apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
39302 Commits
2179 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: fee50be1bb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fee50be1bb'
${ noResults }
grafana/pkg/services/accesscontrol/database/database.go

122 lines
3.5 KiB
Raw Normal View History Unescape

Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
package database
import (
"context"
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
"strconv"
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"strings"
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
3 years ago
"github.com/grafana/grafana/pkg/infra/db"
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"github.com/grafana/grafana/pkg/services/accesscontrol"
)
chore: replace sqlstore.Store with db.DB (#57010) * chore: replace sqlstore.SQLStore with db.DB * more post-sqlstore.SQLStore cleanup
3 years ago
func ProvideService(sql db.DB) *AccessControlStore {
RBAC: Initiate store in service (#55081) * RBAC: Dont inject store with wire * RBAC: Use Store interface * RBAC: Move store interface and initiate it from service
3 years ago
return &AccessControlStore{sql}
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
}
type AccessControlStore struct {
chore: replace sqlstore.Store with db.DB (#57010) * chore: replace sqlstore.SQLStore with db.DB * more post-sqlstore.SQLStore cleanup
3 years ago
sql db.DB
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
}
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
3 years ago
func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]accesscontrol.Permission, error) {
result := make([]accesscontrol.Permission, 0)
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
3 years ago
err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
RBAC: Update permission query to not join on team table (#53677) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids
3 years ago
if query.UserID == 0 && len(query.TeamIDs) == 0 && len(query.Roles) == 0 {
// no permission to fetch
return nil
}
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
filter, params := accesscontrol.UserRolesFilter(query.OrgID, query.UserID, query.TeamIDs, query.Roles)
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
RBAC: Update permission query to not join on team table (#53677) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids
3 years ago
q := `
SELECT
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
permission.action,
AccessControl: Only return action and scope for user permissions and make them unique (#48939) * Only return action and scope for user permissions and make them unique
3 years ago
permission.scope
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
FROM permission
INNER JOIN role ON role.id = permission.role_id
` + filter
RBAC: Update permission query to not join on team table (#53677) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids
3 years ago
if len(query.Actions) > 0 {
q += " WHERE permission.action IN("
Access control: Load permissions from memory and database (#42080) * Load permission from both in memory and from database Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
if len(query.Actions) > 0 {
q += "?" + strings.Repeat(",?", len(query.Actions)-1)
}
q += ")"
for _, a := range query.Actions {
params = append(params, a)
}
}
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
if err := sess.SQL(q, params...).Find(&result); err != nil {
return err
}
return nil
})
return result, err
}
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
func (s *AccessControlStore) DeleteUserPermissions(ctx context.Context, orgID, userID int64) error {
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
3 years ago
err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
roleDeleteQuery := "DELETE FROM user_role WHERE user_id = ?"
roleDeleteParams := []interface{}{roleDeleteQuery, userID}
if orgID != accesscontrol.GlobalOrgID {
roleDeleteQuery += " AND org_id = ?"
roleDeleteParams = []interface{}{roleDeleteQuery, userID, orgID}
}
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
// Delete user role assignments
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
if _, err := sess.Exec(roleDeleteParams...); err != nil {
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
return err
}
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
// only delete scopes to user if all permissions is removed (i.e. user is removed)
if orgID == accesscontrol.GlobalOrgID {
// Delete permissions that are scoped to user
if _, err := sess.Exec("DELETE FROM permission WHERE scope = ?", accesscontrol.Scope("users", "id", strconv.FormatInt(userID, 10))); err != nil {
return err
}
}
roleQuery := "SELECT id FROM role WHERE name = ?"
roleParams := []interface{}{accesscontrol.ManagedUserRoleName(userID)}
if orgID != accesscontrol.GlobalOrgID {
roleQuery += " AND org_id = ?"
roleParams = []interface{}{accesscontrol.ManagedUserRoleName(userID), orgID}
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
}
var roleIDs []int64
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
if err := sess.SQL(roleQuery, roleParams...).Find(&roleIDs); err != nil {
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
return err
}
if len(roleIDs) == 0 {
return nil
}
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
permissionDeleteQuery := "DELETE FROM permission WHERE role_id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"
permissionDeleteParams := make([]interface{}, 0, len(roleIDs)+1)
permissionDeleteParams = append(permissionDeleteParams, permissionDeleteQuery)
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
for _, id := range roleIDs {
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
permissionDeleteParams = append(permissionDeleteParams, id)
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
}
// Delete managed user permissions
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
if _, err := sess.Exec(permissionDeleteParams...); err != nil {
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
return err
}
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
managedRoleDeleteQuery := "DELETE FROM role WHERE id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"
managedRoleDeleteParams := []interface{}{managedRoleDeleteQuery}
for _, id := range roleIDs {
managedRoleDeleteParams = append(managedRoleDeleteParams, id)
}
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
// Delete managed user roles
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com>
3 years ago
if _, err := sess.Exec(managedRoleDeleteParams...); err != nil {
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
3 years ago
return err
}
return nil
})
return err
}