opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-08-02 16:02:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

Service accounts: Update documentation with new changes (#52015)

Browse Source 
* Service accounts: Update documentation with new changes

* Apply suggestions from code review

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* Add sections about migration, handle comments

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This commit is contained in:
Vardan Torosyan
2022-07-11 21:32:07 +01:00
committed by GitHub
parent 254159ad69
commit 73f4d7ac05
8 changed files with 378 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

274
docs/sources/developers/http_api/access_control.md
View File

@ -747,6 +747,280 @@ Content-Type: application/json; charset=UTF-8
DELETE /api/access-control/users/1/roles/AFUXBHKnk
Accept: application/json
```
#### Example response
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
```
#### Status codes
| Code | Description |
| ---- | -------------------------------------------------------------------- |
| 200 | Role is unassigned. |
| 403 | Access denied. |
| 500 | Unexpected error. Refer to body and/or server logs for more details. |
### Set service account role assignments
`PUT /api/access-control/users/:serviceAccountId/roles`
Update the service accounts's role assignments to match the provided set of UIDs.
This will remove any assigned roles that aren't in the request and add
roles that are in the set but are not already assigned to the service account.
If you want to add or remove a single role, consider using
[Add a service account role assignment]({{< ref "#add-a-service-account-role-assignment" >}}) or
[Remove a service account role assignment]({{< ref "#remove-a-service-account-role-assignment" >}})
instead.
#### Required permissions
`permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ------------------ | ------------------------- |
| users.roles:add | permissions:type:delegate |
| users.roles:remove | permissions:type:delegate |
#### Example request
```http
PUT /api/access-control/users/1/roles
Accept: application/json
Content-Type: application/json
{
"global": false,
"roleUids": [
"ZiHQJq5nk",
"GzNQ1357k"
]
}
```
#### JSON body schema
| Field Name | Date Type | Required | Description |
| ------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request. |
| roleUids | list | Yes | List of role UIDs. |
| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. |
#### Example response
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
```
#### Status codes
| Code | Description |
| ---- | -------------------------------------------------------------------- |
| 200 | Roles have been assigned. |
| 403 | Access denied. |
| 404 | Role not found. |
| 500 | Unexpected error. Refer to body and/or server logs for more details. |
## Create and remove team role assignments
### List roles assigned to a team
`GET /api/access-control/teams/:teamId/roles`
Lists the roles that have been directly assigned to a given team.
Query Parameters:
- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`.
#### Required permissions
| Action | Scope |
| ---------------- | -------------------- |
| teams.roles:read | teams:id:`<team ID>` |
#### Example request
```http
GET /api/access-control/teams/1/roles
Accept: application/json
```
#### Example response
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
```
#### Status codes
| Code | Description |
| ---- | -------------------------------------------------------------------- |
| 200 | Set of assigned roles is returned. |
| 403 | Access denied. |
| 500 | Unexpected error. Refer to body and/or server logs for more details. |
### Add a team role assignment
`POST /api/access-control/teams/:teamId/roles`
Assign a role to a specific team.
For bulk updates consider [Set team role assignments]({{< ref "#set-team-role-assignments" >}}).
#### Required permissions
`permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have the permissions required to create users, they won't be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.
| Action | Scope |
| --------------- | ------------------------- |
| teams.roles:add | permissions:type:delegate |
#### Example request
```http
POST /api/access-control/teams/1/roles
Accept: application/json
Content-Type: application/json
{
"roleUid": "XvHQJq57z"
}
```
#### JSON body schema
| Field Name | Data Type | Required | Description |
| ---------- | --------- | -------- | ---------------- |
| roleUid | string | Yes | UID of the role. |
#### Example response
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
```
#### Status codes
| Code | Description |
| ---- | -------------------------------------------------------------------- |
| 200 | Role is assigned to a team. |
| 403 | Access denied. |
| 404 | Role not found. |
| 500 | Unexpected error. Refer to body and/or server logs for more details. |
## Remove a team role assignment
`DELETE /api/access-control/teams/:teams/roles/:roleUID`
Revoke a role from a team.
For bulk updates consider [Set team role assignments]({{< ref "#set-team-role-assignments" >}}).
#### Required permissions
`permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have the permissions required to create users, they won't be able to assign a role that contains these permissions. This is done to prevent escalation of privileges.```
| Action | Scope |
| ------------------ | ------------------------- |
| teams.roles:remove | permissions:type:delegate |
#### Example request
```http
DELETE /api/access-control/teams/1/roles/AFUXBHKnk
Accept: application/json
```
#### Example response
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"message": "Role removed from team."
}
```
#### Status codes
| Code | Description |
| ---- | -------------------------------------------------------------------- |
| 200 | Role is unassigned. |
| 403 | Access denied. |
| 500 | Unexpected error. Refer to body and/or server logs for more details. |
### Set team role assignments
`PUT /api/access-control/teams/:teamId/roles`
Update the team's role assignments to match the provided set of UIDs.
This will remove any assigned roles that aren't in the request and add
roles that are in the set but are not already assigned to the user.
If you want to add or remove a single role, consider using
[Add a team role assignment]({{< ref "#add-a-team-role-assignment" >}}) or
[Remove a team role assignment]({{< ref "#remove-a-team-role-assignment" >}})
instead.
#### Required permissions
`permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has.
For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role to a team which will allow to do that. This is done to prevent escalation of privileges.
| Action | Scope |
| ------------------ | ------------------------- |
| teams.roles:add | permissions:type:delegate |
| teams.roles:remove | permissions:type:delegate |
#### Example request
```http
PUT /api/access-control/teams/1/roles
Accept: application/json
Content-Type: application/json
{
"roleUids": [
"ZiHQJq5nk",
"GzNQ1357k"
]
}
```
#### JSON body schema
| Field Name | Date Type | Required | Description |
| ------------- | --------- | -------- | -------------------------------------------------------------- |
| roleUids | list | Yes | List of role UIDs. |
| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. |
#### Example response
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{
"message": "Team roles have been updated."
}
```
#### Status codes
| Code | Description |
| ---- | -------------------------------------------------------------------- |

12
docs/sources/developers/http_api/serviceaccount.md
View File

@ -24,9 +24,9 @@ title: 'Service account HTTP API'
See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | ------------------------- |
| serviceaccounts:read | global:serviceaccounts:\* |
| Action | Scope |
| -------------------- | ----- |
| serviceaccounts:read | n/a |
**Example Request**:
@ -91,9 +91,9 @@ Content-Type: application/json
| -------------------- | ------------------ |
| serviceaccounts:read | serviceaccounts:\* |
**Example Request**:
```http
**Example Request**:
```http
GET /api/serviceaccounts/1 HTTP/1.1
Accept: application/json
Content-Type: application/json