public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
746e2eeee6af891700dfd628cd877f6ac6b69bd7
grafana/pkg/services/accesscontrol/ossaccesscontrol/datasource.go
Ieva 9bb2cf4968 RBAC: Allow omitting default permissions when a new resource is created (#90720) 
* Cfg: Move rbac settings to own struct

* Cfg: Add setting to control if resource should generate managed permissions when created

* Dashboards: Check if we should generate default permissions when dashboard is created

* Folders: Check if we should generate default permissions when folder is created

* Datasource: Check if we should generate default permissions when datasource is created

* ServiceAccount: Check if we should generate default permissions when service account is created

* Cfg: Add option to specify resources for wich we should default seed

* ManagedPermissions: Move providers to their own files

* Dashboards: Default seed all possible managed permissions if configured

* Folders: Default seed all possible managed permissions if configured

* Cfg: Remove service account from list

* RBAC: Move utility function

* remove managed permission settings from the config file examples, change the setting names

* remove ini file changes from the PR

* fix setting reading

* fix linting errors

* fix tests

* fix wildcard role seeding

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: jguer <me@jguer.space>
2024-07-24 19:31:26 +03:00

88 lines
3.6 KiB
Go
Raw Blame History

package ossaccesscontrol
import (
"context"
"github.com/grafana/grafana/pkg/apimachinery/identity"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/setting"
)
// DatasourceQueryActions contains permissions to read information
// about a data source and submit arbitrary queries to it.
var DatasourceQueryActions = []string{
datasources.ActionRead,
datasources.ActionQuery,
}
func ProvideDatasourcePermissionsService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, db db.DB) *DatasourcePermissionsService {
return &DatasourcePermissionsService{
store: resourcepermissions.NewStore(cfg, db, features),
}
}
var _ accesscontrol.DatasourcePermissionsService = new(DatasourcePermissionsService)
type DatasourcePermissionsService struct {
store resourcepermissions.Store
}
func (e DatasourcePermissionsService) GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]accesscontrol.ResourcePermission, error) {
return nil, nil
}
func (e DatasourcePermissionsService) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
return nil, nil
}
func (e DatasourcePermissionsService) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
return nil, nil
}
func (e DatasourcePermissionsService) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*accesscontrol.ResourcePermission, error) {
return nil, nil
}
// SetPermissions sets managed permissions for a datasource in OSS. This ensures that Viewers and Editors maintain query access to a data source
// if an OSS/unlicensed instance is upgraded to Enterprise/licensed.
// https://github.com/grafana/identity-access-team/issues/672
func (e DatasourcePermissionsService) SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand) ([]accesscontrol.ResourcePermission, error) {
dbCommands := make([]resourcepermissions.SetResourcePermissionsCommand, 0, len(commands))
for _, cmd := range commands {
// Only set query permissions for built-in roles; do not set permissions for data sources with * as UID, as this would grant wildcard permissions
if cmd.Permission != "Query" || cmd.BuiltinRole == "" || resourceID == "*" {
continue
}
actions := DatasourceQueryActions
dbCommands = append(dbCommands, resourcepermissions.SetResourcePermissionsCommand{
BuiltinRole: cmd.BuiltinRole,
SetResourcePermissionCommand: resourcepermissions.SetResourcePermissionCommand{
Actions: actions,
Resource: datasources.ScopeRoot,
ResourceID: resourceID,
ResourceAttribute: "uid",
Permission: cmd.Permission,
},
})
}
return e.store.SetResourcePermissions(ctx, orgID, dbCommands, resourcepermissions.ResourceHooks{})
}
func (e DatasourcePermissionsService) DeleteResourcePermissions(ctx context.Context, orgID int64, resourceID string) error {
return e.store.DeleteResourcePermissions(ctx, orgID, &resourcepermissions.DeleteResourcePermissionsCmd{
Resource: datasources.ScopeRoot,
ResourceAttribute: "uid",
ResourceID: resourceID,
})
}
func (e DatasourcePermissionsService) MapActions(permission accesscontrol.ResourcePermission) string {
return ""
}
Reference in New Issue View Git Blame Copy Permalink