apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Access Control: Rename fixed roles (#41288)

Browse Source 
* Rename fixed roles
* Update descriptions
* Update docs for fixed roles and permissions

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
pull/41819/head
Karl Persson 4 years ago committed by GitHub
parent d76cea45b5
commit d623285fcc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 283 additions and 240 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 62
      docs/sources/enterprise/access-control/fine-grained-access-control-references.md
  2. 26
      docs/sources/enterprise/access-control/permissions.md
  3. 1
      pkg/api/api.go
  4. 252
      pkg/api/roles.go
  5. 1
      pkg/models/datasource.go
  6. 177
      pkg/services/accesscontrol/roles.go
  7. 4
      pkg/services/accesscontrol/roles_test.go

62
docs/sources/enterprise/access-control/fine-grained-access-control-references.md
Unescape View File

@ -11,34 +11,40 @@ The reference information that follows complements conceptual information about
## Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
| `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. |
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
| `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. |
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
| `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. |
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
| `fixed:settings:admin:read` | `settings:read` | Read settings |
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
| `fixed:datasources:editor:read` | `datasources:explore` | Allows to access the **Explore** tab |
| `fixed:datasources:admin` | `datasources:read`<br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Allows to create, read, update, delete data sources. |
| `fixed:datasources:id:viewer` | `datasources.id:read` | Allows to read data source IDs. |
| `fixed:datasources:permissions:admin` | `datasources.permissions:create`<br> `datasources.permissions:read`<br> `datasources.permissions:delete`<br>`datasources.permissions:toggle` | Allows to create, read, delete, enable, or disable data source permissions |
| `fixed:licensing:viewer` | `licensing:read`<br>`licensing.reports:read` | Read licensing information and custom permission reports. |
| `fixed:licensing:editor` | All permissions from `fixed:licensing:viewer` and <br>`licensing:update`<br>`licensing:delete` | Read licensing information and custom permission reports, and update and delete the license token. |
| Fixed roles | Permissions | Descriptions |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:roles:reader` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Read all access control roles and built-in role assignments. |
| `fixed:roles:writer` | All permissions from `fixed:roles:reader` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Create, read, update, or delete all roles and built-in role assignments. |
| `fixed:reports:reader` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Read all reports and shared report settings. |
| `fixed:reports:writer` | All permissions from `fixed:reports:reader` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Create, read, update, or delete all reports and shared report settings. |
| `fixed:users:reader` | `users:read`<br>`users.quotas:list`<br>`users.authtoken:list`<br>`users.teams:read` | Read all users and their information, such as team memberships, authentication tokens, and quotas. |
| `fixed:users:writer` | All permissions from `fixed:users:reader` and <br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.password:update`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users. |
| `fixed:org.users:reader` | `org.users:read` | Read users within a single organization. |
| `fixed:org.users:writer` | All permissions from `fixed:org.users:reader` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user. |
| `fixed:ldap:reader` | `ldap.user:read`<br>`ldap.status:read` | Read the LDAP configuration and LDAP status information. |
| `fixed:ldap:writer` | All permissions from `fixed:ldap:reader` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Read and update the LDAP configuration, and read LDAP status information. |
| `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. |
| `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. |
| `fixed:settings:writer` | All permissions from `fixed:settings:reader` and<br>`settings:write` | Read and update Grafana instance settings. |
| `fixed:datasources:explorer` | `datasources:explore` | Enable the Explore feature. Data source permissions still apply, you can only query data sources for which you have query permissions. |
| `fixed:datasources:reader` | `datasources:read`<br>`datasources:query` | Read and query data sources. |
| `fixed:datasources:writer` | All permissions from `fixed:datasources:reader` and <br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Read, query, create, delete, or update a data source. |
| `fixed:datasources:id:reader` | `datasources.id:read` | Read the ID of a data source based on its name. |
| `fixed:datasources.permissions:reader` | `datasources.permissions:read` | Read data source permissions. |
| `fixed:datasources.permissions:writer` | All permissions from `fixed:datasources.permissions:reader` and <br>`datasources.permissions:create`<br>`datasources.permissions:delete`<br>`datasources.permissions:toggle` | Create, read, or delete permissions of a data source. |
| `fixed:licensing:reader` | `licensing:read`<br>`licensing.reports:read` | Read licensing information and licensing reports. |
| `fixed:licensing:writer` | All permissions from `fixed:licensing:viewer` and <br>`licensing:update`<br>`licensing:delete` | Read licensing information and licensing reports, update and delete the license token. |
| `fixed:provisioning:writer` | `provisioning:reload` | Reload provisioning. |
| `fixed:orgs:reader` | `orgs:read`<br>`orgs.quotas:read` | Read the organization and its quotas. |
| `fixed:orgs:writer` | All permissions from `fixed:orgs:reader` and <br> `orgs:write`<br>`orgs:delete`<br>`orgs.quotas:write` | Create, read, write, or delete an organization. Read or write its quotas. |
| `fixed:current.org:reader` | `orgs:read`<br>`orgs.quotas:read` | Read the current organization, such as its ID, name, address, or quotas. |
| `fixed:current.org:writer` | All permissions from `fixed:current.orgs:reader` and <br> `orgs:write`<br>`orgs.quotas:write`<br>`orgs.preferences:read`<br>`orgs.preferences:write` | Read the current organization, its quotas, or its preferences. Update the current organization properties, or its preferences. |
## Default built-in role assignments
| Built-in role | Associated role | Description |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit`<br>`fixed:licensing:editor` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:datasources:admin`<br>`fixed:datasources:permissions:admin` | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Editor | `fixed:datasources:editor:read` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Viewer | `fixed:datasources:id:viewer` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Built-in role | Associated role | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:roles:reader`<br>`fixed:roles:writer`<br>`fixed:users:reader`<br>`fixed:users:writer`<br>`fixed:org.users:reader`<br>`fixed:org.users:writer`<br>`fixed:ldap:reader`<br>`fixed:ldap:writer`<br>`fixed:stats:reader`<br>`fixed:settings:reader`<br>`fixed:settings:writer`<br>`fixed:provisioning:writer`<br>`fixed:orgs:reader`<br>`fixed:orgs:writer`<br>`fixed:licensing:reader`<br>`fixed:licensing:writer` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
| Admin | `fixed:reports:reader`<br>`fixed:reports:writer`<br>`fixed:datasources:reader`<br>`fixed:datasources:writer`<br>`fixed:current.org:writer`<br>`fixed:datasources.permissions:reader`<br>`fixed:datasources.permissions:writer`<br> | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Editor | `fixed:datasources:explorer` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Viewer | `fixed:datasources:id:reader` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |

26
docs/sources/enterprise/access-control/permissions.md
Unescape View File

@ -58,16 +58,25 @@ The following list contains fine-grained access control actions.
| `org.users:add` | `users:*` | Add a user to an organization. |
| `org.users:remove` | `users:*` <br> `users:id:*` | Remove a user from an organization. |
| `org.users.role:update` | `users:*` <br> `users:id:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
| `ldap.user:read` | n/a | Get a user via LDAP. |
| `ldap.user:sync` | n/a | Sync a user via LDAP. |
| `orgs:read` | `orgs:*` <br> `orgs:id:*` | Read one or more organizations. |
| `orgs:write` | `orgs:*` <br> `orgs:id:*` | Update one or more organizations. |
| `org:create` | n/a | Create an organization. |
| `orgs:delete` | `orgs:*` <br> `orgs:id:*` | Delete one or more organizations. |
| `orgs.quotas:read` | `orgs:*` <br> `orgs:id:*` | Read organization quotas. |
| `orgs.quotas:write` | `orgs:*` <br> `orgs:id:*` | Update organization quotas. |
| `orgs.preferences:read` | `orgs:*` <br> `orgs:id:*` | Read organization preferences. |
| `orgs.preferences:write` | `orgs:*` <br> `orgs:id:*` | Update organization preferences. |
| `ldap.user:read` | n/a | Read users via LDAP. |
| `ldap.user:sync` | n/a | Sync users via LDAP. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
| `server.stats:read` | n/a | Read server stats |
| `server.stats:read` | n/a | Read Grafana instance statistics. |
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
| `datasources:query` | n/a<br>`datasources:*`<br>`datasources:id:*` | Query data sources. |
| `datasources.id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
@ -80,6 +89,7 @@ The following list contains fine-grained access control actions.
| `licensing:update` | n/a | Update the license token. |
| `licensing:delete` | n/a | Delete the license token. |
| `licensing.reports:read` | n/a | Get custom permission reports. |
| `serviceaccounts:delete` | `serviceaccounts:*` <br> `serviceaccounts:id:*` | Delete one or more service accounts. |
## Scope definitions
@ -87,12 +97,14 @@ The following list contains fine-grained access control scopes.
| Scopes | Descriptions |
| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:uid:randomuid` matches only the role with UID `randomuid` |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report with id `1`. |
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `global:users:*` | Restrict an action to a set of global users. |
| `users:*` | Restrict an action to a set of users from an organization. |
| `global:users:*` <br> `global:users:id:*` | Restrict an action to a set of global users. For example, `global:users:*` matches any user and `global:users:id:1` matches the user whose ID is `1`. |
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
| `serviceaccounts:*` <br> `serviceaccounts:id:*` | Restrict an action to a set of service accounts. For example, `serviceaccounts:*` matches any service account and `serviceaccounts:id:1` matches the service account whose ID is `1`. |

1
pkg/api/api.go
Unescape View File

@ -166,7 +166,6 @@ func (hs *HTTPServer) registerRoutes() {
userRoute.Post("/revoke-auth-token", bind(models.RevokeAuthTokenCmd{}), routing.Wrap(hs.RevokeUserAuthToken))
}, reqSignedInNoAnonymous)
// users (admin permission required)
apiRoute.Group("/users", func(usersRoute routing.RouteRegister) {
userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id"))
usersRoute.Get("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsers))

252
pkg/api/roles.go
Unescape View File

@ -44,145 +44,157 @@ var (
// grants to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
// that HTTPServer needs
func (hs *HTTPServer) declareFixedRoles() error {
registrations := []accesscontrol.RoleRegistration{
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:provisioning:admin",
Description: "Reload provisioning configurations",
Permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersAll,
},
provisioningWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:provisioning:writer",
DisplayName: "Provisioning writer",
Description: "Reload provisioning.",
Permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersAll,
},
},
Grants: []string{accesscontrol.RoleGrafanaAdmin},
},
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:datasources:admin",
Description: "Gives access to create, read, update, delete datasources",
Permissions: []accesscontrol.Permission{
{
Action: ActionDatasourcesRead,
Scope: ScopeDatasourcesAll,
},
{
Action: ActionDatasourcesWrite,
Scope: ScopeDatasourcesAll,
},
{
Action: ActionDatasourcesCreate,
},
{
Action: ActionDatasourcesDelete,
Scope: ScopeDatasourcesAll,
},
{
Action: ActionDatasourcesQuery,
Scope: ScopeDatasourcesAll,
},
Grants: []string{accesscontrol.RoleGrafanaAdmin},
}
datasourcesReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:datasources:reader",
DisplayName: "Data source reader",
Description: "Read and query all data sources.",
Permissions: []accesscontrol.Permission{
{
Action: ActionDatasourcesRead,
Scope: ScopeDatasourcesAll,
},
{
Action: ActionDatasourcesQuery,
Scope: ScopeDatasourcesAll,
},
},
Grants: []string{string(models.ROLE_ADMIN)},
},
{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:datasources:id:viewer",
Description: "Gives access to read datasources ID",
Permissions: []accesscontrol.Permission{
{
Action: ActionDatasourcesIDRead,
Scope: ScopeDatasourcesAll,
},
Grants: []string{string(models.ROLE_ADMIN)},
}
datasourcesWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:datasources:writer",
DisplayName: "Data source writer",
Description: "Create, update, delete, read, or query data sources.",
Permissions: accesscontrol.ConcatPermissions(datasourcesReaderRole.Role.Permissions, []accesscontrol.Permission{
{
Action: ActionDatasourcesWrite,
Scope: ScopeDatasourcesAll,
},
},
Grants: []string{string(models.ROLE_VIEWER)},
{
Action: ActionDatasourcesCreate,
},
{
Action: ActionDatasourcesDelete,
Scope: ScopeDatasourcesAll,
},
}),
},
{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:datasources:compatibility:querier",
Description: "Query data sources when data source permissions are not in use",
Permissions: []accesscontrol.Permission{
{Action: ActionDatasourcesQuery},
Grants: []string{string(models.ROLE_ADMIN)},
}
datasourcesIdReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Name: "fixed:datasources.id:reader",
DisplayName: "Data source ID reader",
Description: "Read the ID of a data source based on its name.",
Permissions: []accesscontrol.Permission{
{
Action: ActionDatasourcesIDRead,
Scope: ScopeDatasourcesAll,
},
},
Grants: []string{string(models.ROLE_VIEWER)},
},
{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:current:org:reader",
Description: "Read current organization and its quotas.",
Permissions: []accesscontrol.Permission{
{
Action: ActionOrgsRead,
},
{
Action: ActionOrgsQuotasRead,
},
},
Grants: []string{string(models.ROLE_VIEWER)},
}
datasourcesCompatibilityReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:datasources:compatibility:querier",
DisplayName: "Data source compatibility querier",
Description: "Only used for open source compatibility. Query data sources.",
Permissions: []accesscontrol.Permission{
{Action: ActionDatasourcesQuery},
},
Grants: []string{string(models.ROLE_VIEWER)},
},
{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:current:org:writer",
Description: "Read current organization, its quotas, and its preferences. Write current organization and its preferences.",
Permissions: []accesscontrol.Permission{
{
Action: ActionOrgsRead,
},
{
Action: ActionOrgsQuotasRead,
},
{
Action: ActionOrgsPreferencesRead,
},
{
Action: ActionOrgsWrite,
},
{
Action: ActionOrgsPreferencesWrite,
},
},
Grants: []string{string(models.ROLE_VIEWER)},
}
currentOrgReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Name: "fixed:current.org:reader",
DisplayName: "Current Organization reader",
Description: "Read the current organization, such as its ID, name, address, or quotas.",
Permissions: []accesscontrol.Permission{
{Action: ActionOrgsRead},
{Action: ActionOrgsQuotasRead},
},
Grants: []string{string(models.ROLE_ADMIN)},
},
{
Role: accesscontrol.RoleDTO{
Version: 2,
Name: "fixed:orgs:writer",
Description: "Create, read, write, or delete an organization. Read or write an organization's quotas.",
Permissions: []accesscontrol.Permission{
{Action: ActionOrgsCreate},
{
Action: ActionOrgsRead,
},
{
Action: ActionOrgsWrite,
},
{
Action: ActionOrgsDelete,
},
{
Action: ActionOrgsQuotasRead,
},
{
Action: ActionOrgsQuotasWrite,
},
},
Grants: []string{string(models.ROLE_VIEWER)},
}
currentOrgWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Name: "fixed:current.org:writer",
DisplayName: "Current Organization writer",
Description: "Read the current organization, its quotas, or its preferences. Update the current organization properties, or its preferences.",
Permissions: accesscontrol.ConcatPermissions(currentOrgReaderRole.Role.Permissions, []accesscontrol.Permission{
{Action: ActionOrgsPreferencesRead},
{Action: ActionOrgsWrite},
{Action: ActionOrgsPreferencesWrite},
}),
},
Grants: []string{string(models.ROLE_ADMIN)},
}
orgReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: "fixed:orgs:reader",
DisplayName: "Organization reader",
Description: "Read the organization and its quotas.",
Permissions: []accesscontrol.Permission{
{Action: ActionOrgsRead},
{Action: ActionOrgsQuotasRead},
},
Grants: []string{accesscontrol.RoleGrafanaAdmin},
},
Grants: []string{string(accesscontrol.RoleGrafanaAdmin)},
}
orgWriterRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Name: "fixed:orgs:writer",
DisplayName: "Organization writer",
Description: "Create, read, write, or delete an organization. Read or write an organization's quotas.",
Permissions: accesscontrol.ConcatPermissions(orgReaderRole.Role.Permissions, []accesscontrol.Permission{
{Action: ActionOrgsCreate},
{Action: ActionOrgsWrite},
{Action: ActionOrgsDelete},
{Action: ActionOrgsQuotasWrite},
}),
},
Grants: []string{string(accesscontrol.RoleGrafanaAdmin)},
}
return hs.AccessControl.DeclareFixedRoles(registrations...)
return hs.AccessControl.DeclareFixedRoles(
provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole,
datasourcesCompatibilityReaderRole, currentOrgReaderRole, currentOrgWriterRole, orgReaderRole, orgWriterRole,
)
}
// Evaluators

1
pkg/models/datasource.go
Unescape View File

@ -168,6 +168,7 @@ type DsPermissionType int
const (
DsPermissionNoAccess DsPermissionType = iota
DsPermissionQuery
DsPermissionRead
)
func (p DsPermissionType) String() string {

177
pkg/services/accesscontrol/roles.go
Unescape View File

@ -15,9 +15,11 @@ type RoleRegistry interface {
// Roles definition
var (
datasourcesEditorReadRole = RoleDTO{
Version: 1,
Name: datasourcesEditorRead,
datasourcesExplorerRole = RoleDTO{
Version: 2,
Name: datasourcesExplorer,
DisplayName: "Data source explorer",
Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
Permissions: []Permission{
{
Action: ActionDatasourcesExplore,
@ -25,9 +27,11 @@ var (
},
}
ldapAdminReadRole = RoleDTO{
Name: ldapAdminRead,
Version: 1,
ldapReaderRole = RoleDTO{
Name: ldapReader,
DisplayName: "LDAP reader",
Description: "Read LDAP configuration and status.",
Version: 2,
Permissions: []Permission{
{
Action: ActionLDAPUsersRead,
@ -38,10 +42,12 @@ var (
},
}
ldapAdminEditRole = RoleDTO{
Name: ldapAdminEdit,
Version: 2,
Permissions: ConcatPermissions(ldapAdminReadRole.Permissions, []Permission{
ldapWriterRole = RoleDTO{
Name: ldapWriter,
DisplayName: "LDAP writer",
Description: "Read and update LDAP configuration and read LDAP status.",
Version: 3,
Permissions: ConcatPermissions(ldapReaderRole.Permissions, []Permission{
{
Action: ActionLDAPUsersSync,
},
@ -51,30 +57,32 @@ var (
}),
}
serverAdminReadRole = RoleDTO{
Version: 1,
Name: serverAdminRead,
Permissions: []Permission{
orgUsersWriterRole = RoleDTO{
Name: orgUsersWriter,
DisplayName: "Organization user writer",
Description: "Within a single organization, add a user, invite a user, read information about a user and their role, remove a user from that organization, or change the role of a user.",
Version: 2,
Permissions: ConcatPermissions(orgUsersReaderRole.Permissions, []Permission{
{
Action: ActionServerStatsRead,
Action: ActionOrgUsersAdd,
Scope: ScopeUsersAll,
},
},
}
settingsAdminReadRole = RoleDTO{
Version: 2,
Name: settingsAdminRead,
Permissions: []Permission{
{
Action: ActionSettingsRead,
Scope: ScopeSettingsAll,
Action: ActionOrgUsersRoleUpdate,
Scope: ScopeUsersAll,
},
},
{
Action: ActionOrgUsersRemove,
Scope: ScopeUsersAll,
},
}),
}
usersOrgReadRole = RoleDTO{
Name: usersOrgRead,
Version: 1,
orgUsersReaderRole = RoleDTO{
Name: orgUsersReader,
DisplayName: "Organization user reader",
Description: "Read users within a single organization.",
Version: 2,
Permissions: []Permission{
{
Action: ActionOrgUsersRead,
@ -83,28 +91,36 @@ var (
},
}
usersOrgEditRole = RoleDTO{
Name: usersOrgEdit,
Version: 1,
Permissions: ConcatPermissions(usersOrgReadRole.Permissions, []Permission{
{
Action: ActionOrgUsersAdd,
Scope: ScopeUsersAll,
},
settingsReaderRole = RoleDTO{
Version: 3,
DisplayName: "Setting reader",
Description: "Read Grafana instance settings.",
Name: settingsReader,
Permissions: []Permission{
{
Action: ActionOrgUsersRoleUpdate,
Scope: ScopeUsersAll,
Action: ActionSettingsRead,
Scope: ScopeSettingsAll,
},
},
}
statsReaderRole = RoleDTO{
Version: 2,
Name: statsReader,
DisplayName: "Statistics reader",
Description: "Read Grafana instance statistics.",
Permissions: []Permission{
{
Action: ActionOrgUsersRemove,
Scope: ScopeUsersAll,
Action: ActionServerStatsRead,
},
}),
},
}
usersAdminReadRole = RoleDTO{
Name: usersAdminRead,
Version: 1,
usersReaderRole = RoleDTO{
Name: usersReader,
DisplayName: "User reader",
Description: "Read all users and their information, such as team memberships, authentication tokens, and quotas.",
Version: 2,
Permissions: []Permission{
{
Action: ActionUsersRead,
@ -125,10 +141,12 @@ var (
},
}
usersAdminEditRole = RoleDTO{
Name: usersAdminEdit,
Version: 1,
Permissions: ConcatPermissions(usersAdminReadRole.Permissions, []Permission{
usersWriterRole = RoleDTO{
Name: usersWriter,
DisplayName: "User writer",
Description: "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a user’s authentication token, or update quotas for all users.",
Version: 2,
Permissions: ConcatPermissions(usersReaderRole.Permissions, []Permission{
{
Action: ActionUsersPasswordUpdate,
Scope: ScopeGlobalUsersAll,
@ -174,20 +192,15 @@ var (
// Role names definitions
const (
datasourcesEditorRead = "fixed:datasources:editor:read"
serverAdminRead = "fixed:server:admin:read"
settingsAdminRead = "fixed:settings:admin:read"
usersAdminEdit = "fixed:users:admin:edit"
usersAdminRead = "fixed:users:admin:read"
usersOrgEdit = "fixed:users:org:edit"
usersOrgRead = "fixed:users:org:read"
ldapAdminEdit = "fixed:ldap:admin:edit"
ldapAdminRead = "fixed:ldap:admin:read"
datasourcesExplorer = "fixed:datasources:explorer"
ldapReader = "fixed:ldap:reader"
ldapWriter = "fixed:ldap:writer"
orgUsersReader = "fixed:org.users:reader"
orgUsersWriter = "fixed:org.users:writer"
settingsReader = "fixed:settings:reader"
statsReader = "fixed:stats:reader"
usersReader = "fixed:users:reader"
usersWriter = "fixed:users:writer"
)
var (
@ -198,36 +211,36 @@ var (
// resource. FixedRoleGrants lists which built-in roles are
// assigned which fixed roles in this list.
FixedRoles = map[string]RoleDTO{
datasourcesEditorRead: datasourcesEditorReadRole,
usersAdminEdit: usersAdminEditRole,
usersAdminRead: usersAdminReadRole,
usersOrgEdit: usersOrgEditRole,
usersOrgRead: usersOrgReadRole,
ldapAdminEdit: ldapAdminEditRole,
ldapAdminRead: ldapAdminReadRole,
serverAdminRead: serverAdminReadRole,
settingsAdminRead: settingsAdminReadRole,
datasourcesExplorer: datasourcesExplorerRole,
ldapReader: ldapReaderRole,
ldapWriter: ldapWriterRole,
orgUsersReader: orgUsersReaderRole,
orgUsersWriter: orgUsersWriterRole,
settingsReader: settingsReaderRole,
statsReader: statsReaderRole,
usersReader: usersReaderRole,
usersWriter: usersWriterRole,
}
// FixedRoleGrants specifies which built-in roles are assigned
// to which set of FixedRoles by default. Alphabetically sorted.
FixedRoleGrants = map[string][]string{
RoleGrafanaAdmin: {
ldapAdminEdit,
ldapAdminRead,
serverAdminRead,
settingsAdminRead,
usersAdminEdit,
usersAdminRead,
usersOrgEdit,
usersOrgRead,
ldapReader,
ldapWriter,
orgUsersReader,
orgUsersWriter,
settingsReader,
statsReader,
usersReader,
usersWriter,
},
string(models.ROLE_ADMIN): {
usersOrgEdit,
usersOrgRead,
orgUsersReader,
orgUsersWriter,
},
string(models.ROLE_EDITOR): {
datasourcesEditorRead,
datasourcesExplorer,
},
}
)

4
pkg/services/accesscontrol/roles_test.go
Unescape View File

@ -8,7 +8,7 @@ import (
"github.com/stretchr/testify/assert"
)
func TestPredefinedRoles(t *testing.T) {
func TestFixedRoles(t *testing.T) {
for name, role := range FixedRoles {
assert.Truef(t,
strings.HasPrefix(name, "fixed:"),
@ -19,7 +19,7 @@ func TestPredefinedRoles(t *testing.T) {
}
}
func TestPredefinedRoleGrants(t *testing.T) {
func TestFixedRoleGrants(t *testing.T) {
for _, grants := range FixedRoleGrants {
// Check grants list is sorted
assert.True(t,

Write Preview
Loading…
Cancel
Save