RBAC: Add config option to reset basic roles on start up (#59598)

* RBAC: add config option to reset basic roles on start up

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Update docs

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Add to sample.ini as well

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Gabriel MABILLE
2022-12-01 09:41:40 +01:00
committed by GitHub
parent 009d65b794
commit 8e929163a8
5 changed files with 37 additions and 2 deletions

View File

@@ -717,6 +717,10 @@ managed_identity_client_id =
# If enabled, cache permissions in a in memory cache
permission_cache = true
# Reset basic roles permissions on boot
# Warning left to true, basic roles permissions will be reset on every boot
reset_basic_roles = false
#################################### SMTP / Emailing #####################
[smtp]
enabled = false
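Review bot: The warning comment on the new `reset_basic_roles` key is missing its conditional and reads as a fragment ("Warning left to true, ..."); suggest "# Warning: if this is left set to true, basic roles permissions will be reset on every boot", so an operator reading defaults.ini understands that any customization of the basic roles is discarded at each start while the flag is on. The docs added in this same change describe the option as Enterprise-only (9.4), so the comment could also say so, since defaults.ini is read by every edition.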

View File

@@ -703,6 +703,11 @@
#################################### Role-based Access Control ###########
[rbac]
;permission_cache = true
# Reset basic roles permissions on boot
# Warning left to true, basic roles permissions will be reset on every boot
#reset_basic_roles = false
#################################### SMTP / Emailing ##########################
[smtp]
;enabled = false
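Review bot: The commented-out key uses a `#` prefix (`#reset_basic_roles = false`) while every other disabled key in sample.ini, including `;permission_cache = true` two lines above and `;enabled = false` below, uses `;`; suggest `;reset_basic_roles = false` for consistency, so the line is recognizable as a commented default rather than an explanatory comment. The same broken warning sentence as in defaults.ini is copied here and should be fixed in both places ("Warning: if left set to true, ...").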

View File

@@ -18,6 +18,7 @@ The table below describes all RBAC configuration options. Like any other Grafana
| ------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `permission_cache` | No | Enable to use in memory cache for loading and evaluating users' permissions. | `true` |
| `permission_validation_enabled` | No | Grafana enforces validation for permissions when a user creates or updates a role. The system checks the internal list of scopes and actions for each permission to determine they are valid. By default, if a scope or action is not recognized, Grafana logs a warning message. When set to `true`, Grafana returns an error. | `false` |
| `reset_basic_roles` | No | Reset Grafana's basic roles' (Viewer, Editor, Admin, Grafana Admin) permissions to their default. Warning, if this configuration option is left to `true` this will be done on every reboot. | `true` |
## Example RBAC configuration
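Review bot: The default documented for `reset_basic_roles` is `true`, but the setting.go hunk in this same commit reads it with `MustBool(false)` and defaults.ini sets `reset_basic_roles = false`; the table should say `false`. As written, an operator would reasonably believe their basic-role customizations are wiped on every boot unless they opt out, and the warning sentence in the description ("if this configuration option is left to `true`") reinforces that misreading. Suggest the default cell read `false` and the description say "Warning: if this option is set to `true`, the reset happens on every boot." The description is also the only place that spells out which roles are affected (Viewer, Editor, Admin, Grafana Admin); consider repeating that list in the ini comments.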

View File

@@ -309,7 +309,29 @@ You can also change basic roles' permissions using the API. Refer to the [RBAC H
## Reset basic roles to their default
This section describes how to reset the basic roles to their default:
This section describes how to reset the basic roles to their default.
You have two options to reset the basic roles permissions to their default.
### Use the configuration option
> **Note**: Available as of Grafana Enterprise 9.4.
> Warning: If this option is left to true, permissions will be reset on every boot.
Use the [reset_basic_roles]({{< relref "../configure-rbac/#configure-rbac-in-grafana" >}}) option to reset
basic roles permissions to their default on Grafana instance boot up.
1. Open you configuration file and update the rbac section as follow:
```bash
[rbac]
reset_basic_roles = true
```
### Use the http endpoint
An alternative to the configuration option is to use the HTTP endpoint.
1. Open the YAML configuration file and locate the `roles` section.
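Review bot: Step 1 has two typos ("Open you configuration file and update the rbac section as follow" should be "Open your configuration file and update the rbac section as follows"), and the fenced snippet is an ini fragment but is tagged `bash`; suggest tagging it `ini` so it is highlighted correctly. The "Warning" blockquote line should be bolded like the "Note" line above it (`> **Warning**:`) and should state the consequence explicitly, since this is the one place a reader is told the flag is not a one-shot action: "If this option is left set to `true`, basic roles permissions are reset on every boot, discarding any customizations." The heading "Use the http endpoint" should read "Use the HTTP endpoint" to match "HTTP endpoint" in the sentence below it.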
@@ -327,7 +349,7 @@ This section describes how to reset the basic roles to their default:
permissions:
# Permission allowing to reset basic roles
- action: 'roles:write'
scope: 'permissions:type:escalate'
scope: 'permissions:type:escalate'
```
1. As a `Grafana Admin`, call the API endpoint to reset the basic roles to their default. Refer to the [RBAC HTTP API]({{< relref "../../../../developers/http_api/access_control/#reset-basic-roles-to-their-default" >}}) for more details.
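Review bot: This hunk only re-indents `scope: 'permissions:type:escalate'`; please confirm in the rendered docs that `scope` now sits at the same indentation as `action` inside the `- action: 'roles:write'` list item, because if `scope` lands one level out it parses as a sibling of `permissions` rather than as part of that permission, and the example would provision a `roles:write` permission without the escalate scope. Since this example grants the scope that allows resetting basic roles, a short note that it should be provisioned only to the role used for this task would help readers avoid copying it into a broader role.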

View File

@@ -482,6 +482,8 @@ type Cfg struct {
RBACPermissionCache bool
// Enable Permission validation during role creation and provisioning
RBACPermissionValidationEnabled bool
// Reset basic roles permissions on start-up
RBACResetBasicRoles bool
// GRPC Server.
GRPCServerNetwork string
GRPCServerAddress string
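Review bot: The comment on `RBACResetBasicRoles` ("Reset basic roles permissions on start-up") should carry the same caveat as the ini files and docs, i.e. that the reset repeats on every start while the flag is set, since this struct is what code readers consult; something like "// Reset basic roles permissions to their defaults on every start-up while enabled (Enterprise)". The field also sits next to `RBACPermissionValidationEnabled`, whose comment follows the same "Enable ... during ..." pattern; matching that phrasing keeps the block consistent.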
@@ -1447,6 +1449,7 @@ func readAccessControlSettings(iniFile *ini.File, cfg *Cfg) {
cfg.RBACEnabled = rbac.Key("enabled").MustBool(true)
cfg.RBACPermissionCache = rbac.Key("permission_cache").MustBool(true)
cfg.RBACPermissionValidationEnabled = rbac.Key("permission_validation_enabled").MustBool(false)
cfg.RBACResetBasicRoles = rbac.Key("reset_basic_roles").MustBool(false)
}
func readUserSettings(iniFile *ini.File, cfg *Cfg) error {
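Review bot: `MustBool(false)` is the right default and matches defaults.ini, but it contradicts the `true` default written into the configuration table in this same commit; please align the docs with this line rather than the other way round. Given that the flag silently discards basic-role customizations on each boot, consider emitting a startup log line when `cfg.RBACResetBasicRoles` is true (in the same style as other settings warnings in this file) so operators who forget to turn it back off have a visible trace of why their role permissions keep reverting.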