mirror of
https://github.com/grafana/grafana.git
synced 2024-11-25 10:20:29 -06:00
345 lines
13 KiB
Go
345 lines
13 KiB
Go
package ngalert
|
|
|
|
import (
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
|
"github.com/grafana/grafana/pkg/services/datasources"
|
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
|
ac "github.com/grafana/grafana/pkg/services/ngalert/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
)
|
|
|
|
const AlertRolesGroup = "Alerting"
|
|
|
|
var (
|
|
rulesReaderRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.rules:reader",
|
|
DisplayName: "Rules Reader",
|
|
Description: "Read alert rules in all Grafana folders and external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingRuleRead,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRuleExternalRead,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingSilencesRead,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
// Following are needed for simplified notification policies
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsTimeIntervalsRead,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingReceiversList,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
rulesWriterRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.rules:writer",
|
|
DisplayName: "Rules Writer",
|
|
Description: "Add, update, and delete rules in any Grafana folder and external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(rulesReaderRole.Role.Permissions, []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingRuleCreate,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRuleUpdate,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRuleDelete,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRuleExternalWrite,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingSilencesWrite,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingSilencesCreate,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
}),
|
|
},
|
|
}
|
|
|
|
instancesReaderRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.instances:reader",
|
|
DisplayName: "Instances and Silences Reader",
|
|
Description: "Read instances and silences of Grafana and external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingInstanceRead,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingInstancesExternalRead,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
instancesWriterRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.instances:writer",
|
|
DisplayName: "Silences Writer",
|
|
Description: "Add and update silences in Grafana and external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(instancesReaderRole.Role.Permissions, []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingInstanceCreate,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingInstanceUpdate,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingInstancesExternalWrite,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
}),
|
|
},
|
|
}
|
|
|
|
receiversReaderRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.receivers:reader",
|
|
DisplayName: "Contact Point Reader",
|
|
Description: "Read all contact points in Grafana",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{Action: accesscontrol.ActionAlertingReceiversRead, Scope: ac.ScopeReceiversAll},
|
|
},
|
|
},
|
|
}
|
|
|
|
receiversCreatorRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.receivers:creator",
|
|
DisplayName: "Contact Point Creator",
|
|
Description: "Create new contact points in Grafana",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{Action: accesscontrol.ActionAlertingReceiversCreate},
|
|
},
|
|
},
|
|
}
|
|
|
|
receiversWriterRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.receivers:writer",
|
|
DisplayName: "Contact Point Writer",
|
|
Description: "Create, update, and delete all contact points in Grafana",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(receiversReaderRole.Role.Permissions, receiversCreatorRole.Role.Permissions, []accesscontrol.Permission{
|
|
{Action: accesscontrol.ActionAlertingReceiversUpdate, Scope: ac.ScopeReceiversAll},
|
|
{Action: accesscontrol.ActionAlertingReceiversDelete, Scope: ac.ScopeReceiversAll},
|
|
}),
|
|
},
|
|
}
|
|
|
|
templatesReaderRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.templates:reader",
|
|
DisplayName: "Templates Reader",
|
|
Description: "Read all templates in Grafana alerting",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{Action: accesscontrol.ActionAlertingNotificationsTemplatesRead},
|
|
},
|
|
},
|
|
}
|
|
|
|
templatesWriterRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.templates:writer",
|
|
DisplayName: "Templates Writer",
|
|
Description: "Create, update, and delete all templates in Grafana alerting",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(templatesReaderRole.Role.Permissions, []accesscontrol.Permission{
|
|
{Action: accesscontrol.ActionAlertingNotificationsTemplatesWrite},
|
|
{Action: accesscontrol.ActionAlertingNotificationsTemplatesDelete},
|
|
}),
|
|
},
|
|
}
|
|
|
|
notificationsReaderRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.notifications:reader",
|
|
DisplayName: "Notifications Reader",
|
|
Description: "Read notification policies and contact points in Grafana and external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(receiversReaderRole.Role.Permissions, templatesReaderRole.Role.Permissions, []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsRead,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsExternalRead,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsTimeIntervalsRead,
|
|
},
|
|
}),
|
|
},
|
|
}
|
|
|
|
notificationsWriterRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.notifications:writer",
|
|
DisplayName: "Notifications Writer",
|
|
Description: "Add, update, and delete contact points and notification policies in Grafana and external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(notificationsReaderRole.Role.Permissions, receiversWriterRole.Role.Permissions, templatesWriterRole.Role.Permissions, []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsWrite,
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsExternalWrite,
|
|
Scope: datasources.ScopeAll,
|
|
},
|
|
}),
|
|
},
|
|
}
|
|
|
|
alertingReaderRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting:reader",
|
|
DisplayName: "Full read-only access",
|
|
Description: "Read alert rules, instances, silences, contact points, and notification policies in Grafana and all external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(rulesReaderRole.Role.Permissions, instancesReaderRole.Role.Permissions, notificationsReaderRole.Role.Permissions),
|
|
},
|
|
Grants: []string{string(org.RoleViewer)},
|
|
}
|
|
|
|
alertingWriterRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting:writer",
|
|
DisplayName: "Full write access",
|
|
Description: "Add, update and delete alert rules, instances, silences, contact points, and notification policies in Grafana and all external providers",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(rulesWriterRole.Role.Permissions, instancesWriterRole.Role.Permissions, notificationsWriterRole.Role.Permissions),
|
|
},
|
|
Grants: []string{string(org.RoleEditor)},
|
|
}
|
|
|
|
alertingAdminRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting:admin",
|
|
DisplayName: "Full admin access",
|
|
Description: "Full write access in Grafana and all external providers, including their permissions and secrets",
|
|
Group: AlertRolesGroup,
|
|
Permissions: accesscontrol.ConcatPermissions(alertingWriterRole.Role.Permissions, []accesscontrol.Permission{
|
|
{Action: accesscontrol.ActionAlertingReceiversPermissionsRead, Scope: ac.ScopeReceiversAll},
|
|
{Action: accesscontrol.ActionAlertingReceiversPermissionsWrite, Scope: ac.ScopeReceiversAll},
|
|
{Action: accesscontrol.ActionAlertingReceiversReadSecrets, Scope: ac.ScopeReceiversAll},
|
|
}),
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
alertingProvisionerRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.provisioning:writer",
|
|
DisplayName: "Access to alert rules provisioning API",
|
|
Description: "Manage all alert rules, contact points, notification policies, silences, etc. in the organization via provisioning API.",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingProvisioningRead, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingProvisioningWrite, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRulesProvisioningRead, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRulesProvisioningWrite, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsProvisioningRead, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsProvisioningWrite, // organization scope
|
|
},
|
|
{
|
|
Action: dashboards.ActionFoldersRead,
|
|
Scope: dashboards.ScopeFoldersAll,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
alertingProvisioningReaderWithSecretsRole = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.provisioning.secrets:reader",
|
|
DisplayName: "Read via Provisioning API + Export Secrets",
|
|
Description: "Read all alert rules, contact points, notification policies, silences, etc. in the organization via provisioning API and use export with decrypted secrets",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingProvisioningReadSecrets, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingProvisioningRead, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingRulesProvisioningRead, // organization scope
|
|
},
|
|
{
|
|
Action: accesscontrol.ActionAlertingNotificationsProvisioningRead, // organization scope
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
alertingProvisioningStatus = accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: accesscontrol.FixedRolePrefix + "alerting.provisioning.provenance:writer",
|
|
DisplayName: "Set provisioning status",
|
|
Description: "Set provisioning status for alerting resources. Should be used together with other regular roles (Notifications Writer and/or Rules Writer)",
|
|
Group: AlertRolesGroup,
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: accesscontrol.ActionAlertingProvisioningSetStatus, // organization scope
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin), string(org.RoleEditor)},
|
|
}
|
|
)
|
|
|
|
func DeclareFixedRoles(service accesscontrol.Service, features featuremgmt.FeatureToggles) error {
|
|
fixedRoles := []accesscontrol.RoleRegistration{
|
|
rulesReaderRole, rulesWriterRole,
|
|
instancesReaderRole, instancesWriterRole,
|
|
notificationsReaderRole, notificationsWriterRole,
|
|
alertingReaderRole, alertingWriterRole, alertingAdminRole, alertingProvisionerRole, alertingProvisioningReaderWithSecretsRole, alertingProvisioningStatus,
|
|
}
|
|
|
|
if features.IsEnabledGlobally(featuremgmt.FlagAlertingApiServer) {
|
|
fixedRoles = append(fixedRoles, receiversReaderRole, receiversCreatorRole, receiversWriterRole, templatesReaderRole, templatesWriterRole)
|
|
}
|
|
|
|
return service.DeclareFixedRoles(fixedRoles...)
|
|
}
|