AccessControl: Create FGAC roles for orgs (#40526)

* AccessControl: Create FGAC roles for orgs Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2021-10-27 11:01:21 +02:00 · 2021-10-27 11:01:21 +02:00 · a127e106db
commit a127e106db
parent 858d654d1c
1 changed files with 94 additions and 0 deletions
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@ -15,6 +15,15 @@ const (
 	ActionDatasourcesWrite  = "datasources:write"
 	ActionDatasourcesDelete = "datasources:delete"
 	ActionDatasourcesIDRead = "datasources.id:read"
 	ActionOrgsRead             = "orgs:read"
 	ActionOrgsPreferencesRead  = "orgs.preferences:read"
 	ActionOrgsQuotasRead       = "orgs.quotas:read"
 	ActionOrgsWrite            = "orgs:write"
 	ActionOrgsPreferencesWrite = "orgs.preferences:write"
 	ActionOrgsQuotasWrite      = "orgs.quotas:write"
 	ActionOrgsDelete           = "orgs:delete"
 	ActionOrgsCreate           = "orgs:create"
 )
 // API related scopes
@ -29,6 +38,12 @@ var (
 	ScopeDatasourceID   = accesscontrol.Scope("datasources", "id", accesscontrol.Parameter(":id"))
 	ScopeDatasourceUID  = accesscontrol.Scope("datasources", "uid", accesscontrol.Parameter(":uid"))
 	ScopeDatasourceName = accesscontrol.Scope("datasources", "name", accesscontrol.Parameter(":name"))
 	ScopeOrgsAll      = accesscontrol.Scope("orgs", "*")
 	ScopeOrgID        = accesscontrol.Scope("orgs", "id", accesscontrol.Parameter(":orgId"))
 	ScopeOrgCurrentID = accesscontrol.Scope("orgs", "id", accesscontrol.Field("OrgID"))
 	ScopeOrgName      = accesscontrol.Scope("orgs", "name", accesscontrol.Parameter(":name"))
 	ScopeOrgCurrent   = accesscontrol.Scope("orgs", "current")
 )
 // declareFixedRoles declares to the AccessControl service fixed roles and their
@ -104,6 +119,85 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			},
 			Grants: []string{string(models.ROLE_VIEWER)},
 		},
 		{
 			Role: accesscontrol.RoleDTO{
 				Version:     1,
 				Name:        "fixed:current:org:reader",
 				Description: "Read current organization and its quotas.",
 				Permissions: []accesscontrol.Permission{
 					{
 						Action: ActionOrgsRead,
 						Scope:  ScopeOrgCurrent,
 					},
 					{
 						Action: ActionOrgsQuotasRead,
 						Scope:  ScopeOrgCurrent,
 					},
 				},
 			},
 			Grants: []string{string(models.ROLE_VIEWER)},
 		},
 		{
 			Role: accesscontrol.RoleDTO{
 				Version:     1,
 				Name:        "fixed:current:org:writer",
 				Description: "Read current organization, its quotas, and its preferences. Write current organization and its preferences.",
 				Permissions: []accesscontrol.Permission{
 					{
 						Action: ActionOrgsRead,
 						Scope:  ScopeOrgCurrent,
 					},
 					{
 						Action: ActionOrgsQuotasRead,
 						Scope:  ScopeOrgCurrent,
 					},
 					{
 						Action: ActionOrgsPreferencesRead,
 						Scope:  ScopeOrgCurrent,
 					},
 					{
 						Action: ActionOrgsWrite,
 						Scope:  ScopeOrgCurrent,
 					},
 					{
 						Action: ActionOrgsPreferencesWrite,
 						Scope:  ScopeOrgCurrent,
 					},
 				},
 			},
 			Grants: []string{string(models.ROLE_ADMIN)},
 		},
 		{
 			Role: accesscontrol.RoleDTO{
 				Version:     1,
 				Name:        "fixed:orgs:writer",
 				Description: "Create, read, write, or delete an organization. Read or write an organization's quotas.",
 				Permissions: []accesscontrol.Permission{
 					{Action: ActionOrgsCreate},
 					{
 						Action: ActionOrgsRead,
 						Scope:  ScopeOrgsAll,
 					},
 					{
 						Action: ActionOrgsWrite,
 						Scope:  ScopeOrgsAll,
 					},
 					{
 						Action: ActionOrgsDelete,
 						Scope:  ScopeOrgsAll,
 					},
 					{
 						Action: ActionOrgsQuotasRead,
 						Scope:  ScopeOrgsAll,
 					},
 					{
 						Action: ActionOrgsQuotasWrite,
 						Scope:  ScopeOrgsAll,
 					},
 				},
 			},
 			Grants: []string{string(accesscontrol.RoleGrafanaAdmin)},
 		},
 	}
 	return hs.AccessControl.DeclareFixedRoles(registrations...)