mirror of
https://github.com/grafana/grafana.git
synced 2025-07-31 12:02:24 +08:00
LibraryPanels: Add RBAC support (#73475)
This commit is contained in:
kay delaney
@ -7,6 +7,8 @@ import (
|
||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/libraryelements"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
|
||||
"github.com/grafana/grafana/pkg/tsdb/grafanads"
|
||||
@ -408,6 +410,76 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
Grants: []string{"Admin"},
|
||||
}
|
||||
|
||||
libraryPanelsCreatorRole := ac.RoleRegistration{
|
||||
Role: ac.RoleDTO{
|
||||
Name: "fixed:library.panels:creator",
|
||||
DisplayName: "Library panel creator",
|
||||
Description: "Create library panel in general folder.",
|
||||
Group: "Library panels",
|
||||
Permissions: []ac.Permission{
|
||||
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
},
|
||||
},
|
||||
Grants: []string{"Editor"},
|
||||
}
|
||||
|
||||
libraryPanelsReaderRole := ac.RoleRegistration{
|
||||
Role: ac.RoleDTO{
|
||||
Name: "fixed:library.panels:reader",
|
||||
DisplayName: "Library panel reader",
|
||||
Description: "Read all library panels.",
|
||||
Group: "Library panels",
|
||||
Permissions: []ac.Permission{
|
||||
{Action: libraryelements.ActionLibraryPanelsRead, Scope: libraryelements.ScopeLibraryPanelsAll},
|
||||
},
|
||||
},
|
||||
Grants: []string{"Admin"},
|
||||
}
|
||||
|
||||
libraryPanelsGeneralReaderRole := ac.RoleRegistration{
|
||||
Role: ac.RoleDTO{
|
||||
Name: "fixed:library.panels:general.reader",
|
||||
DisplayName: "Library panel general reader",
|
||||
Description: "Read all library panels in general folder.",
|
||||
Group: "Library panels",
|
||||
Permissions: []ac.Permission{
|
||||
{Action: libraryelements.ActionLibraryPanelsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
},
|
||||
},
|
||||
Grants: []string{"Viewer"},
|
||||
}
|
||||
|
||||
libraryPanelsWriterRole := ac.RoleRegistration{
|
||||
Role: ac.RoleDTO{
|
||||
Name: "fixed:library.panels:writer",
|
||||
DisplayName: "Library panel writer",
|
||||
Group: "Library panels",
|
||||
Description: "Create, read, write or delete all library panels and their permissions.",
|
||||
Permissions: ac.ConcatPermissions(libraryPanelsReaderRole.Role.Permissions, []ac.Permission{
|
||||
{Action: libraryelements.ActionLibraryPanelsWrite, Scope: libraryelements.ScopeLibraryPanelsAll},
|
||||
{Action: libraryelements.ActionLibraryPanelsDelete, Scope: libraryelements.ScopeLibraryPanelsAll},
|
||||
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: libraryelements.ScopeLibraryPanelsAll},
|
||||
}),
|
||||
},
|
||||
Grants: []string{"Admin"},
|
||||
}
|
||||
|
||||
libraryPanelsGeneralWriterRole := ac.RoleRegistration{
|
||||
Role: ac.RoleDTO{
|
||||
Name: "fixed:library.panels:general.writer",
|
||||
DisplayName: "Library panel general writer",
|
||||
Group: "Library panels",
|
||||
Description: "Create, read, write or delete all library panels and their permissions in the general folder.",
|
||||
Permissions: ac.ConcatPermissions(libraryPanelsGeneralReaderRole.Role.Permissions, []ac.Permission{
|
||||
{Action: libraryelements.ActionLibraryPanelsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
{Action: libraryelements.ActionLibraryPanelsDelete, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
{Action: libraryelements.ActionLibraryPanelsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
}),
|
||||
},
|
||||
Grants: []string{"Editor"},
|
||||
}
|
||||
|
||||
publicDashboardsWriterRole := ac.RoleRegistration{
|
||||
Role: ac.RoleDTO{
|
||||
Name: "fixed:dashboards.public:writer",
|
||||
@ -447,15 +519,18 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
Grants: []string{"Admin"},
|
||||
}
|
||||
|
||||
return hs.accesscontrolService.DeclareFixedRoles(
|
||||
provisioningWriterRole, datasourcesReaderRole, builtInDatasourceReader, datasourcesWriterRole,
|
||||
roles := []ac.RoleRegistration{provisioningWriterRole, datasourcesReaderRole, builtInDatasourceReader, datasourcesWriterRole,
|
||||
datasourcesIdReaderRole, orgReaderRole, orgWriterRole,
|
||||
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole,
|
||||
annotationsReaderRole, dashboardAnnotationsWriterRole, annotationsWriterRole,
|
||||
dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
|
||||
foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyReaderRole, apikeyWriterRole,
|
||||
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole,
|
||||
)
|
||||
publicDashboardsWriterRole, featuremgmtReaderRole, featuremgmtWriterRole}
|
||||
if hs.Features.IsEnabled(featuremgmt.FlagLibraryPanelRBAC) {
|
||||
roles = append(roles, libraryPanelsCreatorRole, libraryPanelsReaderRole, libraryPanelsWriterRole, libraryPanelsGeneralReaderRole, libraryPanelsGeneralWriterRole)
|
||||
}
|
||||
|
||||
return hs.accesscontrolService.DeclareFixedRoles(roles...)
|
||||
}
|
||||
|
||||
// Metadata helpers
|
||||
|
||||
Reference in New Issue
Block a user