mirror of
https://github.com/grafana/grafana.git
synced 2025-07-30 04:22:14 +08:00
126 lines
3.6 KiB
Go
126 lines
3.6 KiB
Go
package secret
|
|
|
|
import (
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
)
|
|
|
|
const (
|
|
// SecureValues
|
|
ActionSecretSecureValuesCreate = "secret.securevalues:create" // CREATE.
|
|
ActionSecretSecureValuesWrite = "secret.securevalues:write" // UPDATE.
|
|
ActionSecretSecureValuesRead = "secret.securevalues:read" // GET + LIST.
|
|
ActionSecretSecureValuesDelete = "secret.securevalues:delete" // DELETE.
|
|
|
|
// Keepers
|
|
ActionSecretKeepersCreate = "secret.keepers:create" // CREATE.
|
|
ActionSecretKeepersWrite = "secret.keepers:write" // UPDATE.
|
|
ActionSecretKeepersRead = "secret.keepers:read" // GET + LIST.
|
|
ActionSecretKeepersDelete = "secret.keepers:delete" // DELETE.
|
|
)
|
|
|
|
var (
|
|
ScopeProviderSecretSecureValues = accesscontrol.NewScopeProvider("secret.securevalues")
|
|
ScopeProviderSecretKeepers = accesscontrol.NewScopeProvider("secret.keepers")
|
|
|
|
ScopeAllSecureValues = ScopeProviderSecretSecureValues.GetResourceAllScope()
|
|
ScopeAllKeepers = ScopeProviderSecretKeepers.GetResourceAllScope()
|
|
)
|
|
|
|
func RegisterAccessControlRoles(service accesscontrol.Service) error {
|
|
// SecureValues
|
|
secureValuesReader := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:secret.securevalues:reader",
|
|
DisplayName: "Secrets Manager secure values reader",
|
|
Description: "Read and list secure values.",
|
|
Group: "Secrets Manager",
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: ActionSecretSecureValuesRead,
|
|
Scope: ScopeAllSecureValues,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
secureValuesWriter := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:secret.securevalues:writer",
|
|
DisplayName: "Secrets Manager secure values writer",
|
|
Description: "Create, update and delete secure values.",
|
|
Group: "Secrets Manager",
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: ActionSecretSecureValuesCreate,
|
|
Scope: ScopeAllSecureValues,
|
|
},
|
|
{
|
|
Action: ActionSecretSecureValuesRead,
|
|
Scope: ScopeAllSecureValues,
|
|
},
|
|
{
|
|
Action: ActionSecretSecureValuesWrite,
|
|
Scope: ScopeAllSecureValues,
|
|
},
|
|
{
|
|
Action: ActionSecretSecureValuesDelete,
|
|
Scope: ScopeAllSecureValues,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
// Keepers
|
|
keepersReader := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:secret.keepers:reader",
|
|
DisplayName: "Secrets Manager keepers reader",
|
|
Description: "Read and list keepers.",
|
|
Group: "Secrets Manager",
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: ActionSecretKeepersRead,
|
|
Scope: ScopeAllKeepers,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
keepersWriter := accesscontrol.RoleRegistration{
|
|
Role: accesscontrol.RoleDTO{
|
|
Name: "fixed:secret.keepers:writer",
|
|
DisplayName: "Secrets Manager keepers writer",
|
|
Description: "Create, update and delete keepers.",
|
|
Group: "Secrets Manager",
|
|
Permissions: []accesscontrol.Permission{
|
|
{
|
|
Action: ActionSecretKeepersCreate,
|
|
Scope: ScopeAllKeepers,
|
|
},
|
|
{
|
|
Action: ActionSecretKeepersRead,
|
|
Scope: ScopeAllKeepers,
|
|
},
|
|
{
|
|
Action: ActionSecretKeepersWrite,
|
|
Scope: ScopeAllKeepers,
|
|
},
|
|
{
|
|
Action: ActionSecretKeepersDelete,
|
|
Scope: ScopeAllKeepers,
|
|
},
|
|
},
|
|
},
|
|
Grants: []string{string(org.RoleAdmin)},
|
|
}
|
|
|
|
return service.DeclareFixedRoles(
|
|
secureValuesReader, secureValuesWriter,
|
|
keepersReader, keepersWriter,
|
|
)
|
|
}
|