AccessControl: add one-dimensional permissions to datasources (#38070)

* AccessControl: add one-dimensional permissions to datasources in the backend * AccessControl: add one-dimensional permissions to datasources in the frontend (#38080) Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
2025-02-25 18:55:37 -06:00 · 2021-09-01 15:18:17 +02:00
parent 4e8ab0512c
commit 9f29241a0c
19 changed files with 506 additions and 40 deletions
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@@ -1,12 +1,19 @@
 package api

 import (
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 )

 // API related actions
 const (
 	ActionProvisioningReload = "provisioning:reload"
+
+	ActionDatasourcesRead   = "datasources:read"
+	ActionDatasourcesCreate = "datasources:create"
+	ActionDatasourcesWrite  = "datasources:write"
+	ActionDatasourcesDelete = "datasources:delete"
+	ActionDatasourcesIDRead = "datasources:id:read"
 )

 // API related scopes
@@ -16,26 +23,70 @@ const (
 	ScopeProvisionersPlugins       = "provisioners:plugins"
 	ScopeProvisionersDatasources   = "provisioners:datasources"
 	ScopeProvisionersNotifications = "provisioners:notifications"
+
+	ScopeDatasourcesAll = `datasources:*`
+	ScopeDatasourceID   = `datasources:id:{{ index . ":id" }}`
+	ScopeDatasourceUID  = `datasources:uid:{{ index . ":uid" }}`
+	ScopeDatasourceName = `datasources:name:{{ index . ":name" }}`
 )

 // declareFixedRoles declares to the AccessControl service fixed roles and their
 // grants to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
 // that HTTPServer needs
 func (hs *HTTPServer) declareFixedRoles() error {
-	registration := accesscontrol.RoleRegistration{
-		Role: accesscontrol.RoleDTO{
-			Version:     1,
-			Name:        "fixed:provisioning:admin",
-			Description: "Reload provisioning configurations",
-			Permissions: []accesscontrol.Permission{
-				{
-					Action: ActionProvisioningReload,
-					Scope:  ScopeProvisionersAll,
+	registrations := []accesscontrol.RoleRegistration{
+		{
+			Role: accesscontrol.RoleDTO{
+				Version:     1,
+				Name:        "fixed:provisioning:admin",
+				Description: "Reload provisioning configurations",
+				Permissions: []accesscontrol.Permission{
+					{
+						Action: ActionProvisioningReload,
+						Scope:  ScopeProvisionersAll,
+					},
 				},
 			},
+			Grants: []string{accesscontrol.RoleGrafanaAdmin},
+		},
+		{
+			Role: accesscontrol.RoleDTO{
+				Version:     1,
+				Name:        "fixed:datasources:admin",
+				Description: "Gives access to create, read, update, delete datasources",
+				Permissions: []accesscontrol.Permission{
+					{
+						Action: ActionDatasourcesRead,
+						Scope:  ScopeDatasourcesAll,
+					},
+					{
+						Action: ActionDatasourcesWrite,
+						Scope:  ScopeDatasourcesAll,
+					},
+					{Action: ActionDatasourcesCreate},
+					{
+						Action: ActionDatasourcesDelete,
+						Scope:  ScopeDatasourcesAll,
+					},
+				},
+			},
+			Grants: []string{string(models.ROLE_ADMIN)},
+		},
+		{
+			Role: accesscontrol.RoleDTO{
+				Version:     1,
+				Name:        "fixed:datasources:id:viewer",
+				Description: "Gives access to read datasources ID",
+				Permissions: []accesscontrol.Permission{
+					{
+						Action: ActionDatasourcesIDRead,
+						Scope:  ScopeDatasourcesAll,
+					},
+				},
+			},
+			Grants: []string{string(models.ROLE_VIEWER)},
 		},
-		Grants: []string{accesscontrol.RoleGrafanaAdmin},
 	}

-	return hs.AccessControl.DeclareFixedRoles(registration)
+	return hs.AccessControl.DeclareFixedRoles(registrations...)
 }