fysmtkhc
/
grafana-jool
forked from grafana.jool/grafana-jool
0
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
1
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
1 Tag
74 MiB
 
 
 
 
 
 
Tree: 559e74f3e5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '559e74f3e5'
${ noResults }
grafana-jool/pkg/services/serviceaccounts/manager/roles.go

98 lines
2.8 KiB
Raw Blame History

package manager
import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
)
var (
ActionApikeyList = "apikey:list"
ActionApikeyAdd = "apikey:add"
ActionApikeyRemove = "apikey:remove"
ActionApikeyAddAdditional = "apikey:addadditional"
apikeyWriter = "fixed:apikey:writer"
apikeyReader = "fixed:apikey:reader"
//API key actions
ActionApikeyListEv = accesscontrol.EvalPermission(ActionApikeyList)
ActionApikeyAddEv = accesscontrol.EvalPermission(ActionApikeyAdd)
ActionApikeyRemoveEv = accesscontrol.EvalPermission(ActionApikeyRemove) //Improvement:Check here or in database layer that user has permissiono modify the service account attached to this api key
ActionApikeyAddAdditionalEv = accesscontrol.EvalPermission(ActionApikeyAddAdditional)
)
func RegisterRoles(ac accesscontrol.AccessControl) error {
role := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 3,
Name: "fixed:serviceaccounts:writer",
DisplayName: "Service accounts writer",
Description: "Create, delete, read, or query service accounts.",
Group: "Service accounts",
Permissions: []accesscontrol.Permission{
{
Action: serviceaccounts.ActionRead,
Scope: serviceaccounts.ScopeAll,
},
{
Action: serviceaccounts.ActionCreate,
},
{
Action: serviceaccounts.ActionDelete,
Scope: serviceaccounts.ScopeAll,
},
},
},
Grants: []string{"Admin"},
}
if err := ac.DeclareFixedRoles(role); err != nil {
return err
}
apikeyAdminReadRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: apikeyReader,
DisplayName: "Apikeys reader",
Description: "Gives access to list apikeys.",
Group: "Service accounts",
Permissions: []accesscontrol.Permission{
{
Action: ActionApikeyList,
Scope: accesscontrol.ScopeUsersAll,
},
},
},
Grants: []string{"Admin"},
}
if err := ac.DeclareFixedRoles(apikeyAdminReadRole); err != nil {
return err
}
apikeyAdminEditRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
Name: apikeyWriter,
DisplayName: "Apikeys writer",
Description: "Gives access to add and delete api keys.",
Group: "Service accounts",
Permissions: accesscontrol.ConcatPermissions(apikeyAdminReadRole.Role.Permissions, []accesscontrol.Permission{
{
Action: ActionApikeyAdd,
Scope: accesscontrol.ScopeUsersAll,
},
{
Action: ActionApikeyRemove,
Scope: accesscontrol.ScopeUsersAll,
},
}),
},
Grants: []string{"Admin"},
}
if err := ac.DeclareFixedRoles(apikeyAdminEditRole); err != nil {
return err
}
return nil
}