apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)

Browse Source 
This reverts commit 88c11f1cc0.
pull/37405/head
Emil Tullstedt 4 years ago committed by GitHub
parent 9494c2cd4f
commit 55efeb0c02
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 232 additions and 954 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 169
      pkg/api/admin_provisioning_test.go
  2. 9
      pkg/api/api.go
  3. 4
      pkg/api/common_test.go
  4. 3
      pkg/api/http_server.go
  5. 41
      pkg/api/roles.go
  6. 18
      pkg/server/server.go
  7. 4
      pkg/services/accesscontrol/accesscontrol.go
  8. 8
      pkg/services/accesscontrol/errors.go
  9. 20
      pkg/services/accesscontrol/models.go
  10. 90
      pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
  11. 369
      pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
  12. 431
      pkg/services/accesscontrol/roles.go
  13. 18
      pkg/services/accesscontrol/roles_test.go
  14. 2
      pkg/services/provisioning/provisioning.go

169
pkg/api/admin_provisioning_test.go
Unescape View File

@ -1,169 +0,0 @@
package api
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/provisioning"
"github.com/grafana/grafana/pkg/setting"
"github.com/stretchr/testify/assert"
)
type reloadProvisioningTestCase struct {
desc string
url string
expectedCode int
expectedBody string
permissions []*accesscontrol.Permission
exit bool
checkCall func(mock provisioning.ProvisioningServiceMock)
}
func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
tests := []reloadProvisioningTestCase{
{
desc: "should work for dashboards with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Dashboards config reloaded"}`,
permissions: []*accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersDashboards,
},
},
url: "/api/admin/provisioning/dashboards/reload",
checkCall: func(mock provisioning.ProvisioningServiceMock) {
assert.Len(t, mock.Calls.ProvisionDashboards, 1)
},
},
{
desc: "should work for dashboards with broader scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Dashboards config reloaded"}`,
permissions: []*accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersAll,
},
},
url: "/api/admin/provisioning/dashboards/reload",
checkCall: func(mock provisioning.ProvisioningServiceMock) {
assert.Len(t, mock.Calls.ProvisionDashboards, 1)
},
},
{
desc: "should fail for dashboard with wrong scope",
expectedCode: http.StatusForbidden,
permissions: []*accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: "services:noservice",
},
},
url: "/api/admin/provisioning/dashboards/reload",
exit: true,
},
{
desc: "should fail for dashboard with no permission",
expectedCode: http.StatusForbidden,
url: "/api/admin/provisioning/dashboards/reload",
exit: true,
},
{
desc: "should work for notifications with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Notifications config reloaded"}`,
permissions: []*accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersNotifications,
},
},
url: "/api/admin/provisioning/notifications/reload",
checkCall: func(mock provisioning.ProvisioningServiceMock) {
assert.Len(t, mock.Calls.ProvisionNotifications, 1)
},
},
{
desc: "should fail for notifications with no permission",
expectedCode: http.StatusForbidden,
url: "/api/admin/provisioning/notifications/reload",
exit: true,
},
{
desc: "should work for datasources with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Datasources config reloaded"}`,
permissions: []*accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersDatasources,
},
},
url: "/api/admin/provisioning/datasources/reload",
checkCall: func(mock provisioning.ProvisioningServiceMock) {
assert.Len(t, mock.Calls.ProvisionDatasources, 1)
},
},
{
desc: "should fail for datasources with no permission",
expectedCode: http.StatusForbidden,
url: "/api/admin/provisioning/datasources/reload",
exit: true,
},
{
desc: "should work for plugins with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Plugins config reloaded"}`,
permissions: []*accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersPlugins,
},
},
url: "/api/admin/provisioning/plugins/reload",
checkCall: func(mock provisioning.ProvisioningServiceMock) {
assert.Len(t, mock.Calls.ProvisionPlugins, 1)
},
},
{
desc: "should fail for plugins with no permission",
expectedCode: http.StatusForbidden,
url: "/api/admin/provisioning/plugins/reload",
exit: true,
},
}
cfg := setting.NewCfg()
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
sc, hs := setupAccessControlScenarioContext(t, cfg, test.url, test.permissions)
// Setup the mock
provisioningMock := provisioning.NewProvisioningServiceMock()
hs.ProvisioningService = provisioningMock
sc.resp = httptest.NewRecorder()
var err error
sc.req, err = http.NewRequest(http.MethodPost, test.url, nil)
assert.NoError(t, err)
sc.exec()
// Check return code
assert.Equal(t, test.expectedCode, sc.resp.Code)
if test.exit {
return
}
// Check body
assert.Equal(t, test.expectedBody, sc.resp.Body.String())
// Check we actually called the provisioning service
test.checkCall(*provisioningMock)
})
}
}

9
pkg/api/api.go
Unescape View File

@ -445,11 +445,10 @@ func (hs *HTTPServer) registerRoutes() {
adminRoute.Get("/stats", authorize(reqGrafanaAdmin, accesscontrol.ActionServerStatsRead), routing.Wrap(AdminGetStats)) adminRoute.Get("/stats", authorize(reqGrafanaAdmin, accesscontrol.ActionServerStatsRead), routing.Wrap(AdminGetStats))
adminRoute.Post("/pause-all-alerts", reqGrafanaAdmin, bind(dtos.PauseAllAlertsCommand{}), routing.Wrap(PauseAllAlerts)) adminRoute.Post("/pause-all-alerts", reqGrafanaAdmin, bind(dtos.PauseAllAlertsCommand{}), routing.Wrap(PauseAllAlerts))
adminRoute.Post("/provisioning/dashboards/reload", authorize(reqGrafanaAdmin, ActionProvisioningReload, ScopeProvisionersDashboards), routing.Wrap(hs.AdminProvisioningReloadDashboards)) adminRoute.Post("/provisioning/dashboards/reload", reqGrafanaAdmin, routing.Wrap(hs.AdminProvisioningReloadDashboards))
adminRoute.Post("/provisioning/plugins/reload", authorize(reqGrafanaAdmin, ActionProvisioningReload, ScopeProvisionersPlugins), routing.Wrap(hs.AdminProvisioningReloadPlugins)) adminRoute.Post("/provisioning/plugins/reload", reqGrafanaAdmin, routing.Wrap(hs.AdminProvisioningReloadPlugins))
adminRoute.Post("/provisioning/datasources/reload", authorize(reqGrafanaAdmin, ActionProvisioningReload, ScopeProvisionersDatasources), routing.Wrap(hs.AdminProvisioningReloadDatasources)) adminRoute.Post("/provisioning/datasources/reload", reqGrafanaAdmin, routing.Wrap(hs.AdminProvisioningReloadDatasources))
adminRoute.Post("/provisioning/notifications/reload", authorize(reqGrafanaAdmin, ActionProvisioningReload, ScopeProvisionersNotifications), routing.Wrap(hs.AdminProvisioningReloadNotifications)) adminRoute.Post("/provisioning/notifications/reload", reqGrafanaAdmin, routing.Wrap(hs.AdminProvisioningReloadNotifications))
adminRoute.Post("/ldap/reload", authorize(reqGrafanaAdmin, accesscontrol.ActionLDAPConfigReload), routing.Wrap(hs.ReloadLDAPCfg)) adminRoute.Post("/ldap/reload", authorize(reqGrafanaAdmin, accesscontrol.ActionLDAPConfigReload), routing.Wrap(hs.ReloadLDAPCfg))
adminRoute.Post("/ldap/sync/:id", authorize(reqGrafanaAdmin, accesscontrol.ActionLDAPUsersSync), routing.Wrap(hs.PostSyncUserWithLDAP)) adminRoute.Post("/ldap/sync/:id", authorize(reqGrafanaAdmin, accesscontrol.ActionLDAPUsersSync), routing.Wrap(hs.PostSyncUserWithLDAP))
adminRoute.Get("/ldap/:username", authorize(reqGrafanaAdmin, accesscontrol.ActionLDAPUsersRead), routing.Wrap(hs.GetUserFromLDAP)) adminRoute.Get("/ldap/:username", authorize(reqGrafanaAdmin, accesscontrol.ActionLDAPUsersRead), routing.Wrap(hs.GetUserFromLDAP))

4
pkg/api/common_test.go
Unescape View File

@ -253,10 +253,6 @@ func (f *fakeAccessControl) IsDisabled() bool {
return f.isDisabled return f.isDisabled
} }
func (f *fakeAccessControl) DeclareFixedRoles(registrations ...accesscontrol.RoleRegistration) error {
return nil
}
func setupAccessControlScenarioContext(t *testing.T, cfg *setting.Cfg, url string, permissions []*accesscontrol.Permission) (*scenarioContext, *HTTPServer) { func setupAccessControlScenarioContext(t *testing.T, cfg *setting.Cfg, url string, permissions []*accesscontrol.Permission) (*scenarioContext, *HTTPServer) {
cfg.FeatureToggles = make(map[string]bool) cfg.FeatureToggles = make(map[string]bool)
cfg.FeatureToggles["accesscontrol"] = true cfg.FeatureToggles["accesscontrol"] = true

3
pkg/api/http_server.go
Unescape View File

@ -117,7 +117,8 @@ func (hs *HTTPServer) Init() error {
hs.macaron = hs.newMacaron() hs.macaron = hs.newMacaron()
hs.registerRoutes() hs.registerRoutes()
return hs.declareFixedRoles()
return nil
} }
func (hs *HTTPServer) AddMiddleware(middleware macaron.Handler) { func (hs *HTTPServer) AddMiddleware(middleware macaron.Handler) {

41
pkg/api/roles.go
Unescape View File

@ -1,41 +0,0 @@
package api
import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
)
// API related actions
const (
ActionProvisioningReload = "provisioning:reload"
)
// API related scopes
const (
ScopeProvisionersAll = "provisioners:*"
ScopeProvisionersDashboards = "provisioners:dashboards"
ScopeProvisionersPlugins = "provisioners:plugins"
ScopeProvisionersDatasources = "provisioners:datasources"
ScopeProvisionersNotifications = "provisioners:notifications"
)
// declareFixedRoles declares to the AccessControl service fixed roles and their
// grants to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
// that HTTPServer needs
func (hs *HTTPServer) declareFixedRoles() error {
registration := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:provisioning:admin",
Description: "Reload provisioning configurations",
Permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersAll,
},
},
},
Grants: []string{accesscontrol.RoleGrafanaAdmin},
}
return hs.AccessControl.DeclareFixedRoles(registration)
}

18
pkg/server/server.go
Unescape View File

@ -39,7 +39,7 @@ import (
_ "github.com/grafana/grafana/pkg/services/login/loginservice" _ "github.com/grafana/grafana/pkg/services/login/loginservice"
_ "github.com/grafana/grafana/pkg/services/ngalert" _ "github.com/grafana/grafana/pkg/services/ngalert"
_ "github.com/grafana/grafana/pkg/services/notifications" _ "github.com/grafana/grafana/pkg/services/notifications"
"github.com/grafana/grafana/pkg/services/provisioning" _ "github.com/grafana/grafana/pkg/services/provisioning"
_ "github.com/grafana/grafana/pkg/services/rendering" _ "github.com/grafana/grafana/pkg/services/rendering"
_ "github.com/grafana/grafana/pkg/services/search" _ "github.com/grafana/grafana/pkg/services/search"
_ "github.com/grafana/grafana/pkg/services/sqlstore" _ "github.com/grafana/grafana/pkg/services/sqlstore"
@ -73,11 +73,6 @@ func (r *globalServiceRegistry) GetServices() []*registry.Descriptor {
return registry.GetServices() return registry.GetServices()
} }
type roleRegistry interface {
// RegisterFixedRoles registers all roles declared to AccessControl
RegisterFixedRoles() error
}
// New returns a new instance of Server. // New returns a new instance of Server.
func New(cfg Config) (*Server, error) { func New(cfg Config) (*Server, error) {
s := newServer(cfg) s := newServer(cfg)
@ -135,9 +130,7 @@ type Server struct {
serviceRegistry serviceRegistry serviceRegistry serviceRegistry
HTTPServer *api.HTTPServer `inject:""` HTTPServer *api.HTTPServer `inject:""`
AccessControl roleRegistry `inject:""`
ProvisioningService provisioning.ProvisioningService `inject:""`
} }
// init initializes the server and its services. // init initializes the server and its services.
@ -174,12 +167,7 @@ func (s *Server) init() error {
} }
} }
// Register all fixed roles return nil
if err := s.AccessControl.RegisterFixedRoles(); err != nil {
return err
}
return s.ProvisioningService.RunInitProvisioners()
} }
// Run initializes and starts services. This will block until all services have // Run initializes and starts services. This will block until all services have

4
pkg/services/accesscontrol/accesscontrol.go
Unescape View File

@ -15,10 +15,6 @@ type AccessControl interface {
// Middleware checks if service disabled or not to switch to fallback authorization. // Middleware checks if service disabled or not to switch to fallback authorization.
IsDisabled() bool IsDisabled() bool
// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their
// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
DeclareFixedRoles(...RoleRegistration) error
} }
func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool { func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool {

8
pkg/services/accesscontrol/errors.go
Unescape View File

@ -1,8 +0,0 @@
package accesscontrol
import "errors"
var (
ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")
ErrInvalidBuiltinRole = errors.New("built-in role is not valid")
)

20
pkg/services/accesscontrol/models.go
Unescape View File

@ -4,13 +4,6 @@ import (
"time" "time"
) )
// RoleRegistration stores a role and its assignments to built-in roles
// (Viewer, Editor, Admin, Grafana Admin)
type RoleRegistration struct {
Role RoleDTO
Grants []string
}
type Role struct { type Role struct {
Version int64 `json:"version"` Version int64 `json:"version"`
UID string `json:"uid"` UID string `json:"uid"`
@ -49,6 +42,9 @@ func (p RoleDTO) Role() Role {
const ( const (
// Permission actions // Permission actions
// Provisioning actions
ActionProvisioningReload = "provisioning:reload"
// Users actions // Users actions
ActionUsersRead = "users:read" ActionUsersRead = "users:read"
ActionUsersWrite = "users:write" ActionUsersWrite = "users:write"
@ -95,13 +91,15 @@ const (
// Global Scopes // Global Scopes
ScopeGlobalUsersAll = "global:users:*" ScopeGlobalUsersAll = "global:users:*"
// Users scope // Users scopes
ScopeUsersAll = "users:*" ScopeUsersSelf = "users:self"
ScopeUsersAll = "users:*"
// Settings scope // Settings scope
ScopeSettingsAll = "settings:**" ScopeSettingsAll = "settings:**"
// Services Scopes
ScopeServicesAll = "service:*"
) )
const RoleGrafanaAdmin = "Grafana Admin" const RoleGrafanaAdmin = "Grafana Admin"
const FixedRolePrefix = "fixed:"

90
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
Unescape View File

@ -15,10 +15,9 @@ import (
// OSSAccessControlService is the service implementing role based access control. // OSSAccessControlService is the service implementing role based access control.
type OSSAccessControlService struct { type OSSAccessControlService struct {
Cfg *setting.Cfg `inject:""` Cfg *setting.Cfg `inject:""`
UsageStats usagestats.UsageStats `inject:""` UsageStats usagestats.UsageStats `inject:""`
Log log.Logger Log log.Logger
registrations accesscontrol.RegistrationList
} }
// Init initializes the OSSAccessControlService. // Init initializes the OSSAccessControlService.
@ -70,11 +69,11 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
for _, builtin := range builtinRoles { for _, builtin := range builtinRoles {
if roleNames, ok := accesscontrol.FixedRoleGrants[builtin]; ok { if roleNames, ok := accesscontrol.FixedRoleGrants[builtin]; ok {
for _, name := range roleNames { for _, name := range roleNames {
role, exists := accesscontrol.FixedRoles[name] r, exists := accesscontrol.FixedRoles[name]
if !exists { if !exists {
continue continue
} }
for _, p := range role.Permissions { for _, p := range r.Permissions {
permission := p permission := p
permissions = append(permissions, &permission) permissions = append(permissions, &permission)
} }
@ -96,82 +95,3 @@ func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser
return roles return roles
} }
func (ac *OSSAccessControlService) saveFixedRole(role accesscontrol.RoleDTO) {
if storedRole, ok := accesscontrol.FixedRoles[role.Name]; ok {
// If a package wants to override another package's role, the version
// needs to be increased. Hence, we don't overwrite a role with a
// greater version.
if storedRole.Version >= role.Version {
log.Debugf("role %v has already been stored in a greater version, skipping registration", role.Name)
return
}
}
// Save role
accesscontrol.FixedRoles[role.Name] = role
}
func (ac *OSSAccessControlService) assignFixedRole(role accesscontrol.RoleDTO, builtInRoles []string) {
for _, builtInRole := range builtInRoles {
// Only record new assignments
alreadyAssigned := false
assignments, ok := accesscontrol.FixedRoleGrants[builtInRole]
if ok {
for _, assignedRole := range assignments {
if assignedRole == role.Name {
log.Debugf("role %v has already been assigned to %v", role.Name, builtInRole)
alreadyAssigned = true
}
}
}
if !alreadyAssigned {
assignments = append(assignments, role.Name)
accesscontrol.FixedRoleGrants[builtInRole] = assignments
}
}
}
// RegisterFixedRoles registers all declared roles in RAM
func (ac *OSSAccessControlService) RegisterFixedRoles() error {
// If accesscontrol is disabled no need to register roles
if ac.IsDisabled() {
return nil
}
var err error
ac.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
ac.registerFixedRole(registration.Role, registration.Grants)
return true
})
return err
}
// RegisterFixedRole saves a fixed role and assigns it to built-in roles
func (ac *OSSAccessControlService) registerFixedRole(role accesscontrol.RoleDTO, builtInRoles []string) {
ac.saveFixedRole(role)
ac.assignFixedRole(role, builtInRoles)
}
// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their assignments
// to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
func (ac *OSSAccessControlService) DeclareFixedRoles(registrations ...accesscontrol.RoleRegistration) error {
// If accesscontrol is disabled no need to register roles
if ac.IsDisabled() {
return nil
}
for _, r := range registrations {
err := accesscontrol.ValidateFixedRole(r.Role)
if err != nil {
return err
}
err = accesscontrol.ValidateBuiltInRoles(r.Grants)
if err != nil {
return err
}
ac.registrations.Append(r)
}
return nil
}

369
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
Unescape View File

@ -2,7 +2,6 @@ package ossaccesscontrol
import ( import (
"context" "context"
"fmt"
"testing" "testing"
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
@ -32,28 +31,6 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {
return &ac return &ac
} }
func removeRoleHelper(role string) {
delete(accesscontrol.FixedRoles, role)
// Compute new grants removing any appearance of the role in the list
replaceGrants := map[string][]string{}
for builtInRole, grants := range accesscontrol.FixedRoleGrants {
newGrants := make([]string, len(grants))
for _, r := range grants {
if r != role {
newGrants = append(newGrants, r)
}
}
replaceGrants[builtInRole] = newGrants
}
// Replace grants
for br, grants := range replaceGrants {
accesscontrol.FixedRoleGrants[br] = grants
}
}
type usageStatsMock struct { type usageStatsMock struct {
t *testing.T t *testing.T
metricsFuncs []usagestats.MetricsFunc metricsFuncs []usagestats.MetricsFunc
@ -189,349 +166,3 @@ func TestUsageMetrics(t *testing.T) {
}) })
} }
} }
type assignmentTestCase struct {
role accesscontrol.RoleDTO
builtInRoles []string
}
func TestOSSAccessControlService_RegisterFixedRole(t *testing.T) {
tests := []struct {
name string
runs []assignmentTestCase
}{
{
name: "Successfully register role no assignments",
runs: []assignmentTestCase{
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
},
},
},
{
name: "Successfully ignore overwriting existing role",
runs: []assignmentTestCase{
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
},
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
},
},
},
{
name: "Successfully register and assign role",
runs: []assignmentTestCase{
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
builtInRoles: []string{"Viewer", "Editor", "Admin"},
},
},
},
{
name: "Successfully ignore unchanged assignment",
runs: []assignmentTestCase{
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
builtInRoles: []string{"Viewer"},
},
{
role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:test:test",
},
builtInRoles: []string{"Viewer"},
},
},
},
{
name: "Successfully add a new assignment",
runs: []assignmentTestCase{
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
builtInRoles: []string{"Viewer"},
},
{
role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
builtInRoles: []string{"Editor"},
},
},
},
}
// Check all runs performed so far to get the number of assignments seeder
// should have recorded
getTotalAssignCount := func(curRunIdx int, runs []assignmentTestCase) int {
builtIns := map[string]struct{}{}
for i := 0; i < curRunIdx+1; i++ {
for _, br := range runs[i].builtInRoles {
builtIns[br] = struct{}{}
}
}
return len(builtIns)
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
ac := &OSSAccessControlService{
Cfg: setting.NewCfg(),
UsageStats: &usageStatsMock{t: t, metricsFuncs: make([]usagestats.MetricsFunc, 0)},
Log: log.New("accesscontrol-test"),
}
for i, run := range tc.runs {
// Remove any inserted role after the test case has been run
t.Cleanup(func() { removeRoleHelper(run.role.Name) })
ac.registerFixedRole(run.role, run.builtInRoles)
// Check role has been registered
storedRole, ok := accesscontrol.FixedRoles[run.role.Name]
assert.True(t, ok, "role should have been registered")
// Check registered role has not been altered
assert.Equal(t, run.role, storedRole, "role should not have been altered")
// Check assignments
// Count number of times the role has been assigned
assignCnt := 0
for _, grants := range accesscontrol.FixedRoleGrants {
for _, r := range grants {
if r == run.role.Name {
assignCnt++
}
}
}
assert.Equal(t, getTotalAssignCount(i, tc.runs), assignCnt,
"assignments should only be added, never removed")
for _, br := range run.builtInRoles {
assigns, ok := accesscontrol.FixedRoleGrants[br]
assert.True(t, ok,
fmt.Sprintf("role %s should have been assigned to %s", run.role.Name, br))
assert.Contains(t, assigns, run.role.Name,
fmt.Sprintf("role %s should have been assigned to %s", run.role.Name, br))
}
}
})
}
}
func TestOSSAccessControlService_DeclareFixedRoles(t *testing.T) {
tests := []struct {
name string
registrations []accesscontrol.RoleRegistration
wantErr bool
err error
}{
{
name: "should work with empty list",
wantErr: false,
},
{
name: "should add registration",
registrations: []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
Grants: []string{"Admin"},
},
},
wantErr: false,
},
{
name: "should fail registration invalid role name",
registrations: []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "custom:test:test",
},
Grants: []string{"Admin"},
},
},
wantErr: true,
err: accesscontrol.ErrFixedRolePrefixMissing,
},
{
name: "should fail registration invalid builtin role assignment",
registrations: []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
Grants: []string{"WrongAdmin"},
},
},
wantErr: true,
err: accesscontrol.ErrInvalidBuiltinRole,
},
{
name: "should add multiple registrations at once",
registrations: []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
Grants: []string{"Admin"},
},
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test2:test2",
},
Grants: []string{"Admin"},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ac := &OSSAccessControlService{
Cfg: setting.NewCfg(),
UsageStats: &usageStatsMock{t: t, metricsFuncs: make([]usagestats.MetricsFunc, 0)},
Log: log.New("accesscontrol-test"),
registrations: accesscontrol.RegistrationList{},
}
ac.Cfg.FeatureToggles = map[string]bool{"accesscontrol": true}
// Test
err := ac.DeclareFixedRoles(tt.registrations...)
if tt.wantErr {
require.Error(t, err)
assert.ErrorIs(t, err, tt.err)
return
}
require.NoError(t, err)
registrationCnt := 0
ac.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
registrationCnt++
return true
})
assert.Equal(t, len(tt.registrations), registrationCnt,
"expected service registration list to contain all test registrations")
})
}
}
func TestOSSAccessControlService_RegisterFixedRoles(t *testing.T) {
tests := []struct {
name string
token models.Licensing
registrations []accesscontrol.RoleRegistration
wantErr bool
}{
{
name: "should work with empty list",
},
{
name: "should register and assign role",
registrations: []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
Grants: []string{"Admin"},
},
},
wantErr: false,
},
{
name: "should register and assign multiple roles",
registrations: []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test:test",
},
Grants: []string{"Admin"},
},
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:test2:test2",
},
Grants: []string{"Admin"},
},
},
wantErr: false,
},
}
for _, tt := range tests {
cfg := setting.NewCfg()
cfg.FeatureToggles = map[string]bool{"accesscontrol": true}
t.Run(tt.name, func(t *testing.T) {
// Remove any inserted role after the test case has been run
t.Cleanup(func() {
for _, registration := range tt.registrations {
removeRoleHelper(registration.Role.Name)
}
})
// Setup
ac := &OSSAccessControlService{
Cfg: setting.NewCfg(),
UsageStats: &usageStatsMock{t: t, metricsFuncs: make([]usagestats.MetricsFunc, 0)},
Log: log.New("accesscontrol-test"),
registrations: accesscontrol.RegistrationList{},
}
ac.Cfg.FeatureToggles = map[string]bool{"accesscontrol": true}
ac.registrations.Append(tt.registrations...)
// Test
err := ac.RegisterFixedRoles()
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
// Check
for _, registration := range tt.registrations {
role, ok := accesscontrol.FixedRoles[registration.Role.Name]
assert.True(t, ok,
fmt.Sprintf("role %s should have been registered", registration.Role.Name))
assert.NotNil(t, role,
fmt.Sprintf("role %s should have been registered", registration.Role.Name))
for _, br := range registration.Grants {
rolesWithGrant, ok := accesscontrol.FixedRoleGrants[br]
assert.True(t, ok,
fmt.Sprintf("role %s should have been assigned to %s", registration.Role.Name, br))
assert.Contains(t, rolesWithGrant, registration.Role.Name,
fmt.Sprintf("role %s should have been assigned to %s", registration.Role.Name, br))
}
}
})
}
}

431
pkg/services/accesscontrol/roles.go
Unescape View File

@ -1,173 +1,198 @@
package accesscontrol package accesscontrol
import ( import "github.com/grafana/grafana/pkg/models"
"fmt"
"strings" var datasourcesEditorReadRole = RoleDTO{
"sync" Version: 1,
Name: datasourcesEditorRead,
Permissions: []Permission{
{
Action: ActionDatasourcesExplore,
},
},
}
"github.com/grafana/grafana/pkg/models" var ldapAdminReadRole = RoleDTO{
) Name: ldapAdminRead,
Version: 1,
Permissions: []Permission{
{
Action: ActionLDAPUsersRead,
},
{
Action: ActionLDAPStatusRead,
},
},
}
// Roles definition var ldapAdminEditRole = RoleDTO{
var ( Name: ldapAdminEdit,
datasourcesEditorReadRole = RoleDTO{ Version: 2,
Version: 1, Permissions: ConcatPermissions(ldapAdminReadRole.Permissions, []Permission{
Name: datasourcesEditorRead, {
Permissions: []Permission{ Action: ActionLDAPUsersSync,
{
Action: ActionDatasourcesExplore,
},
}, },
} {
Action: ActionLDAPConfigReload,
},
}),
}
ldapAdminReadRole = RoleDTO{ var serverAdminReadRole = RoleDTO{
Name: ldapAdminRead, Version: 1,
Version: 1, Name: serverAdminRead,
Permissions: []Permission{ Permissions: []Permission{
{ {
Action: ActionLDAPUsersRead, Action: ActionServerStatsRead,
},
{
Action: ActionLDAPStatusRead,
},
}, },
} },
}
ldapAdminEditRole = RoleDTO{ var settingsAdminReadRole = RoleDTO{
Name: ldapAdminEdit, Version: 1,
Version: 2, Name: settingsAdminRead,
Permissions: ConcatPermissions(ldapAdminReadRole.Permissions, []Permission{ Permissions: []Permission{
{ {
Action: ActionLDAPUsersSync, Action: ActionSettingsRead,
}, Scope: ScopeSettingsAll,
{ },
Action: ActionLDAPConfigReload, },
}, }
}),
}
serverAdminReadRole = RoleDTO{ var usersOrgReadRole = RoleDTO{
Version: 1, Name: usersOrgRead,
Name: serverAdminRead, Version: 1,
Permissions: []Permission{ Permissions: []Permission{
{ {
Action: ActionServerStatsRead, Action: ActionOrgUsersRead,
}, Scope: ScopeUsersAll,
}, },
} },
}
settingsAdminReadRole = RoleDTO{ var usersOrgEditRole = RoleDTO{
Version: 1, Name: usersOrgEdit,
Name: settingsAdminRead, Version: 1,
Permissions: []Permission{ Permissions: ConcatPermissions(usersOrgReadRole.Permissions, []Permission{
{ {
Action: ActionSettingsRead, Action: ActionOrgUsersAdd,
Scope: ScopeSettingsAll, Scope: ScopeUsersAll,
},
}, },
} {
Action: ActionOrgUsersRoleUpdate,
Scope: ScopeUsersAll,
},
{
Action: ActionOrgUsersRemove,
Scope: ScopeUsersAll,
},
}),
}
usersOrgReadRole = RoleDTO{ var usersAdminReadRole = RoleDTO{
Name: usersOrgRead, Name: usersAdminRead,
Version: 1, Version: 1,
Permissions: []Permission{ Permissions: []Permission{
{ {
Action: ActionOrgUsersRead, Action: ActionUsersRead,
Scope: ScopeUsersAll, Scope: ScopeGlobalUsersAll,
},
}, },
} {
Action: ActionUsersTeamRead,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersAuthTokenList,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersQuotasList,
Scope: ScopeGlobalUsersAll,
},
},
}
usersOrgEditRole = RoleDTO{ var usersAdminEditRole = RoleDTO{
Name: usersOrgEdit, Name: usersAdminEdit,
Version: 1, Version: 1,
Permissions: ConcatPermissions(usersOrgReadRole.Permissions, []Permission{ Permissions: ConcatPermissions(usersAdminReadRole.Permissions, []Permission{
{ {
Action: ActionOrgUsersAdd, Action: ActionUsersPasswordUpdate,
Scope: ScopeUsersAll, Scope: ScopeGlobalUsersAll,
}, },
{ {
Action: ActionOrgUsersRoleUpdate, Action: ActionUsersCreate,
Scope: ScopeUsersAll, },
}, {
{ Action: ActionUsersWrite,
Action: ActionOrgUsersRemove, Scope: ScopeGlobalUsersAll,
Scope: ScopeUsersAll, },
}, {
}), Action: ActionUsersDelete,
} Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersEnable,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersDisable,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersPermissionsUpdate,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersLogout,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersAuthTokenUpdate,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersQuotasUpdate,
Scope: ScopeGlobalUsersAll,
},
}),
}
usersAdminReadRole = RoleDTO{ var provisioningAdminRole = RoleDTO{
Name: usersAdminRead, Name: provisioningAdmin,
Version: 1, Version: 1,
Permissions: []Permission{ Permissions: []Permission{
{ {
Action: ActionUsersRead, Action: ActionProvisioningReload,
Scope: ScopeGlobalUsersAll, Scope: ScopeServicesAll,
},
{
Action: ActionUsersTeamRead,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersAuthTokenList,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersQuotasList,
Scope: ScopeGlobalUsersAll,
},
}, },
} },
}
usersAdminEditRole = RoleDTO{ // FixedRoles provides a map of permission sets/roles which can be
Name: usersAdminEdit, // assigned to a set of users. When adding a new resource protected by
Version: 1, // Grafana access control the default permissions should be added to a
Permissions: ConcatPermissions(usersAdminReadRole.Permissions, []Permission{ // new fixed role in this set so that users can access the new
{ // resource. FixedRoleGrants lists which built-in roles are
Action: ActionUsersPasswordUpdate, // assigned which fixed roles in this list.
Scope: ScopeGlobalUsersAll, var FixedRoles = map[string]RoleDTO{
}, datasourcesEditorRead: datasourcesEditorReadRole,
{ serverAdminRead: serverAdminReadRole,
Action: ActionUsersCreate,
}, settingsAdminRead: settingsAdminReadRole,
{
Action: ActionUsersWrite, usersAdminRead: usersAdminReadRole,
Scope: ScopeGlobalUsersAll, usersAdminEdit: usersAdminEditRole,
},
{ usersOrgRead: usersOrgReadRole,
Action: ActionUsersDelete, usersOrgEdit: usersOrgEditRole,
Scope: ScopeGlobalUsersAll,
}, ldapAdminRead: ldapAdminReadRole,
{ ldapAdminEdit: ldapAdminEditRole,
Action: ActionUsersEnable,
Scope: ScopeGlobalUsersAll, provisioningAdmin: provisioningAdminRole,
}, }
{
Action: ActionUsersDisable,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersPermissionsUpdate,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersLogout,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersAuthTokenUpdate,
Scope: ScopeGlobalUsersAll,
},
{
Action: ActionUsersQuotasUpdate,
Scope: ScopeGlobalUsersAll,
},
}),
}
)
// Role names definitions
const ( const (
datasourcesEditorRead = "fixed:datasources:editor:read" datasourcesEditorRead = "fixed:datasources:editor:read"
@ -183,50 +208,33 @@ const (
ldapAdminEdit = "fixed:ldap:admin:edit" ldapAdminEdit = "fixed:ldap:admin:edit"
ldapAdminRead = "fixed:ldap:admin:read" ldapAdminRead = "fixed:ldap:admin:read"
)
var ( provisioningAdmin = "fixed:provisioning:admin"
// FixedRoles provides a map of permission sets/roles which can be
// assigned to a set of users. When adding a new resource protected by
// Grafana access control the default permissions should be added to a
// new fixed role in this set so that users can access the new
// resource. FixedRoleGrants lists which built-in roles are
// assigned which fixed roles in this list.
FixedRoles = map[string]RoleDTO{
datasourcesEditorRead: datasourcesEditorReadRole,
usersAdminEdit: usersAdminEditRole,
usersAdminRead: usersAdminReadRole,
usersOrgEdit: usersOrgEditRole,
usersOrgRead: usersOrgReadRole,
ldapAdminEdit: ldapAdminEditRole,
ldapAdminRead: ldapAdminReadRole,
serverAdminRead: serverAdminReadRole,
settingsAdminRead: settingsAdminReadRole,
}
// FixedRoleGrants specifies which built-in roles are assigned
// to which set of FixedRoles by default. Alphabetically sorted.
FixedRoleGrants = map[string][]string{
RoleGrafanaAdmin: {
ldapAdminEdit,
ldapAdminRead,
serverAdminRead,
settingsAdminRead,
usersAdminEdit,
usersAdminRead,
usersOrgEdit,
usersOrgRead,
},
string(models.ROLE_ADMIN): {
usersOrgEdit,
usersOrgRead,
},
string(models.ROLE_EDITOR): {
datasourcesEditorRead,
},
}
) )
// FixedRoleGrants specifies which built-in roles are assigned
// to which set of FixedRoles by default. Alphabetically sorted.
var FixedRoleGrants = map[string][]string{
RoleGrafanaAdmin: {
ldapAdminEdit,
ldapAdminRead,
provisioningAdmin,
serverAdminRead,
settingsAdminRead,
usersAdminEdit,
usersAdminRead,
usersOrgEdit,
usersOrgRead,
},
string(models.ROLE_ADMIN): {
usersOrgEdit,
usersOrgRead,
},
string(models.ROLE_EDITOR): {
datasourcesEditorRead,
},
}
func ConcatPermissions(permissions ...[]Permission) []Permission { func ConcatPermissions(permissions ...[]Permission) []Permission {
if permissions == nil { if permissions == nil {
return nil return nil
@ -239,42 +247,3 @@ func ConcatPermissions(permissions ...[]Permission) []Permission {
} }
return perms return perms
} }
// ValidateFixedRole errors when a fixed role does not match expected pattern
func ValidateFixedRole(role RoleDTO) error {
if !strings.HasPrefix(role.Name, FixedRolePrefix) {
return ErrFixedRolePrefixMissing
}
return nil
}
// ValidateBuiltInRoles errors when a built-in role does not match expected pattern
func ValidateBuiltInRoles(builtInRoles []string) error {
for _, br := range builtInRoles {
if !models.RoleType(br).IsValid() && br != RoleGrafanaAdmin {
return fmt.Errorf("'%s' %w", br, ErrInvalidBuiltinRole)
}
}
return nil
}
type RegistrationList struct {
mx sync.RWMutex
registrations []RoleRegistration
}
func (m *RegistrationList) Append(regs ...RoleRegistration) {
m.mx.Lock()
defer m.mx.Unlock()
m.registrations = append(m.registrations, regs...)
}
func (m *RegistrationList) Range(f func(registration RoleRegistration) bool) {
m.mx.RLock()
defer m.mx.RUnlock()
for _, registration := range m.registrations {
if ok := f(registration); !ok {
return
}
}
}

18
pkg/services/accesscontrol/roles_test.go
Unescape View File

@ -9,28 +9,26 @@ import (
) )
func TestPredefinedRoles(t *testing.T) { func TestPredefinedRoles(t *testing.T) {
for name, role := range FixedRoles { for name, r := range FixedRoles {
assert.Truef(t, assert.Truef(t,
strings.HasPrefix(name, "fixed:"), strings.HasPrefix(name, "fixed:"),
"expected all fixed roles to be prefixed by 'fixed:', found role '%s'", name, "expected all fixed roles to be prefixed by 'fixed:', found role '%s'", name,
) )
assert.Equal(t, name, role.Name) assert.Equal(t, name, r.Name)
assert.NotZero(t, role.Version) assert.NotZero(t, r.Version)
// assert.NotEmpty(t, r.Description)
} }
} }
func TestPredefinedRoleGrants(t *testing.T) { func TestPredefinedRoleGrants(t *testing.T) {
for _, grants := range FixedRoleGrants { for _, v := range FixedRoleGrants {
// Check grants list is sorted
assert.True(t, assert.True(t,
sort.SliceIsSorted(grants, func(i, j int) bool { sort.SliceIsSorted(v, func(i, j int) bool {
return grants[i] < grants[j] return v[i] < v[j]
}), }),
"require role grant lists to be sorted", "require role grant lists to be sorted",
) )
for _, r := range v {
// Check all granted roles have been registered
for _, r := range grants {
assert.Contains(t, FixedRoles, r) assert.Contains(t, FixedRoles, r)
} }
} }

2
pkg/services/provisioning/provisioning.go
Unescape View File

@ -78,7 +78,7 @@ type provisioningServiceImpl struct {
} }
func (ps *provisioningServiceImpl) Init() error { func (ps *provisioningServiceImpl) Init() error {
return nil return ps.RunInitProvisioners()
} }
func (ps *provisioningServiceImpl) RunInitProvisioners() error { func (ps *provisioningServiceImpl) RunInitProvisioners() error {

Write Preview
Loading…
Cancel
Save