mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
7ebf4027a7
* add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
106 lines
2.7 KiB
Go
106 lines
2.7 KiB
Go
package accesscontrol
|
|
|
|
import (
|
|
"time"
|
|
)
|
|
|
|
// RoleRegistration stores a role and its assignments to built-in roles
|
|
// (Viewer, Editor, Admin, Grafana Admin)
|
|
type RoleRegistration struct {
|
|
Role RoleDTO
|
|
Grants []string
|
|
}
|
|
|
|
type Role struct {
|
|
Version int64 `json:"version"`
|
|
UID string `json:"uid"`
|
|
Name string `json:"name"`
|
|
Description string `json:"description"`
|
|
|
|
Updated time.Time `json:"updated"`
|
|
Created time.Time `json:"created"`
|
|
}
|
|
|
|
type RoleDTO struct {
|
|
Version int64 `json:"version"`
|
|
UID string `json:"uid"`
|
|
Name string `json:"name"`
|
|
Description string `json:"description"`
|
|
Permissions []Permission `json:"permissions,omitempty"`
|
|
}
|
|
|
|
type Permission struct {
|
|
Action string `json:"action"`
|
|
Scope string `json:"scope"`
|
|
}
|
|
|
|
func (p RoleDTO) Role() Role {
|
|
return Role{
|
|
Name: p.Name,
|
|
Description: p.Description,
|
|
}
|
|
}
|
|
|
|
const (
|
|
// Permission actions
|
|
|
|
// Users actions
|
|
ActionUsersRead = "users:read"
|
|
ActionUsersWrite = "users:write"
|
|
ActionUsersTeamRead = "users.teams:read"
|
|
// We can ignore gosec G101 since this does not contain any credentials.
|
|
// nolint:gosec
|
|
ActionUsersAuthTokenList = "users.authtoken:list"
|
|
// We can ignore gosec G101 since this does not contain any credentials.
|
|
// nolint:gosec
|
|
ActionUsersAuthTokenUpdate = "users.authtoken:update"
|
|
// We can ignore gosec G101 since this does not contain any credentials.
|
|
// nolint:gosec
|
|
ActionUsersPasswordUpdate = "users.password:update"
|
|
ActionUsersDelete = "users:delete"
|
|
ActionUsersCreate = "users:create"
|
|
ActionUsersEnable = "users:enable"
|
|
ActionUsersDisable = "users:disable"
|
|
ActionUsersPermissionsUpdate = "users.permissions:update"
|
|
ActionUsersLogout = "users:logout"
|
|
ActionUsersQuotasList = "users.quotas:list"
|
|
ActionUsersQuotasUpdate = "users.quotas:update"
|
|
|
|
// Org actions
|
|
ActionOrgUsersRead = "org.users:read"
|
|
ActionOrgUsersAdd = "org.users:add"
|
|
ActionOrgUsersRemove = "org.users:remove"
|
|
ActionOrgUsersRoleUpdate = "org.users.role:update"
|
|
|
|
// LDAP actions
|
|
ActionLDAPUsersRead = "ldap.user:read"
|
|
ActionLDAPUsersSync = "ldap.user:sync"
|
|
ActionLDAPStatusRead = "ldap.status:read"
|
|
ActionLDAPConfigReload = "ldap.config:reload"
|
|
|
|
// Server actions
|
|
ActionServerStatsRead = "server.stats:read"
|
|
|
|
// Settings actions
|
|
ActionSettingsRead = "settings:read"
|
|
|
|
// Datasources actions
|
|
ActionDatasourcesExplore = "datasources:explore"
|
|
|
|
// Plugin actions
|
|
ActionPluginsManage = "plugins:manage"
|
|
|
|
// Global Scopes
|
|
ScopeGlobalUsersAll = "global:users:*"
|
|
|
|
// Users scope
|
|
ScopeUsersAll = "users:*"
|
|
|
|
// Settings scope
|
|
ScopeSettingsAll = "settings:*"
|
|
)
|
|
|
|
const RoleGrafanaAdmin = "Grafana Admin"
|
|
|
|
const FixedRolePrefix = "fixed:"
|