root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 249 Packages Projects Releases Wiki Activity
grafana/pkg/api/accesscontrol.go

661 lines
24 KiB
Go
Raw Normal View History

Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
package api
import (
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
"context"
Access Control: Set permissions for Grafana's test data source (#53247) * set permissions for Grafana's test data source * linting
2022-08-05 15:19:50 +08:00
"fmt"
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-10 00:57:50 +08:00
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/datasources"
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
"github.com/grafana/grafana/pkg/services/featuremgmt"
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
"github.com/grafana/grafana/pkg/services/libraryelements"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
"github.com/grafana/grafana/pkg/services/org"
Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258) * migrate licensing + access control * update package name
2023-03-27 17:15:37 +08:00
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
Access Control: Set permissions for Grafana's test data source (#53247) * set permissions for Grafana's test data source * linting
2022-08-05 15:19:50 +08:00
"github.com/grafana/grafana/pkg/tsdb/grafanads"
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
)
// API related actions
const (
ActionProvisioningReload = "provisioning:reload"
)
// API related scopes
AccessControl: Extend scope parameters with extra params from context (#39722) * AccessControl: Extend scope parameters with extra params from context Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-10-06 19:15:09 +08:00
var (
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
ScopeProvisionersAll = ac.Scope("provisioners", "*")
ScopeProvisionersDashboards = ac.Scope("provisioners", "dashboards")
ScopeProvisionersPlugins = ac.Scope("provisioners", "plugins")
ScopeProvisionersDatasources = ac.Scope("provisioners", "datasources")
ScopeProvisionersNotifications = ac.Scope("provisioners", "notifications")
Alerting: Add file provisioning for alert rules (#51635)
2022-07-15 05:53:13 +08:00
ScopeProvisionersAlertRules = ac.Scope("provisioners", "alerting")
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
)
// declareFixedRoles declares to the AccessControl service fixed roles and their
// grants to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
// that HTTPServer needs
func (hs *HTTPServer) declareFixedRoles() error {
RBAC: Allow app plugins access restriction (#51524) * RBAC: Allow app plugins restriction Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fix tests * Imports * WIP * Adding RBAC to AppPluginsRoutes * Switching middleware order * Restrict access to resources * Nit * Cosmetic changes * Fix fallback * Moving declaration to HttpServer Co-Authored-By: marefr <marcus.efraimsson@gmail.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com>
2022-07-08 19:24:09 +08:00
// Declare plugins roles
Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258) * migrate licensing + access control * update package name
2023-03-27 17:15:37 +08:00
if err := pluginaccesscontrol.DeclareRBACRoles(hs.accesscontrolService, hs.Cfg); err != nil {
RBAC: Allow app plugins access restriction (#51524) * RBAC: Allow app plugins restriction Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fix tests * Imports * WIP * Adding RBAC to AppPluginsRoutes * Switching middleware order * Restrict access to resources * Nit * Cosmetic changes * Fix fallback * Moving declaration to HttpServer Co-Authored-By: marefr <marcus.efraimsson@gmail.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com>
2022-07-08 19:24:09 +08:00
return err
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
provisioningWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Name: "fixed:provisioning:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Description: "Reload provisioning.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Provisioning",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersAll,
AccessControl: add one-dimensional permissions to datasources (#38070) * AccessControl: add one-dimensional permissions to datasources in the backend * AccessControl: add one-dimensional permissions to datasources in the frontend (#38080) Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
2021-09-01 21:18:17 +08:00
},
},
},
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Grants: []string{ac.RoleGrafanaAdmin},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
datasourcesExplorerRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)
2022-01-31 23:33:41 +08:00
Name: "fixed:datasources:explorer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Explorer",
Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)
2022-01-31 23:33:41 +08:00
Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
Group: "Data sources",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)
2022-01-31 23:33:41 +08:00
{
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Action: ac.ActionDatasourcesExplore,
Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)
2022-01-31 23:33:41 +08:00
},
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleEditor)},
Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)
2022-01-31 23:33:41 +08:00
}
Cfg: Move ViewersCanEdit into cfg (#64876) move ViewersCanEdit into cfg
2023-03-16 17:54:01 +08:00
if hs.Cfg.ViewersCanEdit {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
datasourcesExplorerRole.Grants = append(datasourcesExplorerRole.Grants, string(org.RoleViewer))
Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)
2022-01-31 23:33:41 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
datasourcesReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Name: "fixed:datasources:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Description: "Read and query all data sources.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Data sources",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
{
Access control: Move data source actions and scopes to datasource package (#46594) * Add permission actions and id scope * Remove scope and actions variable prefix * Move page evaluators and rename them
2022-03-16 22:11:03 +08:00
Action: datasources.ActionRead,
Scope: datasources.ScopeAll,
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
},
{
Access control: Move data source actions and scopes to datasource package (#46594) * Add permission actions and id scope * Remove scope and actions variable prefix * Move page evaluators and rename them
2022-03-16 22:11:03 +08:00
Action: datasources.ActionQuery,
Scope: datasources.ScopeAll,
AccessControl: add one-dimensional permissions to datasources (#38070) * AccessControl: add one-dimensional permissions to datasources in the backend * AccessControl: add one-dimensional permissions to datasources in the frontend (#38080) Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
2021-09-01 21:18:17 +08:00
},
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleAdmin)},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}
Access Control: Set permissions for Grafana's test data source (#53247) * set permissions for Grafana's test data source * linting
2022-08-05 15:19:50 +08:00
builtInDatasourceReader := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:datasources.builtin:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Built in reader",
Access Control: Set permissions for Grafana's test data source (#53247) * set permissions for Grafana's test data source * linting
2022-08-05 15:19:50 +08:00
Description: "Read and query Grafana's built in test data sources.",
Group: "Data sources",
Permissions: []ac.Permission{
{
Action: datasources.ActionRead,
Scope: fmt.Sprintf("%s%s", datasources.ScopePrefix, grafanads.DatasourceUID),
},
{
Action: datasources.ActionQuery,
Scope: fmt.Sprintf("%s%s", datasources.ScopePrefix, grafanads.DatasourceUID),
},
},
Hidden: true,
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleViewer)},
Access Control: Set permissions for Grafana's test data source (#53247) * set permissions for Grafana's test data source * linting
2022-08-05 15:19:50 +08:00
}
AccessControl: Grant data source reader to all users when running oss (#49514) * grant data source reader to all users when running oss or enterprise without license * fix asserts in alerting tests * add oss licensing service for test setup * fix tests to pass in enterprise * lint * fix tests * set setting.IsEnterprise flag for tests Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
2022-05-25 19:43:58 +08:00
// when running oss or enterprise without a license all users should be able to query data sources
DataSourcePermissions: Handle licensing properly for ds permissions (#59694) * RBAC: add viewer grand if dspermissions enforcement is not enabled * RBAC: Change permissions based on role prefix * RBAC: Add option to for permission service to add a license middleware * RBAC: Remove actions from query struct
2022-12-02 20:19:14 +08:00
if !hs.License.FeatureEnabled("dspermissions.enforcement") {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
datasourcesReaderRole.Grants = []string{string(org.RoleViewer)}
AccessControl: Grant data source reader to all users when running oss (#49514) * grant data source reader to all users when running oss or enterprise without license * fix asserts in alerting tests * add oss licensing service for test setup * fix tests to pass in enterprise * lint * fix tests * set setting.IsEnterprise flag for tests Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
2022-05-25 19:43:58 +08:00
}
RBAC: introduce a data source admin role (#75915) * introduce data source admin role and fix frontend check * introduce fixed roles for data source creator and team reader * add documentation * undo an unintended change
2023-10-19 21:36:41 +08:00
datasourcesCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:datasources:creator",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Creator",
RBAC: introduce a data source admin role (#75915) * introduce data source admin role and fix frontend check * introduce fixed roles for data source creator and team reader * add documentation * undo an unintended change
2023-10-19 21:36:41 +08:00
Description: "Create data sources.",
Group: "Data sources",
Permissions: []ac.Permission{
{
Action: datasources.ActionCreate,
},
},
},
Grants: []string{},
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
datasourcesWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Name: "fixed:datasources:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Description: "Create, update, delete, read, or query data sources.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Data sources",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: ac.ConcatPermissions(datasourcesReaderRole.Role.Permissions, []ac.Permission{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
{
Access control: Move data source actions and scopes to datasource package (#46594) * Add permission actions and id scope * Remove scope and actions variable prefix * Move page evaluators and rename them
2022-03-16 22:11:03 +08:00
Action: datasources.ActionWrite,
Scope: datasources.ScopeAll,
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
{
Access control: Move data source actions and scopes to datasource package (#46594) * Add permission actions and id scope * Remove scope and actions variable prefix * Move page evaluators and rename them
2022-03-16 22:11:03 +08:00
Action: datasources.ActionCreate,
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
},
{
Access control: Move data source actions and scopes to datasource package (#46594) * Add permission actions and id scope * Remove scope and actions variable prefix * Move page evaluators and rename them
2022-03-16 22:11:03 +08:00
Action: datasources.ActionDelete,
Scope: datasources.ScopeAll,
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
},
}),
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleAdmin)},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
datasourcesIdReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
Name: "fixed:datasources.id:reader",
DisplayName: "Data source ID reader",
Description: "Read the ID of a data source based on its name.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Infrequently used",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
{
Access control: Move data source actions and scopes to datasource package (#46594) * Add permission actions and id scope * Remove scope and actions variable prefix * Move page evaluators and rename them
2022-03-16 22:11:03 +08:00
Action: datasources.ActionIDRead,
Scope: datasources.ScopeAll,
Access Control: Add fgac to datasource query endpoints (#40294) * Protect datasource tsdb and proxy endpoints with access control * Add datasource query permissions to fixed admin role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2021-10-21 21:41:40 +08:00
},
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleViewer)},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}
Create fixed roles for reading API Keys and service accounts and fix listing of service account tokens (#47767) * Create fixed roles for reading API Keys and service accounts * Handle PR comments and fix the listing of token
2022-04-14 21:09:55 +08:00
apikeyReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:apikeys:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
Create fixed roles for reading API Keys and service accounts and fix listing of service account tokens (#47767) * Create fixed roles for reading API Keys and service accounts * Handle PR comments and fix the listing of token
2022-04-14 21:09:55 +08:00
Description: "Gives access to read api keys.",
Group: "API Keys",
Permissions: []ac.Permission{
{
Action: ac.ActionAPIKeyRead,
Scope: ac.ScopeAPIKeysAll,
},
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleAdmin)},
Create fixed roles for reading API Keys and service accounts and fix listing of service account tokens (#47767) * Create fixed roles for reading API Keys and service accounts * Handle PR comments and fix the listing of token
2022-04-14 21:09:55 +08:00
}
APIKeys: Add AC controls for legacy API keys (#46255) * APIKeys: Add AC controls for legacy API keys * pluralize actions
2022-03-05 02:01:03 +08:00
apikeyWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:apikeys:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
APIKeys: Add AC controls for legacy API keys (#46255) * APIKeys: Add AC controls for legacy API keys * pluralize actions
2022-03-05 02:01:03 +08:00
Description: "Gives access to add and delete api keys.",
Group: "API Keys",
Update API Keys UI to adjust based on users permissions (#47802) * Update API Keys UI to adjust based on users permissions Since API Keys support now RBAC we need to ensure that UI is adjusted based on the user permissions. * Applying PR suggestions
2022-04-20 15:45:45 +08:00
Permissions: ac.ConcatPermissions(apikeyReaderRole.Role.Permissions, []ac.Permission{
APIKeys: Add AC controls for legacy API keys (#46255) * APIKeys: Add AC controls for legacy API keys * pluralize actions
2022-03-05 02:01:03 +08:00
{
Action: ac.ActionAPIKeyCreate,
},
{
Action: ac.ActionAPIKeyDelete,
Scope: ac.ScopeAPIKeysAll,
},
Update API Keys UI to adjust based on users permissions (#47802) * Update API Keys UI to adjust based on users permissions Since API Keys support now RBAC we need to ensure that UI is adjusted based on the user permissions. * Applying PR suggestions
2022-04-20 15:45:45 +08:00
}),
APIKeys: Add AC controls for legacy API keys (#46255) * APIKeys: Add AC controls for legacy API keys * pluralize actions
2022-03-05 02:01:03 +08:00
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleAdmin)},
APIKeys: Add AC controls for legacy API keys (#46255) * APIKeys: Add AC controls for legacy API keys * pluralize actions
2022-03-05 02:01:03 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
orgReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
AccessControl: Renamed `orgs` roles, removed `fixed:orgs:reader` introduced in beta1 (#42049) * AccessControl: Rework Orgs roles * Increase version for name migration * Update pkg/api/roles.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Use maintainer instead of manager Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-11-24 17:08:42 +08:00
Name: "fixed:organization:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
AccessControl: Renamed `orgs` roles, removed `fixed:orgs:reader` introduced in beta1 (#42049) * AccessControl: Rework Orgs roles * Increase version for name migration * Update pkg/api/roles.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Use maintainer instead of manager Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-11-24 17:08:42 +08:00
Description: "Read an organization, such as its ID, name, address, or quotas.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Organizations",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
{Action: ac.ActionOrgsRead},
{Action: ac.ActionOrgsQuotasRead},
AccessControl: Create FGAC roles for orgs (#40526) * AccessControl: Create FGAC roles for orgs Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-10-27 17:01:21 +08:00
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleViewer), ac.RoleGrafanaAdmin},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
orgWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
AccessControl: Renamed `orgs` roles, removed `fixed:orgs:reader` introduced in beta1 (#42049) * AccessControl: Rework Orgs roles * Increase version for name migration * Update pkg/api/roles.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Use maintainer instead of manager Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-11-24 17:08:42 +08:00
Name: "fixed:organization:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
AccessControl: Renamed `orgs` roles, removed `fixed:orgs:reader` introduced in beta1 (#42049) * AccessControl: Rework Orgs roles * Increase version for name migration * Update pkg/api/roles.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Use maintainer instead of manager Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-11-24 17:08:42 +08:00
Description: "Read an organization, its quotas, or its preferences. Update organization properties, or its preferences.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Organizations",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: ac.ConcatPermissions(orgReaderRole.Role.Permissions, []ac.Permission{
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
{Action: ac.ActionOrgsPreferencesRead},
{Action: ac.ActionOrgsWrite},
{Action: ac.ActionOrgsPreferencesWrite},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}),
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleAdmin)},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
orgMaintainerRole := ac.RoleRegistration{
Role: ac.RoleDTO{
AccessControl: Renamed `orgs` roles, removed `fixed:orgs:reader` introduced in beta1 (#42049) * AccessControl: Rework Orgs roles * Increase version for name migration * Update pkg/api/roles.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Use maintainer instead of manager Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-11-24 17:08:42 +08:00
Name: "fixed:organization:maintainer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Maintainer",
AccessControl: Renamed `orgs` roles, removed `fixed:orgs:reader` introduced in beta1 (#42049) * AccessControl: Rework Orgs roles * Increase version for name migration * Update pkg/api/roles.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Use maintainer instead of manager Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-11-24 17:08:42 +08:00
Description: "Create, read, write, or delete an organization. Read or write an organization's quotas. Needs to be assigned globally.",
Access control: add roles to fixed groups (#41673) * add roles to fixed groups * add global to group name
2021-11-18 17:16:18 +08:00
Group: "Organizations",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: ac.ConcatPermissions(orgReaderRole.Role.Permissions, []ac.Permission{
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
{Action: ac.ActionOrgsCreate},
{Action: ac.ActionOrgsWrite},
{Action: ac.ActionOrgsDelete},
{Action: ac.ActionOrgsQuotasWrite},
Access Control: Rename fixed roles (#41288) * Rename fixed roles * Update descriptions * Update docs for fixed roles and permissions Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-11-17 22:40:39 +08:00
}),
},
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Grants: []string{string(ac.RoleGrafanaAdmin)},
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
teamCreatorGrants := []string{string(org.RoleAdmin)}
Access control: allow granting a fixed role dynamically based on the startup settings (#43867) * allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming
2022-01-11 18:58:40 +08:00
if hs.Cfg.EditorsCanAdmin {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
teamCreatorGrants = append(teamCreatorGrants, string(org.RoleEditor))
Access control: allow granting a fixed role dynamically based on the startup settings (#43867) * allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming
2022-01-11 18:58:40 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
teamsCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
AccessControl: Implement teams resource service (#43951) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * moving resourceservice to the main wire file pt2 * move team related actions so that they can be reused * PR feedback * fix * typo * Access Control: adding hooks for team member endpoints (#43991) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * add access control to list and add team member endpoint, and hooks for adding team members * member permission type is 0 * add ID scope for team permission checks * add more team actions, use Member for member permission name * protect team member update endpoint with FGAC permissions * update SQL functions for teams and the corresponding tests * also protect team member removal endpoint with FGAC permissions and add a hook to permission service * a few small fixes, provide team permission service to test setup * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * remove resource services from wireexts * remove unneeded actions * linting fix * remove comments * feedback fixes * feedback * simplifying * remove team member within the same transaction * fix a mistake with the error * call the correct sql fction * linting * Access control: tests for team member endpoints (#44177) * tests for team member endpoints * clean up and fix the tests * fixing tests take 2 * don't import enterprise test license * don't import enterprise test license * remove unused variable Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 22:48:41 +08:00
Name: "fixed:teams:creator",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Creator",
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 16:43:29 +08:00
Description: "Create teams and read organisation users (required to manage the created teams).",
Access control: allow granting a fixed role dynamically based on the startup settings (#43867) * allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming
2022-01-11 18:58:40 +08:00
Group: "Teams",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
{Action: ac.ActionTeamsCreate},
{Action: ac.ActionOrgUsersRead, Scope: ac.ScopeUsersAll},
Access control: allow granting a fixed role dynamically based on the startup settings (#43867) * allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming
2022-01-11 18:58:40 +08:00
},
},
AccessControl: Implement teams resource service (#43951) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * moving resourceservice to the main wire file pt2 * move team related actions so that they can be reused * PR feedback * fix * typo * Access Control: adding hooks for team member endpoints (#43991) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * add access control to list and add team member endpoint, and hooks for adding team members * member permission type is 0 * add ID scope for team permission checks * add more team actions, use Member for member permission name * protect team member update endpoint with FGAC permissions * update SQL functions for teams and the corresponding tests * also protect team member removal endpoint with FGAC permissions and add a hook to permission service * a few small fixes, provide team permission service to test setup * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * remove resource services from wireexts * remove unneeded actions * linting fix * remove comments * feedback fixes * feedback * simplifying * remove team member within the same transaction * fix a mistake with the error * call the correct sql fction * linting * Access control: tests for team member endpoints (#44177) * tests for team member endpoints * clean up and fix the tests * fixing tests take 2 * don't import enterprise test license * don't import enterprise test license * remove unused variable Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 22:48:41 +08:00
Grants: teamCreatorGrants,
Access control: allow granting a fixed role dynamically based on the startup settings (#43867) * allow granting a fixed role dynamically depending on startup config * move role definition for team writing * undo test changes * nicer naming
2022-01-11 18:58:40 +08:00
}
RBAC: introduce a data source admin role (#75915) * introduce data source admin role and fix frontend check * introduce fixed roles for data source creator and team reader * add documentation * undo an unintended change
2023-10-19 21:36:41 +08:00
teamsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:teams:read",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
RBAC: introduce a data source admin role (#75915) * introduce data source admin role and fix frontend check * introduce fixed roles for data source creator and team reader * add documentation * undo an unintended change
2023-10-19 21:36:41 +08:00
Description: "List all teams.",
Group: "Teams",
Permissions: []ac.Permission{
{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
},
},
Grants: []string{},
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
teamsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
Name: "fixed:teams:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
Description: "Create, read, write, or delete a team as well as controlling team memberships.",
Group: "Teams",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
{Action: ac.ActionTeamsCreate},
{Action: ac.ActionTeamsDelete, Scope: ac.ScopeTeamsAll},
{Action: ac.ActionTeamsPermissionsRead, Scope: ac.ScopeTeamsAll},
{Action: ac.ActionTeamsPermissionsWrite, Scope: ac.ScopeTeamsAll},
{Action: ac.ActionTeamsRead, Scope: ac.ScopeTeamsAll},
{Action: ac.ActionTeamsWrite, Scope: ac.ScopeTeamsAll},
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleAdmin)},
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
}
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
annotationsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
Name: "fixed:annotations:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
Description: "Read annotations and tags",
Group: "Annotations",
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsAll},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleViewer)},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
}
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
// TODO this role can be removed once we have rolled out FlagAnnotationPermissionUpdate to all users
// keeping it in for now for backwards compatibility
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
dashboardAnnotationsWriterRole := ac.RoleRegistration{
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
Role: ac.RoleDTO{
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
Name: "fixed:annotations.dashboard:writer",
DisplayName: "Dashboard annotation writer",
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
Description: "Update annotations associated with dashboards.",
Group: "Annotations",
Permissions: []ac.Permission{
Access Control: adding FGAC validation to mass delete annotation endpoint (#46846) * Access Control: adding FGAC validation to mass delete annotation endpoint
2022-03-24 05:39:00 +08:00
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeDashboard},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeDashboard},
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeDashboard},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleViewer)},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
}
annotationsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
Description: "Update all annotations.",
Group: "Annotations",
Permissions: []ac.Permission{
Access Control: adding FGAC validation to mass delete annotation endpoint (#46846) * Access Control: adding FGAC validation to mass delete annotation endpoint
2022-03-24 05:39:00 +08:00
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsAll},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsAll},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsAll},
},
},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
Grants: []string{string(org.RoleEditor)},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
}
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
if hs.Features.IsEnabled(context.Background(), featuremgmt.FlagAnnotationPermissionUpdate) {
// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
annotationsReaderRole = ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations:reader",
DisplayName: "Organization annotation reader",
Description: "Read organization annotations and annotation tags",
Group: "Annotations",
Permissions: []ac.Permission{
RBAC: change annotation scopes back (#79330) Change the annotation scopes back to what they were
2023-12-12 15:51:08 +08:00
// Need to leave the permissions as they are, so that the seeder doesn't replace permissions when they have been removed from the basic role by the user
// Otherwise we could split this into ac.ScopeAnnotationsTypeOrganization and ac.ScopeAnnotationsTypeDashboard scopes and eventually remove the dashboard scope.
// https://github.com/grafana/identity-access-team/issues/524
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsAll},
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
},
},
Grants: []string{string(org.RoleViewer)},
}
// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
annotationsWriterRole = ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations:writer",
DisplayName: "Organization annotation writer",
Description: "Update organization annotations.",
Group: "Annotations",
Permissions: []ac.Permission{
RBAC: change annotation scopes back (#79330) Change the annotation scopes back to what they were
2023-12-12 15:51:08 +08:00
// Need to leave the permissions as they are, so that the seeder doesn't replace permissions when they have been removed from the basic role by the user
// Otherwise we could split this into ac.ScopeAnnotationsTypeOrganization and ac.ScopeAnnotationsTypeDashboard scopes and eventually remove the dashboard scope.
// https://github.com/grafana/identity-access-team/issues/524
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsAll},
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsAll},
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsAll},
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
},
},
Grants: []string{string(org.RoleEditor)},
}
}
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
dashboardsCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:dashboards:creator",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Creator",
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
Description: "Create dashboard in general folder.",
Group: "Dashboards",
Permissions: []ac.Permission{
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 21:14:26 +08:00
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 22:12:09 +08:00
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
},
},
Grants: []string{"Editor"},
}
dashboardsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:dashboards:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
Description: "Read all dashboards.",
Group: "Dashboards",
Permissions: []ac.Permission{
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 22:12:09 +08:00
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
},
},
Grants: []string{"Admin"},
}
dashboardsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:dashboards:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
Group: "Dashboards",
Description: "Create, read, write or delete all dashboards and their permissions.",
Permissions: ac.ConcatPermissions(dashboardsReaderRole.Role.Permissions, []ac.Permission{
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 22:12:09 +08:00
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeDashboardsAll},
{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeDashboardsAll},
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeDashboardsAll},
{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeDashboardsAll},
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
}),
},
Grants: []string{"Admin"},
}
foldersCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:folders:creator",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Creator",
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
Description: "Create folders.",
Group: "Folders",
Permissions: []ac.Permission{
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-10 00:57:50 +08:00
{Action: dashboards.ActionFoldersCreate},
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
},
},
Grants: []string{"Editor"},
}
foldersReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:folders:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
Description: "Read all folders and dashboards.",
Group: "Folders",
Permissions: []ac.Permission{
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-10 00:57:50 +08:00
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 22:12:09 +08:00
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
},
},
Grants: []string{"Admin"},
}
foldersWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:folders:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
Description: "Create, read, write or delete all folders and dashboards and their permissions.",
Group: "Folders",
Permissions: ac.ConcatPermissions(
foldersReaderRole.Role.Permissions,
[]ac.Permission{
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-10 00:57:50 +08:00
{Action: dashboards.ActionFoldersCreate},
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionFoldersDelete, Scope: dashboards.ScopeFoldersAll},
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 22:12:09 +08:00
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
}),
},
Grants: []string{"Admin"},
}
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
libraryPanelsCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:library.panels:creator",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Creator",
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
Description: "Create library panel in general folder.",
Group: "Library panels",
Permissions: []ac.Permission{
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
},
},
Grants: []string{"Editor"},
}
libraryPanelsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:library.panels:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
Description: "Read all library panels.",
Group: "Library panels",
Permissions: []ac.Permission{
Bug fix: add library panel permissions to basic roles (#77144) set library panel permissions to basic roles
2023-10-26 01:44:55 +08:00
{Action: libraryelements.ActionLibraryPanelsRead, Scope: dashboards.ScopeFoldersAll},
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
},
},
Grants: []string{"Admin"},
}
libraryPanelsGeneralReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:library.panels:general.reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "General reader",
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
Description: "Read all library panels in general folder.",
Group: "Library panels",
Permissions: []ac.Permission{
{Action: libraryelements.ActionLibraryPanelsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
},
},
Grants: []string{"Viewer"},
}
libraryPanelsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:library.panels:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
Group: "Library panels",
Description: "Create, read, write or delete all library panels and their permissions.",
Permissions: ac.ConcatPermissions(libraryPanelsReaderRole.Role.Permissions, []ac.Permission{
Bug fix: add library panel permissions to basic roles (#77144) set library panel permissions to basic roles
2023-10-26 01:44:55 +08:00
{Action: libraryelements.ActionLibraryPanelsWrite, Scope: dashboards.ScopeFoldersAll},
{Action: libraryelements.ActionLibraryPanelsDelete, Scope: dashboards.ScopeFoldersAll},
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersAll},
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
}),
},
Grants: []string{"Admin"},
}
libraryPanelsGeneralWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:library.panels:general.writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "General writer",
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
Group: "Library panels",
Description: "Create, read, write or delete all library panels and their permissions in the general folder.",
Permissions: ac.ConcatPermissions(libraryPanelsGeneralReaderRole.Role.Permissions, []ac.Permission{
{Action: libraryelements.ActionLibraryPanelsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
{Action: libraryelements.ActionLibraryPanelsDelete, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
}),
},
Grants: []string{"Editor"},
}
PublicDashboards: Add RBAC to secured endpoints (#54544)
2022-09-05 23:22:39 +08:00
publicDashboardsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:dashboards.public:writer",
DisplayName: "Public Dashboard writer",
Description: "Create, write or disable a public dashboard.",
Group: "Dashboards",
Permissions: []ac.Permission{
PublicDashboards: disable form if user does not has permissions (#54853)
2022-09-08 05:29:01 +08:00
{Action: dashboards.ActionDashboardsPublicWrite, Scope: dashboards.ScopeDashboardsAll},
PublicDashboards: Add RBAC to secured endpoints (#54544)
2022-09-05 23:22:39 +08:00
},
},
Grants: []string{"Admin"},
}
Feature toggles management: Define get feature toggles api (#72106) * Feature Toggle Management: Define get feature toggles api * lint
2023-07-25 04:12:59 +08:00
featuremgmtReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:featuremgmt:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
Feature toggles management: Define get feature toggles api (#72106) * Feature Toggle Management: Define get feature toggles api * lint
2023-07-25 04:12:59 +08:00
Description: "Read feature toggles",
Group: "Feature Management",
Permissions: []ac.Permission{
{Action: ac.ActionFeatureManagementRead},
},
},
Grants: []string{"Admin"},
}
Feature Toggles: Create API for updating feature toggle state from the feature toggle admin page (#73022) * create roles for writing feature toggles * create update endpoint / handler * api changes * add feature toggle validations * hide toggles based on their state * make FlagFeatureToggle read only * add username log * add username string * refactor for better readability * refactor unit tests so we can do more validations * some skeletoning for the set tests * write unit tests for updater * break helper functions out * update sample ini to match defaults * add more logic to ReadOnly label * add user documentation * fix lint issue * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> --------- Co-authored-by: IbrahimCSAE <ibrahim.mdev@gmail.com> Co-authored-by: J Stickler <julie.stickler@grafana.com>
2023-08-09 23:32:28 +08:00
featuremgmtWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:featuremgmt:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
Feature Toggles: Create API for updating feature toggle state from the feature toggle admin page (#73022) * create roles for writing feature toggles * create update endpoint / handler * api changes * add feature toggle validations * hide toggles based on their state * make FlagFeatureToggle read only * add username log * add username string * refactor for better readability * refactor unit tests so we can do more validations * some skeletoning for the set tests * write unit tests for updater * break helper functions out * update sample ini to match defaults * add more logic to ReadOnly label * add user documentation * fix lint issue * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: J Stickler <julie.stickler@grafana.com> --------- Co-authored-by: IbrahimCSAE <ibrahim.mdev@gmail.com> Co-authored-by: J Stickler <julie.stickler@grafana.com>
2023-08-09 23:32:28 +08:00
Description: "Write feature toggles",
Group: "Feature Management",
Permissions: []ac.Permission{
{Action: ac.ActionFeatureManagementWrite},
},
},
Grants: []string{"Admin"},
}
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
roles := []ac.RoleRegistration{provisioningWriterRole, datasourcesReaderRole, builtInDatasourceReader, datasourcesWriterRole,
RBAC: introduce a data source admin role (#75915) * introduce data source admin role and fix frontend check * introduce fixed roles for data source creator and team reader * add documentation * undo an unintended change
2023-10-19 21:36:41 +08:00
datasourcesIdReaderRole, datasourcesCreatorRole, orgReaderRole, orgWriterRole,
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, teamsReaderRole, datasourcesExplorerRole,
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
annotationsReaderRole, dashboardAnnotationsWriterRole, annotationsWriterRole,
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
Create fixed roles for reading API Keys and service accounts and fix listing of service account tokens (#47767) * Create fixed roles for reading API Keys and service accounts * Handle PR comments and fix the listing of token
2022-04-14 21:09:55 +08:00
foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyReaderRole, apikeyWriterRole,
Bug fix: add library panel permissions to basic roles (#77144) set library panel permissions to basic roles
2023-10-26 01:44:55 +08:00
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole, libraryPanelsCreatorRole,
libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole}
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
if hs.Features.IsEnabled(context.Background(), featuremgmt.FlagAnnotationPermissionUpdate) {
allAnnotationsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations.all:reader",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Reader",
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
Description: "Read all annotations and tags",
Group: "Annotations",
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsRead, Scope: dashboards.ScopeDashboardsAll},
},
},
Grants: []string{string(org.RoleAdmin)},
}
allAnnotationsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations.all:writer",
AccessControl: Add group to role picker and standardize display (#79570) * add group to role picker and standardize display * change stuttery roles
2024-01-18 22:20:28 +08:00
DisplayName: "Writer",
RBAC: Update fixed annotation roles (#78756) * update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled * add dashboard type scope back in the fixed roles to make the migration easier
2023-12-01 22:50:55 +08:00
Description: "Update all annotations.",
Group: "Annotations",
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsCreate, Scope: dashboards.ScopeDashboardsAll},
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsDelete, Scope: dashboards.ScopeDashboardsAll},
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsWrite, Scope: dashboards.ScopeDashboardsAll},
},
},
Grants: []string{string(org.RoleAdmin)},
}
roles = append(roles, allAnnotationsReaderRole, allAnnotationsWriterRole)
}
LibraryPanels: Add RBAC support (#73475)
2023-10-12 07:30:50 +08:00
return hs.accesscontrolService.DeclareFixedRoles(roles...)
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
}
AccessControl: Protect /datasources endpoints consistently with NavLinks permissions (#39319)
2021-09-22 19:50:21 +08:00
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
// Metadata helpers
// getAccessControlMetadata returns the accesscontrol metadata associated with a given resource
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func (hs *HTTPServer) getAccessControlMetadata(c *contextmodel.ReqContext,
AccessControl: Fix locked role picker in orgs/edit page (#46539) * AccessControl: Fix locked role picker in orgs/edit page * Use correct org when computing metadata
2022-03-24 15:58:10 +08:00
orgID int64, prefix string, resourceID string) ac.Metadata {
Access Control: Support other attributes than id for resource permissions (#46727) * Add option to set ResourceAttribute for a permissions service * Use prefix in access control sql filter to parse scopes * Use prefix in access control metadata to check access
2022-03-22 00:58:18 +08:00
ids := map[string]bool{resourceID: true}
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
return hs.getMultiAccessControlMetadata(c, prefix, ids)[resourceID]
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
}
// getMultiAccessControlMetadata returns the accesscontrol metadata associated with a given set of resources
AccessControl: Fix locked role picker in orgs/edit page (#46539) * AccessControl: Fix locked role picker in orgs/edit page * Use correct org when computing metadata
2022-03-24 15:58:10 +08:00
// Context must contain permissions in the given org (see LoadPermissionsMiddleware or AuthorizeInOrgMiddleware)
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func (hs *HTTPServer) getMultiAccessControlMetadata(c *contextmodel.ReqContext,
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
prefix string, resourceIDs map[string]bool) map[string]ac.Metadata {
RBAC: remove some `IsDisabled` checks (#69272) * remove some access contorl IsDisabled() checks * cleaning up tests * update tests * linting
2023-05-31 16:58:57 +08:00
if !c.QueryBool("accesscontrol") {
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
return map[string]ac.Metadata{}
}
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
if len(c.SignedInUser.GetPermissions()) == 0 {
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
return map[string]ac.Metadata{}
}
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
return ac.GetResourcesMetadata(c.Req.Context(), c.SignedInUser.GetPermissions(), prefix, resourceIDs)
AccessControl: Compute metadata from context permissions (#45578) * AccessControl: Compute metadata from context permissions * Remove nil Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Check user permissions are set Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2022-02-18 18:27:00 +08:00
}