public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ef1d96c19aa6fb3b32fd78a4dba8a12ba7dcbccb
grafana/pkg/services/accesscontrol/ossaccesscontrol/service_account.go
T
Ieva 9bb2cf4968 RBAC: Allow omitting default permissions when a new resource is created (#90720) 
* Cfg: Move rbac settings to own struct

* Cfg: Add setting to control if resource should generate managed permissions when created

* Dashboards: Check if we should generate default permissions when dashboard is created

* Folders: Check if we should generate default permissions when folder is created

* Datasource: Check if we should generate default permissions when datasource is created

* ServiceAccount: Check if we should generate default permissions when service account is created

* Cfg: Add option to specify resources for wich we should default seed

* ManagedPermissions: Move providers to their own files

* Dashboards: Default seed all possible managed permissions if configured

* Folders: Default seed all possible managed permissions if configured

* Cfg: Remove service account from list

* RBAC: Move utility function

* remove managed permission settings from the config file examples, change the setting names

* remove ini file changes from the PR

* fix setting reading

* fix linting errors

* fix tests

* fix wildcard role seeding

---------

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: jguer <me@jguer.space>
2024-07-24 19:31:26 +03:00

74 lines
2.5 KiB
Go
Raw Blame History

package ossaccesscontrol
import (
"context"
"strconv"
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
"github.com/grafana/grafana/pkg/services/serviceaccounts/retriever"
"github.com/grafana/grafana/pkg/services/team"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
)
var (
ServiceAccountEditActions = []string{
serviceaccounts.ActionRead,
serviceaccounts.ActionWrite,
}
ServiceAccountAdminActions = []string{
serviceaccounts.ActionRead,
serviceaccounts.ActionWrite,
serviceaccounts.ActionDelete,
serviceaccounts.ActionPermissionsRead,
serviceaccounts.ActionPermissionsWrite,
}
)
type ServiceAccountPermissionsService struct {
*resourcepermissions.Service
}
func ProvideServiceAccountPermissions(
cfg *setting.Cfg, features featuremgmt.FeatureToggles, router routing.RouteRegister, sql db.DB, ac accesscontrol.AccessControl,
license licensing.Licensing, serviceAccountRetrieverService *retriever.Service, service accesscontrol.Service,
teamService team.Service, userService user.Service, actionSetService resourcepermissions.ActionSetService,
) (*ServiceAccountPermissionsService, error) {
options := resourcepermissions.Options{
Resource: "serviceaccounts",
ResourceAttribute: "id",
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
id, err := strconv.ParseInt(resourceID, 10, 64)
if err != nil {
return err
}
_, err = serviceAccountRetrieverService.RetrieveServiceAccount(ctx, orgID, id)
return err
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: true,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"Edit": ServiceAccountEditActions,
"Admin": ServiceAccountAdminActions,
},
ReaderRoleName: "Service account permission reader",
WriterRoleName: "Service account permission writer",
RoleGroup: "Service accounts",
}
srv, err := resourcepermissions.New(cfg, options, features, router, license, ac, service, sql, teamService, userService, actionSetService)
if err != nil {
return nil, err
}
return &ServiceAccountPermissionsService{srv}, nil
}
Reference in New Issue View Git Blame Copy Permalink