mirror of
https://github.com/grafana/grafana.git
synced 2024-12-01 04:59:15 -06:00
5a1b9d2283
* RBAC: Remove DeclareFixedRoles wrapper on Access control and inject service when needed
78 lines
2.1 KiB
Go
78 lines
2.1 KiB
Go
package manager
|
|
|
|
import (
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
|
)
|
|
|
|
func RegisterRoles(service accesscontrol.Service) error {
|
|
saReader := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:serviceaccounts:reader",
|
|
DisplayName: "Service accounts reader",
|
|
Description: "Read service accounts and service account tokens.",
|
|
Group: "Service accounts",
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: serviceaccounts.ActionRead,
|
|
Scope: serviceaccounts.ScopeAll,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
saCreator := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:serviceaccounts:creator",
|
|
DisplayName: "Service accounts creator",
|
|
Description: "Create service accounts.",
|
|
Group: "Service accounts",
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: serviceaccounts.ActionCreate,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
saWriter := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:serviceaccounts:writer",
|
|
DisplayName: "Service accounts writer",
|
|
Description: "Create, delete and read service accounts, manage service account permissions.",
|
|
Group: "Service accounts",
|
|
Permissions: accesscontrol.ConcatPermissions(saReader.Role.Permissions, []accesscontrol.Permission{
|
|
{
|
|
Action: serviceaccounts.ActionWrite,
|
|
Scope: serviceaccounts.ScopeAll,
|
|
},
|
|
{
|
|
Action: serviceaccounts.ActionCreate,
|
|
},
|
|
{
|
|
Action: serviceaccounts.ActionDelete,
|
|
Scope: serviceaccounts.ScopeAll,
|
|
},
|
|
{
|
|
Action: serviceaccounts.ActionPermissionsRead,
|
|
Scope: serviceaccounts.ScopeAll,
|
|
},
|
|
{
|
|
Action: serviceaccounts.ActionPermissionsWrite,
|
|
Scope: serviceaccounts.ScopeAll,
|
|
},
|
|
}),
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
if err := service.DeclareFixedRoles(saReader, saCreator, saWriter); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|