mirror of
https://github.com/grafana/grafana.git
synced 2024-11-28 11:44:26 -06:00
101349fe49
* RBAC: Allow app plugins restriction Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Moving declaration to HttpServer Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Picking changes from the other branch Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Rename plugins.settings to plugins Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Account for PluginAdminExternalManageEnabled Co-authored-by: Will Browne <will.browne@grafana.com> * Set metadata on instantiation Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> Co-authored-by: Will Browne <will.browne@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com>
76 lines
2.3 KiB
Go
76 lines
2.3 KiB
Go
package plugins
|
|
|
|
import (
|
|
"github.com/grafana/grafana/pkg/models"
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
const (
|
|
// Plugins actions
|
|
ActionInstall = "plugins:install"
|
|
ActionWrite = "plugins:write"
|
|
|
|
// App Plugins actions
|
|
ActionAppAccess = "plugins.app:access"
|
|
)
|
|
|
|
var (
|
|
ScopeProvider = ac.NewScopeProvider("plugins")
|
|
// Protects access to the Configuration > Plugins page
|
|
AdminAccessEvaluator = ac.EvalAny(ac.EvalPermission(ActionWrite), ac.EvalPermission(ActionInstall))
|
|
)
|
|
|
|
func ReqCanAdminPlugins(cfg *setting.Cfg) func(rc *models.ReqContext) bool {
|
|
// Legacy handler that protects access to the Configuration > Plugins page
|
|
return func(rc *models.ReqContext) bool {
|
|
return rc.OrgRole == org.RoleAdmin || cfg.PluginAdminEnabled && rc.IsGrafanaAdmin
|
|
}
|
|
}
|
|
|
|
func DeclareRBACRoles(service ac.Service, cfg *setting.Cfg) error {
|
|
AppPluginsReader := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: ac.FixedRolePrefix + "plugins.app:reader",
|
|
DisplayName: "Application Plugins Access",
|
|
Description: "Access application plugins (still enforcing the organization role)",
|
|
Group: "Plugins",
|
|
Permissions: []ac.Permission{
|
|
{Action: ActionAppAccess, Scope: ScopeProvider.GetResourceAllScope()},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
PluginsWriter := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: ac.FixedRolePrefix + "plugins:writer",
|
|
DisplayName: "Plugin Writer",
|
|
Description: "Enable and disable plugins and edit plugins' settings",
|
|
Group: "Plugins",
|
|
Permissions: []ac.Permission{
|
|
{Action: ActionWrite, Scope: ScopeProvider.GetResourceAllScope()},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
PluginsMaintainer := ac.RoleRegistration{
|
|
Role: ac.RoleDTO{
|
|
Name: ac.FixedRolePrefix + "plugins:maintainer",
|
|
DisplayName: "Plugin Maintainer",
|
|
Description: "Install, uninstall plugins",
|
|
Group: "Plugins",
|
|
Permissions: []ac.Permission{
|
|
{Action: ActionInstall},
|
|
},
|
|
},
|
|
Grants: []string{ac.RoleGrafanaAdmin},
|
|
}
|
|
|
|
if !cfg.PluginAdminEnabled || cfg.PluginAdminExternalManageEnabled {
|
|
PluginsMaintainer.Grants = []string{}
|
|
}
|
|
|
|
return service.DeclareFixedRoles(AppPluginsReader, PluginsWriter, PluginsMaintainer)
|
|
}
|