SupportBundles: Add config enablement (#61776)

* wip

* implement role middleware drop

* remove not implement feature

* change grants based on config

* Update pkg/services/supportbundles/supportbundlesimpl/models.go

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

pkg/services/supportbundles/supportbundlesimpl/api.go

@@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/api/routing"
 	"github.com/grafana/grafana/pkg/middleware"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/models/roletype"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/supportbundles"
 	"github.com/grafana/grafana/pkg/web"
@@ -20,16 +21,21 @@ const rootUrl = "/api/support-bundles"
 func (s *Service) registerAPIEndpoints(routeRegister routing.RouteRegister) {
 	authorize := ac.Middleware(s.accessControl)
 
+	orgRoleMiddleware := middleware.ReqGrafanaAdmin
+	if !s.serverAdminOnly {
+		orgRoleMiddleware = middleware.RoleAuth(roletype.RoleAdmin)
+	}
+
 	routeRegister.Group(rootUrl, func(subrouter routing.RouteRegister) {
-		subrouter.Get("/", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Get("/", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionRead)), routing.Wrap(s.handleList))
-		subrouter.Post("/", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Post("/", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionCreate)), routing.Wrap(s.handleCreate))
-		subrouter.Get("/:uid", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Get("/:uid", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionRead)), s.handleDownload)
-		subrouter.Delete("/:uid", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Delete("/:uid", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionDelete)), s.handleRemove)
-		subrouter.Get("/collectors", authorize(middleware.ReqGrafanaAdmin,
+		subrouter.Get("/collectors", authorize(orgRoleMiddleware,
 			ac.EvalPermission(ActionCreate)), routing.Wrap(s.handleGetCollectors))
 	})
 }

pkg/services/supportbundles/supportbundlesimpl/models.go

@@ -35,14 +35,19 @@ var (
 	}
 )
 
-func declareFixedRoles(ac accesscontrol.Service) error {
+func (s *Service) declareFixedRoles(ac accesscontrol.Service) error {
+	grants := []string{string(org.RoleAdmin), accesscontrol.RoleGrafanaAdmin}
+	if s.serverAdminOnly {
+		grants = []string{accesscontrol.RoleGrafanaAdmin}
+	}
+
 	bundleReader := accesscontrol.RoleRegistration{
 		Role:   bundleReaderRole,
-		Grants: []string{string(org.RoleAdmin)},
+		Grants: grants,
 	}
 	bundleWriter := accesscontrol.RoleRegistration{
 		Role:   bundleWriterRole,
-		Grants: []string{string(org.RoleAdmin)},
+		Grants: grants,
 	}
 
 	return ac.DeclareFixedRoles(bundleWriter, bundleReader)

pkg/services/supportbundles/supportbundlesimpl/service.go

@@ -34,6 +34,9 @@ type Service struct {
 
 	log log.Logger
 
+	enabled         bool
+	serverAdminOnly bool
+
 	collectors map[string]supportbundles.Collector
 }
 
@@ -49,6 +52,7 @@ func ProvideService(cfg *setting.Cfg,
 	pluginSettings pluginsettings.Service,
 	features *featuremgmt.FeatureManager,
 	usageStats usagestats.Service) (*Service, error) {
+	section := cfg.SectionWithEnvOverrides("support_bundles")
 	s := &Service{
 		cfg:             cfg,
 		store:           newStore(kvStore),
@@ -57,15 +61,17 @@ func ProvideService(cfg *setting.Cfg,
 		accessControl:   accessControl,
 		features:        features,
 		log:             log.New("supportbundle.service"),
+		enabled:         section.Key("enabled").MustBool(true),
+		serverAdminOnly: section.Key("server_admin_only").MustBool(true),
 		collectors:      make(map[string]supportbundles.Collector),
 	}
 
-	if !features.IsEnabled(featuremgmt.FlagSupportBundles) {
+	if !features.IsEnabled(featuremgmt.FlagSupportBundles) || !s.enabled {
 		return s, nil
 	}
 
 	if !accessControl.IsDisabled() {
-		if err := declareFixedRoles(accesscontrolService); err != nil {
+		if err := s.declareFixedRoles(accesscontrolService); err != nil {
 			return nil, err
 		}
 	}