Access Control: Move database-related models to enterprise (#32907)

* Move database-related models to enterprise

* Chore: use GetUserBuiltInRoles() method

* Rename permission to action

pkg/services/accesscontrol/accesscontrol.go

@@ -11,7 +11,7 @@ type AccessControl interface {
 	Evaluate(ctx context.Context, user *models.SignedInUser, permission string, scope ...string) (bool, error)
 
 	// GetUserPermissions returns user permissions.
-	GetUserPermissions(ctx context.Context, user *models.SignedInUser, roles []string) ([]*Permission, error)
+	GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*Permission, error)
 
 	// Middleware checks if service disabled or not to switch to fallback authorization.
 	IsDisabled() bool

pkg/services/accesscontrol/evaluator/evaluator.go

@@ -9,19 +9,9 @@ import (
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 )
 
-const roleGrafanaAdmin = "Grafana Admin"
-
 // Evaluate evaluates access to the given resource, using provided AccessControl instance
 func Evaluate(ctx context.Context, ac accesscontrol.AccessControl, user *models.SignedInUser, permission string, scope ...string) (bool, error) {
-	roles := []string{string(user.OrgRole)}
-	for _, role := range user.OrgRole.Children() {
-		roles = append(roles, string(role))
-	}
-	if user.IsGrafanaAdmin {
-		roles = append(roles, roleGrafanaAdmin)
-	}
-
-	res, err := ac.GetUserPermissions(ctx, user, roles)
+	res, err := ac.GetUserPermissions(ctx, user)
 	if err != nil {
 		return false, err
 	}
@@ -61,7 +51,7 @@ func extractPermission(permissions []*accesscontrol.Permission, permission strin
 		if p == nil {
 			continue
 		}
-		if p.Permission == permission {
+		if p.Action == permission {
 			ok = true
 			scopes[p.Scope] = struct{}{}
 		}

pkg/services/accesscontrol/models.go

@@ -4,12 +4,9 @@ import (
 	"time"
 )
 
-// Role is the model for Role in RBAC.
 type Role struct {
-	ID          int64  `json:"id" xorm:"pk autoincr 'id'"`
-	OrgID       int64  `json:"orgId" xorm:"org_id"`
 	Version     int64  `json:"version"`
-	UID         string `xorm:"uid" json:"uid"`
+	UID         string `json:"uid"`
 	Name        string `json:"name"`
 	Description string `json:"description"`
 
@@ -18,33 +15,16 @@ type Role struct {
 }
 
 type RoleDTO struct {
-	ID          int64        `json:"id" xorm:"pk autoincr 'id'"`
-	OrgID       int64        `json:"orgId" xorm:"org_id"`
 	Version     int64        `json:"version"`
-	UID         string       `xorm:"uid" json:"uid"`
+	UID         string       `json:"uid"`
 	Name        string       `json:"name"`
 	Description string       `json:"description"`
 	Permissions []Permission `json:"permissions,omitempty"`
-
-	Updated time.Time `json:"updated"`
-	Created time.Time `json:"created"`
 }
 
-// Permission is the model for Permission in RBAC.
 type Permission struct {
-	ID         int64  `json:"id" xorm:"pk autoincr 'id'"`
-	RoleID     int64  `json:"-" xorm:"role_id"`
-	Permission string `json:"permission"`
-	Scope      string `json:"scope"`
-
-	Updated time.Time `json:"updated"`
-	Created time.Time `json:"created"`
-}
-
-type GetUserPermissionsQuery struct {
-	OrgID  int64 `json:"-"`
-	UserID int64 `json:"userId"`
-	Roles  []string
+	Action string `json:"action"`
+	Scope  string `json:"scope"`
 }
 
 type EvaluationResult struct {
@@ -54,11 +34,7 @@ type EvaluationResult struct {
 
 func (p RoleDTO) Role() Role {
 	return Role{
-		ID:          p.ID,
-		OrgID:       p.OrgID,
 		Name:        p.Name,
 		Description: p.Description,
-		Updated:     p.Updated,
-		Created:     p.Created,
 	}
 }

pkg/services/accesscontrol/ossaccesscontrol/builtin_roles.go

@@ -4,22 +4,24 @@ import (
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 )
 
+const roleGrafanaAdmin = "Grafana Admin"
+
 var builtInRolesMap = map[string]accesscontrol.RoleDTO{
 	"grafana:builtin:users:read:self": {
 		Name:    "grafana:builtin:users:read:self",
 		Version: 1,
 		Permissions: []accesscontrol.Permission{
 			{
-				Permission: "users:read",
-				Scope:      "users:self",
+				Action: "users:read",
+				Scope:  "users:self",
 			},
 			{
-				Permission: "users.tokens:list",
-				Scope:      "users:self",
+				Action: "users.tokens:list",
+				Scope:  "users:self",
 			},
 			{
-				Permission: "users.teams:read",
-				Scope:      "users:self",
+				Action: "users.teams:read",
+				Scope:  "users:self",
 			},
 		},
 	},

pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go

@@ -38,7 +38,8 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si
 }
 
 // GetUserPermissions returns user permissions based on built-in roles
-func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser, roles []string) ([]*accesscontrol.Permission, error) {
+func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*accesscontrol.Permission, error) {
+	roles := ac.GetUserBuiltInRoles(user)
 	permissions := make([]*accesscontrol.Permission, 0)
 	for _, legacyRole := range roles {
 		if builtInRoleNames, ok := builtInRoleGrants[legacyRole]; ok {
@@ -57,3 +58,15 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
 
 	return permissions, nil
 }
+
+func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser) []string {
+	roles := []string{string(user.OrgRole)}
+	for _, role := range user.OrgRole.Children() {
+		roles = append(roles, string(role))
+	}
+	if user.IsGrafanaAdmin {
+		roles = append(roles, roleGrafanaAdmin)
+	}
+
+	return roles
+}