IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Revert fixed roles and service accounts (#44778)

Browse Source 
* Revert fixed roles and service accounts

* Leave the fixed role for service accounts
This commit is contained in:
Vardan Torosyan 2022-02-03 09:59:26 +01:00 committed by GitHub
parent 8c6a5f043a
commit f38f10416a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/api/api.go
View File

@ -13,7 +13,6 @@ import (
ac "github.com/grafana/grafana/pkg/services/accesscontrol" ac "github.com/grafana/grafana/pkg/services/accesscontrol"
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
"github.com/grafana/grafana/pkg/services/featuremgmt" "github.com/grafana/grafana/pkg/services/featuremgmt"
sa "github.com/grafana/grafana/pkg/services/serviceaccounts/manager"
) )
var plog = log.New("api") var plog = log.New("api")
@ -256,10 +255,10 @@ func (hs *HTTPServer) registerRoutes() {
// auth api keys // auth api keys
apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) { apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) {
keysRoute.Get("/", authorize(reqOrgAdmin, sa.ActionApikeyListEv), routing.Wrap(GetAPIKeys)) keysRoute.Get("/", routing.Wrap(GetAPIKeys))
keysRoute.Post("/", authorize(reqOrgAdmin, sa.ActionApikeyAddEv), quota("api_key"), routing.Wrap(hs.AddAPIKey)) keysRoute.Post("/", quota("api_key"), routing.Wrap(hs.AddAPIKey))
keysRoute.Post("/additional", authorize(reqOrgAdmin, sa.ActionApikeyAddAdditionalEv), quota("api_key"), routing.Wrap(hs.AdditionalAPIKey)) keysRoute.Post("/additional", quota("api_key"), routing.Wrap(hs.AdditionalAPIKey))
keysRoute.Delete("/:id", authorize(reqOrgAdmin, sa.ActionApikeyRemoveEv), routing.Wrap(DeleteAPIKey)) keysRoute.Delete("/:id", routing.Wrap(DeleteAPIKey))
}, reqOrgAdmin) }, reqOrgAdmin)
// Preferences // Preferences

60
pkg/services/serviceaccounts/manager/roles.go
View File

@ -5,22 +5,6 @@ import (
"github.com/grafana/grafana/pkg/services/serviceaccounts" "github.com/grafana/grafana/pkg/services/serviceaccounts"
) )
var (
ActionApikeyList = "apikey:list"
ActionApikeyAdd = "apikey:add"
ActionApikeyRemove = "apikey:remove"
ActionApikeyAddAdditional = "apikey:addadditional"
apikeyWriter = "fixed:apikey:writer"
apikeyReader = "fixed:apikey:reader"
//API key actions
ActionApikeyListEv = accesscontrol.EvalPermission(ActionApikeyList)
ActionApikeyAddEv = accesscontrol.EvalPermission(ActionApikeyAdd)
ActionApikeyRemoveEv = accesscontrol.EvalPermission(ActionApikeyRemove) //Improvement:Check here or in database layer that user has permissiono modify the service account attached to this api key
ActionApikeyAddAdditionalEv = accesscontrol.EvalPermission(ActionApikeyAddAdditional)
)
func RegisterRoles(ac accesscontrol.AccessControl) error { func RegisterRoles(ac accesscontrol.AccessControl) error {
role := accesscontrol.RoleRegistration{ role := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{ Role: accesscontrol.RoleDTO{
@ -50,49 +34,5 @@ func RegisterRoles(ac accesscontrol.AccessControl) error {
return err return err
} }
apikeyAdminReadRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: apikeyReader,
DisplayName: "Apikeys reader",
Description: "Gives access to list apikeys.",
Group: "Service accounts",
Permissions: []accesscontrol.Permission{
{
Action: ActionApikeyList,
Scope: accesscontrol.ScopeUsersAll,
},
},
},
Grants: []string{"Admin"},
}
if err := ac.DeclareFixedRoles(apikeyAdminReadRole); err != nil {
return err
}
apikeyAdminEditRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: apikeyWriter,
DisplayName: "Apikeys writer",
Description: "Gives access to add and delete api keys.",
Group: "Service accounts",
Permissions: accesscontrol.ConcatPermissions(apikeyAdminReadRole.Role.Permissions, []accesscontrol.Permission{
{
Action: ActionApikeyAdd,
Scope: accesscontrol.ScopeUsersAll,
},
{
Action: ActionApikeyRemove,
Scope: accesscontrol.ScopeUsersAll,
},
}),
},
Grants: []string{"Admin"},
}
if err := ac.DeclareFixedRoles(apikeyAdminEditRole); err != nil {
return err
}
return nil return nil
} }

6
pkg/services/serviceaccounts/manager/service.go
View File

@ -36,8 +36,10 @@ func ProvideServiceAccountsService(
log: log.New("serviceaccounts"), log: log.New("serviceaccounts"),
} }
if err := RegisterRoles(ac); err != nil { if features.IsEnabled(featuremgmt.FlagServiceAccounts) {
s.log.Error("Failed to register roles", "error", err) if err := RegisterRoles(ac); err != nil {
s.log.Error("Failed to register roles", "error", err)
}
} }
serviceaccountsAPI := api.NewServiceAccountsAPI(s, ac, routeRegister, s.store) serviceaccountsAPI := api.NewServiceAccountsAPI(s, ac, routeRegister, s.store)