Alertmanager: Add Role-Based Access Control via reqAction Field (#101543)

* Add reqAction for alert manager routes * Add endpoints from Prometheus Alertmanager API * use notifications reader for alertmanager/api/v2/status * use viewer for GET api/v1/alerts * add POST DELETE for api/v1/alerts * duplicate paths to cover upstream Alertmanager * add fallback rule to catch all GET * Update reqAction for GET api/v1/alerts * require Admin for all wildcard paths --------- Signed-off-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com> Co-authored-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com>
2025-07-30 07:42:23 +08:00 · 2025-04-05 07:59:45 +13:00
parent 8fadade4b8
commit ac7ad27867
1 changed files with 119 additions and 14 deletions
--- a/public/app/plugins/datasource/alertmanager/plugin.json
+++ b/public/app/plugins/datasource/alertmanager/plugin.json
@ -5,40 +5,145 @@
  "metrics": false,
  "routes": [
    {
-      "method": "POST",
+      "method": "GET",
      "path": "alertmanager/api/v2/silences",
-      "reqRole": "Editor"
-    },
-    {
-      "method": "DELETE",
-      "path": "alertmanager/api/v2/silence",
-      "reqRole": "Editor"
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
    },
    {
      "method": "GET",
-      "path": "alertmanager/api/v2/silences",
-      "reqRole": "Viewer"
+      "path": "api/v2/silences",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
    },
    {
      "method": "POST",
-      "reqRole": "Editor"
+      "path": "alertmanager/api/v2/silences",
+      "reqRole": "Editor",
+      "reqAction": "alert.instances.external:write"
    },
    {
-      "method": "PUT",
-      "reqRole": "Editor"
+      "method": "POST",
+      "path": "api/v2/silences",
+      "reqRole": "Editor",
+      "reqAction": "alert.instances.external:write"
+    },
+    {
+      "method": "GET",
+      "path": "alertmanager/api/v2/silence/",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
+    },
+    {
+      "method": "GET",
+      "path": "api/v2/silence/",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
    },
    {
      "method": "DELETE",
-      "reqRole": "Editor"
+      "path": "alertmanager/api/v2/silence/",
+      "reqRole": "Editor",
+      "reqAction": "alert.instances.external:write"
+    },
+    {
+      "method": "DELETE",
+      "path": "api/v2/silence/",
+      "reqRole": "Editor",
+      "reqAction": "alert.instances.external:write"
+    },
+    {
+      "method": "GET",
+      "path": "alertmanager/api/v2/alerts/groups",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
+    },
+    {
+      "method": "GET",
+      "path": "api/v2/alerts/groups",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
    },
    {
      "method": "GET",
      "path": "alertmanager/api/v2/alerts",
-      "reqRole": "Viewer"
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
+    },
+    {
+      "method": "GET",
+      "path": "api/v2/alerts",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
+    },
+    {
+      "method": "POST",
+      "path": "alertmanager/api/v2/alerts",
+      "reqRole": "Editor",
+      "reqAction": "alert.instances.external:write"
+    },
+    {
+      "method": "POST",
+      "path": "api/v2/alerts",
+      "reqRole": "Editor",
+      "reqAction": "alert.instances.external:write"
+    },
+    {
+      "method": "GET",
+      "path": "alertmanager/api/v2/status",
+      "reqRole": "Viewer",
+      "reqAction": "alert.notifications.external:read"
+    },
+    {
+      "method": "GET",
+      "path": "api/v2/status",
+      "reqRole": "Viewer",
+      "reqAction": "alert.notifications.external:read"
+    },
+    {
+      "method": "GET",
+      "path": "alertmanager/api/v2/receivers",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
+    },
+    {
+      "method": "GET",
+      "path": "api/v2/receivers",
+      "reqRole": "Viewer",
+      "reqAction": "alert.instances.external:read"
    },
    {
      "method": "GET",
      "path": "api/v1/alerts",
+      "reqRole": "Viewer",
+      "reqAction": "alert.notifications.external:read"
+    },
+    {
+      "method": "POST",
+      "path": "api/v1/alerts",
+      "reqRole": "Editor",
+      "reqAction": "alert.notifications.external:write"
+    },
+    {
+      "method": "DELETE",
+      "path": "api/v1/alerts",
+      "reqRole": "Editor",
+      "reqAction": "alert.notifications.external:write"
+    },
+    {
+      "method": "POST",
+      "reqRole": "Admin"
+    },
+    {
+      "method": "PUT",
+      "reqRole": "Admin"
+    },
+    {
+      "method": "DELETE",
+      "reqRole": "Admin"
+    },
+    {
+      "method": "GET",
      "reqRole": "Admin"
    }
  ],