RBAC: Add OAuth provider scopes separately to fixed:authentication.config:writer (#78202)
* Add OAuth provider setting scopes to fixed:authentication writer
* Change SSO Settings API scopes
* Remove unused RBAC action
parent
d641f9153e
commit
7ae0ff1309
@ -396,7 +396,6 @@ const (
|
|||||||
|
|
||||||
// Settings scope
|
// Settings scope
|
||||||
ScopeSettingsAll = "settings:*"
|
ScopeSettingsAll = "settings:*"
|
||||||
ScopeSettingsAuth = "settings:auth:*"
|
|
||||||
ScopeSettingsSAML = "settings:auth.saml:*"
|
ScopeSettingsSAML = "settings:auth.saml:*"
|
||||||
|
|
||||||
// Team related actions
|
// Team related actions
|
||||||
@ -467,6 +466,10 @@ var (
|
|||||||
// Team scope
|
// Team scope
|
||||||
ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))
|
ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))
|
||||||
|
|
||||||
|
ScopeSettingsOAuth = func(provider string) string {
|
||||||
|
return Scope("settings", "auth."+provider, "*")
|
||||||
|
}
|
||||||
|
|
||||||
// Annotation scopes
|
// Annotation scopes
|
||||||
ScopeAnnotationsRoot = "annotations"
|
ScopeAnnotationsRoot = "annotations"
|
||||||
ScopeAnnotationsProvider = NewScopeProvider(ScopeAnnotationsRoot)
|
ScopeAnnotationsProvider = NewScopeProvider(ScopeAnnotationsRoot)
|
||||||
|
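Review bot: `ScopeSettingsOAuth`, the func literal added after `ScopeTeamsID`, is an exported package-level variable without a doc comment, and it builds the scope by plain concatenation of `provider` with no validation; the API hunk in this commit passes the `:key` path-parameter placeholder to it, so at evaluation time the provider segment is whatever the caller put in the URL. If `Scope` joins its parts with the scope separator (its body is not visible here), a key containing that separator or a wildcard produces a scope string that no longer names a single provider, so the resolved `:key` value should be checked against the known provider names before the permission is evaluated. Suggested comment: `// ScopeSettingsOAuth returns the settings scope for one OAuth provider's configuration, mirroring ScopeSettingsSAML (presumably settings:auth.<provider>:*); provider is not validated, so callers must pass a known provider name or a Parameter placeholder whose value is checked elsewhere.`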
@ -202,19 +202,59 @@ var (
|
|||||||
Permissions: []Permission{
|
Permissions: []Permission{
|
||||||
{
|
{
|
||||||
Action: ActionSettingsRead,
|
Action: ActionSettingsRead,
|
||||||
Scope: ScopeSettingsAuth,
|
Scope: ScopeSettingsSAML,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Action: ActionSettingsWrite,
|
Action: ActionSettingsWrite,
|
||||||
Scope: ScopeSettingsAuth,
|
Scope: ScopeSettingsSAML,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Action: ActionSettingsRead,
|
Action: ActionSettingsRead,
|
||||||
Scope: ScopeSettingsSAML,
|
Scope: ScopeSettingsOAuth("azuread"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Action: ActionSettingsWrite,
|
Action: ActionSettingsWrite,
|
||||||
Scope: ScopeSettingsSAML,
|
Scope: ScopeSettingsOAuth("azuread"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsRead,
|
||||||
|
Scope: ScopeSettingsOAuth("okta"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsWrite,
|
||||||
|
Scope: ScopeSettingsOAuth("okta"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsRead,
|
||||||
|
Scope: ScopeSettingsOAuth("github"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsWrite,
|
||||||
|
Scope: ScopeSettingsOAuth("github"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsRead,
|
||||||
|
Scope: ScopeSettingsOAuth("gitlab"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsWrite,
|
||||||
|
Scope: ScopeSettingsOAuth("gitlab"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsRead,
|
||||||
|
Scope: ScopeSettingsOAuth("google"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsWrite,
|
||||||
|
Scope: ScopeSettingsOAuth("google"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsRead,
|
||||||
|
Scope: ScopeSettingsOAuth("generic_oauth"),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Action: ActionSettingsWrite,
|
||||||
|
Scope: ScopeSettingsOAuth("generic_oauth"),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
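Review bot: The provider list (`azuread`, `okta`, `github`, `gitlab`, `google`, `generic_oauth`) is spelled out as twelve near-identical permission literals inside the role, so adding or renaming a provider means editing this block by hand, and a provider the SSO settings API serves but that is missing here silently becomes unmanageable for holders of this fixed role. A single package-level provider slice plus a small helper that emits the read/write pair per provider, appended to the two SAML entries, keeps the role and the provider set in one place. The enclosing `var` block and the role definition begin outside the hunk.
```go
// ssoOAuthProviders lists the OAuth providers whose settings this fixed role may read and write.
var ssoOAuthProviders = []string{"azuread", "okta", "github", "gitlab", "google", "generic_oauth"}

// oauthSettingsPermissions returns a settings read and write permission scoped to each provider.
func oauthSettingsPermissions(providers []string) []Permission {
	perms := make([]Permission, 0, 2*len(providers))
	for _, p := range providers {
		perms = append(perms,
			Permission{Action: ActionSettingsRead, Scope: ScopeSettingsOAuth(p)},
			Permission{Action: ActionSettingsWrite, Scope: ScopeSettingsOAuth(p)},
		)
	}
	return perms
}

// … unchanged: role metadata above Permissions …
Permissions: append([]Permission{
	{Action: ActionSettingsRead, Scope: ScopeSettingsSAML},
	{Action: ActionSettingsWrite, Scope: ScopeSettingsSAML},
}, oauthSettingsPermissions(ssoOAuthProviders)...),
```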
@ -43,13 +43,11 @@ func (api *Api) RegisterAPIEndpoints() {
|
|||||||
auth := ac.Middleware(api.AccessControl)
|
auth := ac.Middleware(api.AccessControl)
|
||||||
|
|
||||||
scopeKey := ac.Parameter(":key")
|
scopeKey := ac.Parameter(":key")
|
||||||
settingsScope := ac.Scope("settings", "auth."+scopeKey, "*")
|
settingsScope := ac.ScopeSettingsOAuth(scopeKey)
|
||||||
|
|
||||||
reqWriteAccess := auth(ac.EvalAny(
|
reqWriteAccess := auth(ac.EvalPermission(ac.ActionSettingsWrite, settingsScope))
|
||||||
ac.EvalPermission(ac.ActionSettingsWrite, ac.ScopeSettingsAuth),
|
|
||||||
ac.EvalPermission(ac.ActionSettingsWrite, settingsScope)))
|
|
||||||
|
|
||||||
router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead, ac.ScopeSettingsAuth)), routing.Wrap(api.listAllProvidersSettings))
|
router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead)), routing.Wrap(api.listAllProvidersSettings))
|
||||||
router.Get("/:key", auth(ac.EvalPermission(ac.ActionSettingsRead, settingsScope)), routing.Wrap(api.getProviderSettings))
|
router.Get("/:key", auth(ac.EvalPermission(ac.ActionSettingsRead, settingsScope)), routing.Wrap(api.getProviderSettings))
|
||||||
router.Put("/:key", reqWriteAccess, routing.Wrap(api.updateProviderSettings))
|
router.Put("/:key", reqWriteAccess, routing.Wrap(api.updateProviderSettings))
|
||||||
router.Delete("/:key", reqWriteAccess, routing.Wrap(api.removeProviderSettings))
|
router.Delete("/:key", reqWriteAccess, routing.Wrap(api.removeProviderSettings))
|
||||||
|
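Review bot: `router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead)), ...)` now evaluates the read action with no scope, whereas the removed line required `ac.ScopeSettingsAuth`; any principal holding `settings:read` on any scope, including a single provider granted through `ScopeSettingsOAuth`, now reaches the listing handler. Unless `listAllProvidersSettings` (outside the hunk) filters the returned providers by the caller's per-provider scopes, this exposes the configuration of providers the caller is not entitled to read. Either evaluate the route with `ac.EvalAny` over the per-provider scopes, or make the filtering contract explicit on the handler, e.g. `// listAllProvidersSettings must only return providers the caller holds settings:read on; the route checks the action alone.` `RegisterAPIEndpoints` continues outside the hunk.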