apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Revert "Service accounts: Add service account to teams" (#52710)

Browse Source 
* Revert "Service accounts: Add service account to teams (#51536)"

This reverts commit 0f919671e7.

* remove unneeded line

* fix test
pull/52786/head
Ieva 4 years ago committed by GitHub
parent 8f4d924531
commit b3a10202d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 151 additions and 410 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md
  2. 3
      pkg/api/accesscontrol.go
  3. 68
      pkg/services/accesscontrol/database/resource_permissions.go
  4. 29
      pkg/services/accesscontrol/models.go
  5. 28
      pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go
  6. 59
      pkg/services/accesscontrol/resourcepermissions/api.go
  7. 134
      pkg/services/accesscontrol/resourcepermissions/api_test.go
  8. 2
      pkg/services/accesscontrol/resourcepermissions/service.go
  9. 16
      pkg/services/accesscontrol/resourcepermissions/service_test.go
  10. 6
      pkg/services/serviceaccounts/api/api_test.go
  11. 18
      pkg/services/sqlstore/team.go
  12. 94
      pkg/services/sqlstore/team_test.go
  13. 9
      public/app/core/components/AccessControl/AddPermission.tsx
  14. 21
      public/app/core/components/AccessControl/Permissions.tsx
  15. 3
      public/app/core/components/AccessControl/types.ts
  16. 69
      public/app/core/components/Select/ServiceAccountPicker.tsx

2
docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md
Unescape View File

@ -78,7 +78,7 @@ The following tables list permissions associated with basic and fixed roles.
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:teams:creator` | `teams:create`<br>`org.users:read`<br>`serviceaccounts:read` | Create a team and list organization users and service accounts (required to manage the created team). |
| `fixed:teams:creator` | `teams:create`<br>`org.users:read` | Create a team and list organization users (required to manage the created team). |
| `fixed:teams:writer` | `teams:create`<br>`teams:delete`<br>`teams:read`<br>`teams:write`<br>`teams.permissions:read`<br>`teams.permissions:write` | Create, read, update and delete teams and manage team memberships. |
| `fixed:users:reader` | `users:read`<br>`users.quotas:read`<br>`users.authtoken:read`<br>` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:write`<br>`users.permissions:write`<br>`users:logout`<br>`users.authtoken:write`<br>`users.quotas:write` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |

3
pkg/api/accesscontrol.go
Unescape View File

@ -230,12 +230,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
Role: ac.RoleDTO{
Name: "fixed:teams:creator",
DisplayName: "Team creator",
Description: "Create teams and read organisation users and service accounts (required to manage the created teams).",
Description: "Create teams and read organisation users (required to manage the created teams).",
Group: "Teams",
Permissions: []ac.Permission{
{Action: ac.ActionTeamsCreate},
{Action: ac.ActionOrgUsersRead, Scope: ac.ScopeUsersAll},
{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll},
},
},
Grants: teamCreatorGrants,

68
pkg/services/accesscontrol/database/resource_permissions.go
Unescape View File

@ -9,26 +9,24 @@ import (
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions/types"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/user"
)
type flatResourcePermission struct {
ID int64 `xorm:"id"`
RoleName string
Action string
Scope string
UserId int64
UserLogin string
UserEmail string
UserIsServiceAccount bool
TeamId int64
TeamEmail string
Team string
BuiltInRole string
Created time.Time
Updated time.Time
ID int64 `xorm:"id"`
RoleName string
Action string
Scope string
UserId int64
UserLogin string
UserEmail string
TeamId int64
TeamEmail string
Team string
BuiltInRole string
Created time.Time
Updated time.Time
}
func (p *flatResourcePermission) IsManaged(scope string) bool {
@ -295,7 +293,6 @@ func (s *AccessControlStore) getResourcePermissions(sess *sqlstore.DBSession, or
ur.user_id AS user_id,
u.login AS user_login,
u.email AS user_email,
u.is_service_account AS user_is_service_account,
0 AS team_id,
'' AS team,
'' AS team_email,
@ -306,7 +303,6 @@ func (s *AccessControlStore) getResourcePermissions(sess *sqlstore.DBSession, or
0 AS user_id,
'' AS user_login,
'' AS user_email,
false AS user_is_service_account,
tr.team_id AS team_id,
t.name AS team,
t.email AS team_email,
@ -317,7 +313,6 @@ func (s *AccessControlStore) getResourcePermissions(sess *sqlstore.DBSession, or
0 AS user_id,
'' AS user_login,
'' AS user_email,
false AS user_is_service_account,
0 as team_id,
'' AS team,
'' AS team_email,
@ -376,13 +371,8 @@ func (s *AccessControlStore) getResourcePermissions(sess *sqlstore.DBSession, or
if err != nil {
return nil, err
}
serviceAccountFilter, err := accesscontrol.Filter(query.User, "u.id", "serviceaccounts:id:", serviceaccounts.ActionRead)
if err != nil {
return nil, err
}
user := userSelect + userFrom + where + " AND (" + userFilter.Where + " OR " + serviceAccountFilter.Where + ") "
user := userSelect + userFrom + where + " AND " + userFilter.Where
args = append(args, userFilter.Args...)
args = append(args, serviceAccountFilter.Args...)
teamFilter, err := accesscontrol.Filter(query.User, "t.id", "teams:id:", accesscontrol.ActionTeamsRead)
if err != nil {
@ -468,21 +458,20 @@ func flatPermissionsToResourcePermission(scope string, permissions []flatResourc
first := permissions[0]
return &accesscontrol.ResourcePermission{
ID: first.ID,
RoleName: first.RoleName,
Actions: actions,
Scope: first.Scope,
UserId: first.UserId,
UserLogin: first.UserLogin,
UserEmail: first.UserEmail,
UserIsServiceAccount: first.UserIsServiceAccount,
TeamId: first.TeamId,
TeamEmail: first.TeamEmail,
Team: first.Team,
BuiltInRole: first.BuiltInRole,
Created: first.Created,
Updated: first.Updated,
IsManaged: first.IsManaged(scope),
ID: first.ID,
RoleName: first.RoleName,
Actions: actions,
Scope: first.Scope,
UserId: first.UserId,
UserLogin: first.UserLogin,
UserEmail: first.UserEmail,
TeamId: first.TeamId,
TeamEmail: first.TeamEmail,
Team: first.Team,
BuiltInRole: first.BuiltInRole,
Created: first.Created,
Updated: first.Updated,
IsManaged: first.IsManaged(scope),
}
}
@ -593,7 +582,6 @@ func (s *AccessControlStore) getResourcePermissionsByIds(sess *sqlstore.DBSessio
ur.user_id AS user_id,
u.login AS user_login,
u.email AS user_email,
u.is_service_account AS user_is_service_account,
tr.team_id AS team_id,
t.name AS team,
t.email AS team_email,

29
pkg/services/accesscontrol/models.go
Unescape View File

@ -222,21 +222,20 @@ type ScopeParams struct {
// ResourcePermission is structure that holds all actions that either a team / user / builtin-role
// can perform against specific resource.
type ResourcePermission struct {
ID int64
RoleName string
Actions []string
Scope string
UserId int64
UserLogin string
UserEmail string
UserIsServiceAccount bool
TeamId int64
TeamEmail string
Team string
BuiltInRole string
IsManaged bool
Created time.Time
Updated time.Time
ID int64
RoleName string
Actions []string
Scope string
UserId int64
UserLogin string
UserEmail string
TeamId int64
TeamEmail string
Team string
BuiltInRole string
IsManaged bool
Created time.Time
Updated time.Time
}
func (p *ResourcePermission) Contains(targetActions []string) bool {

28
pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go
Unescape View File

@ -59,10 +59,9 @@ func ProvideTeamPermissions(
return nil
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: false,
BuiltInRoles: false,
ServiceAccounts: true,
Users: true,
Teams: false,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"Member": TeamMemberActions,
@ -151,10 +150,9 @@ func ProvideDashboardPermissions(
return []string{}, nil
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
ServiceAccounts: false,
Users: true,
Teams: true,
BuiltInRoles: true,
},
PermissionsToActions: map[string][]string{
"View": DashboardViewActions,
@ -209,10 +207,9 @@ func ProvideFolderPermissions(
return nil
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
ServiceAccounts: false,
Users: true,
Teams: true,
BuiltInRoles: true,
},
PermissionsToActions: map[string][]string{
"View": append(DashboardViewActions, FolderViewActions...),
@ -283,10 +280,9 @@ func ProvideServiceAccountPermissions(
return err
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: true,
BuiltInRoles: false,
ServiceAccounts: false,
Users: true,
Teams: true,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"Edit": {serviceaccounts.ActionRead, serviceaccounts.ActionWrite},

59
pkg/services/accesscontrol/resourcepermissions/api.go
Unescape View File

@ -40,7 +40,7 @@ func (a *api) registerEndpoints() {
scope := accesscontrol.Scope(a.service.options.Resource, a.service.options.ResourceAttribute, accesscontrol.Parameter(":resourceID"))
r.Get("/description", auth(disable, accesscontrol.EvalPermission(actionRead)), routing.Wrap(a.getDescription))
r.Get("/:resourceID", inheritanceSolver, auth(disable, accesscontrol.EvalPermission(actionRead, scope)), routing.Wrap(a.getPermissions))
if a.service.options.Assignments.Users || a.service.options.Assignments.ServiceAccounts {
if a.service.options.Assignments.Users {
r.Post("/:resourceID/users/:userID", inheritanceSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, scope)), routing.Wrap(a.setUserPermission))
}
if a.service.options.Assignments.Teams {
@ -53,10 +53,9 @@ func (a *api) registerEndpoints() {
}
type Assignments struct {
Users bool `json:"users"`
Teams bool `json:"teams"`
BuiltInRoles bool `json:"builtInRoles"`
ServiceAccounts bool `json:"serviceAccounts"`
Users bool `json:"users"`
Teams bool `json:"teams"`
BuiltInRoles bool `json:"builtInRoles"`
}
type Description struct {
@ -72,19 +71,18 @@ func (a *api) getDescription(c *models.ReqContext) response.Response {
}
type resourcePermissionDTO struct {
ID int64 `json:"id"`
RoleName string `json:"roleName"`
IsManaged bool `json:"isManaged"`
UserID int64 `json:"userId,omitempty"`
UserLogin string `json:"userLogin,omitempty"`
UserAvatarUrl string `json:"userAvatarUrl,omitempty"`
UserIsServiceAccount bool `json:"userIsServiceAccount,omitempty"`
Team string `json:"team,omitempty"`
TeamID int64 `json:"teamId,omitempty"`
TeamAvatarUrl string `json:"teamAvatarUrl,omitempty"`
BuiltInRole string `json:"builtInRole,omitempty"`
Actions []string `json:"actions"`
Permission string `json:"permission"`
ID int64 `json:"id"`
RoleName string `json:"roleName"`
IsManaged bool `json:"isManaged"`
UserID int64 `json:"userId,omitempty"`
UserLogin string `json:"userLogin,omitempty"`
UserAvatarUrl string `json:"userAvatarUrl,omitempty"`
Team string `json:"team,omitempty"`
TeamID int64 `json:"teamId,omitempty"`
TeamAvatarUrl string `json:"teamAvatarUrl,omitempty"`
BuiltInRole string `json:"builtInRole,omitempty"`
Actions []string `json:"actions"`
Permission string `json:"permission"`
}
func (a *api) getPermissions(c *models.ReqContext) response.Response {
@ -112,19 +110,18 @@ func (a *api) getPermissions(c *models.ReqContext) response.Response {
}
dto = append(dto, resourcePermissionDTO{
ID: p.ID,
RoleName: p.RoleName,
UserID: p.UserId,
UserLogin: p.UserLogin,
UserAvatarUrl: dtos.GetGravatarUrl(p.UserEmail),
UserIsServiceAccount: p.UserIsServiceAccount,
Team: p.Team,
TeamID: p.TeamId,
TeamAvatarUrl: teamAvatarUrl,
BuiltInRole: p.BuiltInRole,
Actions: p.Actions,
Permission: permission,
IsManaged: p.IsManaged,
ID: p.ID,
RoleName: p.RoleName,
UserID: p.UserId,
UserLogin: p.UserLogin,
UserAvatarUrl: dtos.GetGravatarUrl(p.UserEmail),
Team: p.Team,
TeamID: p.TeamId,
TeamAvatarUrl: teamAvatarUrl,
BuiltInRole: p.BuiltInRole,
Actions: p.Actions,
Permission: permission,
IsManaged: p.IsManaged,
})
}
}

134
pkg/services/accesscontrol/resourcepermissions/api_test.go
Unescape View File

@ -18,7 +18,6 @@ import (
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
@ -160,12 +159,12 @@ func TestApi_getPermissions(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, tt.permissions, testOptionsDashboards)
service, sql := setupTestEnvironment(t, tt.permissions, testOptions)
server := setupTestServer(t, &models.SignedInUser{OrgId: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
seedPermissions(t, tt.resourceID, sql, service)
permissions, recorder := getPermission(t, server, testOptionsDashboards.Resource, tt.resourceID)
permissions, recorder := getPermission(t, server, testOptions.Resource, tt.resourceID)
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
@ -237,14 +236,14 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, _ := setupTestEnvironment(t, tt.permissions, testOptionsDashboards)
service, _ := setupTestEnvironment(t, tt.permissions, testOptions)
server := setupTestServer(t, &models.SignedInUser{OrgId: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
recorder := setPermission(t, server, testOptionsDashboards.Resource, tt.resourceID, tt.permission, "builtInRoles", tt.builtInRole)
recorder := setPermission(t, server, testOptions.Resource, tt.resourceID, tt.permission, "builtInRoles", tt.builtInRole)
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
permissions, _ := getPermission(t, server, testOptionsDashboards.Resource, tt.resourceID)
permissions, _ := getPermission(t, server, testOptions.Resource, tt.resourceID)
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
assert.Equal(t, tt.builtInRole, permissions[0].BuiltInRole)
@ -315,19 +314,19 @@ func TestApi_setTeamPermission(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, tt.permissions, testOptionsDashboards)
service, sql := setupTestEnvironment(t, tt.permissions, testOptions)
server := setupTestServer(t, &models.SignedInUser{OrgId: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
// seed team
_, err := sql.CreateTeam("test", "test@test.com", 1)
require.NoError(t, err)
recorder := setPermission(t, server, testOptionsDashboards.Resource, tt.resourceID, tt.permission, "teams", strconv.Itoa(int(tt.teamID)))
recorder := setPermission(t, server, testOptions.Resource, tt.resourceID, tt.permission, "teams", strconv.Itoa(int(tt.teamID)))
assert.Equal(t, tt.expectedStatus, recorder.Code)
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
permissions, _ := getPermission(t, server, testOptionsDashboards.Resource, tt.resourceID)
permissions, _ := getPermission(t, server, testOptions.Resource, tt.resourceID)
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
assert.Equal(t, tt.teamID, permissions[0].TeamID)
@ -398,107 +397,22 @@ func TestApi_setUserPermission(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, tt.permissions, testOptionsDashboards)
service, sql := setupTestEnvironment(t, tt.permissions, testOptions)
server := setupTestServer(t, &models.SignedInUser{OrgId: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
// seed user
_, err := sql.CreateUser(context.Background(), user.CreateUserCommand{Login: "test", OrgID: 1})
require.NoError(t, err)
recorder := setPermission(t, server, testOptionsDashboards.Resource, tt.resourceID, tt.permission, "users", strconv.Itoa(int(tt.userID)))
recorder := setPermission(t, server, testOptions.Resource, tt.resourceID, tt.permission, "users", strconv.Itoa(int(tt.userID)))
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
permissions, _ := getPermission(t, server, testOptionsDashboards.Resource, tt.resourceID)
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
assert.Equal(t, tt.userID, permissions[0].UserID)
}
})
}
}
type setServiceAccountPermissionTestCase struct {
desc string
serviceaccountID int64
resourceID string
expectedStatus int
permission string
permissions []accesscontrol.Permission
}
func TestApi_setServiceAccountPermission(t *testing.T) {
tests := []setServiceAccountPermissionTestCase{
{
desc: "should set Edit permission for serviceaccount 1",
serviceaccountID: 1,
resourceID: "1",
expectedStatus: 200,
permission: "Edit",
permissions: []accesscontrol.Permission{
{Action: "teams.permissions:read", Scope: "teams:id:1"},
{Action: "teams.permissions:write", Scope: "teams:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll},
},
},
{
desc: "should set View permission for serviceaccount 1",
serviceaccountID: 1,
resourceID: "1",
expectedStatus: 200,
permission: "View",
permissions: []accesscontrol.Permission{
{Action: "teams.permissions:read", Scope: "teams:id:1"},
{Action: "teams.permissions:write", Scope: "teams:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll},
},
},
{
desc: "should set return http 400 when serviceaccount does not exist",
serviceaccountID: 2,
resourceID: "1",
expectedStatus: http.StatusBadRequest,
permission: "View",
permissions: []accesscontrol.Permission{
{Action: "teams.permissions:read", Scope: "teams:id:1"},
{Action: "teams.permissions:write", Scope: "teams:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll},
},
},
{
desc: "should return http 403 when missing permissions",
serviceaccountID: 1,
resourceID: "1",
expectedStatus: http.StatusForbidden,
permission: "View",
permissions: []accesscontrol.Permission{
{Action: "teams.permissions:read", Scope: "teams:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
},
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, tt.permissions, testOptionsTeams)
server := setupTestServer(t, &models.SignedInUser{OrgId: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
// seed serviceaccount
_, err := sql.CreateUser(context.Background(), user.CreateUserCommand{Login: "test", OrgID: 1, IsServiceAccount: true})
require.NoError(t, err)
recorder := setPermission(t, server, testOptionsTeams.Resource, tt.resourceID, tt.permission, "users", strconv.Itoa(int(tt.serviceaccountID)))
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
permissions, _ := getPermission(t, server, testOptionsTeams.Resource, tt.resourceID)
permissions, _ := getPermission(t, server, testOptions.Resource, tt.resourceID)
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
assert.Equal(t, tt.serviceaccountID, permissions[0].UserID)
assert.Equal(t, true, permissions[0].UserIsServiceAccount)
assert.Equal(t, tt.userID, permissions[0].UserID)
}
})
}
@ -530,14 +444,13 @@ func contextProvider(tc *testContext) web.Handler {
}
}
var testOptionsDashboards = Options{
var testOptions = Options{
Resource: "dashboards",
ResourceAttribute: "id",
Assignments: Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
ServiceAccounts: true,
Users: true,
Teams: true,
BuiltInRoles: true,
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},
@ -545,21 +458,6 @@ var testOptionsDashboards = Options{
},
}
var testOptionsTeams = Options{
Resource: "teams",
ResourceAttribute: "id",
Assignments: Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
ServiceAccounts: true,
},
PermissionsToActions: map[string][]string{
"View": {"teams:read"},
"Edit": {"teams:read", "teams:write", "teams:delete"},
},
}
func getPermission(t *testing.T, server *web.Mux, resource, resourceID string) ([]resourcePermissionDTO, *httptest.ResponseRecorder) {
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/api/access-control/%s/%s", resource, resourceID), nil)
require.NoError(t, err)

2
pkg/services/accesscontrol/resourcepermissions/service.go
Unescape View File

@ -275,7 +275,7 @@ func (s *Service) validateResource(ctx context.Context, orgID int64, resourceID
}
func (s *Service) validateUser(ctx context.Context, orgID, userID int64) error {
if !(s.options.Assignments.Users || s.options.Assignments.ServiceAccounts) {
if !s.options.Assignments.Users {
return ErrInvalidAssignment
}

16
pkg/services/accesscontrol/resourcepermissions/service_test.go
Unescape View File

@ -38,7 +38,7 @@ func TestService_SetUserPermission(t *testing.T) {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
Resource: "dashboards",
Assignments: Assignments{Users: true, ServiceAccounts: true},
Assignments: Assignments{Users: true},
PermissionsToActions: nil,
})
@ -159,10 +159,9 @@ func TestService_SetPermissions(t *testing.T) {
options: Options{
Resource: "dashboards",
Assignments: Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
ServiceAccounts: true,
Users: true,
Teams: true,
BuiltInRoles: true,
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},
@ -179,10 +178,9 @@ func TestService_SetPermissions(t *testing.T) {
options: Options{
Resource: "dashboards",
Assignments: Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
ServiceAccounts: true,
Users: true,
Teams: true,
BuiltInRoles: true,
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},

6
pkg/services/serviceaccounts/api/api_test.go
Unescape View File

@ -177,10 +177,12 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
assert.Equal(t, tc.body["name"], sa.Name)
assert.Equal(t, tc.wantID, sa.Login)
tempUser := &models.SignedInUser{
OrgId: 1,
OrgId: 1,
UserId: 1,
Permissions: map[int64]map[string][]string{
1: {
serviceaccounts.ActionRead: []string{serviceaccounts.ScopeAll},
serviceaccounts.ActionRead: []string{serviceaccounts.ScopeAll},
accesscontrol.ActionOrgUsersRead: []string{accesscontrol.ScopeUsersAll},
},
},
}

18
pkg/services/sqlstore/team.go
Unescape View File

@ -9,7 +9,6 @@ import (
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
)
type TeamStore interface {
@ -529,25 +528,17 @@ func (ss *SQLStore) GetTeamMembers(ctx context.Context, query *models.GetTeamMem
// If the signed in user is not set no member will be returned
if !ac.IsDisabled(ss.Cfg) {
sqlID := fmt.Sprintf("%s.%s", ss.engine.Dialect().Quote("user"), ss.engine.Dialect().Quote("id"))
var filter ac.SQLFilter
*acFilter, err = ac.Filter(query.SignedInUser, sqlID, "users:id:", ac.ActionOrgUsersRead)
if err != nil {
return err
}
filter, err = ac.Filter(query.SignedInUser, sqlID, "serviceaccounts:id:", serviceaccounts.ActionRead)
if err != nil {
return err
}
acFilter.Where = fmt.Sprintf("(%s OR %s)", acFilter.Where, filter.Where)
acFilter.Args = append(acFilter.Args, filter.Args...)
}
return ss.getTeamMembers(ctx, query, acFilter)
}
// getTeamMembers return a list of members for the specified team
func (ss *SQLStore) getTeamMembers(ctx context.Context, query *models.GetTeamMembersQuery, acFilter *ac.SQLFilter) error {
func (ss *SQLStore) getTeamMembers(ctx context.Context, query *models.GetTeamMembersQuery, acUserFilter *ac.SQLFilter) error {
return ss.WithDbSession(ctx, func(dbSess *DBSession) error {
query.Result = make([]*models.TeamMemberDTO, 0)
sess := dbSess.Table("team_member")
@ -555,8 +546,11 @@ func (ss *SQLStore) getTeamMembers(ctx context.Context, query *models.GetTeamMem
fmt.Sprintf("team_member.user_id=%s.%s", ss.Dialect.Quote("user"), ss.Dialect.Quote("id")),
)
if acFilter != nil {
sess.Where(acFilter.Where, acFilter.Args...)
// explicitly check for serviceaccounts
sess.Where(fmt.Sprintf("%s.is_service_account=?", ss.Dialect.Quote("user")), ss.Dialect.BooleanStr(false))
if acUserFilter != nil {
sess.Where(acUserFilter.Where, acUserFilter.Args...)
}
// Join with only most recent auth module

94
pkg/services/sqlstore/team_test.go
Unescape View File

@ -24,8 +24,9 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
OrgId: 1,
Permissions: map[int64]map[string][]string{
1: {
ac.ActionTeamsRead: []string{ac.ScopeTeamsAll},
ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
ac.ActionTeamsRead: []string{ac.ScopeTeamsAll},
ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
serviceaccounts.ActionRead: []string{serviceaccounts.ScopeAll},
},
},
}
@ -372,21 +373,9 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
require.EqualValues(t, getTeamQuery.Result.MemberCount, 2)
})
t.Run("Should be able to add service accounts to teams, list it as a team member and remove it from team", func(t *testing.T) {
t.Run("Should be able to exclude service accounts from teamembers", func(t *testing.T) {
sqlStore = InitTestDB(t)
setup()
signedInUser := &models.SignedInUser{
Login: "loginuser0",
OrgId: testOrgID,
Permissions: map[int64]map[string][]string{
testOrgID: {
ac.ActionTeamsRead: []string{ac.ScopeTeamsAll},
ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
},
},
}
userCmd = user.CreateUserCommand{
Email: fmt.Sprint("sa", 1, "@test.com"),
Name: fmt.Sprint("sa", 1),
@ -396,23 +385,24 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
serviceAccount, err := sqlStore.CreateUser(context.Background(), userCmd)
require.NoError(t, err)
teamId := team1.Id
err = sqlStore.AddTeamMember(serviceAccount.ID, testOrgID, teamId, false, 0)
require.NoError(t, err)
getTeamMembersQuery := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: teamId, SignedInUser: signedInUser}
err = sqlStore.GetTeamMembers(context.Background(), getTeamMembersQuery)
groupId := team2.Id
// add service account to team
err = sqlStore.AddTeamMember(serviceAccount.ID, testOrgID, groupId, false, 0)
require.NoError(t, err)
require.EqualValues(t, 1, len(getTeamMembersQuery.Result))
require.EqualValues(t, serviceAccount.ID, getTeamMembersQuery.Result[0].UserId)
removeTeamMemberCmd := &models.RemoveTeamMemberCommand{OrgId: testOrgID, TeamId: teamId, UserId: serviceAccount.ID}
err = sqlStore.RemoveTeamMember(context.Background(), removeTeamMemberCmd)
// add user to team
err = sqlStore.AddTeamMember(userIds[0], testOrgID, groupId, false, 0)
require.NoError(t, err)
err = sqlStore.GetTeamMembers(context.Background(), getTeamMembersQuery)
teamMembersQuery := &models.GetTeamMembersQuery{
OrgId: testOrgID,
SignedInUser: testUser,
TeamId: groupId,
}
err = sqlStore.GetTeamMembers(context.Background(), teamMembersQuery)
require.NoError(t, err)
require.EqualValues(t, 0, len(getTeamMembersQuery.Result))
// should not receive service account from query
require.Equal(t, len(teamMembersQuery.Result), 1)
})
})
})
@ -499,7 +489,7 @@ func TestIntegrationSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
t.Skip("skipping integration test")
}
testOrgID := int64(2)
userIds := make([]int64, 5)
userIds := make([]int64, 4)
// Seed 2 teams with 2 members
setup := func(store *SQLStore) {
@ -508,15 +498,12 @@ func TestIntegrationSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
team2, errCreateTeam := store.CreateTeam("group2 name", "test2@example.org", testOrgID)
require.NoError(t, errCreateTeam)
for i := 0; i < 5; i++ {
for i := 0; i < 4; i++ {
userCmd := user.CreateUserCommand{
Email: fmt.Sprint("user", i, "@example.org"),
Name: fmt.Sprint("user", i),
Login: fmt.Sprint("loginuser", i),
}
if i >= 3 {
userCmd.IsServiceAccount = true
}
user, errCreateUser := store.CreateUser(context.Background(), userCmd)
require.NoError(t, errCreateUser)
userIds[i] = user.ID
@ -530,8 +517,6 @@ func TestIntegrationSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
require.NoError(t, errAddMember)
errAddMember = store.AddTeamMember(userIds[3], testOrgID, team2.Id, false, 0)
require.NoError(t, errAddMember)
errAddMember = store.AddTeamMember(userIds[4], testOrgID, team2.Id, false, 0)
require.NoError(t, errAddMember)
}
store := InitTestDB(t, InitTestDBOpt{})
@ -549,14 +534,11 @@ func TestIntegrationSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
query: &models.GetTeamMembersQuery{
OrgId: testOrgID,
SignedInUser: &models.SignedInUser{
OrgId: testOrgID,
Permissions: map[int64]map[string][]string{testOrgID: {
ac.ActionOrgUsersRead: {ac.ScopeUsersAll},
serviceaccounts.ActionRead: {serviceaccounts.ScopeAll},
}},
OrgId: testOrgID,
Permissions: map[int64]map[string][]string{testOrgID: {ac.ActionOrgUsersRead: {ac.ScopeUsersAll}}},
},
},
expectedNumUsers: 5,
expectedNumUsers: 4,
},
{
desc: "should return no team members",
@ -576,15 +558,11 @@ func TestIntegrationSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
OrgId: testOrgID,
SignedInUser: &models.SignedInUser{
OrgId: testOrgID,
Permissions: map[int64]map[string][]string{testOrgID: {
ac.ActionOrgUsersRead: {
ac.Scope("users", "id", fmt.Sprintf("%d", userIds[0])),
ac.Scope("users", "id", fmt.Sprintf("%d", userIds[2])),
},
serviceaccounts.ActionRead: {
ac.Scope("serviceaccounts", "id", fmt.Sprintf("%d", userIds[3])),
},
}},
Permissions: map[int64]map[string][]string{testOrgID: {ac.ActionOrgUsersRead: {
ac.Scope("users", "id", fmt.Sprintf("%d", userIds[0])),
ac.Scope("users", "id", fmt.Sprintf("%d", userIds[2])),
ac.Scope("users", "id", fmt.Sprintf("%d", userIds[3])),
}}},
},
},
expectedNumUsers: 3,
@ -598,20 +576,10 @@ func TestIntegrationSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
if !hasWildcardScope(tt.query.SignedInUser, ac.ActionOrgUsersRead) {
for _, member := range tt.query.Result {
hasPermission := false
for _, scope := range tt.query.SignedInUser.Permissions[tt.query.SignedInUser.OrgId][ac.ActionOrgUsersRead] {
if scope == ac.Scope("users", "id", fmt.Sprintf("%d", member.UserId)) {
hasPermission = true
break
}
}
for _, scope := range tt.query.SignedInUser.Permissions[tt.query.SignedInUser.OrgId][serviceaccounts.ActionRead] {
if scope == ac.Scope("serviceaccounts", "id", fmt.Sprintf("%d", member.UserId)) {
hasPermission = true
break
}
}
assert.True(t, hasPermission)
assert.Contains(t,
tt.query.SignedInUser.Permissions[tt.query.SignedInUser.OrgId][ac.ActionOrgUsersRead],
ac.Scope("users", "id", fmt.Sprintf("%d", member.UserId)),
)
}
}
})

9
public/app/core/components/AccessControl/AddPermission.tsx
Unescape View File

@ -2,7 +2,6 @@ import React, { useEffect, useMemo, useState } from 'react';
import { Button, Form, HorizontalGroup, Select } from '@grafana/ui';
import { CloseButton } from 'app/core/components/CloseButton/CloseButton';
import { ServiceAccountPicker } from 'app/core/components/Select/ServiceAccountPicker';
import { TeamPicker } from 'app/core/components/Select/TeamPicker';
import { UserPicker } from 'app/core/components/Select/UserPicker';
import { OrgRole } from 'app/types/acl';
@ -29,9 +28,6 @@ export const AddPermission = ({ title = 'Add Permission For', permissions, assig
if (assignments.users) {
options.push({ value: PermissionTarget.User, label: 'User' });
}
if (assignments.serviceAccounts) {
options.push({ value: PermissionTarget.ServiceAccount, label: 'Service Account' });
}
if (assignments.teams) {
options.push({ value: PermissionTarget.Team, label: 'Team' });
}
@ -50,7 +46,6 @@ export const AddPermission = ({ title = 'Add Permission For', permissions, assig
const isValid = () =>
(target === PermissionTarget.Team && teamId > 0) ||
(target === PermissionTarget.User && userId > 0) ||
(target === PermissionTarget.ServiceAccount && userId > 0) ||
(PermissionTarget.BuiltInRole && OrgRole.hasOwnProperty(builtInRole));
return (
@ -77,10 +72,6 @@ export const AddPermission = ({ title = 'Add Permission For', permissions, assig
<UserPicker onSelected={(u) => setUserId(u.value || 0)} className={'width-20'} />
)}
{target === PermissionTarget.ServiceAccount && (
<ServiceAccountPicker onSelected={(s) => setUserId(s.value?.id || 0)} className={'width-20'} />
)}
{target === PermissionTarget.Team && (
<TeamPicker onSelected={(t) => setTeamId(t.value?.id || 0)} className={'width-20'} />
)}

21
public/app/core/components/AccessControl/Permissions.tsx
Unescape View File

@ -16,7 +16,6 @@ const INITIAL_DESCRIPTION: Description = {
assignments: {
teams: false,
users: false,
serviceAccounts: false,
builtInRoles: false,
},
};
@ -58,7 +57,7 @@ export const Permissions = ({
const onAdd = (state: SetPermission) => {
let promise: Promise<void> | null = null;
if (state.target === PermissionTarget.User || state.target === PermissionTarget.ServiceAccount) {
if (state.target === PermissionTarget.User) {
promise = setUserPermission(resource, resourceId, state.userId!, state.permission);
} else if (state.target === PermissionTarget.Team) {
promise = setTeamPermission(resource, resourceId, state.teamId!, state.permission);
@ -110,15 +109,7 @@ export const Permissions = ({
const users = useMemo(
() =>
sortBy(
items.filter((i) => i.userId && !i.userIsServiceAccount),
['userLogin']
),
[items]
);
const serviceAccounts = useMemo(
() =>
sortBy(
items.filter((i) => i.userId && i.userIsServiceAccount),
items.filter((i) => i.userId),
['userLogin']
),
[items]
@ -170,14 +161,6 @@ export const Permissions = ({
onRemove={onRemove}
canSet={canSetPermissions}
/>
<PermissionList
title="Service Account"
items={serviceAccounts}
permissionLevels={desc.permissions}
onChange={onChange}
onRemove={onRemove}
canSet={canSetPermissions}
/>
<PermissionList
title="Team"
items={teams}

3
public/app/core/components/AccessControl/types.ts
Unescape View File

@ -5,7 +5,6 @@ export type ResourcePermission = {
userId?: number;
userLogin?: string;
userAvatarUrl?: string;
userIsServiceAccount?: boolean;
team?: string;
teamId?: number;
teamAvatarUrl?: string;
@ -26,7 +25,6 @@ export enum PermissionTarget {
None = 'None',
Team = 'Team',
User = 'User',
ServiceAccount = 'Service Account',
BuiltInRole = 'builtInRole',
}
export type Description = {
@ -37,6 +35,5 @@ export type Description = {
export type Assignments = {
users: boolean;
teams: boolean;
serviceAccounts: boolean;
builtInRoles: boolean;
};

69
public/app/core/components/Select/ServiceAccountPicker.tsx
Unescape View File

@ -1,69 +0,0 @@
import { debounce, isNil } from 'lodash';
import React, { useEffect, useState } from 'react';
import { SelectableValue } from '@grafana/data';
import { getBackendSrv } from '@grafana/runtime';
import { AsyncSelect } from '@grafana/ui';
import { ServiceAccount } from 'app/types';
export interface Props {
onSelected: (serviceAccount: SelectableValue<ServiceAccount>) => void;
className?: string;
inputId?: string;
autoFocus?: boolean;
}
export function ServiceAccountPicker({ onSelected, className, inputId, autoFocus }: Props) {
const [loadingServiceAccounts, setLoadingServiceAccounts] = useState(false);
// For whatever reason the autoFocus prop doesn't seem to work
// with AsyncSelect, hence this workaround. Maybe fixed in a later version?
useEffect(() => {
if (autoFocus && inputId) {
document.getElementById(inputId)?.focus();
}
}, [autoFocus, inputId]);
let search = (query?: string) => {
setLoadingServiceAccounts(true);
if (isNil(query)) {
query = '';
}
return getBackendSrv()
.get(`/api/serviceaccounts/search?query=${query}`)
.then((result: { serviceAccounts: ServiceAccount[] }) => {
const serviceAccounts: Array<SelectableValue<ServiceAccount>> = result.serviceAccounts.map((serviceAccount) => {
return {
id: serviceAccount.id,
value: serviceAccount,
label: serviceAccount.login,
imgUrl: serviceAccount.avatarUrl,
login: serviceAccount.login,
};
});
setLoadingServiceAccounts(false);
return serviceAccounts;
});
};
const debouncedSearch = debounce(search, 300, {
leading: true,
trailing: true,
});
return (
<AsyncSelect
inputId={inputId}
className={className}
isLoading={loadingServiceAccounts}
defaultOptions={true}
isSearchable={true}
loadOptions={debouncedSearch}
onChange={onSelected}
placeholder="Start typing to search for service accounts"
noOptionsMessage="No service accounts found"
/>
);
}
Write Preview
Loading…
Cancel
Save