IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-20 11:48:34 -06:00
Code Issues Packages Projects Releases Wiki Activity
49b3027049
grafana/pkg/services/accesscontrol/resourcepermissions/options.go
Karl Persson 6d1bcd9f40
DataSourcePermissions: Handle licensing properly for ds permissions (#59694) 
* RBAC: add viewer grand if dspermissions enforcement is not enabled

* RBAC: Change permissions based on role prefix

* RBAC: Add option to for permission service to add a license middleware

* RBAC: Remove actions from query struct
2022-12-02 13:19:14 +01:00

46 lines
2.4 KiB
Go
Raw Blame History

package resourcepermissions
import (
"context"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/web"
)
type ResourceValidator func(ctx context.Context, orgID int64, resourceID string) error
type InheritedScopesSolver func(ctx context.Context, orgID int64, resourceID string) ([]string, error)
type Options struct {
// Resource is the action and scope prefix that is generated
Resource string
// ResourceAttribute is the attribute the scope should be based on (e.g. id or uid)
ResourceAttribute string
// OnlyManaged will tell the service to return all permissions if set to false and only managed permissions if set to true
OnlyManaged bool
// ResourceValidator is a validator function that will be called before each assignment.
// If set to nil the validator will be skipped
ResourceValidator ResourceValidator
// Assignments decides what we can assign permissions to (users/teams/builtInRoles)
Assignments Assignments
// PermissionsToAction is a map of friendly named permissions and what access control actions they should generate.
// E.g. Edit permissions should generate dashboards:read, dashboards:write and dashboards:delete
PermissionsToActions map[string][]string
// ReaderRoleName is the display name for the generated fixed reader role
ReaderRoleName string
// WriterRoleName is the display name for the generated fixed writer role
WriterRoleName string
// RoleGroup is the group name for the generated fixed roles
RoleGroup string
// OnSetUser if configured will be called each time a permission is set for a user
OnSetUser func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error
// OnSetTeam if configured will be called each time a permission is set for a team
OnSetTeam func(session *db.Session, orgID, teamID int64, resourceID, permission string) error
// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
OnSetBuiltInRole func(session *db.Session, orgID int64, builtInRole, resourceID, permission string) error
// InheritedScopesSolver if configured can generate additional scopes that will be used when fetching permissions for a resource
InheritedScopesSolver InheritedScopesSolver
// LicenseMV if configured is applied to endpoints that can modify permissions
LicenseMW web.Handler
}
Reference in New Issue View Git Blame Copy Permalink