package secret
import (
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
)
// RBAC action names for the SecureValues resource kind. Each constant is the
// action string a fixed role grants; the trailing comment names the API
// verb(s) it covers. The part before ':' is the same prefix the secure-values
// scope provider is created with.
const (
	ActionSecretSecureValuesCreate = "secret.securevalues:create" // CREATE.
	ActionSecretSecureValuesWrite  = "secret.securevalues:write"  // UPDATE.
	ActionSecretSecureValuesRead   = "secret.securevalues:read"   // GET + LIST.
	ActionSecretSecureValuesDelete = "secret.securevalues:delete" // DELETE.
)

// RBAC action names for the Keepers resource kind, following the same
// "<scope-provider-prefix>:<verb>" layout as the SecureValues actions.
const (
	ActionSecretKeepersCreate = "secret.keepers:create" // CREATE.
	ActionSecretKeepersWrite  = "secret.keepers:write"  // UPDATE.
	ActionSecretKeepersRead   = "secret.keepers:read"   // GET + LIST.
	ActionSecretKeepersDelete = "secret.keepers:delete" // DELETE.
)
// Scope provider and resource-level "all" scope for secure values. The
// provider prefix is the same "secret.securevalues" string that precedes ':'
// in the SecureValues action constants.
var (
	ScopeProviderSecretSecureValues = accesscontrol.NewScopeProvider("secret.securevalues")
	// ScopeAllSecureValues is the scope returned by GetResourceAllScope for
	// this provider; every fixed secure-values role in this file uses it.
	ScopeAllSecureValues = ScopeProviderSecretSecureValues.GetResourceAllScope()
)

// Scope provider and resource-level "all" scope for keepers, mirroring the
// secure-values pair above.
var (
	ScopeProviderSecretKeepers = accesscontrol.NewScopeProvider("secret.keepers")
	// ScopeAllKeepers is the scope returned by GetResourceAllScope for this
	// provider; every fixed keeper role in this file uses it.
	ScopeAllKeepers = ScopeProviderSecretKeepers.GetResourceAllScope()
)
// registerAccessControlRoles declares the fixed RBAC roles for the Secrets
// Manager resource kinds (secure values and keepers) through the supplied
// access-control service and returns whatever DeclareFixedRoles returns.
//
// Grant summary — every permission below uses the resource-level "all" scope:
//   - secure values: create and delete → Editor; read and update → Admin.
//   - keepers: read-only → Admin; create+read+update+delete → Admin.
//
// NOTE(review): the Editor grants are justified as being for "inline" secure
// values, but the delete permission is scoped to ScopeAllSecureValues, not to
// inline values. Nothing in this file stops an Editor holding
// fixed:secret.securevalues:deleter from deleting any secure value that scope
// matches — confirm whether the API handlers narrow this before relying on the
// inline-only assumption. Likewise, whether the read action returns the
// decrypted payload is not visible here; that decides how sensitive the
// Admin-granted reader role really is.
func registerAccessControlRoles(service accesscontrol.Service) error {
	// newRole assembles one registration in the "Secrets Manager" group.
	// perms is stored exactly as passed, so the caller controls the order in
	// which a role's permissions are declared.
	newRole := func(name, displayName, description string, grants []string, perms ...accesscontrol.Permission) accesscontrol.RoleRegistration {
		return accesscontrol.RoleRegistration{
			Role: accesscontrol.RoleDTO{
				Name:        name,
				DisplayName: displayName,
				Description: description,
				Group:       "Secrets Manager",
				Permissions: perms,
			},
			Grants: grants,
		}
	}

	// grant wraps a basic role name in the single-element Grants slice each
	// registration carries; a fresh slice is built per role.
	grant := func(basicRole string) []string { return []string{basicRole} }

	// onAllSecureValues / onAllKeepers pair an action with the "all" scope of
	// the respective resource kind.
	onAllSecureValues := func(action string) accesscontrol.Permission {
		return accesscontrol.Permission{Action: action, Scope: ScopeAllSecureValues}
	}
	onAllKeepers := func(action string) accesscontrol.Permission {
		return accesscontrol.Permission{Action: action, Scope: ScopeAllKeepers}
	}

	// SecureValues are deliberately split into one fixed role per action.
	// Inline secure values have no read/update API, which is why Editors are
	// granted only create and delete; references are available through the
	// API and RBAC, so operators can grant those roles to any basic role.
	secureValueRoles := []accesscontrol.RoleRegistration{
		newRole(
			"fixed:secret.securevalues:creator", "Secure Values Creator", "Create secure values.",
			grant(string(org.RoleEditor)),
			onAllSecureValues(ActionSecretSecureValuesCreate),
		),
		newRole(
			"fixed:secret.securevalues:reader", "Secure Values Reader", "Read and list secure values.",
			grant(string(org.RoleAdmin)),
			onAllSecureValues(ActionSecretSecureValuesRead),
		),
		newRole(
			"fixed:secret.securevalues:updater", "Secure Values Updater", "Update secure values.",
			grant(string(org.RoleAdmin)),
			onAllSecureValues(ActionSecretSecureValuesWrite),
		),
		newRole(
			"fixed:secret.securevalues:deleter", "Secure Values Deleter", "Delete secure values.",
			grant(string(org.RoleEditor)),
			onAllSecureValues(ActionSecretSecureValuesDelete),
		),
	}

	// Keepers get a read-only role and a full CRUD role (the writer also
	// carries the read action), both granted to Admin only.
	keeperRoles := []accesscontrol.RoleRegistration{
		newRole(
			"fixed:secret.keepers:reader", "Keepers Reader", "Read and list keepers.",
			grant(string(org.RoleAdmin)),
			onAllKeepers(ActionSecretKeepersRead),
		),
		newRole(
			"fixed:secret.keepers:writer", "Keepers Writer", "Create, update and delete keepers.",
			grant(string(org.RoleAdmin)),
			onAllKeepers(ActionSecretKeepersCreate),
			onAllKeepers(ActionSecretKeepersRead),
			onAllKeepers(ActionSecretKeepersWrite),
			onAllKeepers(ActionSecretKeepersDelete),
		),
	}

	// Declared in this order: creator, reader, updater, deleter, then the
	// keepers reader and writer.
	return service.DeclareFixedRoles(append(secureValueRoles, keeperRoles...)...)
}