grafana/pkg/services/accesscontrol/roles.go
Alexander Zobnin a7e721e987
Access control: Make Admin/Users UI working with the permissions (#33176)
* API: authorize admin/users views

* Render admin/users components based on user's permissions

* Add LDAP permissions (required by admin/user page)

* Extend default admin role by LDAP permissions

* Show/hide LDAP debug views

* Render LDAP debug page if user has access

* Authorize LDAP debug view

* fix permissions definitions

* Add LDAP page permissions

* remove ambiguous permissions check

* Hide logout buttons in sessions table

* Add org/users permissions

* Use org permissions for managing user roles in orgs

* Apply permissions to org/users

* Apply suggestions from review

* Fix tests

* remove scopes from the frontend

* Tweaks according to review

* Handle /invites endpoints
2021-04-22 13:19:41 +03:00


package accesscontrol
// PredefinedRoles provides a map of permission sets/roles which can be
// assigned to a set of users. When adding a new resource protected by
// Grafana access control the default permissions should be added to a
// new predefined role in this set so that users can access the new
// resource. PredefinedRoleGrants lists which organization roles are
// assigned which predefined roles in this list.
//
// Keys are the role names declared in the const block below; each entry
// carries the same name in RoleDTO.Name.
var PredefinedRoles = map[string]RoleDTO{
	// TODO: Add support for inheritance between the predefined roles to
	// make the admin ⊃ editor ⊃ viewer property hold. Until then the edit
	// role repeats most of the read role's permissions by hand (marked
	// "duplicated from usersAdminRead" below); keep the two lists in sync.
	usersAdminEdit: {
		Name:    usersAdminEdit,
		Version: 1,
		Permissions: []Permission{
			// duplicated from usersAdminRead
			{Action: ActionUsersRead, Scope: ScopeUsersAll},
			// duplicated from usersAdminRead
			{Action: ActionUsersTeamRead, Scope: ScopeUsersAll},
			// duplicated from usersAdminRead
			{Action: ActionUsersAuthTokenList, Scope: ScopeUsersAll},
			{Action: ActionUsersPasswordUpdate, Scope: ScopeUsersAll},
			// No Scope set here — presumably the action is evaluated
			// unscoped; confirm against the access control evaluator.
			{Action: ActionUsersCreate},
			{Action: ActionUsersWrite, Scope: ScopeUsersAll},
			{Action: ActionUsersDelete, Scope: ScopeUsersAll},
			{Action: ActionUsersEnable, Scope: ScopeUsersAll},
			{Action: ActionUsersDisable, Scope: ScopeUsersAll},
			{Action: ActionUsersPermissionsUpdate, Scope: ScopeUsersAll},
			{Action: ActionUsersLogout, Scope: ScopeUsersAll},
			{Action: ActionUsersAuthTokenUpdate, Scope: ScopeUsersAll},
			// duplicated from usersAdminRead
			{Action: ActionUsersQuotasList, Scope: ScopeUsersAll},
			{Action: ActionUsersQuotasUpdate, Scope: ScopeUsersAll},
			// duplicated from usersAdminRead
			{Action: ActionOrgUsersRead, Scope: ScopeOrgAllUsersAll},
			{Action: ActionOrgUsersAdd, Scope: ScopeOrgAllUsersAll},
			{Action: ActionOrgUsersRemove, Scope: ScopeOrgAllUsersAll},
			{Action: ActionOrgUsersRoleUpdate, Scope: ScopeOrgAllUsersAll},
			// NOTE(review): usersAdminRead also carries ActionLDAPUsersRead
			// and ActionLDAPStatusRead, which are not repeated here. Both
			// roles are granted together in PredefinedRoleGrants, so the gap
			// only shows for a user holding the edit role alone — confirm
			// whether that is intended.
			{Action: ActionLDAPUsersSync},
		},
	},
	usersAdminRead: {
		Name:    usersAdminRead,
		Version: 1,
		Permissions: []Permission{
			{Action: ActionUsersRead, Scope: ScopeUsersAll},
			{Action: ActionUsersTeamRead, Scope: ScopeUsersAll},
			{Action: ActionUsersAuthTokenList, Scope: ScopeUsersAll},
			{Action: ActionUsersQuotasList, Scope: ScopeUsersAll},
			{Action: ActionOrgUsersRead, Scope: ScopeOrgAllUsersAll},
			// The LDAP actions are declared without a Scope — presumably
			// evaluated unscoped; confirm against the evaluator.
			{Action: ActionLDAPUsersRead},
			{Action: ActionLDAPStatusRead},
		},
	},
}
// Names of the predefined roles in PredefinedRoles; each is used both as
// the map key and as the RoleDTO.Name of its entry.
const (
	usersAdminRead = "grafana:roles:users:admin:read"
	usersAdminEdit = "grafana:roles:users:admin:edit"
)
// PredefinedRoleGrants specifies which organization roles are assigned
// to which set of PredefinedRoles by default. Alphabetically sorted.
//
// Only RoleGrafanaAdmin receives grants at present, and it gets both
// users:admin roles together; any role added here should be reviewed for
// the exact set of Permissions it pulls in from PredefinedRoles.
var PredefinedRoleGrants = map[string][]string{
	RoleGrafanaAdmin: {usersAdminEdit, usersAdminRead},
}