IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
dd9f701cd9
grafana/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
Vardan Torosyan 9f82eac833
Access control: Add access control based permissions to admins/users (#32409) 
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 16:31:27 +02:00

73 lines
2.0 KiB
Go
Raw Blame History

package ossaccesscontrol
import (
"context"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/evaluator"
"github.com/grafana/grafana/pkg/setting"
)
// OSSAccessControlService is the service implementing role based access control.
type OSSAccessControlService struct {
Cfg *setting.Cfg `inject:""`
Log log.Logger
}
// Init initializes the OSSAccessControlService.
func (ac *OSSAccessControlService) Init() error {
ac.Log = log.New("accesscontrol")
return nil
}
func (ac *OSSAccessControlService) IsDisabled() bool {
if ac.Cfg == nil {
return true
}
_, exists := ac.Cfg.FeatureToggles["accesscontrol"]
return !exists
}
// Evaluate evaluates access to the given resource
func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.SignedInUser, permission string, scope ...string) (bool, error) {
return evaluator.Evaluate(ctx, ac, user, permission, scope...)
}
// GetUserPermissions returns user permissions based on built-in roles
func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*accesscontrol.Permission, error) {
builtinRoles := ac.GetUserBuiltInRoles(user)
permissions := make([]*accesscontrol.Permission, 0)
for _, builtin := range builtinRoles {
if roleNames, ok := accesscontrol.PredefinedRoleGrants[builtin]; ok {
for _, name := range roleNames {
r, exists := accesscontrol.PredefinedRoles[name]
if !exists {
continue
}
for _, p := range r.Permissions {
permission := p
permissions = append(permissions, &permission)
}
}
}
}
return permissions, nil
}
func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser) []string {
roles := []string{string(user.OrgRole)}
for _, role := range user.OrgRole.Children() {
roles = append(roles, string(role))
}
if user.IsGrafanaAdmin {
roles = append(roles, accesscontrol.RoleGrafanaAdmin)
}
return roles
}
Reference in New Issue View Git Blame Copy Permalink