c593b20465
* Add custom verb for get_permissions and update_permissions. Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
package mappers
import (
"fmt"
"github.com/grafana/grafana/pkg/apimachinery/utils"
)
// defaultAttribute is the scope attribute used by Scope when no attribute is
// configured for the requested group and resource.
const defaultAttribute = "uid"

// Verb -> action lookup tables, from the innermost level outwards.
type (
	// VerbMapping maps a verb to an action, e.g. "get" -> "read".
	VerbMapping map[string]string

	// ResourceVerbMapping maps a resource to its VerbMapping,
	// e.g. "dashboards" -> VerbToAction.
	ResourceVerbMapping map[string]VerbMapping

	// GroupResourceVerbMapping maps an API group to its ResourceVerbMapping,
	// e.g. "dashboard.grafana.app" -> ResourceVerbToAction.
	GroupResourceVerbMapping map[string]ResourceVerbMapping
)

// Resource -> scope attribute lookup tables.
type (
	// ResourceAttributeMapping maps a resource to the attribute used in its
	// scope, e.g. "dashboards" -> "uid".
	ResourceAttributeMapping map[string]string

	// GroupResourceAttributeMapping maps an API group to its
	// ResourceAttributeMapping, e.g. "dashboard.grafana.app" -> ResourceToAttribute.
	GroupResourceAttributeMapping map[string]ResourceAttributeMapping
)
// K8sRbacMapper translates a (group, resource, verb) request into an action
// string and a (group, resource, name) triple into a scope string.
//
// Both tables feed authorization lookups and are exported, plain Go maps:
// any code holding the mapper can add or change entries, and nothing in this
// type guards them against concurrent modification.
// NOTE(review): treat the maps as read-only after construction, or confirm
// that callers never mutate them once the mapper is shared.
type K8sRbacMapper struct {
	// GroupResourceVerbMapping is the group -> resource -> verb -> action
	// table consulted by Action.
	GroupResourceVerbMapping GroupResourceVerbMapping

	// GroupResourceAttributeMapping is the group -> resource -> attribute
	// table consulted by Scope.
	GroupResourceAttributeMapping GroupResourceAttributeMapping
}
// NewK8sRbacMapper returns a mapper preloaded with the verb tables for
// "dashboards" (group "dashboard.grafana.app") and "folders" (group
// "folder.grafana.app").
//
// Only the verbs listed in verbsFor are mapped; Action reports false for any
// other verb, resource or group. The attribute table starts empty, so Scope
// falls back to defaultAttribute for every resource.
func NewK8sRbacMapper() *K8sRbacMapper {
	// verbsFor builds the verb -> action table for a single resource name.
	verbsFor := func(r string) VerbMapping {
		// Several verbs share one action; format each distinct action once.
		read := fmt.Sprintf("%s:read", r)
		create := fmt.Sprintf("%s:create", r)
		write := fmt.Sprintf("%s:write", r)
		del := fmt.Sprintf("%s:delete", r)
		permRead := fmt.Sprintf("%s.permissions:read", r)
		permWrite := fmt.Sprintf("%s.permissions:write", r)

		return VerbMapping{
			// Read-only verbs.
			utils.VerbGet:   read,
			utils.VerbList:  read,
			utils.VerbWatch: read,
			// Mutating verbs.
			utils.VerbCreate:           create,
			utils.VerbUpdate:           write,
			utils.VerbPatch:            write,
			utils.VerbDelete:           del,
			utils.VerbDeleteCollection: del,
			// Custom verbs for permission management map to the separate
			// "<resource>.permissions" action family.
			utils.VerbGetPermissions: permRead,
			utils.VerbSetPermissions: permWrite,
		}
	}

	verbTable := GroupResourceVerbMapping{
		"dashboard.grafana.app": ResourceVerbMapping{"dashboards": verbsFor("dashboards")},
		"folder.grafana.app":    ResourceVerbMapping{"folders": verbsFor("folders")},
	}

	return &K8sRbacMapper{
		GroupResourceAttributeMapping: GroupResourceAttributeMapping{},
		GroupResourceVerbMapping:      verbTable,
	}
}
// Action looks up the action mapped to verb on resource within group.
//
// The boolean is false when the group, the resource or the verb has no entry,
// and also when the entry exists but is the empty string. Callers must check
// the boolean instead of using the returned string on its own: on every false
// path the string is "".
func (m *K8sRbacMapper) Action(group, resource, verb string) (string, bool) {
	byResource, found := m.GroupResourceVerbMapping[group]
	if !found {
		return "", false
	}

	byVerb, found := byResource[resource]
	if !found {
		return "", false
	}

	action, found := byVerb[verb]
	// An action that is explicitly set to the empty string means the verb is
	// not allowed, so it is reported the same way as a missing entry.
	if !found || action == "" {
		return "", false
	}
	return action, true
}
// Scope builds the scope string "<resource>:<attribute>:<name>".
//
// The attribute comes from GroupResourceAttributeMapping when the group and
// resource have an entry there; otherwise defaultAttribute is used.
//
// The boolean is always true, including for groups and resources that have no
// verb mapping, so a successful Scope call says nothing about whether the
// request is recognised; that is reported by Action only.
//
// resource and name are concatenated exactly as received: separators or
// wildcard characters inside them end up in the scope unchanged.
// NOTE(review): confirm that callers validate name before calling Scope and
// that the scope is only used after Action has returned true.
func (m *K8sRbacMapper) Scope(group, resource, name string) (string, bool) {
	attribute := defaultAttribute
	// Indexing through a missing group yields a nil inner map, whose lookup
	// reports ok == false, so the default attribute is kept.
	if configured, ok := m.GroupResourceAttributeMapping[group][resource]; ok {
		attribute = configured
	}
	return resource + ":" + attribute + ":" + name, true
}