apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

RBAC: Update fixed annotation roles (#78756)

Browse Source 
* update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled

* add dashboard type scope back in the fixed roles to make the migration easier
pull/78958/head
Ieva 2 years ago committed by GitHub
parent d3a269ab3b
commit c354c7bfff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 78 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 78
      pkg/api/accesscontrol.go

78
pkg/api/accesscontrol.go
Unescape View File

@ -1,12 +1,14 @@
package api
import (
"context"
"fmt"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/libraryelements"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
@ -314,6 +316,8 @@ func (hs *HTTPServer) declareFixedRoles() error {
Grants: []string{string(org.RoleViewer)},
}
// TODO this role can be removed once we have rolled out FlagAnnotationPermissionUpdate to all users
// keeping it in for now for backwards compatibility
dashboardAnnotationsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations.dashboard:writer",
@ -344,6 +348,44 @@ func (hs *HTTPServer) declareFixedRoles() error {
Grants: []string{string(org.RoleEditor)},
}
if hs.Features.IsEnabled(context.Background(), featuremgmt.FlagAnnotationPermissionUpdate) {
// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
annotationsReaderRole = ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations:reader",
DisplayName: "Organization annotation reader",
Description: "Read organization annotations and annotation tags",
Group: "Annotations",
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsTypeOrganization},
// Can remove the following permission when we remove the FlagAnnotationPermissionUpdate
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsTypeDashboard},
},
},
Grants: []string{string(org.RoleViewer)},
}
// Keeping the name to avoid breaking changes (for users who have assigned this role to grant permissions on organization annotations)
annotationsWriterRole = ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations:writer",
DisplayName: "Organization annotation writer",
Description: "Update organization annotations.",
Group: "Annotations",
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeOrganization},
// Can remove the permissions scoped to ScopeAnnotationsTypeDashboard when we remove the FlagAnnotationPermissionUpdate
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeDashboard},
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeDashboard},
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeDashboard},
},
},
Grants: []string{string(org.RoleEditor)},
}
}
dashboardsCreatorRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:dashboards:creator",
@ -555,6 +597,42 @@ func (hs *HTTPServer) declareFixedRoles() error {
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole, libraryPanelsCreatorRole,
libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole}
if hs.Features.IsEnabled(context.Background(), featuremgmt.FlagAnnotationPermissionUpdate) {
allAnnotationsReaderRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations.all:reader",
DisplayName: "Annotation reader",
Description: "Read all annotations and tags",
Group: "Annotations",
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsRead, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsRead, Scope: dashboards.ScopeDashboardsAll},
},
},
Grants: []string{string(org.RoleAdmin)},
}
allAnnotationsWriterRole := ac.RoleRegistration{
Role: ac.RoleDTO{
Name: "fixed:annotations.all:writer",
DisplayName: "Annotation writer",
Description: "Update all annotations.",
Group: "Annotations",
Permissions: []ac.Permission{
{Action: ac.ActionAnnotationsCreate, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsCreate, Scope: dashboards.ScopeDashboardsAll},
{Action: ac.ActionAnnotationsDelete, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsDelete, Scope: dashboards.ScopeDashboardsAll},
{Action: ac.ActionAnnotationsWrite, Scope: ac.ScopeAnnotationsTypeOrganization},
{Action: ac.ActionAnnotationsWrite, Scope: dashboards.ScopeDashboardsAll},
},
},
Grants: []string{string(org.RoleAdmin)},
}
roles = append(roles, allAnnotationsReaderRole, allAnnotationsWriterRole)
}
return hs.accesscontrolService.DeclareFixedRoles(roles...)
}

Write Preview
Loading…
Cancel
Save