Access control: add roles to fixed groups (#41673)

* add roles to fixed groups

* add global to group name
Ieva 2021-11-18 09:16:18 +00:00 committed by GitHub
parent e59c3a34fe
commit b7f47561b6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 19 deletions


@ -46,10 +46,11 @@ var (
func (hs *HTTPServer) declareFixedRoles() error {
provisioningWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Version: 3,
Name: "fixed:provisioning:writer",
DisplayName: "Provisioning writer",
Description: "Reload provisioning.",
Group: "Provisioning",
Permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
@ -62,10 +63,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
datasourcesReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Version: 3,
Name: "fixed:datasources:reader",
DisplayName: "Data source reader",
Description: "Read and query all data sources.",
Group: "Data sources",
Permissions: []accesscontrol.Permission{
{
Action: ActionDatasourcesRead,
@ -82,10 +84,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
datasourcesWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Version: 3,
Name: "fixed:datasources:writer",
DisplayName: "Data source writer",
Description: "Create, update, delete, read, or query data sources.",
Group: "Data sources",
Permissions: accesscontrol.ConcatPermissions(datasourcesReaderRole.Role.Permissions, []accesscontrol.Permission{
{
Action: ActionDatasourcesWrite,
@ -105,10 +108,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
datasourcesIdReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Version: 4,
Name: "fixed:datasources.id:reader",
DisplayName: "Data source ID reader",
Description: "Read the ID of a data source based on its name.",
Group: "Infrequently used",
Permissions: []accesscontrol.Permission{
{
Action: ActionDatasourcesIDRead,
@ -121,10 +125,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
datasourcesCompatibilityReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Version: 3,
Name: "fixed:datasources:compatibility:querier",
DisplayName: "Data source compatibility querier",
Description: "Only used for open source compatibility. Query data sources.",
Group: "Infrequently used",
Permissions: []accesscontrol.Permission{
{Action: ActionDatasourcesQuery},
},
@ -134,10 +139,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
currentOrgReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Version: 4,
Name: "fixed:current.org:reader",
DisplayName: "Current Organization reader",
Description: "Read the current organization, such as its ID, name, address, or quotas.",
Group: "Organizations",
Permissions: []accesscontrol.Permission{
{Action: ActionOrgsRead},
{Action: ActionOrgsQuotasRead},
@ -148,10 +154,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
currentOrgWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Version: 4,
Name: "fixed:current.org:writer",
DisplayName: "Current Organization writer",
Description: "Read the current organization, its quotas, or its preferences. Update the current organization properties, or its preferences.",
Group: "Organizations",
Permissions: accesscontrol.ConcatPermissions(currentOrgReaderRole.Role.Permissions, []accesscontrol.Permission{
{Action: ActionOrgsPreferencesRead},
{Action: ActionOrgsWrite},
@ -163,10 +170,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
orgReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Version: 2,
Name: "fixed:orgs:reader",
DisplayName: "Organization reader",
Description: "Read the organization and its quotas.",
Group: "Organizations",
Permissions: []accesscontrol.Permission{
{Action: ActionOrgsRead},
{Action: ActionOrgsQuotasRead},
@ -177,10 +185,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
orgWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Version: 4,
Name: "fixed:orgs:writer",
DisplayName: "Organization writer",
Description: "Create, read, write, or delete an organization. Read or write an organization's quotas.",
Group: "Organizations",
Permissions: accesscontrol.ConcatPermissions(orgReaderRole.Role.Permissions, []accesscontrol.Permission{
{Action: ActionOrgsCreate},
{Action: ActionOrgsWrite},
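Review bot: The new Group values are free-form string literals repeated role by role and across packages — "Data sources" is written for both fixed:datasources:reader and fixed:datasources:writer here and again for datasourcesExplorerRole in the accesscontrol roles file changed by this same commit, and "Organizations" appears four times in this section alone — so a later typo in one of them would silently split a group in two with no compile-time signal. Declaring each name once in the accesscontrol package, e.g. `const GroupDatasources = "Data sources"`, and referencing the constants from declareFixedRoles would keep the grouping stable; the same applies to the group literals in the other two file sections. declareFixedRoles starts at the first line of this section but its body continues past the last hunk shown.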


@ -16,10 +16,11 @@ type RoleRegistry interface {
// Roles definition
var (
datasourcesExplorerRole = RoleDTO{
Version: 2,
Version: 3,
Name: datasourcesExplorer,
DisplayName: "Data source explorer",
Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
Group: "Data sources",
Permissions: []Permission{
{
Action: ActionDatasourcesExplore,
@ -31,7 +32,8 @@ var (
Name: ldapReader,
DisplayName: "LDAP reader",
Description: "Read LDAP configuration and status.",
Version: 2,
Group: "LDAP",
Version: 3,
Permissions: []Permission{
{
Action: ActionLDAPUsersRead,
@ -46,7 +48,8 @@ var (
Name: ldapWriter,
DisplayName: "LDAP writer",
Description: "Read and update LDAP configuration and read LDAP status.",
Version: 3,
Group: "LDAP",
Version: 4,
Permissions: ConcatPermissions(ldapReaderRole.Permissions, []Permission{
{
Action: ActionLDAPUsersSync,
@ -61,7 +64,8 @@ var (
Name: orgUsersWriter,
DisplayName: "Organization user writer",
Description: "Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.",
Version: 2,
Group: "User administration (organizational)",
Version: 3,
Permissions: ConcatPermissions(orgUsersReaderRole.Permissions, []Permission{
{
Action: ActionOrgUsersAdd,
@ -82,7 +86,8 @@ var (
Name: orgUsersReader,
DisplayName: "Organization user reader",
Description: "Read users within a single organization.",
Version: 2,
Group: "User administration (organizational)",
Version: 3,
Permissions: []Permission{
{
Action: ActionOrgUsersRead,
@ -92,9 +97,10 @@ var (
}
settingsReaderRole = RoleDTO{
Version: 3,
Version: 4,
DisplayName: "Setting reader",
Description: "Read Grafana instance settings.",
Group: "Settings",
Name: settingsReader,
Permissions: []Permission{
{
@ -105,10 +111,11 @@ var (
}
statsReaderRole = RoleDTO{
Version: 2,
Version: 3,
Name: statsReader,
DisplayName: "Statistics reader",
Description: "Read Grafana instance statistics.",
Group: "Statistics",
Permissions: []Permission{
{
Action: ActionServerStatsRead,
@ -120,7 +127,8 @@ var (
Name: usersReader,
DisplayName: "User reader",
Description: "Read all users and their information, such as team memberships, authentication tokens, and quotas.",
Version: 2,
Group: "User administration (global)",
Version: 3,
Permissions: []Permission{
{
Action: ActionUsersRead,
@ -145,7 +153,8 @@ var (
Name: usersWriter,
DisplayName: "User writer",
Description: "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users.",
Version: 2,
Group: "User administration (global)",
Version: 3,
Permissions: ConcatPermissions(usersReaderRole.Permissions, []Permission{
{
Action: ActionUsersPasswordUpdate,
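Review bot: The new Group field lands in a different position in almost every role of this section: after Description and before Permissions in datasourcesExplorerRole and statsReaderRole, between Description and Version in ldapReaderRole, ldapWriterRole, orgUsersWriterRole, orgUsersReaderRole, usersReaderRole and usersWriterRole, and between Description and Name in settingsReaderRole. Since the commit already edits every one of these literals and bumps each Version, this is the moment to settle one field order — `Version, Name, DisplayName, Description, Group, Permissions`, as the first file section uses — so a reader comparing two roles can spot a missing or mismatched field at a glance. The enclosing var block starts before the first hunk and continues past the last.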


@ -8,9 +8,10 @@ import (
var (
role = accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Version: 2,
Name: "fixed:serviceaccounts:writer",
Description: "",
Group: "Service accounts",
Permissions: []accesscontrol.Permission{
{
Action: serviceaccounts.ActionDelete,
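Review bot: `Description: "",` on fixed:serviceaccounts:writer stays empty even though the commit bumps the role's Version and places it in the Group "Service accounts", making it the only grouped fixed role in this change that does not say what it grants — which is exactly what an administrator deciding whether to assign it needs to read. A one-sentence description naming the operations the permission list allows belongs here; only `serviceaccounts.ActionDelete` is visible in the hunk and the list continues past it, so the wording should be checked against the full list (e.g. `Description: "Delete service accounts.",` if that is the only action). The enclosing var block continues past the end of the hunk.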