Access control: allow granting a fixed role dynamically based on the startup settings (#43867)

* allow granting a fixed role dynamically depending on startup config

* move role definition for team writing

* undo test changes

* nicer naming

pkg/api/api.go

@@ -178,7 +178,7 @@ func (hs *HTTPServer) registerRoutes() {
 
 		// team (admin permission required)
 		apiRoute.Group("/teams", func(teamsRoute routing.RouteRegister) {
-			teamsRoute.Post("/", authorize(reqCanAccessTeams, ac.EvalPermission(ac.ActionTeamsCreate)), routing.Wrap(hs.CreateTeam))
+			teamsRoute.Post("/", authorize(reqCanAccessTeams, ac.EvalPermission(ActionTeamsCreate)), routing.Wrap(hs.CreateTeam))
 			teamsRoute.Put("/:teamId", reqCanAccessTeams, routing.Wrap(hs.UpdateTeam))
 			teamsRoute.Delete("/:teamId", reqCanAccessTeams, routing.Wrap(hs.DeleteTeamByID))
 			teamsRoute.Get("/:teamId/members", reqCanAccessTeams, routing.Wrap(hs.GetTeamMembers))

pkg/api/roles.go

@@ -24,6 +24,8 @@ const (
 	ActionOrgsQuotasWrite      = "orgs.quotas:write"
 	ActionOrgsDelete           = "orgs:delete"
 	ActionOrgsCreate           = "orgs:create"
+
+	ActionTeamsCreate = "teams:create"
 )
 
 // API related scopes
@@ -185,9 +187,29 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		Grants: []string{string(accesscontrol.RoleGrafanaAdmin)},
 	}
 
+	teamWriterGrants := []string{string(models.ROLE_ADMIN)}
+	if hs.Cfg.EditorsCanAdmin {
+		teamWriterGrants = append(teamWriterGrants, string(models.ROLE_EDITOR))
+	}
+	teamsWriterRole := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Name:        "fixed:teams:writer",
+			DisplayName: "Team writer",
+			Description: "Create teams.",
+			Group:       "Teams",
+			Version:     1,
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionTeamsCreate,
+				},
+			},
+		},
+		Grants: teamWriterGrants,
+	}
+
 	return hs.AccessControl.DeclareFixedRoles(
 		provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole,
-		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole, orgMaintainerRole,
+		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole, orgMaintainerRole, teamsWriterRole,
 	)
 }
 

pkg/api/team_test.go

@@ -201,7 +201,7 @@ func TestTeamAPIEndpoint_CreateTeam_FGAC(t *testing.T) {
 	setInitCtxSignedInViewer(sc.initCtx)
 	input := strings.NewReader(fmt.Sprintf(createTeamCmd, 1))
 	t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
-		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionTeamsCreate}}, 1)
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})

pkg/services/accesscontrol/roles.go

@@ -197,19 +197,6 @@ var (
 			},
 		}),
 	}
-
-	teamsWriterRole = RoleDTO{
-		Name:        teamsWriter,
-		DisplayName: "Teams writer",
-		Description: "Create teams.",
-		Group:       "Teams",
-		Version:     1,
-		Permissions: []Permission{
-			{
-				Action: ActionTeamsCreate,
-			},
-		},
-	}
 )
 
 // Role names definitions
@@ -223,7 +210,6 @@ const (
 	statsReader         = "fixed:stats:reader"
 	usersReader         = "fixed:users:reader"
 	usersWriter         = "fixed:users:writer"
-	teamsWriter         = "fixed:teams:writer"
 )
 
 var (
@@ -243,7 +229,6 @@ var (
 		statsReader:         statsReaderRole,
 		usersReader:         usersReaderRole,
 		usersWriter:         usersWriterRole,
-		teamsWriter:         teamsWriterRole,
 	}
 
 	// FixedRoleGrants specifies which built-in roles are assigned
@@ -262,7 +247,6 @@ var (
 		string(models.ROLE_ADMIN): {
 			orgUsersReader,
 			orgUsersWriter,
-			teamsWriter,
 		},
 		string(models.ROLE_EDITOR): {
 			datasourcesExplorer,