Chore: remove checks for whether RBAC is disabled (#73812)

* remove checks for whether access control is disabled, as it is always enabled now

* linting
pull/73834/head
Ieva 2 years ago committed by GitHub
parent 972da629ab
commit 6885b3d577
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      pkg/api/datasources.go
  2. 19
      pkg/services/accesscontrol/acimpl/service.go
  3. 6
      pkg/services/annotations/annotationsimpl/xorm_store.go
  4. 7
      pkg/services/datasources/service/datasource.go
  5. 2
      pkg/services/org/orgimpl/store.go
  6. 4
      pkg/services/searchV2/allowed_actions.go
  7. 4
      pkg/services/searchV2/service.go
  8. 2
      pkg/services/serviceaccounts/database/store.go
  9. 2
      pkg/services/user/userimpl/store.go

@ -400,9 +400,7 @@ func (hs *HTTPServer) AddDataSource(c *contextmodel.ReqContext) response.Respons
// Clear permission cache for the user who's created the data source, so that new permissions are fetched for their next call // Clear permission cache for the user who's created the data source, so that new permissions are fetched for their next call
// Required for cases when caller wants to immediately interact with the newly created object // Required for cases when caller wants to immediately interact with the newly created object
if !hs.AccessControl.IsDisabled() {
hs.accesscontrolService.ClearUserPermissionCache(c.SignedInUser) hs.accesscontrolService.ClearUserPermissionCache(c.SignedInUser)
}
ds := hs.convertModelToDtos(c.Req.Context(), dataSource) ds := hs.convertModelToDtos(c.Req.Context(), dataSource)
return response.JSON(http.StatusOK, util.DynMap{ return response.JSON(http.StatusOK, util.DynMap{

@ -202,10 +202,6 @@ func (s *Service) DeclareFixedRoles(registrations ...accesscontrol.RoleRegistrat
// RegisterFixedRoles registers all declared roles in RAM // RegisterFixedRoles registers all declared roles in RAM
func (s *Service) RegisterFixedRoles(ctx context.Context) error { func (s *Service) RegisterFixedRoles(ctx context.Context) error {
// If accesscontrol is disabled no need to register roles
if accesscontrol.IsDisabled(s.cfg) {
return nil
}
s.registrations.Range(func(registration accesscontrol.RoleRegistration) bool { s.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
for br := range accesscontrol.BuiltInRolesWithParents(registration.Grants) { for br := range accesscontrol.BuiltInRolesWithParents(registration.Grants) {
if basicRole, ok := s.roles[br]; ok { if basicRole, ok := s.roles[br]; ok {
@ -234,11 +230,6 @@ func permissionCacheKey(user identity.Requester) (string, error) {
// DeclarePluginRoles allow the caller to declare, to the service, plugin roles and their assignments // DeclarePluginRoles allow the caller to declare, to the service, plugin roles and their assignments
// to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin" // to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
func (s *Service) DeclarePluginRoles(_ context.Context, ID, name string, regs []plugins.RoleRegistration) error { func (s *Service) DeclarePluginRoles(_ context.Context, ID, name string, regs []plugins.RoleRegistration) error {
// If accesscontrol is disabled no need to register roles
if accesscontrol.IsDisabled(s.cfg) {
return nil
}
// Protect behind feature toggle // Protect behind feature toggle
if !s.features.IsEnabled(featuremgmt.FlagAccessControlOnCall) { if !s.features.IsEnabled(featuremgmt.FlagAccessControlOnCall) {
return nil return nil
@ -426,11 +417,6 @@ func PermissionMatchesSearchOptions(permission accesscontrol.Permission, searchO
} }
func (s *Service) SaveExternalServiceRole(ctx context.Context, cmd accesscontrol.SaveExternalServiceRoleCommand) error { func (s *Service) SaveExternalServiceRole(ctx context.Context, cmd accesscontrol.SaveExternalServiceRoleCommand) error {
// If accesscontrol is disabled no need to save the external service role
if accesscontrol.IsDisabled(s.cfg) {
return nil
}
if !s.features.IsEnabled(featuremgmt.FlagExternalServiceAuth) { if !s.features.IsEnabled(featuremgmt.FlagExternalServiceAuth) {
s.log.Debug("registering an external service role is behind a feature flag, enable it to use this feature.") s.log.Debug("registering an external service role is behind a feature flag, enable it to use this feature.")
return nil return nil
@ -444,11 +430,6 @@ func (s *Service) SaveExternalServiceRole(ctx context.Context, cmd accesscontrol
} }
func (s *Service) DeleteExternalServiceRole(ctx context.Context, externalServiceID string) error { func (s *Service) DeleteExternalServiceRole(ctx context.Context, externalServiceID string) error {
// If accesscontrol is disabled no need to delete the external service role
if accesscontrol.IsDisabled(s.cfg) {
return nil
}
if !s.features.IsEnabled(featuremgmt.FlagExternalServiceAuth) { if !s.features.IsEnabled(featuremgmt.FlagExternalServiceAuth) {
s.log.Debug("deleting an external service role is behind a feature flag, enable it to use this feature.") s.log.Debug("deleting an external service role is behind a feature flag, enable it to use this feature.")
return nil return nil
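Review bot: `SaveExternalServiceRole` and `DeleteExternalServiceRole` are exported but carry no doc comment on the new side, and the removed lines held the only comments saying when they do nothing. Both still return nil when `featuremgmt.FlagExternalServiceAuth` is off and report that only at Debug level, so a caller cannot tell a stored or deleted role from a skipped one. I would add `// SaveExternalServiceRole saves the role of an external service; it returns nil without doing anything when FlagExternalServiceAuth is disabled.` and the matching comment on the delete method, with the wording checked against the rest of each body. Both bodies continue outside their hunks.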

@ -339,16 +339,12 @@ func (r *xormRepositoryImpl) Get(ctx context.Context, query *annotations.ItemQue
} }
} }
var acFilter acFilter acFilter, err := r.getAccessControlFilter(query.SignedInUser)
if !ac.IsDisabled(r.cfg) {
var err error
acFilter, err = r.getAccessControlFilter(query.SignedInUser)
if err != nil { if err != nil {
return err return err
} }
sql.WriteString(fmt.Sprintf(" AND (%s)", acFilter.where)) sql.WriteString(fmt.Sprintf(" AND (%s)", acFilter.where))
params = append(params, acFilter.whereParams...) params = append(params, acFilter.whereParams...)
}
if query.Limit == 0 { if query.Limit == 0 {
query.Limit = 100 query.Limit = 100
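Review bot: `acFilter.where` is now written into the statement with `fmt.Sprintf(" AND (%s)", acFilter.where)` on every call to `Get`, so the query is only safe if `getAccessControlFilter` returns server-built SQL and carries all values in `whereParams`; that helper is not visible in this hunk. A comment before the `WriteString` would pin the contract: `// acFilter.where must contain only server-built SQL; user-derived values go in acFilter.whereParams.` Separately, the removed `var acFilter acFilter` shows that `acFilter` is also a type name, which the new `acFilter, err :=` shadows from that line on; `filter, err := r.getAccessControlFilter(query.SignedInUser)` would avoid that. `Get` starts and ends outside the hunk.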

@ -208,7 +208,6 @@ func (s *Service) AddDataSource(ctx context.Context, cmd *datasources.AddDataSou
return err return err
} }
if !s.ac.IsDisabled() {
// This belongs in Data source permissions, and we probably want // This belongs in Data source permissions, and we probably want
// to do this with a hook in the store and rollback on fail. // to do this with a hook in the store and rollback on fail.
// We can't use events, because there's no way to communicate // We can't use events, because there's no way to communicate
@ -221,12 +220,8 @@ func (s *Service) AddDataSource(ctx context.Context, cmd *datasources.AddDataSou
if cmd.UserID != 0 { if cmd.UserID != 0 {
permissions = append(permissions, accesscontrol.SetResourcePermissionCommand{UserID: cmd.UserID, Permission: "Edit"}) permissions = append(permissions, accesscontrol.SetResourcePermissionCommand{UserID: cmd.UserID, Permission: "Edit"})
} }
if _, err := s.permissionsService.SetPermissions(ctx, cmd.OrgID, dataSource.UID, permissions...); err != nil { _, err = s.permissionsService.SetPermissions(ctx, cmd.OrgID, dataSource.UID, permissions...)
return err return err
}
}
return nil
}) })
} }
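Review bot: The closure now ends with `return err` taken straight from `s.permissionsService.SetPermissions`, and nothing visible says what a non-nil return does to the data source created just before it. The surrounding comment itself says a rollback on failure is wanted, so the actual behaviour should be recorded at the call, for example `// If SetPermissions fails, the error is returned so the enclosing call can undo the data source insert.`, provided that is what the wrapper really does. Otherwise a data source could be left without the default permissions this block sets. The function and the call that runs this closure start outside the hunk.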

@ -560,7 +560,7 @@ func (ss *sqlStore) SearchOrgUsers(ctx context.Context, query *org.SearchOrgUser
ss.log.Warn("Query user not set for filtering.") ss.log.Warn("Query user not set for filtering.")
} }
if !query.DontEnforceAccessControl && !accesscontrol.IsDisabled(ss.cfg) { if !query.DontEnforceAccessControl {
acFilter, err := accesscontrol.Filter(query.User, "org_user.user_id", "users:id:", accesscontrol.ActionOrgUsersRead) acFilter, err := accesscontrol.Filter(query.User, "org_user.user_id", "users:id:", accesscontrol.ActionOrgUsersRead)
if err != nil { if err != nil {
return err return err
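Review bot: With the global switch removed, `query.DontEnforceAccessControl` is the only way `SearchOrgUsers` skips the `accesscontrol.Filter` call, and nothing at the `if` says who is allowed to set it. A comment above the condition would record the intent, for example `// DontEnforceAccessControl is for trusted internal callers; it must never be populated from request input.` The `Warn("Query user not set for filtering.")` just above suggests `query.User` can be nil when the filter is built; the branch around that log line is outside the hunk, so it is worth confirming that `accesscontrol.Filter` returns an error or a deny-all clause for a nil user.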

@ -139,10 +139,6 @@ func (s *StandardSearchService) createAllowedActions(ctx context.Context, orgId
func (s *StandardSearchService) getAllowedActionsByUid(ctx context.Context, user *user.SignedInUser, func (s *StandardSearchService) getAllowedActionsByUid(ctx context.Context, user *user.SignedInUser,
orgID int64, prefix string, resourceIDs []string) map[string][]string { orgID int64, prefix string, resourceIDs []string) map[string][]string {
if s.ac.IsDisabled() {
return map[string][]string{}
}
if user.Permissions == nil { if user.Permissions == nil {
return map[string][]string{} return map[string][]string{}
} }

@ -185,10 +185,6 @@ func (s *StandardSearchService) getUser(ctx context.Context, backendUser *backen
} }
} }
if s.ac.IsDisabled() {
return usr, nil
}
if usr.Permissions == nil { if usr.Permissions == nil {
usr.Permissions = make(map[int64]map[string][]string) usr.Permissions = make(map[int64]map[string][]string)
} }

@ -284,14 +284,12 @@ func (s *ServiceAccountsStoreImpl) SearchOrgServiceAccounts(ctx context.Context,
s.sqlStore.GetDialect().Quote("user"), s.sqlStore.GetDialect().Quote("user"),
s.sqlStore.GetDialect().BooleanStr(true))) s.sqlStore.GetDialect().BooleanStr(true)))
if !accesscontrol.IsDisabled(s.cfg) {
acFilter, err := accesscontrol.Filter(query.SignedInUser, "org_user.user_id", "serviceaccounts:id:", serviceaccounts.ActionRead) acFilter, err := accesscontrol.Filter(query.SignedInUser, "org_user.user_id", "serviceaccounts:id:", serviceaccounts.ActionRead)
if err != nil { if err != nil {
return err return err
} }
whereConditions = append(whereConditions, acFilter.Where) whereConditions = append(whereConditions, acFilter.Where)
whereParams = append(whereParams, acFilter.Args...) whereParams = append(whereParams, acFilter.Args...)
}
if query.Query != "" { if query.Query != "" {
queryWithWildcards := "%" + query.Query + "%" queryWithWildcards := "%" + query.Query + "%"

@ -635,14 +635,12 @@ func (ss *sqlStore) Search(ctx context.Context, query *user.SearchUsersQuery) (*
} }
// user only sees the users for which it has read permissions // user only sees the users for which it has read permissions
if !accesscontrol.IsDisabled(ss.cfg) {
acFilter, err := accesscontrol.Filter(query.SignedInUser, "u.id", "global.users:id:", accesscontrol.ActionUsersRead) acFilter, err := accesscontrol.Filter(query.SignedInUser, "u.id", "global.users:id:", accesscontrol.ActionUsersRead)
if err != nil { if err != nil {
return err return err
} }
whereConditions = append(whereConditions, acFilter.Where) whereConditions = append(whereConditions, acFilter.Where)
whereParams = append(whereParams, acFilter.Args...) whereParams = append(whereParams, acFilter.Args...)
}
if query.Query != "" { if query.Query != "" {
whereConditions = append(whereConditions, "(email "+ss.dialect.LikeStr()+" ? OR name "+ss.dialect.LikeStr()+" ? OR login "+ss.dialect.LikeStr()+" ?)") whereConditions = append(whereConditions, "(email "+ss.dialect.LikeStr()+" ? OR name "+ss.dialect.LikeStr()+" ? OR login "+ss.dialect.LikeStr()+" ?)")
