Access Control: Rename global users scope (#46794)

* Rename scope from global:users to global.users to match scope convention
This commit is contained in:
Karl Persson
2022-03-22 12:48:46 +01:00
committed by GitHub
parent adc0cbf176
commit faf4a3f751
8 changed files with 39 additions and 39 deletions


@ -43,20 +43,20 @@ The following list contains fine-grained access control actions.
| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. | | `teams.roles:list` | `teams:*` | List roles assigned directly to a team. |
| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. | | `teams.roles:add` | `permissions:delegate` | Assign a role to a team. |
| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. | | `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. |
| `users:read` | `global:users:*` | Read or search user profiles. | | `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global:users:*` <br> `global:users:id` | Update a users profile. | | `users:write` | `global.users:*` <br> `global.users:id:*` | Update a users profile. |
| `users.teams:read` | `global:users:*` <br> `global:users:id:*` | Read a users teams. | | `users.teams:read` | `global.users:*` <br> `global.users:id:*` | Read a users teams. |
| `users.authtoken:list` | `global:users:*` <br> `global:users:id:*` | List authentication tokens that are assigned to a user. | | `users.authtoken:list` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:update` | `global:users:*` <br> `global:users:id:*` | Update authentication tokens that are assigned to a user. | | `users.authtoken:update` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:update` | `global:users:*` <br> `global:users:id:*` | Update a users password. | | `users.password:update` | `global.users:*` <br> `global.users:id:*` | Update a users password. |
| `users:delete` | `global:users:*` <br> `global:users:id:*` | Delete a user. | | `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
| `users:create` | n/a | Create a user. | | `users:create` | n/a | Create a user. |
| `users:enable` | `global:users:*` <br> `global:users:id:*` | Enable a user. | | `users:enable` | `globa.users:*` <br> `global.users:id:*` | Enable a user. |
| `users:disable` | `global:users:*` <br> `global:users:id:*` | Disable a user. | | `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
| `users.permissions:update` | `global:users:*` <br> `global:users:id:*` | Update a users organization-level permissions. | | `users.permissions:update` | `global.users:*` <br> `global.users:id:*` | Update a users organization-level permissions. |
| `users:logout` | `global:users:*` <br> `global:users:id:*` | Sign out a user. | | `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
| `users.quotas:list` | `global:users:*` <br> `global:users:id:*` | List a users quotas. | | `users.quotas:list` | `global.users:*` <br> `global.users:id:*` | List a users quotas. |
| `users.quotas:update` | `global:users:*` <br> `global:users:id:*` | Update a users quotas. | | `users.quotas:update` | `global.users:*` <br> `global.users:id:*` | Update a users quotas. |
| `users.roles:list` | `users:*` | List roles assigned directly to a user. | | `users.roles:list` | `users:*` | List roles assigned directly to a user. |
| `users.roles:add` | `permissions:delegate` | Assign a role to a user. | | `users.roles:add` | `permissions:delegate` | Assign a role to a user. |
| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. | | `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. |
@ -124,7 +124,7 @@ The following list contains fine-grained access control scopes.
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. | | `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. | | `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. | | `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `global:users:*` <br> `global:users:id:*` | Restrict an action to a set of global users. For example, `global:users:*` matches any user and `global:users:id:1` matches the user whose ID is `1`. | | `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
| `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. | | `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. |
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. | | `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. | | `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |


@ -376,7 +376,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
`POST /api/admin/users/:id/logout` `POST /api/admin/users/:id/logout`
Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in
and will be required to authenticate again upon next activity. and will be required to authenticate again upon next activity.
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation. Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
@ -409,7 +409,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
`POST /api/admin/provisioning/dashboards/reload` `POST /api/admin/provisioning/dashboards/reload`
`POST /api/admin/provisioning/datasources/reload` `POST /api/admin/provisioning/datasources/reload`
`POST /api/admin/provisioning/plugins/reload` `POST /api/admin/provisioning/plugins/reload`
@ -442,7 +442,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
Accept: application/json Accept: application/json
Content-Type: application/json Content-Type: application/json
``` ```
**Example Response**: **Example Response**:
```http ```http
@ -510,7 +510,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
| Action | Scope | | Action | Scope |
| -------------------- | --------------- | | -------------------- | --------------- |
| users.authtoken:list | global:users:\* | | users.authtoken:list | global.users:\* |
**Example Request**: **Example Request**:
@ -569,7 +569,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
| Action | Scope | | Action | Scope |
| ---------------------- | --------------- | | ---------------------- | --------------- |
| users.authtoken:update | global:users:\* | | users.authtoken:update | global.users:\* |
**Example Request**: **Example Request**:
@ -609,7 +609,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
| Action | Scope | | Action | Scope |
| ------------ | --------------- | | ------------ | --------------- |
| users.logout | global:users:\* | | users.logout | global.users:\* |
**Example Request**: **Example Request**:


@ -20,7 +20,7 @@ See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
| Action | Scope | | Action | Scope |
| ---------- | --------------- | | ---------- | --------------- |
| users:read | global:users:\* | | users:read | global.users:\* |
**Example Request**: **Example Request**:
@ -75,7 +75,7 @@ See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
``` ```
## Get single user by Id ## Get single user by Id
`GET /api/users/:id` `GET /api/users/:id`
#### Required permissions #### Required permissions
@ -182,7 +182,7 @@ See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
`GET /api/users/:id/orgs` `GET /api/users/:id/orgs`
#### Required permissions #### Required permissions
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation. See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
| Action | Scope | | Action | Scope |


@ -174,7 +174,7 @@ func (hs *HTTPServer) registerRoutes() {
}, reqSignedInNoAnonymous) }, reqSignedInNoAnonymous)
apiRoute.Group("/users", func(usersRoute routing.RouteRegister) { apiRoute.Group("/users", func(usersRoute routing.RouteRegister) {
userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id")) userIDScope := ac.Scope("global.users", "id", ac.Parameter(":id"))
usersRoute.Get("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsers)) usersRoute.Get("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsers))
usersRoute.Get("/search", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsersWithPaging)) usersRoute.Get("/search", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsersWithPaging))
usersRoute.Get("/:id", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, userIDScope)), routing.Wrap(hs.GetUserByID)) usersRoute.Get("/:id", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, userIDScope)), routing.Wrap(hs.GetUserByID))
@ -516,7 +516,7 @@ func (hs *HTTPServer) registerRoutes() {
// Administering users // Administering users
r.Group("/api/admin/users", func(adminUserRoute routing.RouteRegister) { r.Group("/api/admin/users", func(adminUserRoute routing.RouteRegister) {
userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id")) userIDScope := ac.Scope("global.users", "id", ac.Parameter(":id"))
adminUserRoute.Post("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersCreate)), routing.Wrap(hs.AdminCreateUser)) adminUserRoute.Post("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersCreate)), routing.Wrap(hs.AdminCreateUser))
adminUserRoute.Put("/:id/password", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersPasswordUpdate, userIDScope)), routing.Wrap(hs.AdminUpdateUserPassword)) adminUserRoute.Put("/:id/password", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersPasswordUpdate, userIDScope)), routing.Wrap(hs.AdminUpdateUserPassword))
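Review bot: The per-user form of the renamed scope is rebuilt from string literals at the top of both route groups (`userIDScope := ac.Scope("global.users", "id", ac.Parameter(":id"))` for `/users` and again for `/api/admin/users`), while only the wildcard form has a named constant (`ac.ScopeGlobalUsersAll`); the same prefix is hand-typed once more as `"global.users:id:"` in `getUserUserProfile`, and the docs table in this commit already shows how that drifts, with the `users:enable` row reading `globa.users:*`. A scope that differs by one character never matches, which silently denies access on the route side and presumably misreports it on the metadata side, so the prefix should live in one place: add `var ScopeGlobalUsersID = Scope("global.users", "id", Parameter(":id"))` next to `ScopeGlobalUsersAll` in the accesscontrol package and use `userIDScope := ac.ScopeGlobalUsersID` in both groups. It is also not visible from this commit whether permissions persisted under the old `global:users:*` string (custom roles or directly assigned permissions) are migrated; bumping the fixed-role `Version` reseeds only the built-in roles, so if such rows exist they will stop matching after upgrade, which is worth confirming or covering with a migration. Both route groups continue outside the hunk.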


@ -28,7 +28,7 @@ import (
// //
// Set password for user. // Set password for user.
// //
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.password:update` and scope `global:users:*`. // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.password:update` and scope `global.users:*`.
// //
// Security: // Security:
// - basic: // - basic:
@ -45,7 +45,7 @@ import (
// Set permissions for user. // Set permissions for user.
// //
// Only works with Basic Authentication (username and password). See introduction for an explanation. // Only works with Basic Authentication (username and password). See introduction for an explanation.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.permissions:update` and scope `global:users:*`. // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.permissions:update` and scope `global.users:*`.
// //
// Responses: // Responses:
// 200: okResponse // 200: okResponse
@ -58,7 +58,7 @@ import (
// //
// Delete global User. // Delete global User.
// //
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:delete` and scope `global:users:*`. // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:delete` and scope `global.users:*`.
// //
// Security: // Security:
// - basic: // - basic:
@ -74,7 +74,7 @@ import (
// //
// Disable user. // Disable user.
// //
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:disable` and scope `global:users:1` (userIDScope). // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:disable` and scope `global.users:1` (userIDScope).
// //
// Security: // Security:
// - basic: // - basic:
@ -90,7 +90,7 @@ import (
// //
// Enable user. // Enable user.
// //
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:enable` and scope `global:users:1` (userIDScope). // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:enable` and scope `global.users:1` (userIDScope).
// //
// Security: // Security:
// - basic: // - basic:
@ -106,7 +106,7 @@ import (
// //
// Fetch user quota. // Fetch user quota.
// //
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:list` and scope `global:users:1` (userIDScope). // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:list` and scope `global.users:1` (userIDScope).
// //
// Security: // Security:
// - basic: // - basic:
@ -122,7 +122,7 @@ import (
// //
// Update user quota. // Update user quota.
// //
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:update` and scope `global:users:1` (userIDScope). // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:update` and scope `global.users:1` (userIDScope).
// //
// Security: // Security:
// - basic: // - basic:
@ -137,7 +137,7 @@ import (
// swagger:route GET /admin/users/{user_id}/auth-tokens admin_users getAuthTokens // swagger:route GET /admin/users/{user_id}/auth-tokens admin_users getAuthTokens
// //
// Return a list of all auth tokens (devices) that the user currently have logged in from. // Return a list of all auth tokens (devices) that the user currently have logged in from.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:list` and scope `global:users:*`. // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:list` and scope `global.users:*`.
// //
// Security: // Security:
// - basic: // - basic:
@ -153,7 +153,7 @@ import (
// Revoke auth token for user. // Revoke auth token for user.
// //
// Revokes the given auth token (device) for the user. User of issued auth token (device) will no longer be logged in and will be required to authenticate again upon next activity. // Revokes the given auth token (device) for the user. User of issued auth token (device) will no longer be logged in and will be required to authenticate again upon next activity.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:update` and scope `global:users:*`. // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:update` and scope `global.users:*`.
// //
// Security: // Security:
// - basic: // - basic:
@ -169,7 +169,7 @@ import (
// swagger:route POST /admin/users/{user_id}/logout admin_users logoutUser // swagger:route POST /admin/users/{user_id}/logout admin_users logoutUser
// //
// Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in and will be required to authenticate again upon next activity. // Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in and will be required to authenticate again upon next activity.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.logout` and scope `global:users:*`. // If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.logout` and scope `global.users:*`.
// //
// Security: // Security:
// - basic: // - basic:


@ -46,7 +46,7 @@ func (hs *HTTPServer) getUserUserProfile(c *models.ReqContext, userID int64) res
query.Result.IsExternal = true query.Result.IsExternal = true
} }
query.Result.AccessControl = hs.getAccessControlMetadata(c, "global:users:id:", strconv.FormatInt(userID, 10)) query.Result.AccessControl = hs.getAccessControlMetadata(c, "global.users:id:", strconv.FormatInt(userID, 10))
query.Result.AvatarUrl = dtos.GetGravatarUrl(query.Result.Email) query.Result.AvatarUrl = dtos.GetGravatarUrl(query.Result.Email)
return response.JSON(200, query.Result) return response.JSON(200, query.Result)


@ -296,7 +296,7 @@ const (
ActionPluginsManage = "plugins:manage" ActionPluginsManage = "plugins:manage"
// Global Scopes // Global Scopes
ScopeGlobalUsersAll = "global:users:*" ScopeGlobalUsersAll = "global.users:*"
// APIKeys scope // APIKeys scope
ScopeAPIKeysAll = "apikeys:*" ScopeAPIKeysAll = "apikeys:*"


@ -115,7 +115,7 @@ var (
DisplayName: "User reader", DisplayName: "User reader",
Description: "Read all users and their information, such as team memberships, authentication tokens, and quotas.", Description: "Read all users and their information, such as team memberships, authentication tokens, and quotas.",
Group: "User administration (global)", Group: "User administration (global)",
Version: 3, Version: 4,
Permissions: []Permission{ Permissions: []Permission{
{ {
Action: ActionUsersRead, Action: ActionUsersRead,
@ -141,7 +141,7 @@ var (
DisplayName: "User writer", DisplayName: "User writer",
Description: "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users.", Description: "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users.",
Group: "User administration (global)", Group: "User administration (global)",
Version: 3, Version: 4,
Permissions: ConcatPermissions(usersReaderRole.Permissions, []Permission{ Permissions: ConcatPermissions(usersReaderRole.Permissions, []Permission{
{ {
Action: ActionUsersPasswordUpdate, Action: ActionUsersPasswordUpdate,