RBAC: Allow omitting default permissions when a new resource is created (#90720)

* Cfg: Move rbac settings to own struct * Cfg: Add setting to control if resource should generate managed permissions when created * Dashboards: Check if we should generate default permissions when dashboard is created * Folders: Check if we should generate default permissions when folder is created * Datasource: Check if we should generate default permissions when datasource is created * ServiceAccount: Check if we should generate default permissions when service account is created * Cfg: Add option to specify resources for wich we should default seed * ManagedPermissions: Move providers to their own files * Dashboards: Default seed all possible managed permissions if configured * Folders: Default seed all possible managed permissions if configured * Cfg: Remove service account from list * RBAC: Move utility function * remove managed permission settings from the config file examples, change the setting names * remove ini file changes from the PR * fix setting reading * fix linting errors * fix tests * fix wildcard role seeding --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: jguer <me@jguer.space>
2025-02-25 18:55:37 -06:00 · 2024-07-24 17:31:26 +01:00
parent 82236976ae
commit 9bb2cf4968
19 changed files with 712 additions and 475 deletions
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -322,9 +322,6 @@ type Cfg struct {
 	// GrafanaJavascriptAgent config
 	GrafanaJavascriptAgent GrafanaJavascriptAgent

-	// accessactionsets
-	OnlyStoreAccessActionSets bool
-
 	// Data sources
 	DataSourceLimit int
 	// Number of queries to be executed concurrently. Only for the datasource supports concurrency.
@@ -467,14 +464,7 @@ type Cfg struct {
 	OAuth2ServerGeneratedKeyTypeForClient string
 	OAuth2ServerAccessTokenLifespan       time.Duration

-	// Access Control
-	RBACPermissionCache bool
-	// Enable Permission validation during role creation and provisioning
-	RBACPermissionValidationEnabled bool
-	// Reset basic roles permissions on start-up
-	RBACResetBasicRoles bool
-	// RBAC single organization. This configuration option is subject to change.
-	RBACSingleOrganization bool
+	RBAC RBACSettings

 	Zanzana ZanzanaSettings

@@ -1116,7 +1106,7 @@ func (cfg *Cfg) parseINIFile(iniFile *ini.File) error {

 	readOAuth2ServerSettings(cfg)

-	readAccessControlSettings(iniFile, cfg)
+	cfg.readRBACSettings()

 	cfg.readZanzanaSettings()

@@ -1657,15 +1647,6 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	return nil
 }

-func readAccessControlSettings(iniFile *ini.File, cfg *Cfg) {
-	rbac := iniFile.Section("rbac")
-	cfg.RBACPermissionCache = rbac.Key("permission_cache").MustBool(true)
-	cfg.RBACPermissionValidationEnabled = rbac.Key("permission_validation_enabled").MustBool(false)
-	cfg.RBACResetBasicRoles = rbac.Key("reset_basic_roles").MustBool(false)
-	cfg.RBACSingleOrganization = rbac.Key("single_organization").MustBool(false)
-	cfg.OnlyStoreAccessActionSets = rbac.Key("only_store_access_action_sets").MustBool(false)
-}
-
 func readOAuth2ServerSettings(cfg *Cfg) {
 	oauth2Srv := cfg.SectionWithEnvOverrides("oauth2_server")
 	cfg.OAuth2ServerEnabled = oauth2Srv.Key("enabled").MustBool(false)
--- a/pkg/setting/settings_rbac.go
+++ b/pkg/setting/settings_rbac.go
@@ -0,0 +1,61 @@
+package setting
+
+import (
+	"github.com/grafana/grafana/pkg/util"
+)
+
+type RBACSettings struct {
+	// Enable permission cache
+	PermissionCache bool
+	// Enable Permission validation during role creation and provisioning
+	PermissionValidationEnabled bool
+	// Reset basic roles permissions on start-up
+	ResetBasicRoles bool
+	// RBAC single organization. This configuration option is subject to change.
+	SingleOrganization bool
+
+	OnlyStoreAccessActionSets bool
+
+	// set of resources that should generate managed permissions when created
+	resourcesWithPermissionsOnCreation map[string]struct{}
+
+	// set of resources that should we should seed wildcard scopes for
+	resourcesWithWildcardSeed map[string]struct{}
+}
+
+func (cfg *Cfg) readRBACSettings() {
+	s := RBACSettings{}
+
+	rbac := cfg.Raw.Section("rbac")
+	s.PermissionCache = rbac.Key("permission_cache").MustBool(true)
+	s.PermissionValidationEnabled = rbac.Key("permission_validation_enabled").MustBool(false)
+	s.ResetBasicRoles = rbac.Key("reset_basic_roles").MustBool(false)
+	s.SingleOrganization = rbac.Key("single_organization").MustBool(false)
+	s.OnlyStoreAccessActionSets = rbac.Key("only_store_access_action_sets").MustBool(false)
+
+	// List of resources to generate managed permissions for upon resource creation (dashboard, folder, service-account, datasource)
+	resources := util.SplitString(rbac.Key("resources_with_managed_permissions_on_creation").MustString("dashboard, folder, service-account, datasource"))
+	s.resourcesWithPermissionsOnCreation = map[string]struct{}{}
+	for _, resource := range resources {
+		s.resourcesWithPermissionsOnCreation[resource] = struct{}{}
+	}
+
+	// List of resources to seed managed permission wildcards for (dashboard, folder, datasource)
+	resources = util.SplitString(rbac.Key("resources_with_seeded_wildcard_access").MustString(""))
+	s.resourcesWithWildcardSeed = map[string]struct{}{}
+	for _, resource := range resources {
+		s.resourcesWithWildcardSeed[resource] = struct{}{}
+	}
+
+	cfg.RBAC = s
+}
+
+func (r RBACSettings) PermissionsOnCreation(resource string) bool {
+	_, ok := r.resourcesWithPermissionsOnCreation[resource]
+	return ok
+}
+
+func (r RBACSettings) PermissionsWildcardSeed(resource string) bool {
+	_, ok := r.resourcesWithWildcardSeed[resource]
+	return ok
+}