Permission Creator: Remove user type check

Stephanie Hingtgen 2025-10-03 14:48:40 -06:00
parent e414e790f7
commit 141eab1920
No known key found for this signature in database
GPG Key ID: 53B53CC8FFFFB1D0
2 changed files with 0 additions and 87 deletions


@ -39,11 +39,6 @@ func afterCreatePermissionCreator(ctx context.Context,
return nil, errors.New("missing auth info")
}
idtype := auth.GetIdentityType()
if idtype != authtypes.TypeUser && idtype != authtypes.TypeServiceAccount && idtype != authtypes.TypeAccessPolicy {
return nil, fmt.Errorf("only users, service accounts, and access policies may grant permissions using an annotation")
}
return func(ctx context.Context) error {
return setter(ctx, key, auth, val)
}, nil
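Review bot: With the identity-type guard gone, the only gate left before `setter(ctx, key, auth, val)` is the "missing auth info" check, so any requester that carries auth info now gets a permission-creator closure, including the `authtypes.TypeAnonymous` case that the deleted test expected to be rejected. The hunk does not show whether `setter` or the caller of `afterCreatePermissionCreator` restricts which identity types may grant permissions through the annotation. If one of them does, say so above the returned closure, for example `// identity type is not checked here; enforced by <enforcing component - placeholder>`. It would also help to keep one negative test that pins the intended outcome for an anonymous requester, so that a later change to that component cannot silently open this path. The function starts and ends outside the hunk.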


@ -9,7 +9,6 @@ import (
authtypes "github.com/grafana/authlib/types"
"github.com/grafana/grafana/apps/dashboard/pkg/apis/dashboard/v0alpha1"
"github.com/grafana/grafana/pkg/apimachinery/identity"
"github.com/grafana/grafana/pkg/apimachinery/utils"
"github.com/grafana/grafana/pkg/storage/unified/resourcepb"
)
@ -46,85 +45,4 @@ func TestAfterCreatePermissionCreator(t *testing.T) {
require.Nil(t, creator)
require.Contains(t, err.Error(), "missing auth info")
})
t.Run("should succeed for user identity", func(t *testing.T) {
ctx := identity.WithRequester(context.Background(), &identity.StaticRequester{
Type: authtypes.TypeUser,
OrgID: 1,
OrgRole: "Admin",
UserID: 1,
})
obj := &v0alpha1.Dashboard{}
key := &resourcepb.ResourceKey{
Group: "test",
Resource: "test",
Namespace: "test",
Name: "test",
}
creator, err := afterCreatePermissionCreator(ctx, key, utils.AnnoGrantPermissionsDefault, obj, mockSetter)
require.NoError(t, err)
require.NotNil(t, creator)
err = creator(ctx)
require.NoError(t, err)
})
t.Run("should succeed for service account identity", func(t *testing.T) {
ctx := identity.WithRequester(context.Background(), &identity.StaticRequester{
Type: authtypes.TypeServiceAccount,
OrgID: 1,
OrgRole: "Admin",
UserID: 1,
})
obj := &v0alpha1.Dashboard{}
key := &resourcepb.ResourceKey{
Group: "test",
Resource: "test",
Namespace: "test",
Name: "test",
}
creator, err := afterCreatePermissionCreator(ctx, key, utils.AnnoGrantPermissionsDefault, obj, mockSetter)
require.NoError(t, err)
require.NotNil(t, creator)
err = creator(ctx)
require.NoError(t, err)
})
t.Run("should succeed for access policy identity", func(t *testing.T) {
ctx := identity.WithRequester(context.Background(), &identity.StaticRequester{
Type: authtypes.TypeAccessPolicy,
OrgID: 1,
OrgRole: "Admin",
UserID: 1,
})
obj := &v0alpha1.Dashboard{}
key := &resourcepb.ResourceKey{
Group: "test",
Resource: "test",
Namespace: "test",
Name: "test",
}
creator, err := afterCreatePermissionCreator(ctx, key, utils.AnnoGrantPermissionsDefault, obj, mockSetter)
require.NoError(t, err)
require.NotNil(t, creator)
err = creator(ctx)
require.NoError(t, err)
})
t.Run("should error for non-user/non-service-account identity", func(t *testing.T) {
ctx := identity.WithRequester(context.Background(), &identity.StaticRequester{
Type: authtypes.TypeAnonymous,
})
obj := &v0alpha1.Dashboard{}
creator, err := afterCreatePermissionCreator(ctx, nil, utils.AnnoGrantPermissionsDefault, obj, mockSetter)
require.Error(t, err)
require.Nil(t, creator)
require.Contains(t, err.Error(), "only users, service accounts, and access policies may grant permissions")
})
}