RBAC: Fix background users to include permissions (#55147)
* RBAC: add function to construct background users * PluginDashboards: Set rbac permissions for user * Dashboards: use background user constructor
@@ -223,3 +223,14 @@ func GetOrgRoles(user *user.SignedInUser) []string {
|
|||||||
|
|
||||||
return roles
|
return roles
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func BackgroundUser(name string, orgID int64, role org.RoleType, permissions []Permission) *user.SignedInUser {
|
||||||
|
return &user.SignedInUser{
|
||||||
|
OrgID: orgID,
|
||||||
|
OrgRole: role,
|
||||||
|
Login: "grafana_" + name,
|
||||||
|
Permissions: map[int64]map[string][]string{
|
||||||
|
orgID: GroupScopesByAction(permissions),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
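Review bot: `BackgroundUser` is exported and mints a privileged identity, yet it has no doc comment telling callers what they get. I would add `// BackgroundUser returns a SignedInUser for internal background work in orgID that carries only the given permissions; it is not backed by a stored user and its UserID is left at zero.` The `name` argument is concatenated into `Login` as `"grafana_" + name` without any check, so the comment should also say that callers pass a fixed constant, since this login is presumably what an action is attributed to in logs. The behaviour of `GroupScopesByAction` on a nil slice is not visible on this page, so confirm that a nil `permissions` still yields a usable map.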
@@ -16,17 +16,16 @@ import (
|
|||||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||||
"github.com/grafana/grafana/pkg/services/guardian"
|
"github.com/grafana/grafana/pkg/services/guardian"
|
||||||
"github.com/grafana/grafana/pkg/services/org"
|
"github.com/grafana/grafana/pkg/services/org"
|
||||||
"github.com/grafana/grafana/pkg/services/user"
|
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
"github.com/grafana/grafana/pkg/util"
|
"github.com/grafana/grafana/pkg/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
provisionerPermissions = map[string][]string{
|
provisionerPermissions = []accesscontrol.Permission{
|
||||||
dashboards.ActionFoldersCreate: {},
|
{Action: dashboards.ActionFoldersCreate},
|
||||||
dashboards.ActionFoldersWrite: {dashboards.ScopeFoldersAll},
|
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
|
||||||
dashboards.ActionDashboardsCreate: {dashboards.ScopeFoldersAll},
|
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
||||||
dashboards.ActionDashboardsWrite: {dashboards.ScopeFoldersAll},
|
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
|
||||||
}
|
}
|
||||||
// DashboardServiceImpl implements the DashboardService interface
|
// DashboardServiceImpl implements the DashboardService interface
|
||||||
_ dashboards.DashboardService = (*DashboardServiceImpl)(nil)
|
_ dashboards.DashboardService = (*DashboardServiceImpl)(nil)
|
||||||
@@ -218,14 +217,7 @@ func (dr *DashboardServiceImpl) SaveProvisionedDashboard(ctx context.Context, dt
|
|||||||
dto.Dashboard.Data.Set("refresh", setting.MinRefreshInterval)
|
dto.Dashboard.Data.Set("refresh", setting.MinRefreshInterval)
|
||||||
}
|
}
|
||||||
|
|
||||||
dto.User = &user.SignedInUser{
|
dto.User = accesscontrol.BackgroundUser("dashboard_provisioning", dto.OrgId, org.RoleAdmin, provisionerPermissions)
|
||||||
UserID: 0,
|
|
||||||
OrgRole: org.RoleAdmin,
|
|
||||||
OrgID: dto.OrgId,
|
|
||||||
Permissions: map[int64]map[string][]string{
|
|
||||||
dto.OrgId: provisionerPermissions,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, setting.IsLegacyAlertingEnabled(), false)
|
cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, setting.IsLegacyAlertingEnabled(), false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -268,12 +260,7 @@ func (dr *DashboardServiceImpl) SaveProvisionedDashboard(ctx context.Context, dt
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (dr *DashboardServiceImpl) SaveFolderForProvisionedDashboards(ctx context.Context, dto *dashboards.SaveDashboardDTO) (*models.Dashboard, error) {
|
func (dr *DashboardServiceImpl) SaveFolderForProvisionedDashboards(ctx context.Context, dto *dashboards.SaveDashboardDTO) (*models.Dashboard, error) {
|
||||||
dto.User = &user.SignedInUser{
|
dto.User = accesscontrol.BackgroundUser("dashboard_provisioning", dto.OrgId, org.RoleAdmin, provisionerPermissions)
|
||||||
UserID: 0,
|
|
||||||
OrgRole: org.RoleAdmin,
|
|
||||||
OrgID: dto.OrgId,
|
|
||||||
Permissions: map[int64]map[string][]string{dto.OrgId: provisionerPermissions},
|
|
||||||
}
|
|
||||||
cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, false, false)
|
cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, false, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|||||||
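Review bot: The conversion of `provisionerPermissions` may not be equivalent for `dashboards.ActionFoldersCreate`: the old map gave it an empty scope list (`{}`), while the new entry `{Action: dashboards.ActionFoldersCreate}` has an empty `Scope` string that `BackgroundUser` passes through `GroupScopesByAction`. If that function appends every scope as-is (its body is not shown here), the stored value becomes a one-element list holding `""` rather than an empty list. A unit test asserting the grouped permissions of the provisioning user, or a short comment on the entry such as `// action-only permission, no scope`, would pin the intended behaviour. Both `SaveProvisionedDashboard` and `SaveFolderForProvisionedDashboards` repeat the same `BackgroundUser("dashboard_provisioning", …)` call, and both bodies continue outside the hunks shown.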
@@ -8,12 +8,12 @@ import (
|
|||||||
"github.com/grafana/grafana/pkg/infra/log"
|
"github.com/grafana/grafana/pkg/infra/log"
|
||||||
"github.com/grafana/grafana/pkg/models"
|
"github.com/grafana/grafana/pkg/models"
|
||||||
"github.com/grafana/grafana/pkg/plugins"
|
"github.com/grafana/grafana/pkg/plugins"
|
||||||
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||||
"github.com/grafana/grafana/pkg/services/dashboardimport"
|
"github.com/grafana/grafana/pkg/services/dashboardimport"
|
||||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||||
"github.com/grafana/grafana/pkg/services/org"
|
"github.com/grafana/grafana/pkg/services/org"
|
||||||
"github.com/grafana/grafana/pkg/services/plugindashboards"
|
"github.com/grafana/grafana/pkg/services/plugindashboards"
|
||||||
"github.com/grafana/grafana/pkg/services/pluginsettings"
|
"github.com/grafana/grafana/pkg/services/pluginsettings"
|
||||||
"github.com/grafana/grafana/pkg/services/user"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func ProvideDashboardUpdater(bus bus.Bus, pluginStore plugins.Store, pluginDashboardService plugindashboards.Service,
|
func ProvideDashboardUpdater(bus bus.Bus, pluginStore plugins.Store, pluginDashboardService plugindashboards.Service,
|
||||||
@@ -171,8 +171,11 @@ func (du *DashboardUpdater) autoUpdateAppDashboard(ctx context.Context, pluginDa
|
|||||||
du.logger.Info("Auto updating App dashboard", "dashboard", resp.Dashboard.Title, "newRev",
|
du.logger.Info("Auto updating App dashboard", "dashboard", resp.Dashboard.Title, "newRev",
|
||||||
pluginDashInfo.Revision, "oldRev", pluginDashInfo.ImportedRevision)
|
pluginDashInfo.Revision, "oldRev", pluginDashInfo.ImportedRevision)
|
||||||
_, err = du.dashboardImportService.ImportDashboard(ctx, &dashboardimport.ImportDashboardRequest{
|
_, err = du.dashboardImportService.ImportDashboard(ctx, &dashboardimport.ImportDashboardRequest{
|
||||||
PluginId: pluginDashInfo.PluginId,
|
PluginId: pluginDashInfo.PluginId,
|
||||||
User: &user.SignedInUser{UserID: 0, OrgRole: org.RoleAdmin, OrgID: orgID},
|
User: accesscontrol.BackgroundUser("dashboard_updater", orgID, org.RoleAdmin, []accesscontrol.Permission{
|
||||||
|
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
||||||
|
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
|
||||||
|
}),
|
||||||
Path: pluginDashInfo.Reference,
|
Path: pluginDashInfo.Reference,
|
||||||
FolderId: 0,
|
FolderId: 0,
|
||||||
Dashboard: resp.Dashboard.Data,
|
Dashboard: resp.Dashboard.Data,
|
||||||
|
|||||||
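Review bot: In `autoUpdateAppDashboard` the updater identity keeps `org.RoleAdmin` even though its permissions are narrowed to two dashboard actions, so the narrowing only limits code paths that evaluate `Permissions`; any check that still looks at `OrgRole` sees an admin. If the role is kept on purpose for role-based checks, say so with a comment above the `User:` field, e.g. `// OrgRole stays Admin for role-based checks; RBAC access is limited to the permissions listed here.` The permission slice is also rebuilt inline on every call, whereas the dashboard service keeps `provisionerPermissions` at package level. A package-level `var` with its own name (for example `dashboardUpdaterPermissions`) would make the grant easier to find and audit. The function body starts and ends outside this hunk.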