Access control: allow granting a fixed role dynamically based on the startup settings (#43867)

* allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming
2025-02-25 18:55:37 -06:00 · 2022-01-11 10:58:40 +00:00 · 2022-01-11 10:58:40 +00:00 · a06564fb0d
commit a06564fb0d
parent f60a2e8152
4 changed files with 25 additions and 19 deletions
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -178,7 +178,7 @@ func (hs *HTTPServer) registerRoutes() {
 		// team (admin permission required)
 		apiRoute.Group("/teams", func(teamsRoute routing.RouteRegister) {
-			teamsRoute.Post("/", authorize(reqCanAccessTeams, ac.EvalPermission(ac.ActionTeamsCreate)), routing.Wrap(hs.CreateTeam))
+			teamsRoute.Post("/", authorize(reqCanAccessTeams, ac.EvalPermission(ActionTeamsCreate)), routing.Wrap(hs.CreateTeam))
 			teamsRoute.Put("/:teamId", reqCanAccessTeams, routing.Wrap(hs.UpdateTeam))
 			teamsRoute.Delete("/:teamId", reqCanAccessTeams, routing.Wrap(hs.DeleteTeamByID))
 			teamsRoute.Get("/:teamId/members", reqCanAccessTeams, routing.Wrap(hs.GetTeamMembers))
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@ -24,6 +24,8 @@ const (
 	ActionOrgsQuotasWrite      = "orgs.quotas:write"
 	ActionOrgsDelete           = "orgs:delete"
 	ActionOrgsCreate           = "orgs:create"
 	ActionTeamsCreate = "teams:create"
 )
 // API related scopes
@ -185,9 +187,29 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		Grants: []string{string(accesscontrol.RoleGrafanaAdmin)},
 	}
 	teamWriterGrants := []string{string(models.ROLE_ADMIN)}
 	if hs.Cfg.EditorsCanAdmin {
 		teamWriterGrants = append(teamWriterGrants, string(models.ROLE_EDITOR))
 	}
 	teamsWriterRole := accesscontrol.RoleRegistration{
 		Role: accesscontrol.RoleDTO{
 			Name:        "fixed:teams:writer",
 			DisplayName: "Team writer",
 			Description: "Create teams.",
 			Group:       "Teams",
 			Version:     1,
 			Permissions: []accesscontrol.Permission{
 				{
 					Action: ActionTeamsCreate,
 				},
 			},
 		},
 		Grants: teamWriterGrants,
 	}
 	return hs.AccessControl.DeclareFixedRoles(
 		provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole,
-		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole, orgMaintainerRole,
+		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole, orgMaintainerRole, teamsWriterRole,
 	)
 }
--- a/pkg/api/team_test.go
+++ b/pkg/api/team_test.go
@ -201,7 +201,7 @@ func TestTeamAPIEndpoint_CreateTeam_FGAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	input := strings.NewReader(fmt.Sprintf(createTeamCmd, 1))
 	t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionTeamsCreate}}, 1)
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@ -197,19 +197,6 @@ var (
 			},
 		}),
 	}
 	teamsWriterRole = RoleDTO{
 		Name:        teamsWriter,
 		DisplayName: "Teams writer",
 		Description: "Create teams.",
 		Group:       "Teams",
 		Version:     1,
 		Permissions: []Permission{
 			{
 				Action: ActionTeamsCreate,
 			},
 		},
 	}
 )
 // Role names definitions
@ -223,7 +210,6 @@ const (
 	statsReader         = "fixed:stats:reader"
 	usersReader         = "fixed:users:reader"
 	usersWriter         = "fixed:users:writer"
 	teamsWriter         = "fixed:teams:writer"
 )
 var (
@ -243,7 +229,6 @@ var (
 		statsReader:         statsReaderRole,
 		usersReader:         usersReaderRole,
 		usersWriter:         usersWriterRole,
 		teamsWriter:         teamsWriterRole,
 	}
 	// FixedRoleGrants specifies which built-in roles are assigned
@ -262,7 +247,6 @@ var (
 		string(models.ROLE_ADMIN): {
 			orgUsersReader,
 			orgUsersWriter,
 			teamsWriter,
 		},
 		string(models.ROLE_EDITOR): {
 			datasourcesExplorer,