root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 82 Packages Projects Releases Wiki Activity
grafana/pkg/services/accesscontrol/models.go

342 lines
8.4 KiB
Go
Raw Normal View History

Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
package accesscontrol
import (
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
"encoding/json"
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
"strings"
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
"time"
)
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
// RoleRegistration stores a role and its assignments to built-in roles
// (Viewer, Editor, Admin, Grafana Admin)
type RoleRegistration struct {
Role RoleDTO
Grants []string
}
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
// Role is the model for Role in RBAC.
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
type Role struct {
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
OrgID int64 `json:"-" xorm:"org_id"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
Version int64 `json:"version"`
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
UID string `xorm:"uid" json:"uid"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
Name string `json:"name"`
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
DisplayName string `json:"displayName"`
Access Control: adding group field to roles (#41465) * add group field to roles in AC models * change to using group_name as the column name * add a migration for group column
2021-11-12 18:42:47 +08:00
Group string `xorm:"group_name" json:"group"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
Description string `json:"description"`
Updated time.Time `json:"updated"`
Created time.Time `json:"created"`
}
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
func (r Role) Global() bool {
return r.OrgID == GlobalOrgID
}
func (r Role) IsFixed() bool {
return strings.HasPrefix(r.Name, FixedRolePrefix)
}
func (r Role) GetDisplayName() string {
if r.IsFixed() && r.DisplayName == "" {
r.DisplayName = fallbackDisplayName(r.Name)
}
return r.DisplayName
}
func (r Role) MarshalJSON() ([]byte, error) {
type Alias Role
r.DisplayName = r.GetDisplayName()
return json.Marshal(&struct {
Alias
Global bool `json:"global" xorm:"-"`
}{
Alias: (Alias)(r),
Global: r.Global(),
})
}
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
type RoleDTO struct {
Version int64 `json:"version"`
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
UID string `xorm:"uid" json:"uid"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
Name string `json:"name"`
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
DisplayName string `json:"displayName"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
Description string `json:"description"`
Access Control: adding group field to roles (#41465) * add group field to roles in AC models * change to using group_name as the column name * add a migration for group column
2021-11-12 18:42:47 +08:00
Group string `xorm:"group_name" json:"group"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
Permissions []Permission `json:"permissions,omitempty"`
Access control: use delegatable flag to check if role can be granted (#42070) * Access control: use delegatable flag to check if role can be granted or not * Fix naming
2021-11-22 22:44:03 +08:00
Delegatable *bool `json:"delegatable,omitempty"`
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
OrgID int64 `json:"-" xorm:"org_id"`
Updated time.Time `json:"updated"`
Created time.Time `json:"created"`
}
func (r RoleDTO) Role() Role {
return Role{
ID: r.ID,
OrgID: r.OrgID,
UID: r.UID,
Name: r.Name,
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
DisplayName: r.DisplayName,
Access Control: adding group field to roles (#41465) * add group field to roles in AC models * change to using group_name as the column name * add a migration for group column
2021-11-12 18:42:47 +08:00
Group: r.Group,
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
Description: r.Description,
Updated: r.Updated,
Created: r.Created,
}
}
func (r RoleDTO) Global() bool {
return r.OrgID == GlobalOrgID
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
}
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
func (r RoleDTO) IsFixed() bool {
return strings.HasPrefix(r.Name, FixedRolePrefix)
}
func (r RoleDTO) GetDisplayName() string {
if r.IsFixed() && r.DisplayName == "" {
r.DisplayName = fallbackDisplayName(r.Name)
}
feat: fallback for displayname of non-fixed role without displayname (#40277)
2021-10-11 23:00:54 +08:00
if r.DisplayName == "" {
return r.Name
}
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
return r.DisplayName
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
}
func (r RoleDTO) MarshalJSON() ([]byte, error) {
type Alias RoleDTO
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
fix: marshal displayname RoleDTO (#40015)
2021-10-05 22:29:34 +08:00
r.DisplayName = r.GetDisplayName()
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
return json.Marshal(&struct {
Alias
Global bool `json:"global" xorm:"-"`
}{
Alias: (Alias)(r),
Global: r.Global(),
})
}
AccessControl: Add displayname field to Role (#39904) * feat: add displayname * refactor: marshal role for fallback displayname * refactor: moved to private heuristic function for displaynames * refactor: display name trimspace and remove prefix * refactor: renaming of fallbackFunction * refactor: moved methods below struct types
2021-10-05 20:07:16 +08:00
// fallbackDisplayName provides a fallback name for role
// that can be displayed in the ui for better readability
// example: currently this would give:
// fixed:datasources:name -> datasources name
// datasources:admin -> datasources admin
func fallbackDisplayName(rName string) string {
// removing prefix for fixed roles
rNameWithoutPrefix := strings.Replace(rName, FixedRolePrefix, "", 1)
return strings.TrimSpace(strings.Replace(rNameWithoutPrefix, ":", " ", -1))
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
}
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
type TeamRole struct {
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
OrgID int64 `json:"orgId" xorm:"org_id"`
RoleID int64 `json:"roleId" xorm:"role_id"`
TeamID int64 `json:"teamId" xorm:"team_id"`
Created time.Time
}
type UserRole struct {
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
OrgID int64 `json:"orgId" xorm:"org_id"`
RoleID int64 `json:"roleId" xorm:"role_id"`
UserID int64 `json:"userId" xorm:"user_id"`
Created time.Time
}
type BuiltinRole struct {
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
RoleID int64 `json:"roleId" xorm:"role_id"`
OrgID int64 `json:"orgId" xorm:"org_id"`
Role string
Updated time.Time
Created time.Time
}
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
// Permission is the model for access control permissions.
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
type Permission struct {
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
ID int64 `json:"-" xorm:"pk autoincr 'id'"`
RoleID int64 `json:"-" xorm:"role_id"`
Access Control: Move database-related models to enterprise (#32907) * Move database-related models to enterprise * Chore: use GetUserBuiltInRoles() method * Rename permission to action
2021-04-13 21:28:11 +08:00
Action string `json:"action"`
Scope string `json:"scope"`
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
Updated time.Time `json:"updated"`
Created time.Time `json:"created"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
}
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
func (p Permission) OSSPermission() Permission {
return Permission{
Action: p.Action,
Scope: p.Scope,
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
}
}
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
type GetUserPermissionsQuery struct {
Access control: Load permissions from memory and database (#42080) * Load permission from both in memory and from database Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 23:11:18 +08:00
OrgID int64 `json:"-"`
UserID int64 `json:"userId"`
Roles []string
Actions []string
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
}
AccessControl: Extend scope parameters with extra params from context (#39722) * AccessControl: Extend scope parameters with extra params from context Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-10-06 19:15:09 +08:00
// ScopeParams holds the parameters used to fill in scope templates
type ScopeParams struct {
OrgID int64
URLParams map[string]string
}
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 16:52:24 +08:00
// ResourcePermission is structure that holds all actions that either a team / user / builtin-role
// can perform against specific resource.
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
type ResourcePermission struct {
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 16:52:24 +08:00
ID int64
ResourceID string
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
RoleName string
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 16:52:24 +08:00
Actions []string
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
Scope string
UserId int64
UserLogin string
UserEmail string
TeamId int64
TeamEmail string
Team string
BuiltInRole string
Created time.Time
Updated time.Time
}
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 16:52:24 +08:00
func (p *ResourcePermission) IsManaged() bool {
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
return strings.HasPrefix(p.RoleName, "managed:")
}
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 16:52:24 +08:00
func (p *ResourcePermission) Contains(targetActions []string) bool {
if len(p.Actions) < len(targetActions) {
return false
}
var contain = func(arr []string, s string) bool {
for _, item := range arr {
if item == s {
return true
}
}
return false
}
for _, a := range targetActions {
if !contain(p.Actions, a) {
return false
}
}
return true
}
type SetResourcePermissionCommand struct {
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
Actions []string
Resource string
ResourceID string
Access Control: Pass db session to hooks (#44428) * Move hook calls to database and pass session
2022-01-26 00:12:00 +08:00
Permission string
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
}
type GetResourcesPermissionsQuery struct {
Actions []string
Resource string
ResourceIDs []string
Access Control: Add option to filter only managed permissions (#43371) * Add option to filter only managed permissions
2021-12-21 21:22:54 +08:00
OnlyManaged bool
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-11-11 21:02:53 +08:00
}
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
const (
Add extra fields to OSS types to support enterprise (#39427)
2021-09-21 15:58:35 +08:00
GlobalOrgID = 0
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
// Permission actions
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 18:19:41 +08:00
// Users actions
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
ActionUsersRead = "users:read"
ActionUsersWrite = "users:write"
ActionUsersTeamRead = "users.teams:read"
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
// We can ignore gosec G101 since this does not contain any credentials.
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
// nolint:gosec
ActionUsersAuthTokenList = "users.authtoken:list"
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
// We can ignore gosec G101 since this does not contain any credentials.
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
// nolint:gosec
ActionUsersAuthTokenUpdate = "users.authtoken:update"
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
// We can ignore gosec G101 since this does not contain any credentials.
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
// nolint:gosec
ActionUsersPasswordUpdate = "users.password:update"
ActionUsersDelete = "users:delete"
ActionUsersCreate = "users:create"
ActionUsersEnable = "users:enable"
ActionUsersDisable = "users:disable"
ActionUsersPermissionsUpdate = "users.permissions:update"
ActionUsersLogout = "users:logout"
ActionUsersQuotasList = "users.quotas:list"
ActionUsersQuotasUpdate = "users.quotas:update"
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 18:19:41 +08:00
// Org actions
ActionOrgUsersRead = "org.users:read"
ActionOrgUsersAdd = "org.users:add"
ActionOrgUsersRemove = "org.users:remove"
ActionOrgUsersRoleUpdate = "org.users.role:update"
// LDAP actions
Access Control: Add fine-grained access control to ldap handlers (#35525) * Add new accesscontrol action for ldap config reload * Update ldapAdminEditRole with new ldap config reload permission * wrap /ldap/reload with accesscontrol authorize middleware * document new action and update fixed:ldap:admin:edit with said action * add fake accesscontrol implementation for tests * Add accesscontrol tests for ldap handlers Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-06-11 21:58:18 +08:00
ActionLDAPUsersRead = "ldap.user:read"
ActionLDAPUsersSync = "ldap.user:sync"
ActionLDAPStatusRead = "ldap.status:read"
ActionLDAPConfigReload = "ldap.config:reload"
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 18:19:41 +08:00
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings
2021-06-14 23:36:48 +08:00
// Server actions
ActionServerStatsRead = "server.stats:read"
// Settings actions
ActionSettingsRead = "settings:read"
Access Control: Add fine-grained access control to explore (#35883) * add fixed role for datasource read operations * Add action for datasource explore * add authorize middleware to explore index route * add fgac support for explore navlink * update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is * add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default * create function to evaluate permissions or using fallback if accesscontrol is disabled * change hasAccess to prop and derive the value in mapStateToProps * add test case to ensure buttons is not rendered when user does not have access * Only hide return with changes button * remove internal links if user does not have access to explorer Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com>
2021-07-02 20:43:12 +08:00
// Datasources actions
ActionDatasourcesExplore = "datasources:explore"
Plugins: Fix catalog permissions for org and server admins (#37504) * simplify toggle + add link to server admin * feat(catalog): org admins can configure plugin apps, cannot install/uninstall plugins * fix(catalog): dont show buttons if user doesn't have install permissions * feat(catalog): cater for accessing catalog via /plugins and /admin/plugins * feat(catalog): use location for list links and match.url to define breadcrumb links * test(catalog): mock isGrafanaAdmin for PluginDetails tests * test(catalog): preserve default bootdata in PluginDetails mock * refactor(catalog): move orgAdmin check out of state and make easier to reason with Co-authored-by: Will Browne <will.browne@grafana.com>
2021-08-04 17:49:05 +08:00
// Plugin actions
ActionPluginsManage = "plugins:manage"
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
// Global Scopes
Access control: Clean up users scopes (#33532) Following discussion in grafana/grafana-enterprise#1292, removing org-scoped users scopes to make it clear that the local organization is the default and the alternative to that is a global scope (for a select few endpoints)
2021-05-03 16:27:12 +08:00
ScopeGlobalUsersAll = "global:users:*"
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints
2021-04-22 18:19:41 +08:00
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
// Users scope
ScopeUsersAll = "users:*"
Access control: Add a role for provisioning admins (#33787)
2021-05-10 17:46:42 +08:00
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings
2021-06-14 23:36:48 +08:00
// Settings scope
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2021-08-23 20:03:20 +08:00
ScopeSettingsAll = "settings:*"
AccessControl: frontend changes for adding FGAC to licensing (#39484) * refactor licenseURL function to use context and export permission evaluation fction * remove provisioning file * refactor licenseURL to take in a bool to avoid circular dependencies * remove function for appending nav link, as it was only used once and move the function to create admin node * better argument names * create a function for permission checking * extend permission checking when displaying server stats * enable the use of enterprise access control actions when evaluating permissions * import ordering * move licensing FGAC action definitions to models package to allow access from oss * move evaluatePermissions for routes to context serve * change permission evaluator to take in more permissions * move licensing FGAC actions again to appease wire * avoid index out of bounds issue in case no children are passed in when creating server admin node * simplify syntax for permission checking Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> * update loading state for server stats * linting * more linting * fix test * fix a frontend test * update "licensing.reports:read" action naming * UI doesn't allow reading only licensing reports and not the rest of licensing info Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
2021-10-05 21:54:26 +08:00
// Licensing related actions
ActionLicensingRead = "licensing:read"
ActionLicensingUpdate = "licensing:update"
ActionLicensingDelete = "licensing:delete"
ActionLicensingReportsRead = "licensing.reports:read"
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
AccessControl: Implement teams resource service (#43951) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * moving resourceservice to the main wire file pt2 * move team related actions so that they can be reused * PR feedback * fix * typo * Access Control: adding hooks for team member endpoints (#43991) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * add access control to list and add team member endpoint, and hooks for adding team members * member permission type is 0 * add ID scope for team permission checks * add more team actions, use Member for member permission name * protect team member update endpoint with FGAC permissions * update SQL functions for teams and the corresponding tests * also protect team member removal endpoint with FGAC permissions and add a hook to permission service * a few small fixes, provide team permission service to test setup * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * remove resource services from wireexts * remove unneeded actions * linting fix * remove comments * feedback fixes * feedback * simplifying * remove team member within the same transaction * fix a mistake with the error * call the correct sql fction * linting * Access control: tests for team member endpoints (#44177) * tests for team member endpoints * clean up and fix the tests * fixing tests take 2 * don't import enterprise test license * don't import enterprise test license * remove unused variable Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 22:48:41 +08:00
// Team related actions
ActionTeamsCreate = "teams:create"
ActionTeamsDelete = "teams:delete"
ActionTeamsRead = "teams:read"
ActionTeamsWrite = "teams:write"
ActionTeamsPermissionsRead = "teams.permissions:read"
ActionTeamsPermissionsWrite = "teams.permissions:write"
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
// Team related scopes
ScopeTeamsAll = "teams:*"
AccessControl: Implement teams resource service (#43951) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * moving resourceservice to the main wire file pt2 * move team related actions so that they can be reused * PR feedback * fix * typo * Access Control: adding hooks for team member endpoints (#43991) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * add access control to list and add team member endpoint, and hooks for adding team members * member permission type is 0 * add ID scope for team permission checks * add more team actions, use Member for member permission name * protect team member update endpoint with FGAC permissions * update SQL functions for teams and the corresponding tests * also protect team member removal endpoint with FGAC permissions and add a hook to permission service * a few small fixes, provide team permission service to test setup * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * remove resource services from wireexts * remove unneeded actions * linting fix * remove comments * feedback fixes * feedback * simplifying * remove team member within the same transaction * fix a mistake with the error * call the correct sql fction * linting * Access control: tests for team member endpoints (#44177) * tests for team member endpoints * clean up and fix the tests * fixing tests take 2 * don't import enterprise test license * don't import enterprise test license * remove unused variable Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 22:48:41 +08:00
)
var (
// Team scope
ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 22:31:27 +08:00
)
const RoleGrafanaAdmin = "Grafana Admin"
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad.
2021-08-04 20:44:37 +08:00
const FixedRolePrefix = "fixed:"
AccessControl: frontend changes for adding FGAC to licensing (#39484) * refactor licenseURL function to use context and export permission evaluation fction * remove provisioning file * refactor licenseURL to take in a bool to avoid circular dependencies * remove function for appending nav link, as it was only used once and move the function to create admin node * better argument names * create a function for permission checking * extend permission checking when displaying server stats * enable the use of enterprise access control actions when evaluating permissions * import ordering * move licensing FGAC action definitions to models package to allow access from oss * move evaluatePermissions for routes to context serve * change permission evaluator to take in more permissions * move licensing FGAC actions again to appease wire * avoid index out of bounds issue in case no children are passed in when creating server admin node * simplify syntax for permission checking Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> * update loading state for server stats * linting * more linting * fix test * fix a frontend test * update "licensing.reports:read" action naming * UI doesn't allow reading only licensing reports and not the rest of licensing info Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
2021-10-05 21:54:26 +08:00
// LicensingPageReaderAccess defines permissions that grant access to the licensing and stats page
var LicensingPageReaderAccess = EvalAny(
EvalPermission(ActionLicensingRead),
EvalPermission(ActionServerStatsRead),
)