2021-03-22 20:22:48 +08:00
|
|
|
package accesscontrol
|
|
|
|
|
|
|
|
|
|
import (
|
2021-09-21 15:58:35 +08:00
|
|
|
"encoding/json"
|
2023-05-09 19:19:38 +08:00
|
|
|
"errors"
|
2022-04-13 23:22:53 +08:00
|
|
|
"fmt"
|
2021-10-05 20:07:16 +08:00
|
|
|
"strings"
|
2021-03-22 20:22:48 +08:00
|
|
|
"time"
|
2022-04-11 20:18:38 +08:00
|
|
|
|
2023-05-09 19:19:38 +08:00
|
|
|
"github.com/grafana/grafana/pkg/infra/slugify"
|
2022-04-11 20:18:38 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/annotations"
|
2022-08-10 17:56:48 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2023-01-30 22:19:42 +08:00
|
|
|
"github.com/grafana/grafana/pkg/util/errutil"
|
2021-03-22 20:22:48 +08:00
|
|
|
)
|
|
|
|
|
|
2023-08-22 18:52:24 +08:00
|
|
|
var ErrInternal = errutil.Internal("accesscontrol.internal")
|
2023-01-30 22:19:42 +08:00
|
|
|
|
2021-08-04 20:44:37 +08:00
|
|
|
// RoleRegistration stores a role and its assignments to built-in roles
|
|
|
|
|
// (Viewer, Editor, Admin, Grafana Admin)
|
|
|
|
|
type RoleRegistration struct {
|
2023-04-28 18:48:26 +08:00
|
|
|
Role RoleDTO
|
|
|
|
|
Grants []string
|
2021-08-04 20:44:37 +08:00
|
|
|
}
|
|
|
|
|
|
2021-09-21 15:58:35 +08:00
|
|
|
// Role is the model for Role in RBAC.
|
2021-03-22 20:22:48 +08:00
|
|
|
type Role struct {
|
2021-09-21 15:58:35 +08:00
|
|
|
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
|
|
|
|
|
OrgID int64 `json:"-" xorm:"org_id"`
|
2021-03-22 20:22:48 +08:00
|
|
|
Version int64 `json:"version"`
|
2021-09-21 15:58:35 +08:00
|
|
|
UID string `xorm:"uid" json:"uid"`
|
2021-03-22 20:22:48 +08:00
|
|
|
Name string `json:"name"`
|
2023-02-03 18:39:44 +08:00
|
|
|
DisplayName string `json:"displayName,omitempty"`
|
2021-11-12 18:42:47 +08:00
|
|
|
Group string `xorm:"group_name" json:"group"`
|
2021-03-22 20:22:48 +08:00
|
|
|
Description string `json:"description"`
|
2022-03-15 21:17:45 +08:00
|
|
|
Hidden bool `json:"hidden"`
|
2021-03-22 20:22:48 +08:00
|
|
|
|
|
|
|
|
Updated time.Time `json:"updated"`
|
|
|
|
|
Created time.Time `json:"created"`
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-13 23:22:53 +08:00
|
|
|
func (r *Role) Global() bool {
|
2021-10-05 20:07:16 +08:00
|
|
|
return r.OrgID == GlobalOrgID
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-13 23:22:53 +08:00
|
|
|
func (r *Role) IsFixed() bool {
|
2021-10-05 20:07:16 +08:00
|
|
|
return strings.HasPrefix(r.Name, FixedRolePrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-21 20:14:45 +08:00
|
|
|
func (r *Role) IsBasic() bool {
|
|
|
|
|
return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-05 20:07:16 +08:00
|
|
|
func (r Role) MarshalJSON() ([]byte, error) {
|
|
|
|
|
type Alias Role
|
|
|
|
|
|
|
|
|
|
return json.Marshal(&struct {
|
|
|
|
|
Alias
|
|
|
|
|
Global bool `json:"global" xorm:"-"`
|
|
|
|
|
}{
|
|
|
|
|
Alias: (Alias)(r),
|
|
|
|
|
Global: r.Global(),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-22 20:22:48 +08:00
|
|
|
type RoleDTO struct {
|
|
|
|
|
Version int64 `json:"version"`
|
2021-09-21 15:58:35 +08:00
|
|
|
UID string `xorm:"uid" json:"uid"`
|
2021-03-22 20:22:48 +08:00
|
|
|
Name string `json:"name"`
|
2023-02-03 18:39:44 +08:00
|
|
|
DisplayName string `json:"displayName,omitempty"`
|
2021-03-22 20:22:48 +08:00
|
|
|
Description string `json:"description"`
|
2021-11-12 18:42:47 +08:00
|
|
|
Group string `xorm:"group_name" json:"group"`
|
2021-03-22 20:22:48 +08:00
|
|
|
Permissions []Permission `json:"permissions,omitempty"`
|
2021-11-22 22:44:03 +08:00
|
|
|
Delegatable *bool `json:"delegatable,omitempty"`
|
2022-03-15 21:17:45 +08:00
|
|
|
Hidden bool `json:"hidden,omitempty"`
|
2021-09-21 15:58:35 +08:00
|
|
|
|
|
|
|
|
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
|
|
|
|
|
OrgID int64 `json:"-" xorm:"org_id"`
|
|
|
|
|
|
|
|
|
|
Updated time.Time `json:"updated"`
|
|
|
|
|
Created time.Time `json:"created"`
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-13 23:22:53 +08:00
|
|
|
func (r *RoleDTO) LogID() string {
|
|
|
|
|
var org string
|
|
|
|
|
|
|
|
|
|
if r.Global() {
|
|
|
|
|
org = "Global"
|
|
|
|
|
} else {
|
|
|
|
|
org = fmt.Sprintf("OrgId:%v", r.OrgID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if r.UID != "" {
|
|
|
|
|
return fmt.Sprintf("[%s RoleUID:%v]", org, r.UID)
|
|
|
|
|
}
|
|
|
|
|
return fmt.Sprintf("[%s Role:%v]", org, r.Name)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (r *RoleDTO) Role() Role {
|
2021-09-21 15:58:35 +08:00
|
|
|
return Role{
|
|
|
|
|
ID: r.ID,
|
|
|
|
|
OrgID: r.OrgID,
|
|
|
|
|
UID: r.UID,
|
2022-04-12 15:53:43 +08:00
|
|
|
Version: r.Version,
|
2021-09-21 15:58:35 +08:00
|
|
|
Name: r.Name,
|
2021-10-05 20:07:16 +08:00
|
|
|
DisplayName: r.DisplayName,
|
2021-11-12 18:42:47 +08:00
|
|
|
Group: r.Group,
|
2021-09-21 15:58:35 +08:00
|
|
|
Description: r.Description,
|
2022-03-15 21:17:45 +08:00
|
|
|
Hidden: r.Hidden,
|
2021-09-21 15:58:35 +08:00
|
|
|
Updated: r.Updated,
|
|
|
|
|
Created: r.Created,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-13 23:22:53 +08:00
|
|
|
func (r *RoleDTO) Global() bool {
|
2021-09-21 15:58:35 +08:00
|
|
|
return r.OrgID == GlobalOrgID
|
2021-03-22 20:22:48 +08:00
|
|
|
}
|
|
|
|
|
|
2022-09-22 22:00:42 +08:00
|
|
|
func (r *RoleDTO) IsManaged() bool {
|
|
|
|
|
return strings.HasPrefix(r.Name, ManagedRolePrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-13 23:22:53 +08:00
|
|
|
func (r *RoleDTO) IsFixed() bool {
|
2021-10-05 20:07:16 +08:00
|
|
|
return strings.HasPrefix(r.Name, FixedRolePrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-07 18:30:45 +08:00
|
|
|
func (r *RoleDTO) IsPlugin() bool {
|
|
|
|
|
return strings.HasPrefix(r.Name, PluginRolePrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-21 20:14:45 +08:00
|
|
|
func (r *RoleDTO) IsBasic() bool {
|
|
|
|
|
return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-09 19:19:38 +08:00
|
|
|
func (r *RoleDTO) IsExternalService() bool {
|
|
|
|
|
return strings.HasPrefix(r.Name, ExternalServiceRolePrefix) || strings.HasPrefix(r.UID, ExternalServiceRoleUIDPrefix)
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-21 15:58:35 +08:00
|
|
|
func (r RoleDTO) MarshalJSON() ([]byte, error) {
|
|
|
|
|
type Alias RoleDTO
|
2021-10-05 20:07:16 +08:00
|
|
|
|
2021-09-21 15:58:35 +08:00
|
|
|
return json.Marshal(&struct {
|
|
|
|
|
Alias
|
|
|
|
|
Global bool `json:"global" xorm:"-"`
|
|
|
|
|
}{
|
|
|
|
|
Alias: (Alias)(r),
|
|
|
|
|
Global: r.Global(),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-11 21:02:53 +08:00
|
|
|
type TeamRole struct {
|
|
|
|
|
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
|
|
|
|
|
OrgID int64 `json:"orgId" xorm:"org_id"`
|
|
|
|
|
RoleID int64 `json:"roleId" xorm:"role_id"`
|
|
|
|
|
TeamID int64 `json:"teamId" xorm:"team_id"`
|
|
|
|
|
|
|
|
|
|
Created time.Time
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type UserRole struct {
|
|
|
|
|
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
|
|
|
|
|
OrgID int64 `json:"orgId" xorm:"org_id"`
|
|
|
|
|
RoleID int64 `json:"roleId" xorm:"role_id"`
|
|
|
|
|
UserID int64 `json:"userId" xorm:"user_id"`
|
|
|
|
|
|
|
|
|
|
Created time.Time
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type BuiltinRole struct {
|
|
|
|
|
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
|
|
|
|
|
RoleID int64 `json:"roleId" xorm:"role_id"`
|
|
|
|
|
OrgID int64 `json:"orgId" xorm:"org_id"`
|
|
|
|
|
Role string
|
|
|
|
|
|
|
|
|
|
Updated time.Time
|
|
|
|
|
Created time.Time
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-21 15:58:35 +08:00
|
|
|
// Permission is the model for access control permissions.
|
2021-03-22 20:22:48 +08:00
|
|
|
type Permission struct {
|
2021-09-21 15:58:35 +08:00
|
|
|
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
|
|
|
|
|
RoleID int64 `json:"-" xorm:"role_id"`
|
2021-04-13 21:28:11 +08:00
|
|
|
Action string `json:"action"`
|
|
|
|
|
Scope string `json:"scope"`
|
2021-09-21 15:58:35 +08:00
|
|
|
|
2023-07-21 22:23:01 +08:00
|
|
|
Kind string `json:"-"`
|
|
|
|
|
Attribute string `json:"-"`
|
|
|
|
|
Identifier string `json:"-"`
|
|
|
|
|
|
2021-09-21 15:58:35 +08:00
|
|
|
Updated time.Time `json:"updated"`
|
|
|
|
|
Created time.Time `json:"created"`
|
2021-03-22 20:22:48 +08:00
|
|
|
}
|
|
|
|
|
|
2021-09-21 15:58:35 +08:00
|
|
|
func (p Permission) OSSPermission() Permission {
|
|
|
|
|
return Permission{
|
|
|
|
|
Action: p.Action,
|
|
|
|
|
Scope: p.Scope,
|
2021-03-22 20:22:48 +08:00
|
|
|
}
|
|
|
|
|
}
|
2021-04-14 22:31:27 +08:00
|
|
|
|
2023-07-21 22:23:01 +08:00
|
|
|
// SplitScope returns kind, attribute and Identifier
|
|
|
|
|
func (p Permission) SplitScope() (string, string, string) {
|
|
|
|
|
if p.Scope == "" {
|
|
|
|
|
return "", "", ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fragments := strings.Split(p.Scope, ":")
|
|
|
|
|
switch l := len(fragments); l {
|
|
|
|
|
case 1: // Splitting a wildcard scope "*" -> kind: "*"; attribute: "*"; identifier: "*"
|
|
|
|
|
return fragments[0], fragments[0], fragments[0]
|
|
|
|
|
case 2: // Splitting a wildcard scope with specified kind "dashboards:*" -> kind: "dashboards"; attribute: "*"; identifier: "*"
|
|
|
|
|
return fragments[0], fragments[1], fragments[1]
|
|
|
|
|
default: // Splitting a scope with all fields specified "dashboards:uid:my_dash" -> kind: "dashboards"; attribute: "uid"; identifier: "my_dash"
|
|
|
|
|
return fragments[0], fragments[1], strings.Join(fragments[2:], ":")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-11 21:02:53 +08:00
|
|
|
type GetUserPermissionsQuery struct {
|
2023-05-09 19:19:38 +08:00
|
|
|
OrgID int64
|
|
|
|
|
UserID int64
|
|
|
|
|
Roles []string
|
|
|
|
|
TeamIDs []int64
|
|
|
|
|
RolePrefixes []string
|
2021-11-11 21:02:53 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-20 16:52:24 +08:00
|
|
|
// ResourcePermission is structure that holds all actions that either a team / user / builtin-role
|
|
|
|
|
// can perform against specific resource.
|
2021-11-11 21:02:53 +08:00
|
|
|
type ResourcePermission struct {
|
2023-10-06 23:48:13 +08:00
|
|
|
ID int64
|
|
|
|
|
RoleName string
|
|
|
|
|
Actions []string
|
|
|
|
|
Scope string
|
|
|
|
|
UserId int64
|
|
|
|
|
UserLogin string
|
|
|
|
|
UserEmail string
|
|
|
|
|
TeamId int64
|
|
|
|
|
TeamEmail string
|
|
|
|
|
Team string
|
|
|
|
|
BuiltInRole string
|
|
|
|
|
IsManaged bool
|
|
|
|
|
IsInherited bool
|
|
|
|
|
IsServiceAccount bool
|
|
|
|
|
Created time.Time
|
|
|
|
|
Updated time.Time
|
2021-11-11 21:02:53 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-20 16:52:24 +08:00
|
|
|
func (p *ResourcePermission) Contains(targetActions []string) bool {
|
|
|
|
|
if len(p.Actions) < len(targetActions) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var contain = func(arr []string, s string) bool {
|
|
|
|
|
for _, item := range arr {
|
|
|
|
|
if item == s {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, a := range targetActions {
|
|
|
|
|
if !contain(p.Actions, a) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type SetResourcePermissionCommand struct {
|
2022-10-31 22:32:28 +08:00
|
|
|
UserID int64 `json:"userId,omitempty"`
|
|
|
|
|
TeamID int64 `json:"teamId,omitempty"`
|
|
|
|
|
BuiltinRole string `json:"builtInRole,omitempty"`
|
2022-10-31 19:46:58 +08:00
|
|
|
Permission string `json:"permission"`
|
2021-11-11 21:02:53 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-09 19:19:38 +08:00
|
|
|
type SaveExternalServiceRoleCommand struct {
|
|
|
|
|
OrgID int64
|
|
|
|
|
Global bool
|
|
|
|
|
ExternalServiceID string
|
|
|
|
|
ServiceAccountID int64
|
|
|
|
|
Permissions []Permission
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (cmd *SaveExternalServiceRoleCommand) Validate() error {
|
|
|
|
|
if cmd.ExternalServiceID == "" {
|
|
|
|
|
return errors.New("external service id not specified")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// slugify the external service id ID for the role to have correct name and uid
|
|
|
|
|
cmd.ExternalServiceID = slugify.Slugify(cmd.ExternalServiceID)
|
|
|
|
|
|
|
|
|
|
if (cmd.OrgID == GlobalOrgID) != cmd.Global {
|
|
|
|
|
return fmt.Errorf("invalid org id %d for global role %t", cmd.OrgID, cmd.Global)
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-17 22:28:14 +08:00
|
|
|
// Check and deduplicate permissions
|
2023-05-09 19:19:38 +08:00
|
|
|
if cmd.Permissions == nil || len(cmd.Permissions) == 0 {
|
|
|
|
|
return errors.New("no permissions provided")
|
|
|
|
|
}
|
2023-05-17 22:28:14 +08:00
|
|
|
dedupMap := map[Permission]bool{}
|
|
|
|
|
dedup := make([]Permission, 0, len(cmd.Permissions))
|
|
|
|
|
for i := range cmd.Permissions {
|
|
|
|
|
if len(cmd.Permissions[i].Action) == 0 {
|
|
|
|
|
return fmt.Errorf("external service %v requests a permission with no Action", cmd.ExternalServiceID)
|
|
|
|
|
}
|
|
|
|
|
if dedupMap[cmd.Permissions[i]] {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
dedupMap[cmd.Permissions[i]] = true
|
|
|
|
|
dedup = append(dedup, cmd.Permissions[i])
|
|
|
|
|
}
|
|
|
|
|
cmd.Permissions = dedup
|
2023-05-09 19:19:38 +08:00
|
|
|
|
|
|
|
|
if cmd.ServiceAccountID <= 0 {
|
|
|
|
|
return fmt.Errorf("invalid service account id %d", cmd.ServiceAccountID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-14 22:31:27 +08:00
|
|
|
const (
|
2023-05-09 19:19:38 +08:00
|
|
|
GlobalOrgID = 0
|
|
|
|
|
FixedRolePrefix = "fixed:"
|
2023-10-10 22:29:31 +08:00
|
|
|
FixedRoleUIDPrefix = "fixed_"
|
2023-05-09 19:19:38 +08:00
|
|
|
ManagedRolePrefix = "managed:"
|
|
|
|
|
BasicRolePrefix = "basic:"
|
|
|
|
|
PluginRolePrefix = "plugins:"
|
|
|
|
|
ExternalServiceRolePrefix = "externalservice:"
|
|
|
|
|
BasicRoleUIDPrefix = "basic_"
|
|
|
|
|
ExternalServiceRoleUIDPrefix = "externalservice_"
|
|
|
|
|
RoleGrafanaAdmin = "Grafana Admin"
|
2022-04-12 15:53:43 +08:00
|
|
|
|
2022-03-30 21:14:26 +08:00
|
|
|
GeneralFolderUID = "general"
|
2022-03-22 00:58:18 +08:00
|
|
|
|
2023-09-14 17:42:07 +08:00
|
|
|
// Basic Role None
|
|
|
|
|
BasicRoleNoneUID = "basic_none"
|
|
|
|
|
BasicRoleNoneName = "basic:none"
|
|
|
|
|
|
2021-04-14 22:31:27 +08:00
|
|
|
// Permission actions
|
|
|
|
|
|
2022-03-05 02:01:03 +08:00
|
|
|
ActionAPIKeyRead = "apikeys:read"
|
|
|
|
|
ActionAPIKeyCreate = "apikeys:create"
|
|
|
|
|
ActionAPIKeyDelete = "apikeys:delete"
|
|
|
|
|
|
2021-04-22 18:19:41 +08:00
|
|
|
// Users actions
|
2023-05-25 21:38:30 +08:00
|
|
|
ActionUsersRead = "users:read"
|
|
|
|
|
ActionUsersWrite = "users:write"
|
|
|
|
|
ActionUsersImpersonate = "users:impersonate"
|
|
|
|
|
|
2021-08-24 17:36:28 +08:00
|
|
|
// We can ignore gosec G101 since this does not contain any credentials.
|
2021-04-14 22:31:27 +08:00
|
|
|
// nolint:gosec
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionUsersAuthTokenList = "users.authtoken:read"
|
2021-08-24 17:36:28 +08:00
|
|
|
// We can ignore gosec G101 since this does not contain any credentials.
|
2021-04-14 22:31:27 +08:00
|
|
|
// nolint:gosec
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionUsersAuthTokenUpdate = "users.authtoken:write"
|
2021-08-24 17:36:28 +08:00
|
|
|
// We can ignore gosec G101 since this does not contain any credentials.
|
2021-04-14 22:31:27 +08:00
|
|
|
// nolint:gosec
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionUsersPasswordUpdate = "users.password:write"
|
2021-04-14 22:31:27 +08:00
|
|
|
ActionUsersDelete = "users:delete"
|
|
|
|
|
ActionUsersCreate = "users:create"
|
|
|
|
|
ActionUsersEnable = "users:enable"
|
|
|
|
|
ActionUsersDisable = "users:disable"
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionUsersPermissionsUpdate = "users.permissions:write"
|
2021-04-14 22:31:27 +08:00
|
|
|
ActionUsersLogout = "users:logout"
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionUsersQuotasList = "users.quotas:read"
|
|
|
|
|
ActionUsersQuotasUpdate = "users.quotas:write"
|
2022-11-30 22:38:49 +08:00
|
|
|
ActionUsersPermissionsRead = "users.permissions:read"
|
2021-04-14 22:31:27 +08:00
|
|
|
|
2021-04-22 18:19:41 +08:00
|
|
|
// Org actions
|
2022-09-23 04:04:48 +08:00
|
|
|
ActionOrgsRead = "orgs:read"
|
|
|
|
|
ActionOrgsPreferencesRead = "orgs.preferences:read"
|
|
|
|
|
ActionOrgsQuotasRead = "orgs.quotas:read"
|
|
|
|
|
ActionOrgsWrite = "orgs:write"
|
|
|
|
|
ActionOrgsPreferencesWrite = "orgs.preferences:write"
|
|
|
|
|
ActionOrgsQuotasWrite = "orgs.quotas:write"
|
|
|
|
|
ActionOrgsDelete = "orgs:delete"
|
|
|
|
|
ActionOrgsCreate = "orgs:create"
|
|
|
|
|
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionOrgUsersRead = "org.users:read"
|
|
|
|
|
ActionOrgUsersAdd = "org.users:add"
|
|
|
|
|
ActionOrgUsersRemove = "org.users:remove"
|
|
|
|
|
ActionOrgUsersWrite = "org.users:write"
|
2021-04-22 18:19:41 +08:00
|
|
|
|
|
|
|
|
// LDAP actions
|
2021-06-11 21:58:18 +08:00
|
|
|
ActionLDAPUsersRead = "ldap.user:read"
|
|
|
|
|
ActionLDAPUsersSync = "ldap.user:sync"
|
|
|
|
|
ActionLDAPStatusRead = "ldap.status:read"
|
|
|
|
|
ActionLDAPConfigReload = "ldap.config:reload"
|
2021-04-22 18:19:41 +08:00
|
|
|
|
2021-06-14 23:36:48 +08:00
|
|
|
// Server actions
|
|
|
|
|
ActionServerStatsRead = "server.stats:read"
|
|
|
|
|
|
|
|
|
|
// Settings actions
|
2023-04-13 22:07:43 +08:00
|
|
|
ActionSettingsRead = "settings:read"
|
|
|
|
|
ActionSettingsWrite = "settings:write"
|
2021-06-14 23:36:48 +08:00
|
|
|
|
2021-07-02 20:43:12 +08:00
|
|
|
// Datasources actions
|
|
|
|
|
ActionDatasourcesExplore = "datasources:explore"
|
|
|
|
|
|
2021-04-14 22:31:27 +08:00
|
|
|
// Global Scopes
|
2022-03-22 19:48:46 +08:00
|
|
|
ScopeGlobalUsersAll = "global.users:*"
|
2021-04-22 18:19:41 +08:00
|
|
|
|
2022-03-05 02:01:03 +08:00
|
|
|
// APIKeys scope
|
|
|
|
|
ScopeAPIKeysAll = "apikeys:*"
|
|
|
|
|
|
2021-08-04 20:44:37 +08:00
|
|
|
// Users scope
|
2023-05-25 21:38:30 +08:00
|
|
|
ScopeUsersAll = "users:*"
|
|
|
|
|
ScopeUsersPrefix = "users:id:"
|
2021-05-10 17:46:42 +08:00
|
|
|
|
2021-06-14 23:36:48 +08:00
|
|
|
// Settings scope
|
2023-04-13 22:07:43 +08:00
|
|
|
ScopeSettingsAll = "settings:*"
|
|
|
|
|
ScopeSettingsAuth = "settings:auth:*"
|
|
|
|
|
ScopeSettingsSAML = "settings:auth.saml:*"
|
2021-10-05 21:54:26 +08:00
|
|
|
|
2022-01-26 22:48:41 +08:00
|
|
|
// Team related actions
|
|
|
|
|
ActionTeamsCreate = "teams:create"
|
|
|
|
|
ActionTeamsDelete = "teams:delete"
|
|
|
|
|
ActionTeamsRead = "teams:read"
|
|
|
|
|
ActionTeamsWrite = "teams:write"
|
|
|
|
|
ActionTeamsPermissionsRead = "teams.permissions:read"
|
|
|
|
|
ActionTeamsPermissionsWrite = "teams.permissions:write"
|
2022-01-27 23:16:44 +08:00
|
|
|
|
|
|
|
|
// Team related scopes
|
|
|
|
|
ScopeTeamsAll = "teams:*"
|
2022-02-12 02:43:29 +08:00
|
|
|
|
|
|
|
|
// Annotations related actions
|
2022-04-04 20:53:58 +08:00
|
|
|
ActionAnnotationsCreate = "annotations:create"
|
|
|
|
|
ActionAnnotationsDelete = "annotations:delete"
|
|
|
|
|
ActionAnnotationsRead = "annotations:read"
|
|
|
|
|
ActionAnnotationsWrite = "annotations:write"
|
2022-02-12 02:43:29 +08:00
|
|
|
|
2022-03-16 02:30:32 +08:00
|
|
|
// Alert scopes are divided into two groups. The internal (to Grafana) and the external ones.
|
|
|
|
|
// For the Grafana ones, given we have ACID control we're able to provide better granularity by defining CRUD options.
|
|
|
|
|
// For the external ones, we only have read and write permissions due to the lack of atomicity control of the external system.
|
|
|
|
|
|
|
|
|
|
// Alerting rules actions
|
|
|
|
|
ActionAlertingRuleCreate = "alert.rules:create"
|
|
|
|
|
ActionAlertingRuleRead = "alert.rules:read"
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionAlertingRuleUpdate = "alert.rules:write"
|
2022-03-16 02:30:32 +08:00
|
|
|
ActionAlertingRuleDelete = "alert.rules:delete"
|
|
|
|
|
|
|
|
|
|
// Alerting instances (+silences) actions
|
|
|
|
|
ActionAlertingInstanceCreate = "alert.instances:create"
|
2022-06-02 20:14:48 +08:00
|
|
|
ActionAlertingInstanceUpdate = "alert.instances:write"
|
2022-03-16 02:30:32 +08:00
|
|
|
ActionAlertingInstanceRead = "alert.instances:read"
|
|
|
|
|
|
|
|
|
|
// Alerting Notification policies actions
|
2022-05-20 22:55:07 +08:00
|
|
|
ActionAlertingNotificationsRead = "alert.notifications:read"
|
|
|
|
|
ActionAlertingNotificationsWrite = "alert.notifications:write"
|
2022-03-16 02:30:32 +08:00
|
|
|
|
|
|
|
|
// External alerting rule actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
|
|
|
|
|
ActionAlertingRuleExternalWrite = "alert.rules.external:write"
|
|
|
|
|
ActionAlertingRuleExternalRead = "alert.rules.external:read"
|
|
|
|
|
|
|
|
|
|
// External alerting instances actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
|
|
|
|
|
ActionAlertingInstancesExternalWrite = "alert.instances.external:write"
|
|
|
|
|
ActionAlertingInstancesExternalRead = "alert.instances.external:read"
|
|
|
|
|
|
|
|
|
|
// External alerting notifications actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
|
|
|
|
|
ActionAlertingNotificationsExternalWrite = "alert.notifications.external:write"
|
|
|
|
|
ActionAlertingNotificationsExternalRead = "alert.notifications.external:read"
|
2022-06-09 15:18:57 +08:00
|
|
|
|
|
|
|
|
// Alerting provisioning actions
|
2023-08-09 00:29:34 +08:00
|
|
|
ActionAlertingProvisioningRead = "alert.provisioning:read"
|
|
|
|
|
ActionAlertingProvisioningReadSecrets = "alert.provisioning.secrets:read"
|
|
|
|
|
ActionAlertingProvisioningWrite = "alert.provisioning:write"
|
2023-07-25 04:12:59 +08:00
|
|
|
|
|
|
|
|
// Feature Management actions
|
2023-08-09 23:32:28 +08:00
|
|
|
ActionFeatureManagementRead = "featuremgmt.read"
|
|
|
|
|
ActionFeatureManagementWrite = "featuremgmt.write"
|
2023-10-12 07:30:50 +08:00
|
|
|
|
|
|
|
|
// Library Panel actions
|
|
|
|
|
ActionLibraryPanelsCreate = "library.panels:create"
|
|
|
|
|
ActionLibraryPanelsRead = "library.panels:read"
|
|
|
|
|
ActionLibraryPanelsWrite = "library.panels:write"
|
|
|
|
|
ActionLibraryPanelsDelete = "library.panels:delete"
|
2022-01-26 22:48:41 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
// Team scope
|
|
|
|
|
ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))
|
2022-03-19 00:33:21 +08:00
|
|
|
|
|
|
|
|
// Annotation scopes
|
2022-03-22 01:28:39 +08:00
|
|
|
ScopeAnnotationsRoot = "annotations"
|
|
|
|
|
ScopeAnnotationsProvider = NewScopeProvider(ScopeAnnotationsRoot)
|
|
|
|
|
ScopeAnnotationsAll = ScopeAnnotationsProvider.GetResourceAllScope()
|
|
|
|
|
ScopeAnnotationsID = Scope(ScopeAnnotationsRoot, "id", Parameter(":annotationId"))
|
2022-04-11 20:18:38 +08:00
|
|
|
ScopeAnnotationsTypeDashboard = ScopeAnnotationsProvider.GetResourceScopeType(annotations.Dashboard.String())
|
|
|
|
|
ScopeAnnotationsTypeOrganization = ScopeAnnotationsProvider.GetResourceScopeType(annotations.Organization.String())
|
2021-04-14 22:31:27 +08:00
|
|
|
)
|
|
|
|
|
|
2022-04-12 15:53:43 +08:00
|
|
|
func BuiltInRolesWithParents(builtInRoles []string) map[string]struct{} {
|
|
|
|
|
res := map[string]struct{}{}
|
|
|
|
|
|
|
|
|
|
for _, br := range builtInRoles {
|
|
|
|
|
res[br] = struct{}{}
|
|
|
|
|
if br != RoleGrafanaAdmin {
|
2022-08-10 17:56:48 +08:00
|
|
|
for _, parent := range org.RoleType(br).Parents() {
|
2022-04-12 15:53:43 +08:00
|
|
|
res[string(parent)] = struct{}{}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-08-04 20:44:37 +08:00
|
|
|
|
2022-04-12 15:53:43 +08:00
|
|
|
return res
|
|
|
|
|
}
|
2022-09-23 04:04:48 +08:00
|
|
|
|
|
|
|
|
// Evaluators
|
|
|
|
|
|
|
|
|
|
// TeamsAccessEvaluator is used to protect the "Configuration > Teams" page access
|
|
|
|
|
// grants access to a user when they can either create teams or can read and update a team
|
|
|
|
|
var TeamsAccessEvaluator = EvalAny(
|
|
|
|
|
EvalPermission(ActionTeamsCreate),
|
|
|
|
|
EvalAll(
|
|
|
|
|
EvalPermission(ActionTeamsRead),
|
|
|
|
|
EvalAny(
|
|
|
|
|
EvalPermission(ActionTeamsWrite),
|
|
|
|
|
EvalPermission(ActionTeamsPermissionsWrite),
|
|
|
|
|
),
|
|
|
|
|
),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TeamsEditAccessEvaluator is used to protect the "Configuration > Teams > edit" page access
|
|
|
|
|
var TeamsEditAccessEvaluator = EvalAll(
|
|
|
|
|
EvalPermission(ActionTeamsRead),
|
|
|
|
|
EvalAny(
|
|
|
|
|
EvalPermission(ActionTeamsCreate),
|
|
|
|
|
EvalPermission(ActionTeamsWrite),
|
|
|
|
|
EvalPermission(ActionTeamsPermissionsWrite),
|
|
|
|
|
),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// OrgPreferencesAccessEvaluator is used to protect the "Configure > Preferences" page access
|
|
|
|
|
var OrgPreferencesAccessEvaluator = EvalAny(
|
|
|
|
|
EvalAll(
|
|
|
|
|
EvalPermission(ActionOrgsRead),
|
|
|
|
|
EvalPermission(ActionOrgsWrite),
|
|
|
|
|
),
|
|
|
|
|
EvalAll(
|
|
|
|
|
EvalPermission(ActionOrgsPreferencesRead),
|
|
|
|
|
EvalPermission(ActionOrgsPreferencesWrite),
|
|
|
|
|
),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// OrgsAccessEvaluator is used to protect the "Server Admin > Orgs" page access
|
|
|
|
|
// (you need to have read access to update or delete orgs; read is the minimum)
|
|
|
|
|
var OrgsAccessEvaluator = EvalPermission(ActionOrgsRead)
|
|
|
|
|
|
|
|
|
|
// OrgsCreateAccessEvaluator is used to protect the "Server Admin > Orgs > New Org" page access
|
|
|
|
|
var OrgsCreateAccessEvaluator = EvalAll(
|
|
|
|
|
EvalPermission(ActionOrgsRead),
|
|
|
|
|
EvalPermission(ActionOrgsCreate),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// ApiKeyAccessEvaluator is used to protect the "Configuration > API keys" page access
|
|
|
|
|
var ApiKeyAccessEvaluator = EvalPermission(ActionAPIKeyRead)
|
