SupportBundles: Add config enablement (#61776)

* wip * implement role middleware drop * remove not implement feature * change grants based on config * Update pkg/services/supportbundles/supportbundlesimpl/models.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-02-25 18:55:37 -06:00 · 2023-01-20 08:59:15 +00:00 · 2023-01-20 08:59:15 +00:00 · caae4fd034
commit caae4fd034
parent 9faab75668
3 changed files with 35 additions and 18 deletions
--- a/pkg/services/supportbundles/supportbundlesimpl/api.go
+++ b/pkg/services/supportbundles/supportbundlesimpl/api.go
@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/api/routing"
 	"github.com/grafana/grafana/pkg/middleware"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/models/roletype"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/supportbundles"
 	"github.com/grafana/grafana/pkg/web"
@ -20,16 +21,21 @@ const rootUrl = "/api/support-bundles"
 func (s *Service) registerAPIEndpoints(routeRegister routing.RouteRegister) {
 	authorize := ac.Middleware(s.accessControl)

+	orgRoleMiddleware := middleware.ReqGrafanaAdmin
+	if !s.serverAdminOnly {
+		orgRoleMiddleware = middleware.RoleAuth(roletype.RoleAdmin)
+	}
+
 	routeRegister.Group(rootUrl, func(subrouter routing.RouteRegister) {
-		subrouter.Get("/", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Get("/", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionRead)), routing.Wrap(s.handleList))
-		subrouter.Post("/", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Post("/", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionCreate)), routing.Wrap(s.handleCreate))
-		subrouter.Get("/:uid", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Get("/:uid", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionRead)), s.handleDownload)
-		subrouter.Delete("/:uid", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Delete("/:uid", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionDelete)), s.handleRemove)
-		subrouter.Get("/collectors", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Get("/collectors", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionCreate)), routing.Wrap(s.handleGetCollectors))
 	})
 }
--- a/pkg/services/supportbundles/supportbundlesimpl/models.go
+++ b/pkg/services/supportbundles/supportbundlesimpl/models.go
@ -35,14 +35,19 @@ var (
 	}
 )

-func declareFixedRoles(ac accesscontrol.Service) error {
+func (s *Service) declareFixedRoles(ac accesscontrol.Service) error {
+	grants := []string{string(org.RoleAdmin), accesscontrol.RoleGrafanaAdmin}
+	if s.serverAdminOnly {
+		grants = []string{accesscontrol.RoleGrafanaAdmin}
+	}
+
 	bundleReader := accesscontrol.RoleRegistration{
 		Role:   bundleReaderRole,
-		Grants: []string{string(org.RoleAdmin)},
+		Grants: grants,
 	}
 	bundleWriter := accesscontrol.RoleRegistration{
 		Role:   bundleWriterRole,
-		Grants: []string{string(org.RoleAdmin)},
+		Grants: grants,
 	}

 	return ac.DeclareFixedRoles(bundleWriter, bundleReader)
--- a/pkg/services/supportbundles/supportbundlesimpl/service.go
+++ b/pkg/services/supportbundles/supportbundlesimpl/service.go
@ -34,6 +34,9 @@ type Service struct {

 	log log.Logger

+	enabled         bool
+	serverAdminOnly bool
+
 	collectors map[string]supportbundles.Collector
 }

@ -49,23 +52,26 @@ func ProvideService(cfg *setting.Cfg,
 	pluginSettings pluginsettings.Service,
 	features *featuremgmt.FeatureManager,
 	usageStats usagestats.Service) (*Service, error) {
+	section := cfg.SectionWithEnvOverrides("support_bundles")
 	s := &Service{
-		cfg:            cfg,
-		store:          newStore(kvStore),
-		pluginStore:    pluginStore,
-		pluginSettings: pluginSettings,
-		accessControl:  accessControl,
-		features:       features,
-		log:            log.New("supportbundle.service"),
-		collectors:     make(map[string]supportbundles.Collector),
+		cfg:             cfg,
+		store:           newStore(kvStore),
+		pluginStore:     pluginStore,
+		pluginSettings:  pluginSettings,
+		accessControl:   accessControl,
+		features:        features,
+		log:             log.New("supportbundle.service"),
+		enabled:         section.Key("enabled").MustBool(true),
+		serverAdminOnly: section.Key("server_admin_only").MustBool(true),
+		collectors:      make(map[string]supportbundles.Collector),
 	}

-	if !features.IsEnabled(featuremgmt.FlagSupportBundles) {
+	if !features.IsEnabled(featuremgmt.FlagSupportBundles) || !s.enabled {
 		return s, nil
 	}

 	if !accessControl.IsDisabled() {
-		if err := declareFixedRoles(accesscontrolService); err != nil {
+		if err := s.declareFixedRoles(accesscontrolService); err != nil {
 			return nil, err
 		}
 	}