From ac7ad27867be5c85ebde3687b59bcd7731347c60 Mon Sep 17 00:00:00 2001
From: Oleg Yevik
Date: Sat, 5 Apr 2025 07:59:45 +1300
Subject: [PATCH] Alertmanager: Add Role-Based Access Control via reqAction Field (#101543)

* Add reqAction for alert manager routes
* Add endpoints from Prometheus Alertmanager API
* use notifications reader for alertmanager/api/v2/status
* use viewer for GET api/v1/alerts
* add POST DELETE for api/v1/alerts
* duplicate paths to cover upstream Alertmanager
* add fallback rule to catch all GET
* Update reqAction for GET api/v1/alerts
* require Admin for all wildcard paths
---------
Signed-off-by: Yuri Tseretyan
Co-authored-by: Yuri Tseretyan
---
 .../datasource/alertmanager/plugin.json | 133 ++++++++++++++++--
 1 file changed, 119 insertions(+), 14 deletions(-)
diff --git a/public/app/plugins/datasource/alertmanager/plugin.json b/public/app/plugins/datasource/alertmanager/plugin.json
index 9312287a9d5..af43f3858bd 100644
--- a/public/app/plugins/datasource/alertmanager/plugin.json
+++ b/public/app/plugins/datasource/alertmanager/plugin.json
@@ -5,40 +5,145 @@
 "metrics": false,
 "routes": [
 {
- "method": "POST",
+ "method": "GET",
 "path": "alertmanager/api/v2/silences",
- "reqRole": "Editor"
- },
- {
- "method": "DELETE",
- "path": "alertmanager/api/v2/silence",
- "reqRole": "Editor"
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
 },
 {
 "method": "GET",
- "path": "alertmanager/api/v2/silences",
- "reqRole": "Viewer"
+ "path": "api/v2/silences",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
 },
 {
 "method": "POST",
- "reqRole": "Editor"
+ "path": "alertmanager/api/v2/silences",
+ "reqRole": "Editor",
+ "reqAction": "alert.instances.external:write"
 },
 {
- "method": "PUT",
- "reqRole": "Editor"
+ "method": "POST",
+ "path": "api/v2/silences",
+ "reqRole": "Editor",
+ "reqAction": "alert.instances.external:write"
+ },
+ {
+ "method": "GET",
+ "path": "alertmanager/api/v2/silence/",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
+ },
+ {
+ "method": "GET",
+ "path": "api/v2/silence/",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
 },
 {
 "method": "DELETE",
- "reqRole": "Editor"
+ "path": "alertmanager/api/v2/silence/",
+ "reqRole": "Editor",
+ "reqAction": "alert.instances.external:write"
+ },
+ {
+ "method": "DELETE",
+ "path": "api/v2/silence/",
+ "reqRole": "Editor",
+ "reqAction": "alert.instances.external:write"
+ },
+ {
+ "method": "GET",
+ "path": "alertmanager/api/v2/alerts/groups",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
+ },
+ {
+ "method": "GET",
+ "path": "api/v2/alerts/groups",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
 },
 {
 "method": "GET",
 "path": "alertmanager/api/v2/alerts",
- "reqRole": "Viewer"
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
+ },
+ {
+ "method": "GET",
+ "path": "api/v2/alerts",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
+ },
+ {
+ "method": "POST",
+ "path": "alertmanager/api/v2/alerts",
+ "reqRole": "Editor",
+ "reqAction": "alert.instances.external:write"
+ },
+ {
+ "method": "POST",
+ "path": "api/v2/alerts",
+ "reqRole": "Editor",
+ "reqAction": "alert.instances.external:write"
+ },
+ {
+ "method": "GET",
+ "path": "alertmanager/api/v2/status",
+ "reqRole": "Viewer",
+ "reqAction": "alert.notifications.external:read"
+ },
+ {
+ "method": "GET",
+ "path": "api/v2/status",
+ "reqRole": "Viewer",
+ "reqAction": "alert.notifications.external:read"
+ },
+ {
+ "method": "GET",
+ "path": "alertmanager/api/v2/receivers",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
+ },
+ {
+ "method": "GET",
+ "path": "api/v2/receivers",
+ "reqRole": "Viewer",
+ "reqAction": "alert.instances.external:read"
 },
 {
 "method": "GET",
 "path": "api/v1/alerts",
+ "reqRole": "Viewer",
+ "reqAction": "alert.notifications.external:read"
+ },
+ {
+ "method": "POST",
+ "path": "api/v1/alerts",
+ "reqRole": "Editor",
+ "reqAction": "alert.notifications.external:write"
+ },
+ {
+ "method": "DELETE",
+ "path": "api/v1/alerts",
+ "reqRole": "Editor",
+ "reqAction": "alert.notifications.external:write"
+ },
+ {
+ "method": "POST",
+ "reqRole": "Admin"
+ },
+ {
+ "method": "PUT",
+ "reqRole": "Admin"
+ },
+ {
+ "method": "DELETE",
+ "reqRole": "Admin"
+ },
+ {
+ "method": "GET",
 "reqRole": "Admin"
 }
 ],
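Review bot: The `GET api/v1/alerts` entry lowers its role floor from `Admin` to `Viewer`, and the hunk does not show how `reqRole` and `reqAction` are combined when both are present. On Mimir/Cortex-style backends that path serves the Alertmanager configuration, which may include receiver credentials, so if `reqRole` is what applies whenever action-based checks are not in effect, the configuration becomes readable by every Viewer. Consider keeping `"reqRole": "Admin",` on that entry next to `"reqAction": "alert.notifications.external:read"`, or confirming that the action is always enforced for this route. The fallback entries at the end list only GET, POST, PUT and DELETE, so a request using another method (PATCH, HEAD) on an unlisted path meets no role requirement in this list; a method-agnostic Admin entry would close that, if the route matcher supports one. It is also worth confirming that `api/v2/receivers` is meant to be gated by `alert.instances.external:read` while `api/v2/status` uses `alert.notifications.external:read`.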