Index ¶
- Constants
- Variables
- func BuildPermissionsMap(permissions []*Permission) map[string]bool
- func Field(key string) string
- func GroupScopesByAction(permissions []*Permission) map[string]map[string]struct{}
- func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool
- func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool
- func Parameter(key string) string
- func Scope(parts ...string) string
- func ValidateBuiltInRoles(builtInRoles []string) error
- func ValidateFixedRole(role RoleDTO) error
- func ValidateScope(scope string) bool
- type AccessControl
- type BuiltinRole
- type Evaluator
- type GetResourcesPermissionsQuery
- type GetUserPermissionsQuery
- type KeywordScopeResolveFunc
- type Permission
- type PermissionsProvider
- type RegistrationList
- type RemoveResourcePermissionCommand
- type ResourceManager
- func (r *ResourceManager) GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]ResourcePermission, error)
- func (r *ResourceManager) GetPermissionsByIds(ctx context.Context, orgID int64, resourceIDs []string) ([]ResourcePermission, error)
- func (r *ResourceManager) RemovePermission(ctx context.Context, orgID int64, resourceID string, permissionID int64) error
- func (r *ResourceManager) SetBuiltinRolePermissions(ctx context.Context, orgID int64, resourceID string, actions []string, ...) ([]ResourcePermission, error)
- func (r *ResourceManager) SetTeamPermission(ctx context.Context, orgID int64, resourceID string, actions []string, ...) ([]ResourcePermission, error)
- func (r *ResourceManager) SetUserPermissions(ctx context.Context, orgID int64, resourceID string, actions []string, ...) ([]ResourcePermission, error)
- func (r *ResourceManager) Validate(ctx context.Context, orgID int64, resourceID string) error
- type ResourcePermission
- type ResourceStore
- type ResourceValidator
- type Role
- type RoleDTO
- type RoleRegistration
- type RoleRegistry
- type ScopeParams
- type ScopeResolver
- type SetResourcePermissionsCommand
- type TeamRole
- type UserRole
Constants ¶
const (
	// GlobalOrgID is the org ID used for permissions that are not bound to a
	// single organization. NOTE(review): inferred from the name and from
	// HasGlobalAccess; confirm against the permission store.
	GlobalOrgID = 0

	// The Action* constants name the operation a permission allows.
	// Evaluation is keyed on these exact strings (see GroupScopesByAction
	// and Evaluator.Evaluate), so they must match what is stored for roles.

	// Users actions
	ActionUsersRead     = "users:read"
	ActionUsersWrite    = "users:write"
	ActionUsersTeamRead = "users.teams:read"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersAuthTokenList = "users.authtoken:list"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersAuthTokenUpdate = "users.authtoken:update"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersPasswordUpdate    = "users.password:update"
	ActionUsersDelete            = "users:delete"
	ActionUsersCreate            = "users:create"
	ActionUsersEnable            = "users:enable"
	ActionUsersDisable           = "users:disable"
	ActionUsersPermissionsUpdate = "users.permissions:update"
	ActionUsersLogout            = "users:logout"
	ActionUsersQuotasList        = "users.quotas:list"
	ActionUsersQuotasUpdate      = "users.quotas:update"

	// Org actions
	ActionOrgUsersRead       = "org.users:read"
	ActionOrgUsersAdd        = "org.users:add"
	ActionOrgUsersRemove     = "org.users:remove"
	ActionOrgUsersRoleUpdate = "org.users.role:update"

	// LDAP actions
	ActionLDAPUsersRead    = "ldap.user:read"
	ActionLDAPUsersSync    = "ldap.user:sync"
	ActionLDAPStatusRead   = "ldap.status:read"
	ActionLDAPConfigReload = "ldap.config:reload"

	// Server actions
	ActionServerStatsRead = "server.stats:read"

	// Settings actions
	ActionSettingsRead = "settings:read"

	// Datasources actions
	ActionDatasourcesExplore = "datasources:explore"

	// Plugin actions
	ActionPluginsManage = "plugins:manage"

	// The Scope* constants restrict which resources an action applies to.
	// NOTE(review): the "*" forms presumably act as wildcards over every
	// resource of that kind; that semantics lives in the Evaluator and is
	// not visible here.

	// Global Scopes
	ScopeGlobalUsersAll = "global:users:*"

	// Users scope
	ScopeUsersAll = "users:*"

	// Settings scope
	ScopeSettingsAll = "settings:*"

	// Licensing related actions
	ActionLicensingRead        = "licensing:read"
	ActionLicensingUpdate      = "licensing:update"
	ActionLicensingDelete      = "licensing:delete"
	ActionLicensingReportsRead = "licensing.reports:read"
)
// FixedRolePrefix is the name prefix every fixed role must carry;
// ValidateFixedRole rejects roles without it (see ErrFixedRolePrefixMissing).
const FixedRolePrefix = "fixed:"
// RoleGrafanaAdmin is the built-in server-admin role name. It is used as a
// key in FixedRoleGrants alongside the org roles from the models package.
const RoleGrafanaAdmin = "Grafana Admin"
Variables ¶
var (
	// ErrFixedRolePrefixMissing is the error for a fixed role whose name
	// does not start with FixedRolePrefix (presumably returned by
	// ValidateFixedRole; compare with errors.Is).
	ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")
	// ErrInvalidBuiltinRole is the error for a built-in role name outside
	// the expected set (presumably returned by ValidateBuiltInRoles).
	ErrInvalidBuiltinRole = errors.New("built-in role is not valid")
)
var (
	// FixedRoles provides a map of permission sets/roles which can be
	// assigned to a set of users. When adding a new resource protected by
	// Grafana access control the default permissions should be added to a
	// new fixed role in this set so that users can access the new
	// resource. FixedRoleGrants lists which built-in roles are
	// assigned which fixed roles in this list.
	FixedRoles = map[string]RoleDTO{
		// contains filtered or unexported fields
	}

	// FixedRoleGrants specifies which built-in roles are assigned
	// to which set of FixedRoles by default. Alphabetically sorted.
	// Because every user holding a built-in role receives all fixed roles
	// listed under it, an addition here widens access for that whole role
	// and should be reviewed as a permission change.
	FixedRoleGrants = map[string][]string{
		RoleGrafanaAdmin: {
			ldapReader,
			ldapWriter,
			orgUsersReader,
			orgUsersWriter,
			settingsReader,
			statsReader,
			usersReader,
			usersWriter,
		},
		string(models.ROLE_ADMIN): {
			orgUsersReader,
			orgUsersWriter,
		},
		string(models.ROLE_EDITOR): {
			datasourcesExplorer,
		},
	}
)
// LicensingPageReaderAccess defines permissions that grant access to the
// licensing and stats page. Because it is built with EvalAny, holding either
// ActionLicensingRead or ActionServerStatsRead is sufficient.
var LicensingPageReaderAccess = EvalAny(
	EvalPermission(ActionLicensingRead),
	EvalPermission(ActionServerStatsRead),
)
LicensingPageReaderAccess defines permissions that grant access to the licensing and stats page
// ReqGrafanaAdmin reports whether the request's user is a server (Grafana)
// admin, based solely on the IsGrafanaAdmin flag of the request context.
// It has the shape of the fallback argument of HasAccess/HasGlobalAccess.
var ReqGrafanaAdmin = func(c *models.ReqContext) bool {
	isServerAdmin := c.IsGrafanaAdmin
	return isServerAdmin
}
// ReqOrgAdmin reports whether the request's user holds the Admin role in the
// current org. It has the shape of the fallback argument of
// HasAccess/HasGlobalAccess.
var ReqOrgAdmin = func(c *models.ReqContext) bool {
	role := c.OrgRole
	return role == models.ROLE_ADMIN
}
Functions ¶
func BuildPermissionsMap ¶
func BuildPermissionsMap(permissions []*Permission) map[string]bool
func Field ¶
Field returns an injectable scope part for selected fields from the request's context available in accesscontrol.ScopeParams, e.g. Scope("orgs", Field("OrgID")) or "orgs:" + Field("OrgID").
func GroupScopesByAction ¶
func GroupScopesByAction(permissions []*Permission) map[string]map[string]struct{}
GroupScopesByAction groups the scopes of the given permissions by their action.
func HasAccess ¶
func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool
func HasGlobalAccess ¶
func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool
HasGlobalAccess checks the user's access using only globally assigned permissions.
func Parameter ¶
Parameter returns injectable scope part, based on URL parameters. e.g. Scope("users", Parameter(":id")) or "users:" + Parameter(":id")
func ValidateBuiltInRoles ¶
ValidateBuiltInRoles returns an error when a built-in role does not match the expected pattern.
func ValidateFixedRole ¶
ValidateFixedRole returns an error when a fixed role does not match the expected pattern.
func ValidateScope ¶
Types ¶
type AccessControl ¶
// AccessControl is the service interface for evaluating permissions and
// registering fixed roles. Implementations are consulted by HasAccess and
// HasGlobalAccess.
type AccessControl interface {
	// Evaluate evaluates access to the given resources.
	Evaluate(ctx context.Context, user *models.SignedInUser, evaluator Evaluator) (bool, error)
	// GetUserPermissions returns user permissions.
	GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*Permission, error)
	// GetUserRoles returns user roles.
	GetUserRoles(ctx context.Context, user *models.SignedInUser) ([]*RoleDTO, error)
	// IsDisabled reports whether access control is disabled.
	// NOTE(review): presumably the fallback argument of HasAccess is used
	// when this returns true; confirm against HasAccess.
	IsDisabled() bool
	// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their
	// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
	DeclareFixedRoles(...RoleRegistration) error
}
type BuiltinRole ¶
type Evaluator ¶
// Evaluator is a composable access check (see EvalAny and EvalPermission)
// that is decided against a user's permissions grouped by action.
type Evaluator interface {
	// Evaluate permissions that are grouped by action
	// (the shape produced by GroupScopesByAction: action -> set of scopes).
	Evaluate(permissions map[string]map[string]struct{}) (bool, error)
	// Inject params into the evaluator's templated scopes. e.g. "settings:" + eval.Parameters(":id") and returns a new Evaluator
	Inject(params ScopeParams) (Evaluator, error)
	// String returns a string representation of permission required by the evaluator
	String() string
}
func EvalAny ¶
EvalAny returns an evaluator that succeeds when at least one of the given evaluators evaluates to true.
func EvalPermission ¶
EvalPermission returns an evaluator that requires the action, together with all of the given scopes, to match.
type GetUserPermissionsQuery ¶
type KeywordScopeResolveFunc ¶
// KeywordScopeResolveFunc resolves a scope keyword for the given user into a
// concrete scope string. ScopeResolver holds one such function per keyword
// (see ScopeResolver.ResolveKeyword).
type KeywordScopeResolveFunc func(*models.SignedInUser) (string, error)
type Permission ¶
// Permission is the model for access control permissions: an Action
// (see the Action* constants) paired with the Scope it applies to.
// ID and RoleID are excluded from JSON output.
type Permission struct {
	ID      int64     `json:"-" xorm:"pk autoincr 'id'"`
	RoleID  int64     `json:"-" xorm:"role_id"`
	Action  string    `json:"action"`
	Scope   string    `json:"scope"`
	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}
Permission is the model for access control permissions.
func ConcatPermissions ¶
func ConcatPermissions(permissions ...[]Permission) []Permission
func (Permission) OSSPermission ¶
func (p Permission) OSSPermission() Permission
type PermissionsProvider ¶
// PermissionsProvider looks up the permissions of a user.
type PermissionsProvider interface {
	// GetUserPermissions returns the permissions matching the query.
	GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)
}
type RegistrationList ¶
// RegistrationList collects RoleRegistration values; add with Append and
// iterate with Range.
type RegistrationList struct {
	// contains filtered or unexported fields
}
func (*RegistrationList) Append ¶
func (m *RegistrationList) Append(regs ...RoleRegistration)
func (*RegistrationList) Range ¶
func (m *RegistrationList) Range(f func(registration RoleRegistration) bool)
type ResourceManager ¶
// ResourceManager manages per-resource permissions for users, teams and
// built-in roles. Construct it with NewResourceManager, which takes the
// resource name, the allowed actions, a ResourceValidator and a ResourceStore.
type ResourceManager struct {
	// contains filtered or unexported fields
}
func NewResourceManager ¶
func NewResourceManager(resource string, actions []string, validator ResourceValidator, store ResourceStore) *ResourceManager
func (*ResourceManager) GetPermissions ¶
func (r *ResourceManager) GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]ResourcePermission, error)
func (*ResourceManager) GetPermissionsByIds ¶
func (r *ResourceManager) GetPermissionsByIds(ctx context.Context, orgID int64, resourceIDs []string) ([]ResourcePermission, error)
func (*ResourceManager) RemovePermission ¶
func (*ResourceManager) SetBuiltinRolePermissions ¶
func (r *ResourceManager) SetBuiltinRolePermissions(ctx context.Context, orgID int64, resourceID string, actions []string, builtinRole string) ([]ResourcePermission, error)
func (*ResourceManager) SetTeamPermission ¶
func (r *ResourceManager) SetTeamPermission(ctx context.Context, orgID int64, resourceID string, actions []string, teamID int64) ([]ResourcePermission, error)
func (*ResourceManager) SetUserPermissions ¶
func (r *ResourceManager) SetUserPermissions(ctx context.Context, orgID int64, resourceID string, actions []string, userID int64) ([]ResourcePermission, error)
type ResourcePermission ¶
// ResourcePermission is a permission on a single resource together with the
// user, team or built-in role it was granted to. NOTE(review): presumably
// only one of UserId, TeamId and BuiltInRole is set per row — confirm with
// the store. Field names UserId/TeamId break the ID initialism convention
// used by ID/ResourceID; renaming would be an API change.
type ResourcePermission struct {
	ID          int64  `xorm:"id"`
	ResourceID  string `xorm:"resource_id"`
	RoleName    string
	Action      string
	Scope       string
	UserId      int64
	UserLogin   string
	UserEmail   string
	TeamId      int64
	TeamEmail   string
	Team        string
	BuiltInRole string
	Created     time.Time
	Updated     time.Time
}
func (*ResourcePermission) Managed ¶
func (p *ResourcePermission) Managed() bool
type ResourceStore ¶
// ResourceStore persists managed (per-resource) permissions. Every method is
// scoped by orgID; implementations must not return rows from other orgs.
type ResourceStore interface {
	// SetUserResourcePermissions sets permissions for managed user role on a resource
	SetUserResourcePermissions(ctx context.Context, orgID, userID int64, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)
	// SetTeamResourcePermissions sets permissions for managed team role on a resource
	SetTeamResourcePermissions(ctx context.Context, orgID, teamID int64, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)
	// SetBuiltinResourcePermissions sets permissions for managed builtin role on a resource
	SetBuiltinResourcePermissions(ctx context.Context, orgID int64, builtinRole string, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)
	// RemoveResourcePermission remove permission for resource
	RemoveResourcePermission(ctx context.Context, orgID int64, cmd RemoveResourcePermissionCommand) error
	// GetResourcesPermissions will return all permission for all supplied resource ids
	GetResourcesPermissions(ctx context.Context, orgID int64, query GetResourcesPermissionsQuery) ([]ResourcePermission, error)
}
type ResourceValidator ¶
type Role ¶
// Role is the model for Role in RBAC. ID and OrgID are excluded from JSON
// output; the public identifier is UID.
type Role struct {
	ID          int64     `json:"-" xorm:"pk autoincr 'id'"`
	OrgID       int64     `json:"-" xorm:"org_id"`
	Version     int64     `json:"version"`
	UID         string    `xorm:"uid" json:"uid"`
	Name        string    `json:"name"`
	DisplayName string    `json:"displayName"`
	Group       string    `xorm:"group_name" json:"group"`
	Description string    `json:"description"`
	Updated     time.Time `json:"updated"`
	Created     time.Time `json:"created"`
}
Role is the model for Role in RBAC.
func (Role) GetDisplayName ¶
func (Role) MarshalJSON ¶
type RoleDTO ¶
// RoleDTO is the transport form of Role, carrying its Permissions and the
// optional Delegatable flag. As with Role, ID and OrgID are excluded from
// JSON, so they can be neither read nor set through the JSON API.
type RoleDTO struct {
	Version     int64        `json:"version"`
	UID         string       `xorm:"uid" json:"uid"`
	Name        string       `json:"name"`
	DisplayName string       `json:"displayName"`
	Description string       `json:"description"`
	Group       string       `xorm:"group_name" json:"group"`
	Permissions []Permission `json:"permissions,omitempty"`
	Delegatable *bool        `json:"delegatable,omitempty"`
	ID          int64        `json:"-" xorm:"pk autoincr 'id'"`
	OrgID       int64        `json:"-" xorm:"org_id"`
	Updated     time.Time    `json:"updated"`
	Created     time.Time    `json:"created"`
}
func (RoleDTO) GetDisplayName ¶
func (RoleDTO) MarshalJSON ¶
type RoleRegistration ¶
RoleRegistration stores a role and its assignments to built-in roles (Viewer, Editor, Admin, Grafana Admin)
type RoleRegistry ¶
// RoleRegistry registers the fixed roles that have been declared to the
// AccessControl service (see AccessControl.DeclareFixedRoles).
type RoleRegistry interface {
	// RegisterFixedRoles registers all roles declared to AccessControl
	RegisterFixedRoles() error
}
type ScopeParams ¶
ScopeParams holds the parameters used to fill in scope templates
type ScopeResolver ¶
// ScopeResolver contains a map of functions to resolve scope keywords such
// as `self` or `current` into `id` based scopes. Construct it with
// NewScopeResolver and apply it with ResolveKeyword.
type ScopeResolver struct {
	// contains filtered or unexported fields
}
ScopeResolver contains a map of functions to resolve scope keywords such as `self` or `current` into `id` based scopes
func NewScopeResolver ¶
func NewScopeResolver() ScopeResolver
func (*ScopeResolver) ResolveKeyword ¶
func (s *ScopeResolver) ResolveKeyword(user *models.SignedInUser, permission Permission) (*Permission, error)
ResolveKeyword resolves scope with keywords such as `self` or `current` into `id` based scopes