Commit Graph

49 Commits

Author SHA1 Message Date
Ryan McKinley
1fab107e79
FeatureFlags: Avoid using cfg.IsFeatureToggleEnabled (#81407) 2024-01-28 15:22:45 -08:00
Ieva
048d1e7c86
RBAC: Annotation permission migration (#78899)
* add annotation permissions to dashboard managed role and add migrations for annotation permissions

* fix a bug with conditional access level definitions

* add tests

* Update pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* apply feedback

* add batching, fix tests and a typo

* add one more test

* undo unneeded change

* undo unwanted change

* only check the default basic permissions for non-OSS instances

* account for all wildcards and simplify the check a bit

* error handling and extra conditionals to avoid test failures

* fix a bug with admin permissions not appearing for folders

* fix the OSS check

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-01-26 17:17:29 +00:00
Jo
e77dbb63e3
AccessControl: Add group to role picker and standardize display (#79570)
* add group to role picker and standardize display

* change stuttery roles
2024-01-18 15:20:28 +01:00
Ieva
19ad788333
RBAC: change annotation scopes back (#79330)
Change the annotation scopes back to what they were
2023-12-12 09:51:08 +02:00
Ieva
c354c7bfff
RBAC: Update fixed annotation roles (#78756)
* update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled

* add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 14:50:55 +00:00
Ieva
39a30b0c01
Bug fix: add library panel permissions to basic roles (#77144)
set library panel permissions to basic roles
2023-10-25 18:44:55 +01:00
Ieva
94fec65192
RBAC: introduce a data source admin role (#75915)
* introduce data source admin role and fix frontend check

* introduce fixed roles for data source creator and team reader

* add documentation

* undo an unintended change
2023-10-19 14:36:41 +01:00
kay delaney
a12cb8cbf3
LibraryPanels: Add RBAC support (#73475) 2023-10-12 00:30:50 +01:00
Jo
26339f978b
Auth: Move access control API to SignedInUser interface (#73144)
* move access control api to SignedInUser interface

* remove unused code

* add logic for reading perms from a specific org

* move the specific org logic to org_user.go

* add a comment

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 11:42:18 +01:00
Michael Mandrus
779e0fe311
Feature Toggles: Create API for updating feature toggle state from the feature toggle admin page (#73022)
* create roles for writing feature toggles

* create update endpoint / handler

* api changes

* add feature toggle validations

* hide toggles based on their state

* make FlagFeatureToggle read only

* add username log

* add username string

* refactor for better readability

* refactor unit tests so we can do more validations

* some skeletoning for the set tests

* write unit tests for updater

* break helper functions out

* update sample ini to match defaults

* add more logic to ReadOnly label

* add user documentation

* fix lint issue

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: J Stickler <julie.stickler@grafana.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: J Stickler <julie.stickler@grafana.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: J Stickler <julie.stickler@grafana.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: J Stickler <julie.stickler@grafana.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: J Stickler <julie.stickler@grafana.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: J Stickler <julie.stickler@grafana.com>

---------

Co-authored-by: IbrahimCSAE <ibrahim.mdev@gmail.com>
Co-authored-by: J Stickler <julie.stickler@grafana.com>
2023-08-09 11:32:28 -04:00
João Calisto
4ba83173ea
Feature toggles management: Define get feature toggles api (#72106)
* Feature Toggle Management: Define get feature toggles api

* lint
2023-07-24 16:12:59 -04:00
Ieva
d8b66d5c4b
RBAC: remove some IsDisabled checks (#69272)
* remove some access contorl IsDisabled() checks

* cleaning up tests

* update tests

* linting
2023-05-31 09:58:57 +01:00
Will Browne
31d6416157
Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258)
* migrate licensing + access control

* update package name
2023-03-27 11:15:37 +02:00
Jo
6b6cf5f4b7
Cfg: Move ViewersCanEdit into cfg (#64876)
move ViewersCanEdit into cfg
2023-03-16 10:54:01 +01:00
idafurjes
6c5a573772
Chore: Move ReqContext to contexthandler service (#62102)
* Chore: Move ReqContext to contexthandler service

* Rename package to contextmodel

* Generate ngalert files

* Remove unused imports
2023-01-27 08:50:36 +01:00
Karl Persson
6d1bcd9f40
DataSourcePermissions: Handle licensing properly for ds permissions (#59694)
* RBAC: add viewer grand if dspermissions enforcement is not enabled

* RBAC: Change permissions based on role prefix

* RBAC: Add option to for permission service to add a license middleware

* RBAC: Remove actions from query struct
2022-12-02 13:19:14 +01:00
Torkel Ödegaard
09f4068849
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552) 2022-09-22 22:04:48 +02:00
Gabriel MABILLE
101349fe49
RBAC: Add permissions to install and configure plugins (#51829)
* RBAC: Allow app plugins restriction

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* Moving declaration to HttpServer

Co-Authored-By: marefr <marcus.efraimsson@gmail.com>

* Picking changes from the other branch

Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>

* Rename plugins.settings to plugins

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* Account for PluginAdminExternalManageEnabled

Co-authored-by: Will Browne <will.browne@grafana.com>

* Set metadata on instantiation

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: marefr <marcus.efraimsson@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
Co-authored-by: Will Browne <will.browne@grafana.com>
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-09-09 09:44:50 +02:00
Ezequiel Victorero
bcab0194f1
PublicDashboards: disable form if user does not has permissions (#54853) 2022-09-07 18:29:01 -03:00
Ezequiel Victorero
bfa35ff8d8
PublicDashboards: Add RBAC to secured endpoints (#54544) 2022-09-05 12:22:39 -03:00
Karl Persson
5a1b9d2283
RBAC: Remove DeclareFixedRoles wrapper on Access control and inject service (#54153)
* RBAC: Remove DeclareFixedRoles wrapper on Access control and inject service when needed
2022-08-26 09:59:34 +02:00
idafurjes
6afad51761
Move SignedInUser to user service and RoleType and Roles to org (#53445)
* Move SignedInUser to user service and RoleType and Roles to org

* Use go naming convention for roles

* Fix some imports and leftovers

* Fix ldap debug test

* Fix lint

* Fix lint 2

* Fix lint 3

* Fix type and not needed conversion

* Clean up messages in api tests

* Clean up api tests 2
2022-08-10 11:56:48 +02:00
Ieva
b590c1c60f
Access Control: Set permissions for Grafana's test data source (#53247)
* set permissions for Grafana's test data source

* linting
2022-08-05 10:19:50 +03:00
Ieva
0d324e931d
Access Control: Allow org admins to invite new users (#52894)
* allow org admins to invite new users to Grafana

* doc updates

* fix test
2022-07-27 17:37:27 +01:00
Ieva
b3a10202d4
Revert "Service accounts: Add service account to teams" (#52710)
* Revert "Service accounts: Add service account to teams (#51536)"

This reverts commit 0f919671e7.

* remove unneeded line

* fix test
2022-07-26 09:43:29 +01:00
Jean-Philippe Quéméner
41790083d2
Alerting: Add file provisioning for alert rules (#51635) 2022-07-14 23:53:13 +02:00
Gabriel MABILLE
5975c4bc6d
RBAC: Allow app plugins access restriction (#51524)
* RBAC: Allow app plugins restriction

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* Fix tests

* Imports

* WIP

* Adding RBAC to AppPluginsRoutes

* Switching middleware order

* Restrict access to resources

* Nit

* Cosmetic changes

* Fix fallback

* Moving declaration to HttpServer

Co-Authored-By: marefr <marcus.efraimsson@gmail.com>

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: marefr <marcus.efraimsson@gmail.com>
2022-07-08 13:24:09 +02:00
Ieva
0c33b9f211
Access control: Allow organisation admins to add existing users to org (#51668)
* check users with user add permission to access the invite endpoint

* undo unneeded changes

* tests and cleanup

* linting

* linting

* betterer

* betterer again

* fix prettier issue

Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-07-08 12:07:00 +01:00
Ieva
d85df0a560
Service Accounts: Managed permissions for service accounts (#51818)
* backend changes

* frontend changes

* linting

* nit

* import order

* allow SA creator to access the SA page

* fix merge

* tests

* fix frontend tests

Co-authored-by: alexanderzobnin alexanderzobnin@gmail.com
2022-07-08 05:53:18 -04:00
Eric Leijonmarck
0f919671e7
Service accounts: Add service account to teams (#51536)
* Revert "Serviceaccounts: #48995

Do not display service accounts assigned to team (#48995)"

This reverts commit cbf71fbd7f.

* fix: test to not include more actions than necessary

* adding service accounts to teams - backend and frontend changes

* also support SA addition through the old team membership endpoints

* fix tests

* tests

* serviceaccounts permission tests

* serviceaccounts permission service tests run

* added back test that was removed by accident

* lint

* refactor: add testoptionsTeams

* fix a bug

* service account picker change

* explicitly set SA managed permissions to false for dash and folders

* lint

* allow team creator to list service accounts

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-07-06 05:34:36 -04:00
Karl Persson
b9bb0513e3
Remove version property from fixed roles (#51298) 2022-06-23 12:09:03 +02:00
Karl Persson
1796a1d277
AccessControl: Grant data source reader to all users when running oss (#49514)
* grant data source reader to all users when running oss or enterprise
without license

* fix asserts in alerting tests

* add oss licensing service for test setup

* fix tests to pass in enterprise

* lint

* fix tests

* set setting.IsEnterprise flag for tests

Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
2022-05-25 13:43:58 +02:00
Karl Persson
2738d1c557
Access Control: Move dashboard actions and create scope provider (#48618)
* Move dashboard actions and create scope provider
2022-05-04 16:12:09 +02:00
Vardan Torosyan
cbd2d09d70
Update API Keys UI to adjust based on users permissions (#47802)
* Update API Keys UI to adjust based on users permissions

Since API Keys support now RBAC we need to ensure that UI
is adjusted based on the user permissions.

* Applying PR suggestions
2022-04-20 09:45:45 +02:00
Vardan Torosyan
782ec05d8c
Create fixed roles for reading API Keys and service accounts and fix listing of service account tokens (#47767)
* Create fixed roles for reading API Keys and service accounts

* Handle PR comments and fix the listing of token
2022-04-14 15:09:55 +02:00
Ieva
e50bd5cac8
Access control: expose SA frontend to users with the right permissions (#47727)
* expose frontend to users with permissions

* cover the ui endpoints

* fix permissions
2022-04-14 12:40:15 +01:00
Ieva
bc9b5325a0
update docs, simplify actions and scopes (#47067) 2022-04-04 13:53:58 +01:00
Karl Persson
a5e4a533fa
Access control: use uid for dashboard and folder scopes (#46807)
* use uid:s for folder and dashboard permissions

* evaluate folder and dashboard permissions based on uids

* add dashboard.uid to accept list

* Check for exact suffix

* Check parent folder on create

* update test

* drop dashboard:create actions with dashboard scope

* fix typo

* AccessControl: test id 0 scope conversion

* AccessControl: store only parent folder UID

* AccessControl: extract general as a constant

* FolderServices: Prevent creation of a folder uid'd general

* FolderServices: Test folder creation prevention

* Update pkg/services/guardian/accesscontrol_guardian.go

* FolderServices: fix mock call expect

* FolderServices: remove uneeded mocks

Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 15:14:26 +02:00
Gabriel MABILLE
3440e7c8f7
AccessControl: Fix locked role picker in orgs/edit page (#46539)
* AccessControl: Fix locked role picker in orgs/edit page

* Use correct org when computing metadata
2022-03-24 08:58:10 +01:00
Ezequiel Victorero
c5f295b5b3
Access Control: adding FGAC validation to mass delete annotation endpoint (#46846)
* Access Control: adding FGAC validation to mass delete annotation endpoint
2022-03-23 18:39:00 -03:00
Ezequiel Victorero
c717320942
Adding FGAC annotations validation for creation and deletion (#46736)
Access Control: Adding FGAC annotations validation for creation and deletion
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-21 14:28:39 -03:00
Karl Persson
7ab1ef8d6e
Access Control: Support other attributes than id for resource permissions (#46727)
* Add option to set ResourceAttribute for a permissions service
* Use prefix in access control sql filter to parse scopes
* Use prefix in access control metadata to check access
2022-03-21 17:58:18 +01:00
Ieva
f2450575b3
Access control: FGAC for annotation updates (#46462)
* proposal

* PR feedback

* fix canSave bug

* update scope naming

* linting

* linting

Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-18 17:33:21 +01:00
Karl Persson
d27ff42376
Access control: Move data source actions and scopes to datasource package (#46594)
* Add permission actions and id scope

* Remove scope and actions variable prefix

* Move page evaluators and rename them
2022-03-16 15:11:03 +01:00
Yuriy Tseretyan
314be36a7c
Move datasource scopes and actions to access control package (#46334)
* create scope provider
* move datasource actions and scopes to datasource package + add provider
* change usages to use datasource scopes and update data source name resolver to use provider
* move folder permissions to dashboard package and update usages
2022-03-09 11:57:50 -05:00
J Guerreiro
c6cae8411a
APIKeys: add API key migration to ensure fk is null (#46285) 2022-03-07 15:58:20 +01:00
J Guerreiro
7f1e8cee2b
APIKeys: Add AC controls for legacy API keys (#46255)
* APIKeys: Add AC controls for legacy API keys

* pluralize actions
2022-03-04 19:01:03 +01:00
Karl Persson
4982ca3b1d
Access control: Use access control for dashboard and folder (#44702)
* Add actions and scopes

* add resource service for dashboard and folder

* Add dashboard guardian with fgac permission evaluation

* Add CanDelete function to guardian interface

* Add CanDelete property to folder and dashboard dto and set values

* change to correct function name

* Add accesscontrol to folder endpoints

* add access control to dashboard endpoints

* check access for nav links

* Add fixed roles for dashboard and folders

* use correct package

* add hack to override guardian Constructor if accesscontrol is enabled

* Add services

* Add function to handle api backward compatability

* Add permissionServices to HttpServer

* Set permission when new dashboard is created

* Add default permission when creating new dashboard

* Set default permission when creating folder and dashboard

* Add access control filter for dashboard search

* Add to accept list

* Add accesscontrol to dashboardimport

* Disable access control in tests

* Add check to see if user is allow to create a dashboard

* Use SetPermissions

* Use function to set several permissions at once

* remove permissions for folder and dashboard on delete

* update required permission

* set permission for provisioning

* Add CanCreate to dashboard guardian and set correct permisisons for
provisioning

* Dont set admin on folder / dashboard creation

* Add dashboard and folder permission migrations

* Add tests for CanCreate

* Add roles and update descriptions

* Solve uid to id for dashboard and folder permissions

* Add folder and dashboard actions to permission filter

* Handle viewer_can_edit flag

* set folder and dashboard permissions services

* Add dashboard permissions when importing a new dashboard

* Set access control permissions on provisioning

* Pass feature flags and only set permissions if access control is enabled

* only add default permissions for folders and dashboards without folders

* Batch create permissions in migrations


* Remove `dashboards:edit` action

* Remove unused function from interface

* Update pkg/services/guardian/accesscontrol_guardian_test.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 15:05:47 +01:00
Gabriel MABILLE
14bee49f9a
AccessControl: Compute metadata from context permissions (#45578)
* AccessControl: Compute metadata from context permissions

* Remove nil

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Check user permissions are set

Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 11:27:00 +01:00