Commit Graph

13 Commits

Author SHA1 Message Date
Karl Persson
9d2f5ef62f
RBAC: Add function to generate wildcards from prefix (#54275)
* RBAC: Move metadata to own file

* RBAC: Rename test files

* RBAC: Add wildcard structure and helper function to generate wildcards
from prefix

* RBAC: Refactor filter to use WildcardsFromPrefix

* RBAC: Refactor GetResourceMetadata to use WildcardsFromPrefix
2022-08-26 17:10:35 +02:00
Karl Persson
c4a75f9eb3
RBAC: Add scope resolvers for dashboards (#50110)
* Inject access control into dashboard service

* Add function to parse id scopes

* Add dashboard as return value

* Update mock

* Return only err to keep service interface

* Add scope resolvers for dashboard id scopes

* Add function to parse uid scopes

* Add dashboard uid scope resolver

* Register scope resolvers for dashboards

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 11:02:20 +02:00
Karl Persson
de50f39c12
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202)
* Refactor Scope resolver to support resolving into several scopes

* Change permission evaluator to match at least one of passed scopes
2022-05-02 09:29:30 +02:00
Jguer
90a94eab74
Dashboard/Folder permission fix session (#47174)
* Fix inherited scopes for dashboard to use folder uid

* Add inherited evaluators

* Slight modification of the commments

* Add test for inheritance

* Nit.

* extract shared function from tests

* Nit. Extra line

* Remove unused comment

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-04-05 14:28:23 +02:00
Gabriel MABILLE
ff3c1e3144
AccessControl: Handle ':' in attribute resolution (#46742)
* AccessControl: Handle ':' in attribute resolution

* Simplify based on assumption that prefixes will have maximum 2 parts
2022-03-23 08:48:32 +01:00
Ieva
f2450575b3
Access control: FGAC for annotation updates (#46462)
* proposal

* PR feedback

* fix canSave bug

* update scope naming

* linting

* linting

Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-18 17:33:21 +01:00
Yuriy Tseretyan
314be36a7c
Move datasource scopes and actions to access control package (#46334)
* create scope provider
* move datasource actions and scopes to datasource package + add provider
* change usages to use datasource scopes and update data source name resolver to use provider
* move folder permissions to dashboard package and update usages
2022-03-09 11:57:50 -05:00
Gabriel MABILLE
54280fc9d7
AccessControl: Resolve attribute based scopes to id based scopes (#40742)
* AccessControl: POC scope attribute resolution

Refactor based on ScopeMutators

test errors and calls to cache

Add comments to tests

Rename logger

Create keywordMutator only once

* AccessControl: Add AttributeScopeResolver registration

Co-authored-by: gamab <gabriel.mabille@grafana.com>

* AccessControl: Add AttributeScopeResolver to datasources

Co-authored-by: gamab <gabriel.mabille@grafana.com>

* Test evaluation with translation

* fix imports

* AccessControl: Test attribute resolver

* Fix trailing white space

* Make ScopeResolver public for enterprise redefine

* Handle wildcard

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-01-18 17:34:35 +01:00
Gabriel MABILLE
c7cabdfd6f
AccessControl: Add accesscontrol metadata to datasources DTOs (#42675)
* AccessControl: Provide scope to frontend

* Covering datasources with accesscontrol metadata

* Write benchmark tests for GetResourcesMetadata

* Add accesscontrol util and interface

* Add the hasPermissionInMetadata function in the frontend access control code

* Use IsDisabled rather that performing a feature toggle check

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-12-15 12:08:15 +01:00
Gabriel MABILLE
818b8739c0
AccessControl: Remove scopes from orgs endpoints (#41709)
* AccessControl: Check permissions in target org

* Remove org scopes and add an authorizeInOrg middleware

* Use query result org id and perform users permission check globally for GetOrgByName

* Remove scope translation for orgs current

* Suggestion from Ieva
2021-11-17 10:12:28 +01:00
Gabriel MABILLE
6a3ce8bd38
AccessControl: tidy scope resolution (#40677)
* AccessControl: tidy scope resolution
2021-10-20 17:11:22 +02:00
Gabriel MABILLE
458371c8eb
AccessControl: Extend scope parameters with extra params from context (#39722)
* AccessControl: Extend scope parameters with extra params from context

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-10-06 13:15:09 +02:00
Karl Persson
7ebf4027a7
Access Control: refactor permission evaluator to be more flexible (#35996)
* add a more flexible way to create permissions

* update interface for accesscontrol to use new eval interface

* use new eval interface

* update middleware to use new eval interface

* remove evaluator function and move metrics to service

* add tests for accesscontrol middleware

* Remove failed function from interface and update inejct to create a new
evaluator

* Change name

* Support Several sopes for a permission


* use evaluator and update fakeAccessControl

* Implement String that will return string representation of permissions
for an evaluator

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00