public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ddd38afa57010e95aed209d0bd2bb030d0203fbf
grafana/pkg/services/accesscontrol/ossaccesscontrol/team.go
Ieva 9bb2cf4968 RBAC: Allow omitting default permissions when a new resource is created (#90720) 
* Cfg: Move rbac settings to own struct

* Cfg: Add setting to control if resource should generate managed permissions when created

* Dashboards: Check if we should generate default permissions when dashboard is created

* Folders: Check if we should generate default permissions when folder is created

* Datasource: Check if we should generate default permissions when datasource is created

* ServiceAccount: Check if we should generate default permissions when service account is created

* Cfg: Add option to specify resources for wich we should default seed

* ManagedPermissions: Move providers to their own files

* Dashboards: Default seed all possible managed permissions if configured

* Folders: Default seed all possible managed permissions if configured

* Cfg: Remove service account from list

* RBAC: Move utility function

* remove managed permission settings from the config file examples, change the setting names

* remove ini file changes from the PR

* fix setting reading

* fix linting errors

* fix tests

* fix wildcard role seeding

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: jguer <me@jguer.space>
2024-07-24 19:31:26 +03:00

104 lines
3.1 KiB
Go
Raw Blame History

package ossaccesscontrol
import (
"context"
"fmt"
"strconv"
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/services/team"
"github.com/grafana/grafana/pkg/services/team/teamimpl"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
)
type TeamPermissionsService struct {
*resourcepermissions.Service
}
var (
TeamMemberActions = []string{
accesscontrol.ActionTeamsRead,
}
TeamAdminActions = []string{
accesscontrol.ActionTeamsRead,
accesscontrol.ActionTeamsDelete,
accesscontrol.ActionTeamsWrite,
accesscontrol.ActionTeamsPermissionsRead,
accesscontrol.ActionTeamsPermissionsWrite,
}
)
func ProvideTeamPermissions(
cfg *setting.Cfg, features featuremgmt.FeatureToggles, router routing.RouteRegister, sql db.DB,
ac accesscontrol.AccessControl, license licensing.Licensing, service accesscontrol.Service,
teamService team.Service, userService user.Service, actionSetService resourcepermissions.ActionSetService,
) (*TeamPermissionsService, error) {
options := resourcepermissions.Options{
Resource: "teams",
ResourceAttribute: "id",
OnlyManaged: true,
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
id, err := strconv.ParseInt(resourceID, 10, 64)
if err != nil {
return err
}
_, err = teamService.GetTeamByID(context.Background(), &team.GetTeamByIDQuery{
OrgID: orgID,
ID: id,
})
if err != nil {
return err
}
return nil
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: false,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"Member": TeamMemberActions,
"Admin": TeamAdminActions,
},
ReaderRoleName: "Team permission reader",
WriterRoleName: "Team permission writer",
RoleGroup: "Teams",
OnSetUser: func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error {
teamId, err := strconv.ParseInt(resourceID, 10, 64)
if err != nil {
return err
}
switch permission {
case "Member":
return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, 0)
case "Admin":
return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, dashboardaccess.PERMISSION_ADMIN)
case "":
return teamimpl.RemoveTeamMemberHook(session, &team.RemoveTeamMemberCommand{
OrgID: orgID,
UserID: user.ID,
TeamID: teamId,
})
default:
return fmt.Errorf("invalid team permission type %s", permission)
}
},
}
srv, err := resourcepermissions.New(cfg, options, features, router, license, ac, service, sql, teamService, userService, actionSetService)
if err != nil {
return nil, err
}
return &TeamPermissionsService{srv}, nil
}
Reference in New Issue View Git Blame Copy Permalink