From e1aad9c9bfbcc154410f037e818c22e9e51727b9 Mon Sep 17 00:00:00 2001 From: Misi Date: Wed, 4 Oct 2023 17:53:26 +0200 Subject: [PATCH] Docs: Update RBAC documentation (#75869) * Align docs to current permissions in code * Update permissions list * Add example responses, fix link * Apply suggestions from code review Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update based on reviews --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> --- .../custom-role-actions-scopes/index.md | 38 ++++--- .../index.md | 14 +-- .../developers/http_api/access_control.md | 104 +++++++++++++++--- 3 files changed, 120 insertions(+), 36 deletions(-) diff --git a/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md b/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md index cfe97214b54..9efe67b5fa5 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md +++ b/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes/index.md @@ -76,6 +76,8 @@ The following list contains role-based access control actions. | `datasources:query` | `datasources:*`
`datasources:uid:*` | Query data sources. | | `datasources:read` | `datasources:*`
`datasources:uid:*` | List data sources. | | `datasources:write` | `datasources:*`
`datasources:uid:*` | Update data sources. | +| `featuremgmt.read` | n/a | Read feature toggles. | +| `featuremgmt.write` | n/a | Write feature toggles. | | `folders.permissions:read` | `folders:*`
`folders:uid:*` | Read permissions for one or more folders and their subfolders. | | `folders.permissions:write` | `folders:*`
`folders:uid:*` | Update permissions for one or more folders and their subfolders. | | `folders:create` | n/a | Create folders in the root level. If granted together with `folders:write`, also allows creating subfolders under all folders that the user can update. | @@ -91,17 +93,17 @@ The following list contains role-based access control actions. | `licensing:read` | n/a | Read licensing information. | | `licensing:write` | n/a | Update the license token. | | `org.users:write` | `users:*`
`users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of a user. | -| `org.users:add` | `users:*` | Add a user to an organization or invite a new user to an organization. | +| `org.users:add` | `users:*`
`users:id:*` | Add a user to an organization or invite a new user to an organization. | | `org.users:read` | `users:*`
`users:id:*` | Get user profiles within an organization. | | `org.users:remove` | `users:*`
`users:id:*` | Remove a user from an organization. | -| `org:create` | n/a | Create an organization. | -| `orgs.preferences:read` | `orgs:*`
`orgs:id:*` | Read organization preferences. | -| `orgs.preferences:write` | `orgs:*`
`orgs:id:*` | Update organization preferences. | -| `orgs.quotas:read` | `orgs:*`
`orgs:id:*` | Read organization quotas. | -| `orgs.quotas:write` | `orgs:*`
`orgs:id:*` | Update organization quotas. | -| `orgs:delete` | `orgs:*`
`orgs:id:*` | Delete one or more organizations. | -| `orgs:read` | `orgs:*`
`orgs:id:*` | Read one or more organizations. | -| `orgs:write` | `orgs:*`
`orgs:id:*` | Update one or more organizations. | +| `orgs.preferences:read` | n/a | Read organization preferences. | +| `orgs.preferences:write` | n/a | Update organization preferences. | +| `orgs.quotas:read` | n/a | Read organization quotas. | +| `orgs.quotas:write` | n/a | Update organization quotas. | +| `orgs:create` | n/a | Create an organization. | +| `orgs:delete` | n/a | Delete one or more organizations. | +| `orgs:read` | n/a | Read one or more organizations. | +| `orgs:write` | n/a | Update one or more organizations. | | `plugins.app:access` | `plugins:*`
`plugins:id:*` | Access one or more application plugins (still enforcing the organization role) | | `plugins:install` | n/a | Install and uninstall plugins. | | `plugins:write` | `plugins:*`
`plugins:id:*` | Edit settings for one or more plugins. | @@ -111,26 +113,30 @@ The following list contains role-based access control actions. | `reports.settings:read` | n/a | Read report settings. | | `reports.settings:write` | n/a | Update report settings. | | `reports:delete` | `reports:*`
`reports:id:*` | Delete reports. | -| `reports:read` | `reports:*` | List all available reports or get a specific report. | -| `reports:send` | `reports:*` | Send a report email. | +| `reports:read` | `reports:*`
`reports:id:*` | List all available reports or get a specific report. | +| `reports:send` | `reports:*`
`reports:id:*` | Send a report email. | | `roles:delete` | `permissions:type:delegate` | Delete a custom role. | | `roles:read` | `roles:*`
`roles:uid:*` | List roles and read a specific with its permissions. | | `roles:write` | `permissions:type:delegate` | Create or update a custom role. | | `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. | | `server.stats:read` | n/a | Read Grafana instance statistics. | +| `server.usagestats.report:read` | n/a | View usage statistics report. | | `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. | | `serviceaccounts:create` | n/a | Update Grafana service accounts. | -| `serviceaccounts:delete` | `serviceaccounts:*` | Delete Grafana service accounts. | -| `serviceaccounts:read` | `serviceaccounts:*` | Read Grafana service accounts. | -| `serviceaccounts.permissions:write` | `serviceaccounts:*` | Update Grafana service account permissions to control who can do what with the service account. | -| `serviceaccounts.permissions:read` | `serviceaccounts:*` | Read Grafana service account permissions to see who can do what with the service account. | +| `serviceaccounts:delete` | `serviceaccounts:*`
`serviceaccounts:id:*` | Delete Grafana service accounts. | +| `serviceaccounts:read` | `serviceaccounts:*`
`serviceaccounts:id:*` | Read Grafana service accounts. | +| `serviceaccounts.permissions:write` | `serviceaccounts:*`
`serviceaccounts:id:*` | Update Grafana service account permissions to control who can do what with the service account. | +| `serviceaccounts.permissions:read` | `serviceaccounts:*`
`serviceaccounts:id:*` | Read Grafana service account permissions to see who can do what with the service account. | | `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../../setup-grafana/configure-grafana/" >}}) | | `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../../setup-grafana/configure-grafana/settings-updates-at-runtime" >}}). | +| `support.bundles:create` | n/a | Create support bundles. | +| `support.bundles:delete` | n/a | Delete support bundles. | +| `support.bundles:read` | n/a | List and download support bundles. | | `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | | `teams.permissions:read` | `teams:*`
`teams:id:*` | Read members and Team Sync setup for teams. | | `teams.permissions:write` | `teams:*`
`teams:id:*` | Add, remove and update members and manage Team Sync setup for teams. | | `teams.roles:add` | `permissions:type:delegate` | Assign a role to a team. | -| `teams.roles:read` | `teams:*` | List roles assigned directly to a team. | +| `teams.roles:read` | `teams:*`
`teams:id:*` | List roles assigned directly to a team. | | `teams.roles:remove` | `permissions:type:delegate` | Unassign a role from a team. | | `teams:create` | n/a | Create teams. | | `teams:delete` | `teams:*`
`teams:id:*` | Delete one or more teams. | diff --git a/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md b/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md index b741c59c0a3..77e2aa44d83 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md +++ b/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/index.md @@ -23,13 +23,13 @@ The following tables list permissions associated with basic and fixed roles. ## Basic role assignments -| Basic role | Associated fixed roles | Description | -| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | -| Grafana Admin | `fixed:roles:reader`
`fixed:roles:writer`
`fixed:users:reader`
`fixed:users:writer`
`fixed:org.users:reader`
`fixed:org.users:writer`
`fixed:ldap:reader`
`fixed:ldap:writer`
`fixed:stats:reader`
`fixed:settings:reader`
`fixed:settings:writer`
`fixed:provisioning:writer`
`fixed:organization:reader`
`fixed:organization:maintainer`
`fixed:licensing:reader`
`fixed:licensing:writer`
`fixed:datasources.caching:reader`
`fixed:datasources.caching:writer`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader`
`fixed:plugins:maintainer`
`fixed:authentication.config:writer` | Default [Grafana server administrator]({{< relref "../#grafana-server-administrators" >}}) assignments. | -| Admin | `fixed:reports:reader`
`fixed:reports:writer`
`fixed:datasources:reader`
`fixed:datasources:writer`
`fixed:organization:writer`
`fixed:datasources.permissions:reader`
`fixed:datasources.permissions:writer`
`fixed:teams:writer`
`fixed:dashboards:reader`
`fixed:dashboards:writer`
`fixed:dashboards.permissions:reader`
`fixed:dashboards.permissions:writer`
`fixed:dashboards.public:writer`
`fixed:folders:reader`
`fixed:folders:writer`
`fixed:folders.permissions:reader`
`fixed:folders.permissions:writer`
`fixed:alerting:writer`
`fixed:apikeys:reader`
`fixed:apikeys:writer`
`fixed:alerting.provisioning.secrets:reader`
`fixed:alerting.provisioning:writer`
`fixed:datasources.caching:reader`
`fixed:datasources.caching:writer`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader`
`fixed:plugins:writer` | Default [Grafana organization administrator]({{< relref "../#basic-roles" >}}) assignments. | -| Editor | `fixed:datasources:explorer`
`fixed:dashboards:creator`
`fixed:folders:creator`
`fixed:annotations:writer`
`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled
`fixed:alerting:writer`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader` | Default [Editor]({{< relref "../#basic-roles" >}}) assignments. | -| Viewer | `fixed:datasources:id:reader`
`fixed:organization:reader`
`fixed:annotations:reader`
`fixed:annotations.dashboard:writer`
`fixed:alerting:reader`
`fixed:plugins.app:reader`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader` | Default [Viewer]({{< relref "../#basic-roles" >}}) assignments. | -| No Basic Role | | Default [No Basic Role]({{< relref "../#basic-roles" >}}) | +| Basic role | Associated fixed roles | Description | +| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | +| Grafana Admin | `fixed:roles:reader`
`fixed:roles:writer`
`fixed:users:reader`
`fixed:users:writer`
`fixed:org.users:reader`
`fixed:org.users:writer`
`fixed:ldap:reader`
`fixed:ldap:writer`
`fixed:stats:reader`
`fixed:settings:reader`
`fixed:settings:writer`
`fixed:provisioning:writer`
`fixed:organization:reader`
`fixed:organization:maintainer`
`fixed:licensing:reader`
`fixed:licensing:writer`
`fixed:datasources.caching:reader`
`fixed:datasources.caching:writer`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader`
`fixed:plugins:maintainer`
`fixed:authentication.config:writer` | Default [Grafana server administrator]({{< relref "../../#grafana-server-administrators" >}}) assignments. | +| Admin | `fixed:reports:reader`
`fixed:reports:writer`
`fixed:datasources:reader`
`fixed:datasources:writer`
`fixed:organization:writer`
`fixed:datasources.permissions:reader`
`fixed:datasources.permissions:writer`
`fixed:teams:writer`
`fixed:dashboards:reader`
`fixed:dashboards:writer`
`fixed:dashboards.permissions:reader`
`fixed:dashboards.permissions:writer`
`fixed:dashboards.public:writer`
`fixed:folders:reader`
`fixed:folders:writer`
`fixed:folders.permissions:reader`
`fixed:folders.permissions:writer`
`fixed:alerting:writer`
`fixed:apikeys:reader`
`fixed:apikeys:writer`
`fixed:alerting.provisioning.secrets:reader`
`fixed:alerting.provisioning:writer`
`fixed:datasources.caching:reader`
`fixed:datasources.caching:writer`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader`
`fixed:plugins:writer` | Default [Grafana organization administrator]({{< relref "../#basic-roles" >}}) assignments. | +| Editor | `fixed:datasources:explorer`
`fixed:dashboards:creator`
`fixed:folders:creator`
`fixed:annotations:writer`
`fixed:teams:creator` if the `editors_can_admin` configuration flag is enabled
`fixed:alerting:writer`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader` | Default [Editor]({{< relref "../#basic-roles" >}}) assignments. | +| Viewer | `fixed:datasources:id:reader`
`fixed:organization:reader`
`fixed:annotations:reader`
`fixed:annotations.dashboard:writer`
`fixed:alerting:reader`
`fixed:plugins.app:reader`
`fixed:dashboards.insights:reader`
`fixed:datasources.insights:reader` | Default [Viewer]({{< relref "../#basic-roles" >}}) assignments. | +| No Basic Role | | Default [No Basic Role]({{< relref "../#basic-roles" >}}) | ## Fixed role definitions diff --git a/docs/sources/developers/http_api/access_control.md b/docs/sources/developers/http_api/access_control.md index 9fdd584027a..695f8d129e6 100644 --- a/docs/sources/developers/http_api/access_control.md +++ b/docs/sources/developers/http_api/access_control.md @@ -311,14 +311,84 @@ Content-Type: application/json; charset=UTF-8 } ``` +#### Create role validation errors + +Permission validation only occurs when permission validation is enabled (`rbac.permission_validation_enabled = true`). + +> It has been enabled by default since Grafana 10.2. + +##### Invalid action + +The following example shows a request with an invalid action. The action `serviceaccounts.permissions:reader` is not a valid action. The valid action should be `serviceaccounts.permissions:read`. + +```http +POST /api/access-control/roles HTTP/1.1 +Content-Type: application/json +{ + "Name": "Read Service Account with id 6", + "Permissions": [ + { + "action": "serviceaccounts.permissions:reader", + "scope": "serviceaccounts:uid:6" + } + ] +} +``` + +```http +HTTP/1.1 400 Bad Request +Content-Type: application/json +{ + "extra": { + "validationError": "the provided action was not found in the list of valid actions: serviceaccounts.permissions:reader" + }, + "message": "Permission contains an invalid action", + "messageId": "accesscontrol.permission-invalid-action", + "statusCode": 400, + "traceID": "" +} +``` + +##### Invalid scope + +The following example shows a request with an invalid scope. The scope `serviceaccounts:serviceaccount6` is not a valid scope for the action `serviceaccounts.permissions:read`. The valid scopes for this action are `*`, `serviceaccounts:*` and `serviceaccounts:id:*`. + +```http +POST /api/access-control/roles HTTP/1.1 +Content-Type: application/json +{ + "Name": "Read Service Account with id 6", + "Permissions": [ + { + "action": "serviceaccounts.permissions:read", + "scope": "serviceaccounts:serviceaccount6" + } + ] +} +``` + +```http +HTTP/1.1 400 Bad Request +Content-Type: application/json +{ + "extra": { + "validationError": "unknown scope: serviceaccounts:serviceaccount6 for action: serviceaccounts.permissions:read provided, expected prefixes are [* serviceaccounts:* serviceaccounts:id:*]" + }, + "message": "Invalid scope", + "messageId": "accesscontrol.permission-invalid-scope", + "statusCode": 400, + "traceID": "" +} +``` + #### Status codes -| Code | Description | -| ---- | ---------------------------------------------------------------------------------- | -| 200 | Role is updated. | -| 400 | Bad request (invalid json, missing content-type, missing or invalid fields, etc.). | -| 403 | Access denied | -| 500 | Unexpected error. Refer to body and/or server logs for more details. | +| Code | Description | +| ---- | ------------------------------------------------------------------------------------- | +| 200 | Role is updated. | +| 400 | Bad request (invalid json, missing content-type, missing or invalid fields, etc.). | +| 403 | Access denied (one of the specified permissions is not assigned to the the requester) | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | ### Update a role @@ -418,15 +488,23 @@ Content-Type: application/json; charset=UTF-8 } ``` +#### Update role validation errors + +Permission validation only occurs when permission validation is enabled (`rbac.permission_validation_enabled = true`). + +> It has been enabled by default since Grafana 10.2. + +For more information, refer to [Create role validation errors]({{< ref "#create-role-validation-errors" >}}). + #### Status codes -| Code | Description | -| ---- | ---------------------------------------------------------------------------------- | -| 200 | Role is updated. | -| 400 | Bad request (invalid json, missing content-type, missing or invalid fields, etc.). | -| 403 | Access denied | -| 404 | Role was not found to update. | -| 500 | Unexpected error. Refer to body and/or server logs for more details. | +| Code | Description | +| ---- | ------------------------------------------------------------------------------------- | +| 200 | Role is updated. | +| 400 | Bad request (invalid json, missing content-type, missing or invalid fields, etc.). | +| 403 | Access denied (one of the specified permissions is not assigned to the the requester) | +| 404 | Role was not found to update. | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | ### Delete a custom role