RBAC: introduce a data source admin role (#75915)

* introduce data source admin role and fix frontend check

* introduce fixed roles for data source creator and team reader

* add documentation

* undo an unintended change
This commit is contained in:
Ieva 2023-10-19 14:36:41 +01:00 committed by GitHub
parent fb18dffd8e
commit 94fec65192
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 39 additions and 7 deletions


@ -40,7 +40,8 @@ For links to data source-specific documentation, see [Data sources]({{< relref "
## Data source permissions
You can configure data source permissions to allow or deny certain users the ability to query or edit a data source. Each data sources configuration includes a Permissions tab where you can restrict data source permissions to specific users, teams, or roles.
You can configure data source permissions to allow or deny certain users the ability to query, edit, or administrate a data source. Each data sources configuration includes a Permissions tab where you can restrict data source permissions to specific users, teams, or roles.
Query permission allows users to query the data source. Edit permission allows users to query the data source, edit the data sources configuration and delete the data source. Admin permission allows users to query and edit the data source, change permissions on the data source and enable or disable query caching for the data source.
{{% admonition type="note" %}}
Available in [Grafana Enterprise]({{< relref "../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud](/docs/grafana-cloud).
@ -52,7 +53,7 @@ By default, data sources in an organization can be queried by any user in that o
### Assign data source permissions to users, teams, or roles
You can assign data source permissions to users, teams, and roles which will allow access to query or edit the data source.
You can assign data source permissions to users, teams, and roles which will allow access to query, edit, or administrate the data source.
1. Click **Connections** in the left-side menu.
1. Under Your connections, click **Data sources**.
@ -60,7 +61,7 @@ You can assign data source permissions to users, teams, and roles which will all
1. On the Permissions tab, click **Add a permission**.
1. Select **User**, **Team**, or **Role**.
1. Select the entity for which you want to modify permissions.
1. Select the **Query** or **Edit** permission.
1. Select the **Query**, **Edit**, or **Admin** permission.
1. Click **Save**.
<div class="clearfix"></div>


@ -65,6 +65,7 @@ The following tables list permissions associated with basic and fixed roles.
| `fixed:datasources.insights:reader` | `datasources.insights:read` | Read data source insights data. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:write` | Create, read, or delete permissions of a data source. |
| `fixed:datasources:creator` | `datasources:create` | Create data sources. |
| `fixed:datasources:reader` | `datasources:read`<br>`datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:folders.permissions:reader` | `folders.permissions:read` | Read all folder permissions. |
@ -96,6 +97,7 @@ The following tables list permissions associated with basic and fixed roles.
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:reader` | `teams:read` | List all teams. |
| `fixed:teams:creator` | `teams:create`<br>`org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |
| `fixed:users:reader` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`<br>` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |


@ -119,6 +119,21 @@ func (hs *HTTPServer) declareFixedRoles() error {
datasourcesReaderRole.Grants = []string{string(org.RoleViewer)}
}
datasourcesCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:datasources:creator",
DisplayName: "Data source creator",
Description: "Create data sources.",
Group: "Data sources",
Permissions: []ac.Permission{
{
Action: datasources.ActionCreate,
},
},
},
Grants: []string{},
}
datasourcesWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:datasources:writer",
@ -256,6 +271,19 @@ func (hs *HTTPServer) declareFixedRoles() error {
Grants: teamCreatorGrants,
}
teamsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:teams:read",
DisplayName: "Team reader",
Description: "List all teams.",
Group: "Teams",
Permissions: []ac.Permission{
{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
},
},
Grants: []string{},
}
teamsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:teams:writer",
@ -520,12 +548,13 @@ func (hs *HTTPServer) declareFixedRoles() error {
}
roles := []ac.RoleRegistration{provisioningWriterRole, datasourcesReaderRole, builtInDatasourceReader, datasourcesWriterRole,
datasourcesIdReaderRole, orgReaderRole, orgWriterRole,
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole,
datasourcesIdReaderRole, datasourcesCreatorRole, orgReaderRole, orgWriterRole,
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, teamsReaderRole, datasourcesExplorerRole,
annotationsReaderRole, dashboardAnnotationsWriterRole, annotationsWriterRole,
dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyReaderRole, apikeyWriterRole,
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole}
if hs.Features.IsEnabled(featuremgmt.FlagLibraryPanelRBAC) {
roles = append(roles, libraryPanelsCreatorRole, libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole)
}
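Review bot: The role registered in the second hunk is named `"fixed:teams:read"`, while the documentation table added in this same commit lists it as `fixed:teams:reader`, and every neighbouring fixed role (`fixed:datasources:reader`, `fixed:teams:writer`, `fixed:datasources:creator`) uses the `<resource>:<actor>` form. Since the role name is what users assign and what the docs tell them to look for, the code should read `Name: "fixed:teams:reader",` so that the two agree and the naming convention holds. Both new roles carry `Grants: []string{}`, meaning no basic role receives them automatically; a short comment on each such as `// Not granted to any basic role; assigned explicitly.` would make that deliberate choice visible to the next maintainer. `declareFixedRoles` starts before the first hunk and continues past the last one.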


@ -229,7 +229,7 @@ func (s *Service) AddDataSource(ctx context.Context, cmd *datasources.AddDataSou
{BuiltinRole: "Editor", Permission: "Query"},
}
if cmd.UserID != 0 {
permissions = append(permissions, accesscontrol.SetResourcePermissionCommand{UserID: cmd.UserID, Permission: "Edit"})
permissions = append(permissions, accesscontrol.SetResourcePermissionCommand{UserID: cmd.UserID, Permission: "Admin"})
}
_, err = s.permissionsService.SetPermissions(ctx, cmd.OrgID, dataSource.UID, permissions...)
return err
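Review bot: The creating user is now granted `"Admin"` instead of `"Edit"` on the new data source, but the changed line carries no comment explaining the widened grant, and `"Admin"` is a bare string like the `"Query"` above it. According to the documentation changed in this commit, Admin additionally lets the holder change the data source's permissions and toggle query caching, so the creator can now delegate access to other users and teams; a one-line comment such as `// Grant the creator Admin so they can manage permissions and query caching on the data source they created.` would record that intent. This diff does not show `"Admin"` being registered as a permission option in the data source permissions service, so presumably it already exists elsewhere; if it does not, the `SetPermissions` call below would be expected to reject it. `AddDataSource` starts and ends outside the hunk.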


@ -72,7 +72,7 @@ export function buildNavModel(dataSource: DataSourceSettings, plugin: GenericDat
}
if (featureEnabled('dspermissions.enforcement')) {
if (contextSrv.hasPermission(AccessControlAction.DataSourcesPermissionsRead)) {
if (contextSrv.hasPermissionInMetadata(AccessControlAction.DataSourcesPermissionsRead, dataSource)) {
navModel.children!.push(dsPermissions);
}
} else if (highlightsEnabled && !isLoadingNav) {
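Review bot: The switched check `hasPermissionInMetadata(AccessControlAction.DataSourcesPermissionsRead, dataSource)` evaluates the permission against the data source's own access-control metadata rather than the user's global permission set, so showing the Permissions tab now depends on `dataSource` having been loaded with that metadata. Where that load happens is outside this hunk; if it omits the metadata, the tab would be hidden even for users who hold data-source-level permissions, which is worth confirming. A comment on the changed line such as `// Scoped check: requires dataSource to carry access-control metadata from the API.` would flag that dependency for the next reader. `buildNavModel` starts and ends outside the hunk.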