Alerting: Receiver resource permissions service (#93552)
This commit is contained in:
Matthew Jacobson
GitHub
@@ -11,6 +11,7 @@ import (
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
|
||||
"github.com/grafana/authlib/claims"
|
||||
|
||||
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
||||
"github.com/grafana/grafana/pkg/registry"
|
||||
"github.com/grafana/grafana/pkg/services/authn"
|
||||
@@ -148,6 +149,10 @@ type ServiceAccountPermissionsService interface {
|
||||
PermissionsService
|
||||
}
|
||||
|
||||
type ReceiverPermissionsService interface {
|
||||
PermissionsService
|
||||
}
|
||||
|
||||
type PermissionsService interface {
|
||||
// GetPermissions returns all permissions for given resourceID
|
||||
GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]ResourcePermission, error)
|
||||
|
||||
@@ -444,12 +444,14 @@ const (
|
||||
ActionAlertingNotificationsTimeIntervalsDelete = "alert.notifications.time-intervals:delete"
|
||||
|
||||
// Alerting receiver actions
|
||||
ActionAlertingReceiversList = "alert.notifications.receivers:list"
|
||||
ActionAlertingReceiversRead = "alert.notifications.receivers:read"
|
||||
ActionAlertingReceiversReadSecrets = "alert.notifications.receivers.secrets:read"
|
||||
ActionAlertingReceiversCreate = "alert.notifications.receivers:create"
|
||||
ActionAlertingReceiversUpdate = "alert.notifications.receivers:write"
|
||||
ActionAlertingReceiversDelete = "alert.notifications.receivers:delete"
|
||||
ActionAlertingReceiversList = "alert.notifications.receivers:list"
|
||||
ActionAlertingReceiversRead = "alert.notifications.receivers:read"
|
||||
ActionAlertingReceiversReadSecrets = "alert.notifications.receivers.secrets:read"
|
||||
ActionAlertingReceiversCreate = "alert.notifications.receivers:create"
|
||||
ActionAlertingReceiversUpdate = "alert.notifications.receivers:write"
|
||||
ActionAlertingReceiversDelete = "alert.notifications.receivers:delete"
|
||||
ActionAlertingReceiversPermissionsRead = "receivers.permissions:read"
|
||||
ActionAlertingReceiversPermissionsWrite = "receivers.permissions:write"
|
||||
|
||||
// External alerting rule actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
|
||||
ActionAlertingRuleExternalWrite = "alert.rules.external:write"
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
package ossaccesscontrol
|
||||
|
||||
import (
|
||||
"github.com/grafana/grafana/pkg/api/routing"
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/licensing"
|
||||
"github.com/grafana/grafana/pkg/services/ngalert"
|
||||
alertingac "github.com/grafana/grafana/pkg/services/ngalert/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/team"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
var ReceiversViewActions = []string{accesscontrol.ActionAlertingReceiversRead}
|
||||
var ReceiversEditActions = append(ReceiversViewActions, []string{accesscontrol.ActionAlertingReceiversUpdate, accesscontrol.ActionAlertingReceiversDelete}...)
|
||||
var ReceiversAdminActions = append(ReceiversEditActions, []string{accesscontrol.ActionAlertingReceiversReadSecrets, accesscontrol.ActionAlertingReceiversPermissionsRead, accesscontrol.ActionAlertingReceiversPermissionsWrite}...)
|
||||
|
||||
func ProvideReceiverPermissionsService(
|
||||
cfg *setting.Cfg, features featuremgmt.FeatureToggles, router routing.RouteRegister, sql db.DB, ac accesscontrol.AccessControl,
|
||||
license licensing.Licensing, service accesscontrol.Service,
|
||||
teamService team.Service, userService user.Service, actionSetService resourcepermissions.ActionSetService,
|
||||
) (*ReceiverPermissionsService, error) {
|
||||
if !features.IsEnabledGlobally(featuremgmt.FlagAlertingApiServer) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
options := resourcepermissions.Options{
|
||||
Resource: "receivers",
|
||||
ResourceAttribute: "uid",
|
||||
Assignments: resourcepermissions.Assignments{
|
||||
Users: true,
|
||||
Teams: true,
|
||||
BuiltInRoles: true,
|
||||
ServiceAccounts: true,
|
||||
},
|
||||
PermissionsToActions: map[string][]string{
|
||||
string(alertingac.ReceiverPermissionView): append([]string{}, ReceiversViewActions...),
|
||||
string(alertingac.ReceiverPermissionEdit): append([]string{}, ReceiversEditActions...),
|
||||
string(alertingac.ReceiverPermissionAdmin): append([]string{}, ReceiversAdminActions...),
|
||||
},
|
||||
ReaderRoleName: "Alerting receiver permission reader",
|
||||
WriterRoleName: "Alerting receiver permission writer",
|
||||
RoleGroup: ngalert.AlertRolesGroup,
|
||||
}
|
||||
|
||||
srv, err := resourcepermissions.New(cfg, options, features, router, license, ac, service, sql, teamService, userService, actionSetService)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &ReceiverPermissionsService{Service: srv}, nil
|
||||
}
|
||||
|
||||
var _ accesscontrol.ReceiverPermissionsService = new(ReceiverPermissionsService)
|
||||
|
||||
type ReceiverPermissionsService struct {
|
||||
*resourcepermissions.Service
|
||||
}
|
||||
Reference in New Issue
Block a user