Access control: Always append all permissions to role admin in oss (#46282)
* Always append all permissions to the built-in Admin role in OSS
@ -372,7 +372,7 @@ func setupHTTPServerWithCfg(t *testing.T, useFakeAccessControl, enableAccessCont
|
|||||||
acmock = acmock.WithDisabled()
|
acmock = acmock.WithDisabled()
|
||||||
}
|
}
|
||||||
hs.AccessControl = acmock
|
hs.AccessControl = acmock
|
||||||
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(routeRegister, db, acmock, database.ProvideService(db))
|
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(cfg, routeRegister, db, acmock, database.ProvideService(db))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
hs.teamPermissionsService = teamPermissionService
|
hs.teamPermissionsService = teamPermissionService
|
||||||
} else {
|
} else {
|
||||||
@ -384,7 +384,7 @@ func setupHTTPServerWithCfg(t *testing.T, useFakeAccessControl, enableAccessCont
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
err = ac.RegisterFixedRoles()
|
err = ac.RegisterFixedRoles()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(routeRegister, db, ac, database.ProvideService(db))
|
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(cfg, routeRegister, db, ac, database.ProvideService(db))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
hs.teamPermissionsService = teamPermissionService
|
hs.teamPermissionsService = teamPermissionService
|
||||||
}
|
}
|
||||||
|
@ -11,18 +11,22 @@ import (
|
|||||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||||
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
||||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||||
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
func ProvidePermissionsServices(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*PermissionsServices, error) {
|
func ProvidePermissionsServices(
|
||||||
teamPermissions, err := ProvideTeamPermissions(router, sql, ac, store)
|
cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore,
|
||||||
|
ac accesscontrol.AccessControl, store resourcepermissions.Store,
|
||||||
|
) (*PermissionsServices, error) {
|
||||||
|
teamPermissions, err := ProvideTeamPermissions(cfg, router, sql, ac, store)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
folderPermissions, err := provideFolderService(router, sql, ac, store)
|
folderPermissions, err := provideFolderService(cfg, router, sql, ac, store)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
dashboardPermissions, err := provideDashboardService(router, sql, ac, store)
|
dashboardPermissions, err := provideDashboardService(cfg, router, sql, ac, store)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -72,7 +76,10 @@ var (
|
|||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
func ProvideTeamPermissions(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*resourcepermissions.Service, error) {
|
func ProvideTeamPermissions(
|
||||||
|
cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore,
|
||||||
|
ac accesscontrol.AccessControl, store resourcepermissions.Store,
|
||||||
|
) (*resourcepermissions.Service, error) {
|
||||||
options := resourcepermissions.Options{
|
options := resourcepermissions.Options{
|
||||||
Resource: "teams",
|
Resource: "teams",
|
||||||
OnlyManaged: true,
|
OnlyManaged: true,
|
||||||
@ -126,7 +133,7 @@ func ProvideTeamPermissions(router routing.RouteRegister, sql *sqlstore.SQLStore
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
return resourcepermissions.New(options, router, ac, store, sql)
|
return resourcepermissions.New(options, cfg, router, ac, store, sql)
|
||||||
}
|
}
|
||||||
|
|
||||||
var DashboardViewActions = []string{accesscontrol.ActionDashboardsRead}
|
var DashboardViewActions = []string{accesscontrol.ActionDashboardsRead}
|
||||||
@ -136,7 +143,10 @@ var FolderViewActions = []string{accesscontrol.ActionFoldersRead}
|
|||||||
var FolderEditActions = append(FolderViewActions, []string{accesscontrol.ActionFoldersWrite, accesscontrol.ActionFoldersDelete, accesscontrol.ActionDashboardsCreate}...)
|
var FolderEditActions = append(FolderViewActions, []string{accesscontrol.ActionFoldersWrite, accesscontrol.ActionFoldersDelete, accesscontrol.ActionDashboardsCreate}...)
|
||||||
var FolderAdminActions = append(FolderEditActions, []string{accesscontrol.ActionFoldersPermissionsRead, accesscontrol.ActionFoldersPermissionsWrite}...)
|
var FolderAdminActions = append(FolderEditActions, []string{accesscontrol.ActionFoldersPermissionsRead, accesscontrol.ActionFoldersPermissionsWrite}...)
|
||||||
|
|
||||||
func provideDashboardService(router routing.RouteRegister, sql *sqlstore.SQLStore, accesscontrol accesscontrol.AccessControl, store resourcepermissions.Store) (*resourcepermissions.Service, error) {
|
func provideDashboardService(
|
||||||
|
cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore,
|
||||||
|
accesscontrol accesscontrol.AccessControl, store resourcepermissions.Store,
|
||||||
|
) (*resourcepermissions.Service, error) {
|
||||||
options := resourcepermissions.Options{
|
options := resourcepermissions.Options{
|
||||||
Resource: "dashboards",
|
Resource: "dashboards",
|
||||||
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
|
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
|
||||||
@ -180,10 +190,13 @@ func provideDashboardService(router routing.RouteRegister, sql *sqlstore.SQLStor
|
|||||||
RoleGroup: "Dashboards",
|
RoleGroup: "Dashboards",
|
||||||
}
|
}
|
||||||
|
|
||||||
return resourcepermissions.New(options, router, accesscontrol, store, sql)
|
return resourcepermissions.New(options, cfg, router, accesscontrol, store, sql)
|
||||||
}
|
}
|
||||||
|
|
||||||
func provideFolderService(router routing.RouteRegister, sql *sqlstore.SQLStore, accesscontrol accesscontrol.AccessControl, store resourcepermissions.Store) (*resourcepermissions.Service, error) {
|
func provideFolderService(
|
||||||
|
cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore,
|
||||||
|
accesscontrol accesscontrol.AccessControl, store resourcepermissions.Store,
|
||||||
|
) (*resourcepermissions.Service, error) {
|
||||||
options := resourcepermissions.Options{
|
options := resourcepermissions.Options{
|
||||||
Resource: "folders",
|
Resource: "folders",
|
||||||
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
|
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
|
||||||
@ -227,7 +240,7 @@ func provideFolderService(router routing.RouteRegister, sql *sqlstore.SQLStore,
|
|||||||
RoleGroup: "Folders",
|
RoleGroup: "Folders",
|
||||||
}
|
}
|
||||||
|
|
||||||
return resourcepermissions.New(options, router, accesscontrol, store, sql)
|
return resourcepermissions.New(options, cfg, router, accesscontrol, store, sql)
|
||||||
}
|
}
|
||||||
|
|
||||||
func provideEmptyPermissionsService() accesscontrol.PermissionsService {
|
func provideEmptyPermissionsService() accesscontrol.PermissionsService {
|
||||||
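Review bot: The rewritten signatures of provideDashboardService and provideFolderService keep a parameter named `accesscontrol` of type `accesscontrol.AccessControl`, which shadows the imported package for the rest of each body; ProvideTeamPermissions in the same file names the equivalent parameter `ac`. Since these lines are being touched anyway, renaming for consistency is cheap: `ac accesscontrol.AccessControl, store resourcepermissions.Store,` and `return resourcepermissions.New(options, cfg, router, ac, store, sql)` in both functions. The bodies (including the ResourceValidator closures) lie outside the hunks, so any other use of the parameter there would need the same rename. The exported ProvidePermissionsServices and ProvideTeamPermissions also still lack the doc comment Go convention expects on exported names, e.g. `// ProvideTeamPermissions builds the managed resource-permission service for teams.`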
|
@ -87,6 +87,14 @@ func (a *api) getPermissions(c *models.ReqContext) response.Response {
|
|||||||
return response.Error(http.StatusInternalServerError, "failed to get permissions", err)
|
return response.Error(http.StatusInternalServerError, "failed to get permissions", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if a.service.options.Assignments.BuiltInRoles && !a.service.cfg.IsEnterprise {
|
||||||
|
permissions = append(permissions, accesscontrol.ResourcePermission{
|
||||||
|
Actions: a.service.actions,
|
||||||
|
Scope: "*",
|
||||||
|
BuiltInRole: string(models.ROLE_ADMIN),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
dto := make([]resourcePermissionDTO, 0, len(permissions))
|
dto := make([]resourcePermissionDTO, 0, len(permissions))
|
||||||
for _, p := range permissions {
|
for _, p := range permissions {
|
||||||
if permission := a.service.MapActions(p); permission != "" {
|
if permission := a.service.MapActions(p); permission != "" {
|
||||||
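Review bot: The entry appended under `if a.service.options.Assignments.BuiltInRoles && !a.service.cfg.IsEnterprise {` is synthesized for the response only — it is added to the in-memory `permissions` slice before the DTO loop and is never written to the store — but nothing in the code says so, and a reader of the listing could take it for a stored assignment that can be edited or removed through the same API. A comment above the block would make the intent explicit, for example `// In OSS the built-in Admin role is always granted every action on every resource; surface that as a synthetic, read-only entry so the listing matches what is enforced.` Where that grant is actually enforced is not visible in this hunk, so the comment should name the place, and the two should be kept in step. The `a.service.cfg` dereference assumes every caller of New supplies a non-nil cfg. getPermissions begins outside the hunk.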
|
@ -5,12 +5,12 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"sort"
|
"sort"
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions/types"
|
|
||||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/api/routing"
|
"github.com/grafana/grafana/pkg/api/routing"
|
||||||
"github.com/grafana/grafana/pkg/models"
|
"github.com/grafana/grafana/pkg/models"
|
||||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||||
|
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions/types"
|
||||||
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||||
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Store interface {
|
type Store interface {
|
||||||
@ -46,7 +46,7 @@ type Store interface {
|
|||||||
GetResourcesPermissions(ctx context.Context, orgID int64, query types.GetResourcesPermissionsQuery) ([]accesscontrol.ResourcePermission, error)
|
GetResourcesPermissions(ctx context.Context, orgID int64, query types.GetResourcesPermissionsQuery) ([]accesscontrol.ResourcePermission, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
func New(options Options, router routing.RouteRegister, ac accesscontrol.AccessControl, store Store, sqlStore *sqlstore.SQLStore) (*Service, error) {
|
func New(options Options, cfg *setting.Cfg, router routing.RouteRegister, ac accesscontrol.AccessControl, store Store, sqlStore *sqlstore.SQLStore) (*Service, error) {
|
||||||
var permissions []string
|
var permissions []string
|
||||||
actionSet := make(map[string]struct{})
|
actionSet := make(map[string]struct{})
|
||||||
for permission, actions := range options.PermissionsToActions {
|
for permission, actions := range options.PermissionsToActions {
|
||||||
@ -68,6 +68,7 @@ func New(options Options, router routing.RouteRegister, ac accesscontrol.AccessC
|
|||||||
|
|
||||||
s := &Service{
|
s := &Service{
|
||||||
ac: ac,
|
ac: ac,
|
||||||
|
cfg: cfg,
|
||||||
store: store,
|
store: store,
|
||||||
options: options,
|
options: options,
|
||||||
permissions: permissions,
|
permissions: permissions,
|
||||||
@ -88,6 +89,7 @@ func New(options Options, router routing.RouteRegister, ac accesscontrol.AccessC
|
|||||||
|
|
||||||
// Service is used to create access control sub system including api / and service for managed resource permission
|
// Service is used to create access control sub system including api / and service for managed resource permission
|
||||||
type Service struct {
|
type Service struct {
|
||||||
|
cfg *setting.Cfg
|
||||||
ac accesscontrol.AccessControl
|
ac accesscontrol.AccessControl
|
||||||
store Store
|
store Store
|
||||||
api *api
|
api *api
|
||||||
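Review bot: `New` stores the new `cfg *setting.Cfg` argument without a nil check, while the api layer dereferences `a.service.cfg.IsEnterprise` on every permissions listing, so a constructor call that passes nil — possible at any call site not updated in this diff — becomes a panic at request time instead of a construction-time error. A guard at the top of New fails fast and `fmt` is already imported: `if cfg == nil { return nil, fmt.Errorf("resourcepermissions: cfg must not be nil") }`. The added `cfg` field on Service also merits a one-line comment, e.g. `// cfg is consulted by the api layer for edition-specific behaviour (OSS vs enterprise).` New's body continues beyond this hunk.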
|
@ -13,6 +13,7 @@ import (
|
|||||||
"github.com/grafana/grafana/pkg/services/accesscontrol/database"
|
"github.com/grafana/grafana/pkg/services/accesscontrol/database"
|
||||||
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
||||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||||
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
type setUserPermissionTest struct {
|
type setUserPermissionTest struct {
|
||||||
@ -219,7 +220,9 @@ func setupTestEnvironment(t *testing.T, permissions []*accesscontrol.Permission,
|
|||||||
|
|
||||||
sql := sqlstore.InitTestDB(t)
|
sql := sqlstore.InitTestDB(t)
|
||||||
store := database.ProvideService(sql)
|
store := database.ProvideService(sql)
|
||||||
service, err := New(ops, routing.NewRouteRegister(), accesscontrolmock.New().WithPermissions(permissions), store, sql)
|
cfg := setting.NewCfg()
|
||||||
|
cfg.IsEnterprise = true
|
||||||
|
service, err := New(ops, cfg, routing.NewRouteRegister(), accesscontrolmock.New().WithPermissions(permissions), store, sql)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
return service, sql
|
return service, sql
|
||||||
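Review bot: setupTestEnvironment now sets `cfg.IsEnterprise = true` for every service it constructs, so as far as this file shows the new OSS-only branch in getPermissions (the synthetic Admin entry appended when `!cfg.IsEnterprise`) is not exercised by these tests. Consider letting the helper take the cfg, or adding a case that uses `setting.NewCfg()` unchanged and asserts that the listed permissions contain a `BuiltInRole: "Admin"` entry with `Scope: "*"` and the service's full action set. The reason for flipping the flag is presumably that the existing assertions count only stored permissions; a comment such as `// keep enterprise semantics so assertions below see stored permissions only` would record that rather than leave it to be inferred. setupTestEnvironment starts outside the hunk.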
|
@ -601,7 +601,7 @@ func setupAccessControlGuardianTest(t *testing.T, dashID int64, permissions []*a
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
ac := accesscontrolmock.New().WithPermissions(permissions)
|
ac := accesscontrolmock.New().WithPermissions(permissions)
|
||||||
services, err := ossaccesscontrol.ProvidePermissionsServices(routing.NewRouteRegister(), store, ac, database.ProvideService(store))
|
services, err := ossaccesscontrol.ProvidePermissionsServices(setting.NewCfg(), routing.NewRouteRegister(), store, ac, database.ProvideService(store))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
return NewAccessControlDashboardGuardian(context.Background(), dashID, &models.SignedInUser{OrgId: 1}, store, ac, services)
|
return NewAccessControlDashboardGuardian(context.Background(), dashID, &models.SignedInUser{OrgId: 1}, store, ac, services)
|
||||||
|