mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
6b4a9d73d7
* introduce a new action "alert.provisioning.secrets:read" and role "fixed:alerting.provisioning.secrets:reader" * update alerting API authorization layer to let the user read provisioning with the new action * let new action use decrypt flag * add action and role to docs
134 lines
4.6 KiB
TypeScript
134 lines
4.6 KiB
TypeScript
import { contextSrv } from 'app/core/services/context_srv';
|
|
import { isOrgAdmin } from 'app/features/plugins/admin/permissions';
|
|
import { AccessControlAction } from 'app/types';
|
|
|
|
import { GRAFANA_RULES_SOURCE_NAME, isGrafanaRulesSource } from './datasource';
|
|
|
|
type RulesSourceType = 'grafana' | 'external';
|
|
|
|
function getRulesSourceType(alertManagerSourceName: string): RulesSourceType {
|
|
return isGrafanaRulesSource(alertManagerSourceName) ? 'grafana' : 'external';
|
|
}
|
|
|
|
export const instancesPermissions = {
|
|
read: {
|
|
grafana: AccessControlAction.AlertingInstanceRead,
|
|
external: AccessControlAction.AlertingInstancesExternalRead,
|
|
},
|
|
create: {
|
|
grafana: AccessControlAction.AlertingInstanceCreate,
|
|
external: AccessControlAction.AlertingInstancesExternalWrite,
|
|
},
|
|
update: {
|
|
grafana: AccessControlAction.AlertingInstanceUpdate,
|
|
external: AccessControlAction.AlertingInstancesExternalWrite,
|
|
},
|
|
delete: {
|
|
grafana: AccessControlAction.AlertingInstanceUpdate,
|
|
external: AccessControlAction.AlertingInstancesExternalWrite,
|
|
},
|
|
};
|
|
|
|
export const notificationsPermissions = {
|
|
read: {
|
|
grafana: AccessControlAction.AlertingNotificationsRead,
|
|
external: AccessControlAction.AlertingNotificationsExternalRead,
|
|
},
|
|
create: {
|
|
grafana: AccessControlAction.AlertingNotificationsWrite,
|
|
external: AccessControlAction.AlertingNotificationsExternalWrite,
|
|
},
|
|
update: {
|
|
grafana: AccessControlAction.AlertingNotificationsWrite,
|
|
external: AccessControlAction.AlertingNotificationsExternalWrite,
|
|
},
|
|
delete: {
|
|
grafana: AccessControlAction.AlertingNotificationsWrite,
|
|
external: AccessControlAction.AlertingNotificationsExternalWrite,
|
|
},
|
|
};
|
|
|
|
export const provisioningPermissions = {
|
|
read: AccessControlAction.AlertingProvisioningRead,
|
|
readSecrets: AccessControlAction.AlertingProvisioningReadSecrets,
|
|
write: AccessControlAction.AlertingProvisioningWrite,
|
|
};
|
|
|
|
const rulesPermissions = {
|
|
read: {
|
|
grafana: AccessControlAction.AlertingRuleRead,
|
|
external: AccessControlAction.AlertingRuleExternalRead,
|
|
},
|
|
create: {
|
|
grafana: AccessControlAction.AlertingRuleCreate,
|
|
external: AccessControlAction.AlertingRuleExternalWrite,
|
|
},
|
|
update: {
|
|
grafana: AccessControlAction.AlertingRuleUpdate,
|
|
external: AccessControlAction.AlertingRuleExternalWrite,
|
|
},
|
|
delete: {
|
|
grafana: AccessControlAction.AlertingRuleDelete,
|
|
external: AccessControlAction.AlertingRuleExternalWrite,
|
|
},
|
|
};
|
|
|
|
export function getInstancesPermissions(rulesSourceName: string) {
|
|
const sourceType = getRulesSourceType(rulesSourceName);
|
|
|
|
return {
|
|
read: instancesPermissions.read[sourceType],
|
|
create: instancesPermissions.create[sourceType],
|
|
update: instancesPermissions.update[sourceType],
|
|
delete: instancesPermissions.delete[sourceType],
|
|
};
|
|
}
|
|
|
|
export function getNotificationsPermissions(rulesSourceName: string) {
|
|
const sourceType = getRulesSourceType(rulesSourceName);
|
|
|
|
return {
|
|
read: notificationsPermissions.read[sourceType],
|
|
create: notificationsPermissions.create[sourceType],
|
|
update: notificationsPermissions.update[sourceType],
|
|
delete: notificationsPermissions.delete[sourceType],
|
|
provisioning: provisioningPermissions,
|
|
};
|
|
}
|
|
|
|
export function getRulesPermissions(rulesSourceName: string) {
|
|
const sourceType = getRulesSourceType(rulesSourceName);
|
|
|
|
return {
|
|
read: rulesPermissions.read[sourceType],
|
|
create: rulesPermissions.create[sourceType],
|
|
update: rulesPermissions.update[sourceType],
|
|
delete: rulesPermissions.delete[sourceType],
|
|
};
|
|
}
|
|
|
|
export function evaluateAccess(actions: AccessControlAction[], fallBackUserRoles: string[]) {
|
|
return () => {
|
|
return contextSrv.evaluatePermission(() => fallBackUserRoles, actions);
|
|
};
|
|
}
|
|
|
|
export function getRulesAccess() {
|
|
return {
|
|
canCreateGrafanaRules:
|
|
contextSrv.hasAccess(AccessControlAction.FoldersRead, contextSrv.hasEditPermissionInFolders) &&
|
|
contextSrv.hasAccess(rulesPermissions.create.grafana, contextSrv.hasEditPermissionInFolders),
|
|
canCreateCloudRules:
|
|
contextSrv.hasAccess(AccessControlAction.DataSourcesRead, contextSrv.isEditor) &&
|
|
contextSrv.hasAccess(rulesPermissions.create.external, contextSrv.isEditor),
|
|
canEditRules: (rulesSourceName: string) => {
|
|
const permissionFallback =
|
|
rulesSourceName === GRAFANA_RULES_SOURCE_NAME ? contextSrv.hasEditPermissionInFolders : contextSrv.isEditor;
|
|
return contextSrv.hasAccess(getRulesPermissions(rulesSourceName).update, permissionFallback);
|
|
},
|
|
canReadProvisioning:
|
|
contextSrv.hasAccess(provisioningPermissions.read, isOrgAdmin()) ||
|
|
contextSrv.hasAccess(provisioningPermissions.readSecrets, isOrgAdmin()),
|
|
};
|
|
}
|