Commit Graph

57 Commits

Author SHA1 Message Date
Gabriel MABILLE
818b8739c0
AccessControl: Remove scopes from orgs endpoints (#41709)
* AccessControl: Check permissions in target org

* Remove org scopes and add an authorizeInOrg middleware

* Use query result org id and perform users permission check globally for GetOrgByName

* Remove scope translation for orgs current

* Suggestion from Ieva
2021-11-17 10:12:28 +01:00
Ieva
dcae138379
Access Control: adding group field to roles (#41465)
* add group field to roles in AC models

* change to using group_name as the column name

* add a migration for group column
2021-11-12 10:42:47 +00:00
Karl Persson
3c659f1ea0
Access Control: Move part of access control database (#40483)
* Add accesscontrol migrations

* Add ResourceStore interface and related structs

* Add team/user/builtin-role

* Add accesscontrol database with functions to handle managed roles and
permissions

* Add ResourceManager

* Add GetUserPermissions

* Update pkg/services/accesscontrol/accesscontrol.go

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 14:02:53 +01:00
Jeremy Price
69c5370e94
Accesscontrol: Add additional API keys to service account, move cloneserviceaccount to sqlstore (#41189)
* Add additional api key, move cloneserviceaccount

* Remove TODOs, for now

* Error messages

* Linter

* Security check

* Add comments

* Take service account id from correct variable

* Update user.go
2021-11-11 10:42:21 +00:00
ying-jeanne
54de1078c8
remove the global log error/warn etc functions (#41404)
* remove the global log error/warn etc functions and use request context logger whenever possible
2021-11-08 17:56:56 +01:00
Emil Tullstedt
3b637f4b44
Access control: Redirect non-API calls (#41100) 2021-11-04 09:59:52 +01:00
idafurjes
9340430723
Chore: Add alert ctx (#41161)
* Add context for alert

* Remove context.TODO

* Remove xorm

* Remove context.TODO

* Fix UsageStatsQuerier interface
2021-11-03 14:10:39 +01:00
ying-jeanne
681218275e
remove crit and trace (#40320) 2021-10-26 17:36:24 +02:00
Gabriel MABILLE
6a3ce8bd38
AccessControl: tidy scope resolution (#40677)
* AccessControl: tidy scope resolution
2021-10-20 17:11:22 +02:00
Jeremy Price
6dbb6408d4
Access Control: Add service accounts (#38994)
* Add extra fields to OSS types to support enterprise

* Create a service account at the same time as the API key

* Use service account credentials when accessing API with APIkey

* Add GetRole to service, merge RoleDTO and Role structs

This patch merges the identical OSS and Enterprise data structures, which improves the code for two reasons:

1.  Makes switching between OSS and Enterprise easier
2.  Reduces the chance of incompatibilities developing between the same functions in OSS and Enterprise

* If API key is not linked to a service account, continue login as usual

* Fallback to old auth if no service account linked to key

* Add CloneUserToServiceAccount

* Adding LinkAPIKeyToServiceAccount

* Handle api key link error

* Better error messages for OSS accesscontrol

* Set an invalid user id as default

* Re-arrange field names

* ServiceAccountId is integer

* Better error messages

Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2021-10-20 14:36:11 +02:00
Gabriel MABILLE
fbc6febb0e
AccessControl: keyword scope resolution (#40229) 2021-10-19 14:40:21 +02:00
Eric Leijonmarck
b88cd08177
feat: fallback for displayname of non-fixed role without displayname (#40277) 2021-10-11 16:00:54 +01:00
Serge Zaitsev
57fcfd578d
Chore: replace macaron with web package (#40136)
* replace macaron with web package

* add web.go
2021-10-11 14:30:59 +02:00
Gabriel MABILLE
458371c8eb
AccessControl: Extend scope parameters with extra params from context (#39722)
* AccessControl: Extend scope parameters with extra params from context

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-10-06 13:15:09 +02:00
Eric Leijonmarck
5374eaca89
fix: marshal displayname RoleDTO (#40015) 2021-10-05 16:29:34 +02:00
Ieva
52220b2470
AccessControl: frontend changes for adding FGAC to licensing (#39484)
* refactor licenseURL function to use context and export permission evaluation fction

* remove provisioning file

* refactor licenseURL to take in a bool to avoid circular dependencies

* remove function for appending nav link, as it was only used once and move the function to create admin node

* better argument names

* create a function for permission checking

* extend permission checking when displaying server stats

* enable the use of enterprise access control actions when evaluating permissions

* import ordering

* move licensing FGAC action definitions to models package to allow access from oss

* move evaluatePermissions for routes to context serve

* change permission evaluator to take in more permissions

* move licensing FGAC actions again to appease wire

* avoid index out of bounds issue in case no children are passed in when creating server admin node

* simplify syntax for permission checking

Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>

* update loading state for server stats

* linting

* more linting

* fix test

* fix a frontend test

* update "licensing.reports:read" action naming

* UI doesn't allow reading only licensing reports and not the rest of licensing info

Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
2021-10-05 14:54:26 +01:00
Eric Leijonmarck
f384288183
AccessControl: Add displayname field to Role (#39904)
* feat: add displayname

* refactor: marshal role for fallback displayname

* refactor: moved to private heuristic function for displaynames

* refactor: display name trimspace and remove prefix

* refactor: renaming of fallbackFunction

* refactor: moved methods below struct types
2021-10-05 13:07:16 +01:00
Tania B
990911a3b9
Chore: Cleanup usageStatsMock duplication (#39710)
* Chore: Cleanup usageStatsMock duplication

* Remove making a new slice for UsageStatsMock
2021-09-29 09:59:02 +03:00
Tania B
b9acdce837
Chore: Fix grafana live stats reset when sending usage stats (#39558) 2021-09-23 12:55:00 +03:00
Joan López de la Franca Beltran
a680162792
Usage Stats: Split domain & service packages (#39488) 2021-09-21 20:50:37 +02:00
Jeremy Price
5ce5571c73
Add extra fields to OSS types to support enterprise (#39427) 2021-09-21 09:58:35 +02:00
Serge Zaitsev
063160aae2
Chore: pass url parameters through context.Context (#38826)
* pass url parameters through context.Context

* fix url param names without colon prefix

* change context params to vars

* replace url vars in tests using new api

* rename vars to params

* add some comments

* rename seturlvars to seturlparams
2021-09-14 18:34:56 +02:00
Gabriel MABILLE
a811d7d76f
Access control: Add a scope to Data Sources GET endpoint (#38933) 2021-09-07 17:13:11 +02:00
Arve Knudsen
78596a6756
Migrate to Wire for dependency injection (#32289)
Fixes #30144

Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
2021-08-25 15:11:22 +02:00
Gabriel MABILLE
f9273d0d37
AccessControl: Add a mock (#38515) 2021-08-24 20:12:48 +02:00
Karl Persson
7ebf4027a7
Access Control: refactor permission evaluator to be more flexible (#35996)
* add a more flexible way to create permissions

* update interface for accesscontrol to use new eval interface

* use new eval interface

* update middleware to use new eval interface

* remove evaluator function and move metrics to service

* add tests for accesscontrol middleware

* Remove failed function from interface and update inejct to create a new
evaluator

* Change name

* Support Several sopes for a permission


* use evaluator and update fakeAccessControl

* Implement String that will return string representation of permissions
for an evaluator

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 11:36:28 +02:00
Jeremy Price
9a71cec1f0
Access Control: Make the evaluator prefix match only (#38025)
* Make the evaluator prefix match only

* Handle empty scopes

* Bump version of settings read role

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-08-23 14:03:20 +02:00
Jeremy Price
e8e1a0b50b
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535)
This reverts commit 55efeb0c02.
2021-08-04 14:44:37 +02:00
Jack Westbrook
cdcccfcc53
Plugins: Fix catalog permissions for org and server admins (#37504)
* simplify toggle + add link to server admin

* feat(catalog): org admins can configure plugin apps, cannot install/uninstall plugins

* fix(catalog): dont show buttons if user doesn't have install permissions

* feat(catalog): cater for accessing catalog via /plugins and /admin/plugins

* feat(catalog): use location for list links and match.url to define breadcrumb links

* test(catalog): mock isGrafanaAdmin for PluginDetails tests

* test(catalog): preserve default bootdata in PluginDetails mock

* refactor(catalog): move orgAdmin check out of state and make easier to reason with

Co-authored-by: Will Browne <will.browne@grafana.com>
2021-08-04 11:49:05 +02:00
Emil Tullstedt
55efeb0c02
Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)
This reverts commit 88c11f1cc0.
2021-07-30 13:58:49 +02:00
Gabriel MABILLE
88c11f1cc0
AccessControl: Implement a way to register fixed roles (#35641)
* AccessControl: Implement a way to register fixed roles

* Add context to register func

* Use FixedRoleGrantsMap instead of FixedRoleGrants

* Removed FixedRoles map to sync.map


* Wrote test for accesscontrol and provisioning

* Use mutexes+map instead of sync maps

* Create a sync map struct out of a Map and a Mutex

* Create a sync map struct for grants as well

* Validate builtin roles

* Make validation public to access control

* Handle errors consistently with what seeder does

* Keep errors consistant amongst accesscontrol impl

* Handle registration error

* Reverse the registration direction thanks to a RoleRegistrant interface

* Removed sync map in favor for simple maps since registration now happens during init

* Work on the Registrant interface

* Remove the Register Role from the interface to have services returning their registrations instead

* Adding context to RegisterRegistrantsRoles and update descriptions

* little bit of cosmetics

* Making sure provisioning is ran after role registration

* test for role registration

* Change the accesscontrol interface to use a variadic

* check if accesscontrol is enabled

* Add a new test for RegisterFixedRoles and fix assign which was buggy

* Moved RegistrationList def to roles.go

* Change provisioning role's description

* Better comment on RegisterFixedRoles

* Correct comment on ValidateFixedRole

* Simplify helper func to removeRoleHelper

* Add log to saveFixedRole and assignFixedRole

Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
2021-07-30 09:52:09 +02:00
Joan López de la Franca Beltran
d9e500b654
UsageStats: Expose what ds types should be reported (#35916) 2021-07-07 23:12:00 +02:00
Karl Persson
2fd7031102
Access Control: Add fine-grained access control to explore (#35883)
* add fixed role for datasource read operations

* Add action for datasource explore

* add authorize middleware to explore index route

* add fgac support for explore navlink

* update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is

* add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default

* create function to evaluate permissions or using fallback if accesscontrol is disabled

* change hasAccess to prop and derive the value in mapStateToProps

* add test case to ensure buttons is not rendered when user does not have access

* Only hide return with changes button

* remove internal links if user does not have access to explorer

Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com>
2021-07-02 14:43:12 +02:00
Karl Persson
395b942134
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622)
* add accesscontrol action for stats read

* use accesscontrol middleware for stats route

* add fixed role with permissions to read sever stats

* add accesscontrol action for settings read

* use accesscontrol middleware for settings route

* add fixed role with permissions to read settings

* add accesscontrol tests for AdminGetSettings and AdminGetStats

* add ability to scope settings

* add tests for AdminGetSettings
2021-06-14 17:36:48 +02:00
Karl Persson
36c997a625
Access Control: Add fine-grained access control to ldap handlers (#35525)
* Add new accesscontrol action for ldap config reload

* Update ldapAdminEditRole with new ldap config reload permission

* wrap /ldap/reload with accesscontrol authorize middleware

* document new action and update fixed:ldap:admin:edit with said action

* add fake accesscontrol implementation for tests

* Add accesscontrol tests for ldap handlers

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-06-11 15:58:18 +02:00
Joan López de la Franca Beltran
f601921670
Usage Stats: Make the UsageStatsService extension point more flexible (#34778)
* Usage Stats: Rename service to use a more idiomatic name

* Usage Stats: Update MetricsFunc definition and implementations

* Revert "Usage Stats: Rename service to use a more idiomatic name"

This reverts commit 910ecce3e8.

* Usage Stats: Update MetricsFunc definition and implementations
2021-05-27 10:53:10 +02:00
Emil Tullstedt
0f4806db8a
Access control: Rename predefined roles to fixed roles (code) (#34469)
* s/grafana:roles:/fixed:/

* Update free text references to predefined roles
2021-05-25 15:36:01 +02:00
Vardan Torosyan
1e566e7783
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107)
* Access control: Add phone-home metrics to check if fine-grained access control is enabled or not

* Apply suggestions from code review
2021-05-17 16:33:38 +02:00
donomii
fc451cf277
Access Control: Add histograms for evaluator and permissions checks (#34026)
This patch adds metrics to support instrumenting the accesscontrols package.
It also instruments the accesscontrol evaluator and the permissions function.

Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2021-05-17 13:52:16 +02:00
Emil Tullstedt
c2e761f28e
Access control: Attach ID to error message (#33472) 2021-05-12 23:00:27 +02:00
Vardan Torosyan
1d15686bdf
Access control: Add a role for provisioning admins (#33787) 2021-05-10 11:46:42 +02:00
Emil Tullstedt
4496ae496e
Access control: Clean up users scopes (#33532)
Following discussion in grafana/grafana-enterprise#1292, removing
org-scoped users scopes to make it clear that the local organization is
the default and the alternative to that is a global scope (for a select
few endpoints)
2021-05-03 10:27:12 +02:00
Emil Tullstedt
840828b5d2
Access control: Allow empty scope requirement lists (#33518) 2021-04-29 13:22:13 +02:00
Vardan Torosyan
5bf6d7dad8
Access control: Update evaluator to authorize when at least one of the scopes is a match (#33393) 2021-04-27 18:22:18 +02:00
Vardan Torosyan
bf83fb80b7
Access control: Combine permissions through predefined roles (#33275)
* Access control: Combine permissions through predefined roles

When certain permission is required for built-in role, instead of adding those permissions to the existing predefined roles, we need to have granular predefined roles with those permissions.

* Better copy...

* Adding and fixing tests

* Remove duplicated permission
2021-04-23 15:44:42 +02:00
Alexander Zobnin
dd9f701cd9
Access control: Fix predefined roles (#33260) 2021-04-22 12:49:24 +02:00
Alexander Zobnin
a7e721e987
Access control: Make Admin/Users UI working with the permissions (#33176)
* API: authorize admin/users views

* Render admin/users components based on user's permissions

* Add LDAP permissions (required by admin/user page)

* Extend default admin role by LDAP permissions

* Show/hide LDAP debug views

* Render LDAP debug page if user has access

* Authorize LDAP debug view

* fix permissions definitions

* Add LDAP page permissions

* remove ambiguous permissions check

* Hide logout buttons in sessions table

* Add org/users permissions

* Use org permissions for managing user roles in orgs

* Apply permissions to org/users

* Apply suggestions from review

* Fix tests

* remove scopes from the frontend

* Tweaks according to review

* Handle /invites endpoints
2021-04-22 13:19:41 +03:00
Alexander Zobnin
41f6af96c4
Access control: Build navigation links with access control (#33024)
* Build nav links with access control

* Break up getNavTree (reduce cyclomatic complexity)

* Fix tests

* Use only ActionUsersRead permissions

* Remove unused permissions definitions

* Chore: remove unused fallbacks

* Fix linter error
2021-04-19 12:23:29 +03:00
Alexander Zobnin
8b843eb0a6
Access control: expose permissions to the frontend (#32954)
* Expose user permissions to the frontend

* Do not include empty scope

* Extend ContextSrv with hasPermission() method

* Add access control types

* Fix type error (make permissions optional)

* Fallback if access control disabled

* Move UserPermission to types

* Simplify hasPermission()
2021-04-16 16:02:16 +03:00
Vardan Torosyan
9f82eac833
Access control: Add access control based permissions to admins/users (#32409)
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 16:31:27 +02:00