opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-30 07:32:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

Access Control: Rename global users scope (#46794)

Browse Source 
* Rename scope from global:users to global.users to match scope convention
This commit is contained in:
Karl Persson
2022-03-22 12:48:46 +01:00
committed by GitHub
parent adc0cbf176
commit faf4a3f751
8 changed files with 39 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/sources/enterprise/access-control/permissions.md
View File

@ -43,20 +43,20 @@ The following list contains fine-grained access control actions.
| `teams.roles:list` | `teams:*` | List roles assigned directly to a team. |
| `teams.roles:add` | `permissions:delegate` | Assign a role to a team. |
| `teams.roles:remove` | `permissions:delegate` | Unassign a role from a team. |
| `users:read` | `global:users:*` | Read or search user profiles. |
| `users:write` | `global:users:*` <br> `global:users:id` | Update a users profile. |
| `users.teams:read` | `global:users:*` <br> `global:users:id:*` | Read a users teams. |
| `users.authtoken:list` | `global:users:*` <br> `global:users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:update` | `global:users:*` <br> `global:users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:update` | `global:users:*` <br> `global:users:id:*` | Update a users password. |
| `users:delete` | `global:users:*` <br> `global:users:id:*` | Delete a user. |
| `users:read` | `global.users:*` | Read or search user profiles. |
| `users:write` | `global.users:*` <br> `global.users:id:*` | Update a users profile. |
| `users.teams:read` | `global.users:*` <br> `global.users:id:*` | Read a users teams. |
| `users.authtoken:list` | `global.users:*` <br> `global.users:id:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:update` | `global.users:*` <br> `global.users:id:*` | Update authentication tokens that are assigned to a user. |
| `users.password:update` | `global.users:*` <br> `global.users:id:*` | Update a users password. |
| `users:delete` | `global.users:*` <br> `global.users:id:*` | Delete a user. |
| `users:create` | n/a | Create a user. |
| `users:enable` | `global:users:*` <br> `global:users:id:*` | Enable a user. |
| `users:disable` | `global:users:*` <br> `global:users:id:*` | Disable a user. |
| `users.permissions:update` | `global:users:*` <br> `global:users:id:*` | Update a users organization-level permissions. |
| `users:logout` | `global:users:*` <br> `global:users:id:*` | Sign out a user. |
| `users.quotas:list` | `global:users:*` <br> `global:users:id:*` | List a users quotas. |
| `users.quotas:update` | `global:users:*` <br> `global:users:id:*` | Update a users quotas. |
| `users:enable` | `globa.users:*` <br> `global.users:id:*` | Enable a user. |
| `users:disable` | `global.users:*` <br> `global.users:id:*` | Disable a user. |
| `users.permissions:update` | `global.users:*` <br> `global.users:id:*` | Update a users organization-level permissions. |
| `users:logout` | `global.users:*` <br> `global.users:id:*` | Sign out a user. |
| `users.quotas:list` | `global.users:*` <br> `global.users:id:*` | List a users quotas. |
| `users.quotas:update` | `global.users:*` <br> `global.users:id:*` | Update a users quotas. |
| `users.roles:list` | `users:*` | List roles assigned directly to a user. |
| `users.roles:add` | `permissions:delegate` | Assign a role to a user. |
| `users.roles:remove` | `permissions:delegate` | Unassign a role from a user. |
@ -124,7 +124,7 @@ The following list contains fine-grained access control scopes.
| `roles:*` <br> `roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. |
| `reports:*` <br> `reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. |
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `global:users:*` <br> `global:users:id:*` | Restrict an action to a set of global users. For example, `global:users:*` matches any user and `global:users:id:1` matches the user whose ID is `1`. |
| `global.users:*` <br> `global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. |
| `teams:*` <br> `teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. |
| `users:*` <br> `users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. |
| `orgs:*` <br> `orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. |

12
docs/sources/http_api/admin.md
View File

@ -376,7 +376,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
`POST /api/admin/users/:id/logout`
Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in
Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in
and will be required to authenticate again upon next activity.
Only works with Basic Authentication (username and password). See [introduction](http://docs.grafana.org/http_api/admin/#admin-api) for an explanation.
@ -409,7 +409,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
`POST /api/admin/provisioning/dashboards/reload`
`POST /api/admin/provisioning/datasources/reload`
`POST /api/admin/provisioning/datasources/reload`
`POST /api/admin/provisioning/plugins/reload`
@ -442,7 +442,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
Accept: application/json
Content-Type: application/json
```
**Example Response**:
```http
@ -510,7 +510,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
| Action | Scope |
| -------------------- | --------------- |
| users.authtoken:list | global:users:\* |
| users.authtoken:list | global.users:\* |
**Example Request**:
@ -569,7 +569,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
| Action | Scope |
| ---------------------- | --------------- |
| users.authtoken:update | global:users:\* |
| users.authtoken:update | global.users:\* |
**Example Request**:
@ -609,7 +609,7 @@ See note in the [introduction]({{< ref "#admin-api" >}}) for an explanation.
| Action | Scope |
| ------------ | --------------- |
| users.logout | global:users:\* |
| users.logout | global.users:\* |
**Example Request**:

6
docs/sources/http_api/user.md
View File

@ -20,7 +20,7 @@ See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
| Action | Scope |
| ---------- | --------------- |
| users:read | global:users:\* |
| users:read | global.users:\* |
**Example Request**:
@ -75,7 +75,7 @@ See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
```
## Get single user by Id
`GET /api/users/:id`
#### Required permissions
@ -182,7 +182,7 @@ See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
`GET /api/users/:id/orgs`
#### Required permissions
See note in the [introduction]({{< ref "#user-api" >}}) for an explanation.
| Action | Scope |

4
pkg/api/api.go
View File

@ -174,7 +174,7 @@ func (hs *HTTPServer) registerRoutes() {
}, reqSignedInNoAnonymous)
apiRoute.Group("/users", func(usersRoute routing.RouteRegister) {
userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id"))
userIDScope := ac.Scope("global.users", "id", ac.Parameter(":id"))
usersRoute.Get("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsers))
usersRoute.Get("/search", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsersWithPaging))
usersRoute.Get("/:id", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, userIDScope)), routing.Wrap(hs.GetUserByID))
@ -516,7 +516,7 @@ func (hs *HTTPServer) registerRoutes() {
// Administering users
r.Group("/api/admin/users", func(adminUserRoute routing.RouteRegister) {
userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id"))
userIDScope := ac.Scope("global.users", "id", ac.Parameter(":id"))
adminUserRoute.Post("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersCreate)), routing.Wrap(hs.AdminCreateUser))
adminUserRoute.Put("/:id/password", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersPasswordUpdate, userIDScope)), routing.Wrap(hs.AdminUpdateUserPassword))

20
pkg/api/docs/definitions/admin_users.go
View File

@ -28,7 +28,7 @@ import (
//
// Set password for user.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.password:update` and scope `global:users:*`.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.password:update` and scope `global.users:*`.
//
// Security:
// - basic:
@ -45,7 +45,7 @@ import (
// Set permissions for user.
//
// Only works with Basic Authentication (username and password). See introduction for an explanation.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.permissions:update` and scope `global:users:*`.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.permissions:update` and scope `global.users:*`.
//
// Responses:
// 200: okResponse
@ -58,7 +58,7 @@ import (
//
// Delete global User.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:delete` and scope `global:users:*`.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:delete` and scope `global.users:*`.
//
// Security:
// - basic:
@ -74,7 +74,7 @@ import (
//
// Disable user.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:disable` and scope `global:users:1` (userIDScope).
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:disable` and scope `global.users:1` (userIDScope).
//
// Security:
// - basic:
@ -90,7 +90,7 @@ import (
//
// Enable user.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:enable` and scope `global:users:1` (userIDScope).
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users:enable` and scope `global.users:1` (userIDScope).
//
// Security:
// - basic:
@ -106,7 +106,7 @@ import (
//
// Fetch user quota.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:list` and scope `global:users:1` (userIDScope).
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:list` and scope `global.users:1` (userIDScope).
//
// Security:
// - basic:
@ -122,7 +122,7 @@ import (
//
// Update user quota.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:update` and scope `global:users:1` (userIDScope).
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.quotas:update` and scope `global.users:1` (userIDScope).
//
// Security:
// - basic:
@ -137,7 +137,7 @@ import (
// swagger:route GET /admin/users/{user_id}/auth-tokens admin_users getAuthTokens
//
// Return a list of all auth tokens (devices) that the user currently have logged in from.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:list` and scope `global:users:*`.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:list` and scope `global.users:*`.
//
// Security:
// - basic:
@ -153,7 +153,7 @@ import (
// Revoke auth token for user.
//
// Revokes the given auth token (device) for the user. User of issued auth token (device) will no longer be logged in and will be required to authenticate again upon next activity.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:update` and scope `global:users:*`.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.authtoken:update` and scope `global.users:*`.
//
// Security:
// - basic:
@ -169,7 +169,7 @@ import (
// swagger:route POST /admin/users/{user_id}/logout admin_users logoutUser
//
// Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in and will be required to authenticate again upon next activity.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.logout` and scope `global:users:*`.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `users.logout` and scope `global.users:*`.
//
// Security:
// - basic:

2
pkg/api/user.go
View File

@ -46,7 +46,7 @@ func (hs *HTTPServer) getUserUserProfile(c *models.ReqContext, userID int64) res
query.Result.IsExternal = true
}
query.Result.AccessControl = hs.getAccessControlMetadata(c, "global:users:id:", strconv.FormatInt(userID, 10))
query.Result.AccessControl = hs.getAccessControlMetadata(c, "global.users:id:", strconv.FormatInt(userID, 10))
query.Result.AvatarUrl = dtos.GetGravatarUrl(query.Result.Email)
return response.JSON(200, query.Result)

2
pkg/services/accesscontrol/models.go
View File

@ -296,7 +296,7 @@ const (
ActionPluginsManage = "plugins:manage"
// Global Scopes
ScopeGlobalUsersAll = "global:users:*"
ScopeGlobalUsersAll = "global.users:*"
// APIKeys scope
ScopeAPIKeysAll = "apikeys:*"

4
pkg/services/accesscontrol/roles.go
View File

@ -115,7 +115,7 @@ var (
DisplayName: "User reader",
Description: "Read all users and their information, such as team memberships, authentication tokens, and quotas.",
Group: "User administration (global)",
Version: 3,
Version: 4,
Permissions: []Permission{
{
Action: ActionUsersRead,
@ -141,7 +141,7 @@ var (
DisplayName: "User writer",
Description: "Read and update all attributes and settings for all users in Grafana: update user information, read user information, create or enable or disable a user, make a user a Grafana administrator, sign out a user, update a users authentication token, or update quotas for all users.",
Group: "User administration (global)",
Version: 3,
Version: 4,
Permissions: ConcatPermissions(usersReaderRole.Permissions, []Permission{
{
Action: ActionUsersPasswordUpdate,