Charandas 6c728f8dec Provisioning: allow access check to proceed even when non access policy (#112946)
* Provisioning: allow access check to proceed even when non access policy

* Provisioning: access checker needs this for MT

* add permissions registration

* remove scopes

* use in MT for now

* no need to document an internal flag here

* revert vscode change

* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation

* update wire

* gofmt

* add boolean to struct

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2025-11-02 13:14:08 -08:00

package provisioning
import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/org"
)
// Action identifiers for the provisioning API.
//
// Each constant names one RBAC action on a provisioning resource; the trailing
// comment on every line lists the API verb(s) that map onto that action. These
// strings are the values compared by the access-control evaluator, so they
// must stay stable once registered.

// Repository actions.
const (
	ActionProvisioningRepositoriesCreate = "provisioning.repositories:create" // CREATE.
	ActionProvisioningRepositoriesWrite  = "provisioning.repositories:write"  // UPDATE.
	ActionProvisioningRepositoriesRead   = "provisioning.repositories:read"   // GET + LIST.
	ActionProvisioningRepositoriesDelete = "provisioning.repositories:delete" // DELETE.
)

// Job actions.
const (
	ActionProvisioningJobsCreate = "provisioning.jobs:create" // CREATE.
	ActionProvisioningJobsWrite  = "provisioning.jobs:write"  // UPDATE.
	ActionProvisioningJobsRead   = "provisioning.jobs:read"   // GET + LIST.
	ActionProvisioningJobsDelete = "provisioning.jobs:delete" // DELETE.
)

// Historic job actions (read-only: there is no create/write/delete action).
const (
	ActionProvisioningHistoricJobsRead = "provisioning.historicjobs:read" // GET + LIST.
)
// registerAccessControlRoles declares the fixed RBAC roles of the provisioning
// API (repositories, jobs and historic jobs) with the access-control service.
//
// Five roles are declared, in this order: repositories reader, repositories
// writer, jobs reader, jobs writer, historic jobs reader. Each writer role also
// carries the matching read action, so "writer" is a strict superset of
// "reader" for the same resource.
//
// Points a security reviewer should be aware of:
//   - Every role is granted to the organisation Admin role (org.RoleAdmin) and
//     to no other basic role.
//   - Every permission sets Action only and no Scope. Presumably that means a
//     role holder is not restricted to particular repositories or jobs; confirm
//     against the authorizer that evaluates these actions.
//   - The writer roles include the delete action; there is no editor-style role
//     without delete.
//
// It returns whatever error accesscontrol.Service.DeclareFixedRoles reports.
func registerAccessControlRoles(service accesscontrol.Service) error {
	// fixedRole assembles one RoleRegistration in the "Provisioning" group,
	// granted to org Admins, with one unscoped permission per action. The
	// action order given by the caller is preserved in the permission list.
	fixedRole := func(name, displayName, description string, actions ...string) accesscontrol.RoleRegistration {
		perms := make([]accesscontrol.Permission, 0, len(actions))
		for _, action := range actions {
			perms = append(perms, accesscontrol.Permission{Action: action})
		}
		return accesscontrol.RoleRegistration{
			Role: accesscontrol.RoleDTO{
				Name:        name,
				DisplayName: displayName,
				Description: description,
				Group:       "Provisioning",
				Permissions: perms,
			},
			Grants: []string{string(org.RoleAdmin)},
		}
	}

	return service.DeclareFixedRoles(
		// Repositories
		fixedRole(
			"fixed:provisioning.repositories:reader",
			"Repositories Reader",
			"Read and list provisioning repositories.",
			ActionProvisioningRepositoriesRead,
		),
		fixedRole(
			"fixed:provisioning.repositories:writer",
			"Repositories Writer",
			"Create, update and delete provisioning repositories.",
			ActionProvisioningRepositoriesCreate,
			ActionProvisioningRepositoriesRead,
			ActionProvisioningRepositoriesWrite,
			ActionProvisioningRepositoriesDelete,
		),
		// Jobs
		fixedRole(
			"fixed:provisioning.jobs:reader",
			"Jobs Reader",
			"Read and list provisioning jobs.",
			ActionProvisioningJobsRead,
		),
		fixedRole(
			"fixed:provisioning.jobs:writer",
			"Jobs Writer",
			"Create, update and delete provisioning jobs.",
			ActionProvisioningJobsCreate,
			ActionProvisioningJobsRead,
			ActionProvisioningJobsWrite,
			ActionProvisioningJobsDelete,
		),
		// Historic Jobs
		fixedRole(
			"fixed:provisioning.historicjobs:reader",
			"Historic Jobs Reader",
			"Read and list provisioning historic jobs.",
			ActionProvisioningHistoricJobsRead,
		),
	)
}