package ossaccesscontrol import ( "context" "github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/services/accesscontrol" "github.com/grafana/grafana/pkg/services/accesscontrol/evaluator" "github.com/grafana/grafana/pkg/setting" ) // OSSAccessControlService is the service implementing role based access control. type OSSAccessControlService struct { Cfg *setting.Cfg `inject:""` Log log.Logger } // Init initializes the OSSAccessControlService. func (ac *OSSAccessControlService) Init() error { ac.Log = log.New("accesscontrol") return nil } func (ac *OSSAccessControlService) IsDisabled() bool { if ac.Cfg == nil { return true } _, exists := ac.Cfg.FeatureToggles["accesscontrol"] return !exists } // Evaluate evaluates access to the given resource func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.SignedInUser, permission string, scope ...string) (bool, error) { return evaluator.Evaluate(ctx, ac, user, permission, scope...) } // GetUserPermissions returns user permissions based on built-in roles func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*accesscontrol.Permission, error) { builtinRoles := ac.GetUserBuiltInRoles(user) permissions := make([]*accesscontrol.Permission, 0) for _, builtin := range builtinRoles { if roleNames, ok := accesscontrol.PredefinedRoleGrants[builtin]; ok { for _, name := range roleNames { r, exists := accesscontrol.PredefinedRoles[name] if !exists { continue } for _, p := range r.Permissions { permission := p permissions = append(permissions, &permission) } } } } return permissions, nil } func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser) []string { roles := []string{string(user.OrgRole)} for _, role := range user.OrgRole.Children() { roles = append(roles, string(role)) } if user.IsGrafanaAdmin { roles = append(roles, accesscontrol.RoleGrafanaAdmin) } return roles }