
+					Scope:  serviceaccounts.ScopeAll,
+				},
+			},
+		},
+		Grants: []string{string(models.ROLE_ADMIN)},
+	}
+
+	saWriter := accesscontrol.RoleRegistration{
 		Role: accesscontrol.RoleDTO{
 			Version:     4,
 			Name:        "fixed:serviceaccounts:writer",
@ -31,10 +49,10 @@ func RegisterRoles(ac accesscontrol.AccessControl) error {
 				},
 			},
 		},
-		Grants: []string{"Admin"},
+		Grants: []string{string(models.ROLE_ADMIN)},
 	}

-	if err := ac.DeclareFixedRoles(role); err != nil {
+	if err := ac.DeclareFixedRoles(saReader, saWriter); err != nil {
 		return err
 	}