RBAC: Fix background users to include permissions (#55147)

* RBAC: add function to construct background users * PluginDashboards: Set rbac permissions for user * Dashboards: use background user constructor
2025-02-25 18:55:37 -06:00 · 2022-09-14 11:26:05 +02:00 · 2022-09-14 11:26:05 +02:00 · d1b9849946
commit d1b9849946
parent 870929b463
3 changed files with 24 additions and 23 deletions
--- a/pkg/services/accesscontrol/accesscontrol.go
+++ b/pkg/services/accesscontrol/accesscontrol.go
@ -223,3 +223,14 @@ func GetOrgRoles(user *user.SignedInUser) []string {

 	return roles
 }
+
+func BackgroundUser(name string, orgID int64, role org.RoleType, permissions []Permission) *user.SignedInUser {
+	return &user.SignedInUser{
+		OrgID:   orgID,
+		OrgRole: role,
+		Login:   "grafana_" + name,
+		Permissions: map[int64]map[string][]string{
+			orgID: GroupScopesByAction(permissions),
+		},
+	}
+}
--- a/pkg/services/dashboards/service/dashboard_service.go
+++ b/pkg/services/dashboards/service/dashboard_service.go
@ -16,17 +16,16 @@ import (
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/guardian"
 	"github.com/grafana/grafana/pkg/services/org"
-	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )

 var (
-	provisionerPermissions = map[string][]string{
-		dashboards.ActionFoldersCreate:    {},
-		dashboards.ActionFoldersWrite:     {dashboards.ScopeFoldersAll},
-		dashboards.ActionDashboardsCreate: {dashboards.ScopeFoldersAll},
-		dashboards.ActionDashboardsWrite:  {dashboards.ScopeFoldersAll},
+	provisionerPermissions = []accesscontrol.Permission{
+		{Action: dashboards.ActionFoldersCreate},
+		{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
+		{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
+		{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
 	}
 	// DashboardServiceImpl implements the DashboardService interface
 	_ dashboards.DashboardService = (*DashboardServiceImpl)(nil)
@ -218,14 +217,7 @@ func (dr *DashboardServiceImpl) SaveProvisionedDashboard(ctx context.Context, dt
 		dto.Dashboard.Data.Set("refresh", setting.MinRefreshInterval)
 	}

-	dto.User = &user.SignedInUser{
-		UserID:  0,
-		OrgRole: org.RoleAdmin,
-		OrgID:   dto.OrgId,
-		Permissions: map[int64]map[string][]string{
-			dto.OrgId: provisionerPermissions,
-		},
-	}
+	dto.User = accesscontrol.BackgroundUser("dashboard_provisioning", dto.OrgId, org.RoleAdmin, provisionerPermissions)

 	cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, setting.IsLegacyAlertingEnabled(), false)
 	if err != nil {
@ -268,12 +260,7 @@ func (dr *DashboardServiceImpl) SaveProvisionedDashboard(ctx context.Context, dt
 }

 func (dr *DashboardServiceImpl) SaveFolderForProvisionedDashboards(ctx context.Context, dto *dashboards.SaveDashboardDTO) (*models.Dashboard, error) {
-	dto.User = &user.SignedInUser{
-		UserID:      0,
-		OrgRole:     org.RoleAdmin,
-		OrgID:       dto.OrgId,
-		Permissions: map[int64]map[string][]string{dto.OrgId: provisionerPermissions},
-	}
+	dto.User = accesscontrol.BackgroundUser("dashboard_provisioning", dto.OrgId, org.RoleAdmin, provisionerPermissions)
 	cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, false, false)
 	if err != nil {
 		return nil, err
--- a/pkg/services/plugindashboards/service/dashboard_updater.go
+++ b/pkg/services/plugindashboards/service/dashboard_updater.go
@ -8,12 +8,12 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/dashboardimport"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/plugindashboards"
 	"github.com/grafana/grafana/pkg/services/pluginsettings"
-	"github.com/grafana/grafana/pkg/services/user"
 )

 func ProvideDashboardUpdater(bus bus.Bus, pluginStore plugins.Store, pluginDashboardService plugindashboards.Service,
@ -171,8 +171,11 @@ func (du *DashboardUpdater) autoUpdateAppDashboard(ctx context.Context, pluginDa
 	du.logger.Info("Auto updating App dashboard", "dashboard", resp.Dashboard.Title, "newRev",
 		pluginDashInfo.Revision, "oldRev", pluginDashInfo.ImportedRevision)
 	_, err = du.dashboardImportService.ImportDashboard(ctx, &dashboardimport.ImportDashboardRequest{
-		PluginId:  pluginDashInfo.PluginId,
-		User:      &user.SignedInUser{UserID: 0, OrgRole: org.RoleAdmin, OrgID: orgID},
+		PluginId: pluginDashInfo.PluginId,
+		User: accesscontrol.BackgroundUser("dashboard_updater", orgID, org.RoleAdmin, []accesscontrol.Permission{
+			{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
+			{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
+		}),
 		Path:      pluginDashInfo.Reference,
 		FolderId:  0,
 		Dashboard: resp.Dashboard.Data,