grafana/pkg/registry/apps/advisor/accesscontrol.go

package advisor

import (
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/org"
)

const (
	// Check
	ActionAdvisorCheckCreate = "advisor.checks:create" // CREATE.
	ActionAdvisorCheckWrite  = "advisor.checks:write"  // UPDATE.
	ActionAdvisorCheckRead   = "advisor.checks:read"   // GET + LIST.
	ActionAdvisorCheckDelete = "advisor.checks:delete" // DELETE.

	// CheckTypes
	ActionAdvisorCheckTypesCreate = "advisor.checktypes:create" // CREATE.
	ActionAdvisorCheckTypesWrite  = "advisor.checktypes:write"  // UPDATE.
	ActionAdvisorCheckTypesRead   = "advisor.checktypes:read"   // GET + LIST.
	ActionAdvisorCheckTypesDelete = "advisor.checktypes:delete" // DELETE.

	// Register
	ActionAdvisorRegisterCreate = "advisor.register:create" // CREATE (register check types).
)

var (
	ScopeProviderAdvisorCheck      = accesscontrol.NewScopeProvider("advisor.checks")
	ScopeProviderAdvisorCheckTypes = accesscontrol.NewScopeProvider("advisor.checktypes")
	ScopeProviderAdvisorRegister   = accesscontrol.NewScopeProvider("advisor.register")

	ScopeAllAdvisorCheck      = ScopeProviderAdvisorCheck.GetResourceAllScope()
	ScopeAllAdvisorCheckTypes = ScopeProviderAdvisorCheckTypes.GetResourceAllScope()
	ScopeAllAdvisorRegister   = ScopeProviderAdvisorRegister.GetResourceAllScope()
)

func registerAccessControlRoles(service accesscontrol.Service) error {
	// Check
	checkReader := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:advisor.checks:reader",
			DisplayName: "Advisor Check Reader",
			Description: "Read and list advisor checks.",
			Group:       "Advisor",
			Permissions: []accesscontrol.Permission{
				{
					Action: ActionAdvisorCheckRead,
					Scope:  ScopeAllAdvisorCheck,
				},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	checkWriter := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:advisor.checks:writer",
			DisplayName: "Advisor Check Writer",
			Description: "Create, update and delete advisor checks.",
			Group:       "Advisor",
			Permissions: []accesscontrol.Permission{
				{
					Action: ActionAdvisorCheckCreate,
					Scope:  ScopeAllAdvisorCheck,
				},
				{
					Action: ActionAdvisorCheckRead,
					Scope:  ScopeAllAdvisorCheck,
				},
				{
					Action: ActionAdvisorCheckWrite,
					Scope:  ScopeAllAdvisorCheck,
				},
				{
					Action: ActionAdvisorCheckDelete,
					Scope:  ScopeAllAdvisorCheck,
				},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// CheckTypes
	checkTypesReader := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:advisor.checktypes:reader",
			DisplayName: "Advisor Check Types Reader",
			Description: "Read and list advisor check types.",
			Group:       "Advisor",
			Permissions: []accesscontrol.Permission{
				{
					Action: ActionAdvisorCheckTypesRead,
					Scope:  ScopeAllAdvisorCheckTypes,
				},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	checkTypesWriter := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:advisor.checktypes:writer",
			DisplayName: "Advisor Check Types Writer",
			Description: "Create, update and delete advisor check types.",
			Group:       "Advisor",
			Permissions: []accesscontrol.Permission{
				{
					Action: ActionAdvisorCheckTypesCreate,
					Scope:  ScopeAllAdvisorCheckTypes,
				},
				{
					Action: ActionAdvisorCheckTypesRead,
					Scope:  ScopeAllAdvisorCheckTypes,
				},
				{
					Action: ActionAdvisorCheckTypesWrite,
					Scope:  ScopeAllAdvisorCheckTypes,
				},
				{
					Action: ActionAdvisorCheckTypesDelete,
					Scope:  ScopeAllAdvisorCheckTypes,
				},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	// Register
	registerWriter := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:advisor.register:writer",
			DisplayName: "Advisor Register Writer",
			Description: "Register default advisor check types.",
			Group:       "Advisor",
			Permissions: []accesscontrol.Permission{
				{
					Action: ActionAdvisorRegisterCreate,
					Scope:  ScopeAllAdvisorRegister,
				},
			},
		},
		Grants: []string{string(org.RoleAdmin)},
	}

	return service.DeclareFixedRoles(
		checkReader,
		checkWriter,
		checkTypesReader,
		checkTypesWriter,
		registerWriter,
	)
}