RBAC: Allow plugins to use scoped actions (#90945)

Co-authored-by: gamab <gabriel.mabille@grafana.com>
Kevin Minehart
2024-07-25 09:22:31 -05:00
committed by Kevin Minehart
parent beac3bdbcb
commit 9cdba084a9
8 changed files with 243 additions and 83 deletions
@@ -3,6 +3,7 @@ package pluginaccesscontrol
import (
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/setting"
@@ -75,3 +76,42 @@ func DeclareRBACRoles(service ac.Service, cfg *setting.Cfg, features featuremgmt
return service.DeclareFixedRoles(AppPluginsReader, PluginsWriter, PluginsMaintainer)
}
var datasourcesActions = map[string]bool{
datasources.ActionIDRead: true,
datasources.ActionQuery: true,
datasources.ActionRead: true,
datasources.ActionWrite: true,
datasources.ActionDelete: true,
datasources.ActionPermissionsRead: true,
datasources.ActionPermissionsWrite: true,
"datasources.caching:read": true,
"datasources.caching:write": true,
ac.ActionAlertingRuleExternalRead: true,
ac.ActionAlertingRuleExternalWrite: true,
ac.ActionAlertingInstancesExternalRead: true,
ac.ActionAlertingInstancesExternalWrite: true,
ac.ActionAlertingNotificationsExternalRead: true,
ac.ActionAlertingNotificationsExternalWrite: true,
}
// GetDataSourceRouteEvaluator returns an evaluator for the given data source UID and action.
func GetDataSourceRouteEvaluator(dsUID, action string) ac.Evaluator {
if datasourcesActions[action] {
return ac.EvalPermission(action, "datasources:uid:"+dsUID)
}
return ac.EvalPermission(action)
}
var pluginsActions = map[string]bool{
ActionWrite: true,
ActionAppAccess: true,
}
// GetPluginRouteEvaluator returns an evaluator for the given plugin ID and action.
func GetPluginRouteEvaluator(pluginID, action string) ac.Evaluator {
if pluginsActions[action] {
return ac.EvalPermission(action, "plugins:id:"+pluginID)
}
return ac.EvalPermission(action)
}
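Review bot: Both `GetDataSourceRouteEvaluator` and `GetPluginRouteEvaluator` silently discard the identifier when the action is not in their allowlist, so for any action outside `datasourcesActions`/`pluginsActions` the returned evaluator is `ac.EvalPermission(action)` with no scope and `dsUID`/`pluginID` has no effect, which a caller reading the signature would not expect. The same fallthrough means a typo in one of the map keys (the `"datasources.caching:read"`/`"datasources.caching:write"` entries are string literals rather than constants) quietly downgrades that action to an unscoped check with no error or log. Nothing in the hunk rejects an empty `dsUID` or `pluginID`, which would build a scope such as `datasources:uid:`; how that is matched depends on scope handling outside this hunk. I would make the fallthrough explicit in the doc comments, e.g. on the first function `// Actions not listed in datasourcesActions are evaluated without a scope, i.e. dsUID is ignored; only add an action here if its permissions are granted per data source UID.`, with the matching note on `GetPluginRouteEvaluator`, and consider a test asserting that every entry in the two maps maps to a scoped evaluator so a mistyped key is caught.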