Index ¶
- Constants
- Variables
- func AuthorizeInOrgMiddleware(ac AccessControl, authnService authn.Service) func(OrgIDGetter, Evaluator) web.Handler
- func BackgroundUser(name string, orgID int64, role org.RoleType, permissions []Permission) identity.Requester
- func BuildBasicRoleDefinitions() map[string]*RoleDTO
- func BuildPermissionsMap(permissions []Permission) map[string]bool
- func BuiltInRolesWithParents(builtInRoles []string) map[string]struct{}
- func Checker(user *user.SignedInUser, action string) func(scopes ...string) bool
- func CloneRequest(req *http.Request) (*http.Request, error)
- func CopyRequestBody(req *http.Request) (io.ReadCloser, error)
- func DeclareFixedRoles(service Service, cfg *setting.Cfg) error
- func ErrAssignmentEntityNotFoundData(assignment string) errutil.TemplateData
- func ErrInvalidBuiltinRoleData(builtInRole string) errutil.TemplateData
- func Field(key string) string
- func GetBasicRolePermissionCacheKey(role string, orgID int64) string
- func GetOrgRoles(user identity.Requester) []string
- func GetPermissionCacheKey(user identity.Requester) string
- func GetResourceAllIDScope(resource string) string
- func GetResourceAllScope(resource string) string
- func GetResourceScope(resource string, resourceID string) string
- func GetResourceScopeName(resource string, resourceID string) string
- func GetResourceScopeType(resource string, typeName string) string
- func GetResourceScopeUID(resource string, resourceID string) string
- func GetResourcesMetadata(ctx context.Context, permissions map[string][]string, prefix string, ...) map[string]Metadata
- func GetSearchPermissionCacheKey(user identity.Requester, searchOptions SearchOptions) string
- func GetTeamPermissionCacheKey(teamID int64, orgID int64) string
- func GetUserDirectPermissionCacheKey(user identity.Requester) string
- func GroupScopesByAction(permissions []Permission) map[string][]string
- func HasAccess(ac AccessControl, c *contextmodel.ReqContext) func(evaluator Evaluator) bool
- func HasGlobalAccess(ac AccessControl, authnService authn.Service, c *contextmodel.ReqContext) func(evaluator Evaluator) bool
- func ManagedBuiltInRoleName(builtInRole string) string
- func ManagedTeamRoleName(teamID int64) string
- func ManagedUserRoleName(userID int64) string
- func Middleware(ac AccessControl) func(Evaluator) web.Handler
- func Parameter(key string) string
- func ParseScopeID(scope string) (int64, error)
- func ParseScopeUID(scope string) (string, error)
- func ParseScopes(prefix string, scopes []string) (ids map[any]struct{}, hasWildcard bool)
- func PrefixedRoleUID(roleName string) string
- func Reduce(ps []Permission) map[string][]string
- func ReqHasRole(role org.RoleType) func(c *contextmodel.ReqContext) bool
- func RolePrefixesFilter(rolePrefixes []string) (string, []any)
- func Scope(parts ...string) string
- func ScopePrefix(scope string) string
- func ScopeSuffix(scope string) string
- func SetAcceptListForTest(list map[string]struct{}) func()
- func UseGlobalOrg(c *contextmodel.ReqContext) (int64, error)
- func UseOrgFromContextParams(c *contextmodel.ReqContext) (int64, error)
- func UseOrgFromRequestData(c *contextmodel.ReqContext) (int64, error)
- func UserRolesFilter(orgID, userID int64, teamIDs []int64, roles []string) (string, []any)
- func ValidateBuiltInRoles(builtInRoles []string) error
- func ValidateFixedRole(role RoleDTO) error
- func ValidateScope(scope string) bool
- type AccessControl
- type ActionResolver
- type BuiltinRole
- type DashboardPermissionsService
- type DatasourcePermissionsService
- type ErrorActionPrefixMissing
- type ErrorInvalidRole
- type ErrorRoleNameMissing
- type ErrorRolePrefixMissing
- type ErrorScopeTarget
- type Evaluator
- type FolderPermissionsService
- type GetUserPermissionsQuery
- type Metadata
- type Options
- type OrgIDGetter
- type Permission
- type PermissionsService
- type QueryWithOrg
- type RegistrationList
- type Resolvers
- type ResourcePermission
- type Role
- type RoleDTO
- func (r *RoleDTO) Global() bool
- func (r *RoleDTO) IsBasic() bool
- func (r *RoleDTO) IsExternalService() bool
- func (r *RoleDTO) IsFixed() bool
- func (r *RoleDTO) IsManaged() bool
- func (r *RoleDTO) IsPlugin() bool
- func (r *RoleDTO) LogID() string
- func (r RoleDTO) MarshalJSON() ([]byte, error)
- func (r *RoleDTO) Role() Role
- type RoleDTOStatic
- type RoleRegistration
- type RoleRegistry
- type SQLFilter
- type SaveExternalServiceRoleCommand
- type ScopeAttributeMutator
- type ScopeAttributeResolver
- type ScopeAttributeResolverFunc
- type ScopeProvider
- type SearchOptions
- type Service
- type ServiceAccountPermissionsService
- type SetResourcePermissionCommand
- type Store
- type SyncUserRolesCommand
- type TeamPermissionsService
- type TeamRole
- type User
- type UserRole
- type Wildcards
Constants ¶
// CacheHit and CacheMiss are the two cache usage statuses (see CacheUsageStatuses).
const (
	CacheHit  = "hit"
	CacheMiss = "miss"
)
// Org identifiers, and the action and scope identifiers used in RBAC permission
// checks. Actions follow the "<resource>:<verb>" form and scopes the
// "<resource>:<attribute>:<value>" form (wildcard "*" where noted).
const (
	GlobalOrgID      = 0
	NoOrgID          = int64(-1)
	GeneralFolderUID = "general"
	RoleGrafanaAdmin = "Grafana Admin"

	ActionAPIKeyRead   = "apikeys:read"
	ActionAPIKeyCreate = "apikeys:create"
	ActionAPIKeyDelete = "apikeys:delete"

	// Users actions
	ActionUsersRead  = "users:read"
	ActionUsersWrite = "users:write"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersAuthTokenList = "users.authtoken:read"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersAuthTokenUpdate = "users.authtoken:write"
	// We can ignore gosec G101 since this does not contain any credentials.
	// nolint:gosec
	ActionUsersPasswordUpdate    = "users.password:write"
	ActionUsersDelete            = "users:delete"
	ActionUsersCreate            = "users:create"
	ActionUsersEnable            = "users:enable"
	ActionUsersDisable           = "users:disable"
	ActionUsersPermissionsUpdate = "users.permissions:write"
	ActionUsersLogout            = "users:logout"
	ActionUsersQuotasList        = "users.quotas:read"
	ActionUsersQuotasUpdate      = "users.quotas:write"
	ActionUsersPermissionsRead   = "users.permissions:read"

	// Org actions
	ActionOrgsRead             = "orgs:read"
	ActionOrgsPreferencesRead  = "orgs.preferences:read"
	ActionOrgsQuotasRead       = "orgs.quotas:read"
	ActionOrgsWrite            = "orgs:write"
	ActionOrgsPreferencesWrite = "orgs.preferences:write"
	ActionOrgsQuotasWrite      = "orgs.quotas:write"
	ActionOrgsDelete           = "orgs:delete"
	ActionOrgsCreate           = "orgs:create"
	ActionOrgUsersRead         = "org.users:read"
	ActionOrgUsersAdd          = "org.users:add"
	ActionOrgUsersRemove       = "org.users:remove"
	ActionOrgUsersWrite        = "org.users:write"

	// LDAP actions
	ActionLDAPUsersRead    = "ldap.user:read"
	ActionLDAPUsersSync    = "ldap.user:sync"
	ActionLDAPStatusRead   = "ldap.status:read"
	ActionLDAPConfigReload = "ldap.config:reload"

	// Server actions
	ActionServerStatsRead = "server.stats:read"

	// Settings actions
	ActionSettingsRead  = "settings:read"
	ActionSettingsWrite = "settings:write"

	// Datasources actions
	ActionDatasourcesExplore = "datasources:explore"

	// Global Scopes
	ScopeGlobalUsersAll = "global.users:*"

	// APIKeys scope
	ScopeAPIKeysAll = "apikeys:*"

	// Users scope
	ScopeUsersAll    = "users:*"
	ScopeUsersPrefix = "users:id:"

	// Settings scope
	ScopeSettingsAll  = "settings:*"
	ScopeSettingsSAML = "settings:auth.saml:*"

	// Team related actions
	ActionTeamsCreate           = "teams:create"
	ActionTeamsDelete           = "teams:delete"
	ActionTeamsRead             = "teams:read"
	ActionTeamsWrite            = "teams:write"
	ActionTeamsPermissionsRead  = "teams.permissions:read"
	ActionTeamsPermissionsWrite = "teams.permissions:write"

	// Team related scopes
	ScopeTeamsAll = "teams:*"

	// Annotations related actions
	ActionAnnotationsCreate = "annotations:create"
	ActionAnnotationsDelete = "annotations:delete"
	ActionAnnotationsRead   = "annotations:read"
	ActionAnnotationsWrite  = "annotations:write"

	// Alerting rules actions
	ActionAlertingRuleCreate = "alert.rules:create"
	ActionAlertingRuleRead   = "alert.rules:read"
	ActionAlertingRuleUpdate = "alert.rules:write"
	ActionAlertingRuleDelete = "alert.rules:delete"

	// Alerting instances (+silences) actions
	ActionAlertingInstanceCreate = "alert.instances:create"
	ActionAlertingInstanceUpdate = "alert.instances:write"
	ActionAlertingInstanceRead   = "alert.instances:read"
	ActionAlertingSilencesRead   = "alert.silences:read"
	ActionAlertingSilencesCreate = "alert.silences:create"
	ActionAlertingSilencesWrite  = "alert.silences:write"

	// Alerting Notification policies actions
	ActionAlertingNotificationsRead  = "alert.notifications:read"
	ActionAlertingNotificationsWrite = "alert.notifications:write"

	// Alerting notifications time interval actions
	ActionAlertingNotificationsTimeIntervalsRead  = "alert.notifications.time-intervals:read"
	ActionAlertingNotificationsTimeIntervalsWrite = "alert.notifications.time-intervals:write"

	// Alerting receiver actions
	ActionAlertingReceiversList        = "alert.notifications.receivers:list"
	ActionAlertingReceiversRead        = "alert.notifications.receivers:read"
	ActionAlertingReceiversReadSecrets = "alert.notifications.receivers.secrets:read"

	// External alerting rule actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
	ActionAlertingRuleExternalWrite = "alert.rules.external:write"
	ActionAlertingRuleExternalRead  = "alert.rules.external:read"

	// External alerting instances actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
	ActionAlertingInstancesExternalWrite = "alert.instances.external:write"
	ActionAlertingInstancesExternalRead  = "alert.instances.external:read"

	// External alerting notifications actions. We can only narrow it down to writes or reads, as we don't control the atomicity in the external system.
	ActionAlertingNotificationsExternalWrite = "alert.notifications.external:write"
	ActionAlertingNotificationsExternalRead  = "alert.notifications.external:read"

	// Alerting provisioning actions
	ActionAlertingProvisioningRead               = "alert.provisioning:read"
	ActionAlertingProvisioningReadSecrets        = "alert.provisioning.secrets:read"
	ActionAlertingProvisioningWrite              = "alert.provisioning:write"
	ActionAlertingRulesProvisioningRead          = "alert.rules.provisioning:read"
	ActionAlertingRulesProvisioningWrite         = "alert.rules.provisioning:write"
	ActionAlertingNotificationsProvisioningRead  = "alert.notifications.provisioning:read"
	ActionAlertingNotificationsProvisioningWrite = "alert.notifications.provisioning:write"
	// ActionAlertingProvisioningSetStatus Gives access to set provisioning status to alerting resources. Cannot be used alone. Only in conjunction with other permissions.
	ActionAlertingProvisioningSetStatus = "alert.provisioning.provenance:write"

	// Feature Management actions
	// NOTE: unlike every other action here these use "." rather than ":" before
	// the verb; the values are kept as-is because they are persisted identifiers.
	ActionFeatureManagementRead  = "featuremgmt.read"
	ActionFeatureManagementWrite = "featuremgmt.write"

	// Library Panel actions
	ActionLibraryPanelsCreate = "library.panels:create"
	ActionLibraryPanelsRead   = "library.panels:read"
	ActionLibraryPanelsWrite  = "library.panels:write"
	ActionLibraryPanelsDelete = "library.panels:delete"

	// Usage stats actions
	ActionUsageStatsRead = "server.usagestats.report:read"
)
// Role name prefixes (":"-terminated) and role UID prefixes ("_"-terminated)
// for each role family. The RoleDTO IsBasic/IsFixed/IsManaged/IsPlugin/
// IsExternalService methods are presumably keyed on these — confirm there.
const (
	BasicRolePrefix              = "basic:"
	BasicRoleUIDPrefix           = "basic_"
	ExternalServiceRolePrefix    = "extsvc:"
	ExternalServiceRoleUIDPrefix = "extsvc_"
	FixedRolePrefix              = "fixed:"
	FixedRoleUIDPrefix           = "fixed_"
	ManagedRolePrefix            = "managed:"
	PluginRolePrefix             = "plugins:"

	// The "none" basic role, which must not receive permissions (see ErrNoneRoleAssignment).
	BasicRoleNoneUID  = "basic_none"
	BasicRoleNoneName = "basic:none"

	// Cloud-specific fixed roles, all under FixedRolePrefix.
	FixedCloudRolePrefix = "fixed:cloud:"
	FixedCloudViewerRole = "fixed:cloud:viewer"
	FixedCloudEditorRole = "fixed:cloud:editor"
	FixedCloudAdminRole  = "fixed:cloud:admin"
)
Variables ¶
// Package sentinel errors. The errutil-based ones carry an explicit public
// message (WithPublic / WithPublicMessage) — presumably the text that may be
// returned to API clients, as opposed to the internal error text; verify in errutil.
var (
	ErrInvalidBuiltinRole = errutil.BadRequest("accesscontrol.invalidBuiltInRole").
		MustTemplate(invalidBuiltInRoleMessage, errutil.WithPublic(invalidBuiltInRoleMessage))
	ErrNoneRoleAssignment = errutil.BadRequest("accesscontrol.noneRoleAssignment",
		errutil.WithPublicMessage("none role cannot receive permissions"))
	ErrAssignmentEntityNotFound = errutil.BadRequest("accesscontrol.assignmentEntityNotFound").
		MustTemplate(assignmentEntityNotFoundMessage, errutil.WithPublic(assignmentEntityNotFoundMessage))

	// Note: these are intended to be replaced by equivalent errutil implementations.
	// Avoid creating new errors with errors.New and prefer errutil
	ErrInvalidRequestBody     = errors.New("invalid request body")
	ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")
	ErrInvalidScope           = errors.New("invalid scope")
	ErrResolverNotFound       = errors.New("no resolver found")
	ErrPluginIDRequired       = errors.New("plugin ID is required")
	ErrRoleNotFound           = errors.New("role not found")
)
var (
	// ErrInternal is the generic internal error of the accesscontrol package.
	ErrInternal = errutil.Internal("accesscontrol.internal")

	// CacheUsageStatuses enumerates every value a cache usage status can take
	// (CacheHit, CacheMiss).
	CacheUsageStatuses = []string{CacheHit, CacheMiss}
)
var (
	// Team scope
	ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))

	// ScopeSettingsOAuth builds the settings scope for one OAuth provider's
	// "auth.<provider>" section. The provider name is interpolated verbatim
	// into the scope, so callers should only pass known provider names —
	// TODO confirm callers validate.
	ScopeSettingsOAuth = func(provider string) string {
		return Scope("settings", "auth."+provider, "*")
	}

	// Annotation scopes
	ScopeAnnotationsRoot             = "annotations"
	ScopeAnnotationsProvider         = NewScopeProvider(ScopeAnnotationsRoot)
	ScopeAnnotationsAll              = ScopeAnnotationsProvider.GetResourceAllScope()
	ScopeAnnotationsID               = Scope(ScopeAnnotationsRoot, "id", Parameter(":annotationId"))
	ScopeAnnotationsTypeDashboard    = ScopeAnnotationsProvider.GetResourceScopeType(annotations.Dashboard.String())
	ScopeAnnotationsTypeOrganization = ScopeAnnotationsProvider.GetResourceScopeType(annotations.Organization.String())
)
// ApiKeyAccessEvaluator is used to protect the "Configuration > API keys" page access;
// it requires the apikeys:read action.
var ApiKeyAccessEvaluator = EvalPermission(ActionAPIKeyRead)
ApiKeyAccessEvaluator is used to protect the "Configuration > API keys" page access
// OrgPreferencesAccessEvaluator is used to protect the "Configure > Preferences"
// page access. Access is granted when the user holds either both org read and
// write, or both org-preferences read and write.
var OrgPreferencesAccessEvaluator = EvalAny(
	EvalAll(
		EvalPermission(ActionOrgsRead),
		EvalPermission(ActionOrgsWrite),
	),
	EvalAll(
		EvalPermission(ActionOrgsPreferencesRead),
		EvalPermission(ActionOrgsPreferencesWrite),
	),
)
OrgPreferencesAccessEvaluator is used to protect the "Configure > Preferences" page access
// OrgsAccessEvaluator is used to protect the "Server Admin > Orgs" page access
// (read access is the minimum, also needed to update or delete orgs).
var OrgsAccessEvaluator = EvalPermission(ActionOrgsRead)
OrgsAccessEvaluator is used to protect the "Server Admin > Orgs" page access (you need to have read access to update or delete orgs; read is the minimum)
// OrgsCreateAccessEvaluator is used to protect the "Server Admin > Orgs > New Org"
// page access; both orgs:read and orgs:create are required.
var OrgsCreateAccessEvaluator = EvalAll(
	EvalPermission(ActionOrgsRead),
	EvalPermission(ActionOrgsCreate),
)
OrgsCreateAccessEvaluator is used to protect the "Server Admin > Orgs > New Org" page access
// ReqGrafanaAdmin reports whether the request's signed-in user is a Grafana
// server admin, as answered by GetIsGrafanaAdmin. It calls through
// c.SignedInUser without a nil check, so it assumes the context handler has
// already populated it — confirm at the call sites.
var ReqGrafanaAdmin = func(c *contextmodel.ReqContext) bool {
	isServerAdmin := c.SignedInUser.GetIsGrafanaAdmin()
	return isServerAdmin
}
// ReqSignedIn reports whether the request context is marked as signed in
// (the IsSignedIn flag); anonymous requests return false.
var ReqSignedIn = func(c *contextmodel.ReqContext) bool {
	signedIn := c.IsSignedIn
	return signedIn
}
var (
	// SettingsReaderRole is the fixed role that grants settings:read on every
	// setting (ScopeSettingsAll, i.e. "settings:*"). Instance settings can be
	// sensitive, so assign it deliberately.
	SettingsReaderRole = RoleDTO{
		Name:        "fixed:settings:reader",
		DisplayName: "Setting reader",
		Description: "Read Grafana instance settings.",
		Group:       "Settings",
		Permissions: []Permission{
			{
				Action: ActionSettingsRead,
				Scope:  ScopeSettingsAll,
			},
		},
	}
)
Roles definition
// TeamsAccessEvaluator is used to protect the "Configuration > Teams" page access.
// It grants access to a user who can create teams, or who can read teams and
// additionally write teams or read/write team permissions.
var TeamsAccessEvaluator = EvalAny(
	EvalPermission(ActionTeamsCreate),
	EvalAll(
		EvalPermission(ActionTeamsRead),
		EvalAny(
			EvalPermission(ActionTeamsWrite),
			EvalPermission(ActionTeamsPermissionsWrite),
			EvalPermission(ActionTeamsPermissionsRead),
		),
	),
)
TeamsAccessEvaluator is used to protect the "Configuration > Teams" page access. It grants access to a user who can either create teams or can read and update a team.
// TeamsEditAccessEvaluator is used to protect the "Configuration > Teams > edit"
// page access: teams:read is always required, plus at least one of create,
// write or permissions:write.
var TeamsEditAccessEvaluator = EvalAll(
	EvalPermission(ActionTeamsRead),
	EvalAny(
		EvalPermission(ActionTeamsCreate),
		EvalPermission(ActionTeamsWrite),
		EvalPermission(ActionTeamsPermissionsWrite),
	),
)
TeamsEditAccessEvaluator is used to protect the "Configuration > Teams > edit" page access
Functions ¶
func AuthorizeInOrgMiddleware ¶
func AuthorizeInOrgMiddleware(ac AccessControl, authnService authn.Service) func(OrgIDGetter, Evaluator) web.Handler
func BackgroundUser ¶
func BuildPermissionsMap ¶
func BuildPermissionsMap(permissions []Permission) map[string]bool
func BuiltInRolesWithParents ¶
func CloneRequest ¶
CloneRequest creates a copy of the request, including the request body.
func CopyRequestBody ¶
func CopyRequestBody(req *http.Request) (io.ReadCloser, error)
CopyRequestBody returns a copy of the request body and keeps the original one readable, to prevent an error when reading an already-closed body.
func DeclareFixedRoles ¶
DeclareFixedRoles declares the OSS roles to the accesscontrol service.
func ErrAssignmentEntityNotFoundData ¶
func ErrAssignmentEntityNotFoundData(assignment string) errutil.TemplateData
func ErrInvalidBuiltinRoleData ¶
func ErrInvalidBuiltinRoleData(builtInRole string) errutil.TemplateData
func Field ¶
Field returns an injectable scope part for selected fields from the request's context available in accesscontrol.ScopeParams. e.g. Scope("orgs", Parameter("OrgID")) or "orgs:" + Parameter("OrgID")
func GetOrgRoles ¶
GetOrgRoles returns legacy org roles for a user
func GetPermissionCacheKey ¶
func GetResourceAllIDScope ¶
func GetResourceAllScope ¶
func GetResourceScope ¶
func GetResourceScopeName ¶
func GetResourceScopeType ¶
func GetResourceScopeUID ¶
func GetResourcesMetadata ¶
func GetResourcesMetadata(ctx context.Context, permissions map[string][]string, prefix string, resourceIDs map[string]bool) map[string]Metadata
GetResourcesMetadata returns a map of accesscontrol metadata, listing, for each resource, the user's available actions.
func GetSearchPermissionCacheKey ¶
func GetSearchPermissionCacheKey(user identity.Requester, searchOptions SearchOptions) string
func GroupScopesByAction ¶
func GroupScopesByAction(permissions []Permission) map[string][]string
GroupScopesByAction groups scopes by action.
func HasAccess ¶
func HasAccess(ac AccessControl, c *contextmodel.ReqContext) func(evaluator Evaluator) bool
func HasGlobalAccess ¶
func HasGlobalAccess(ac AccessControl, authnService authn.Service, c *contextmodel.ReqContext) func(evaluator Evaluator) bool
HasGlobalAccess checks user access with globally assigned permissions only
func ManagedBuiltInRoleName ¶
func ManagedTeamRoleName ¶
func ManagedUserRoleName ¶
func Middleware ¶
func Middleware(ac AccessControl) func(Evaluator) web.Handler
func Parameter ¶
Parameter returns injectable scope part, based on URL parameters. e.g. Scope("users", Parameter(":id")) or "users:" + Parameter(":id")
func ParseScopeID ¶
func ParseScopeUID ¶
func ParseScopes ¶
func PrefixedRoleUID ¶
PrefixedRoleUID generates a UID from the role name, keeping the same prefix. The generated UID is 28 bytes plus the length of the prefix: <prefix>_base64(sha1(roleName))
func Reduce ¶
func Reduce(ps []Permission) map[string][]string
Reduce reduces a list of permissions to its minimal form by grouping scopes by action.
func ReqHasRole ¶
func ReqHasRole(role org.RoleType) func(c *contextmodel.ReqContext) bool
ReqHasRole generates a fallback check for whether the user has a role. ReqHasRole(org.RoleAdmin) will always return true for Grafana server admins, e.g. a Grafana Admin / Viewer role combination.
func RolePrefixesFilter ¶
func ScopePrefix ¶
ScopePrefix returns the prefix associated with a given scope. It assumes scopes are all of the form <resource>:<attribute>:<value>; e.g. "datasources:name:test" returns "datasources:name:".
func ScopeSuffix ¶
func SetAcceptListForTest ¶
func SetAcceptListForTest(list map[string]struct{}) func()
SetAcceptListForTest allows tests to mutate the accept list for black-box testing.
func UseGlobalOrg ¶
func UseGlobalOrg(c *contextmodel.ReqContext) (int64, error)
func UseOrgFromContextParams ¶
func UseOrgFromContextParams(c *contextmodel.ReqContext) (int64, error)
func UseOrgFromRequestData ¶
func UseOrgFromRequestData(c *contextmodel.ReqContext) (int64, error)
UseOrgFromRequestData returns the organization from the request data. If no org is specified, the org the user is logged in to is returned.
func UserRolesFilter ¶
func ValidateBuiltInRoles ¶
ValidateBuiltInRoles returns an error when a built-in role does not match the expected pattern.
func ValidateFixedRole ¶
ValidateFixedRole returns an error when a fixed role does not match the expected pattern.
func ValidateScope ¶
Types ¶
type AccessControl ¶
// AccessControl is the authorization decision point of the package: Evaluate
// answers whether a requester satisfies an Evaluator, and
// RegisterScopeAttributeResolver lets callers plug in a resolver for one scope
// prefix. Callers must treat a non-nil error as a denial, not as "allowed".
type AccessControl interface {
	// Evaluate evaluates access to the given resources.
	Evaluate(ctx context.Context, user identity.Requester, evaluator Evaluator) (bool, error)
	// RegisterScopeAttributeResolver allows the caller to register a scope resolver for a
	// specific scope prefix (ex: datasources:name:)
	RegisterScopeAttributeResolver(prefix string, resolver ScopeAttributeResolver)
}
type ActionResolver ¶
// ActionResolver resolves action sets: ExpandActionSets takes a permission list
// and returns an expanded permission list. The expansion rules live in the
// implementation, not in this interface.
type ActionResolver interface {
	ExpandActionSets(permissions []Permission) []Permission
}
type BuiltinRole ¶
type DashboardPermissionsService ¶
// DashboardPermissionsService is the PermissionsService used for dashboards.
// It adds no methods; it exists so the dashboard and other resource services
// are distinct types.
type DashboardPermissionsService interface { PermissionsService }
type DatasourcePermissionsService ¶
// DatasourcePermissionsService is the PermissionsService used for data sources.
// It adds no methods beyond PermissionsService.
type DatasourcePermissionsService interface { PermissionsService }
type ErrorActionPrefixMissing ¶
func (*ErrorActionPrefixMissing) Error ¶
func (e *ErrorActionPrefixMissing) Error() string
func (*ErrorActionPrefixMissing) Unwrap ¶
func (e *ErrorActionPrefixMissing) Unwrap() error
type ErrorInvalidRole ¶
// ErrorInvalidRole is a zero-size error type; its message comes from the Error
// method declared below.
type ErrorInvalidRole struct{}
func (*ErrorInvalidRole) Error ¶
func (e *ErrorInvalidRole) Error() string
type ErrorRoleNameMissing ¶
// ErrorRoleNameMissing is a zero-size error type; see its Error and Unwrap
// methods declared below.
type ErrorRoleNameMissing struct{}
func (*ErrorRoleNameMissing) Error ¶
func (e *ErrorRoleNameMissing) Error() string
func (*ErrorRoleNameMissing) Unwrap ¶
func (e *ErrorRoleNameMissing) Unwrap() error
type ErrorRolePrefixMissing ¶
func (*ErrorRolePrefixMissing) Error ¶
func (e *ErrorRolePrefixMissing) Error() string
func (*ErrorRolePrefixMissing) Unwrap ¶
func (e *ErrorRolePrefixMissing) Unwrap() error
type ErrorScopeTarget ¶
func (*ErrorScopeTarget) Error ¶
func (e *ErrorScopeTarget) Error() string
func (*ErrorScopeTarget) Unwrap ¶
func (e *ErrorScopeTarget) Unwrap() error
type Evaluator ¶
// Evaluator describes a permission requirement and decides whether a set of
// permissions (grouped by action, as produced by GroupScopesByAction) meets it.
// Evaluators are built with EvalPermission, EvalAny and EvalAll.
type Evaluator interface {
	// Evaluate permissions that are grouped by action
	Evaluate(permissions map[string][]string) bool
	// MutateScopes executes a sequence of ScopeModifier functions on all embedded scopes of an evaluator and returns a new Evaluator
	MutateScopes(ctx context.Context, mutate ScopeAttributeMutator) (Evaluator, error)
	// String returns a string representation of permission required by the evaluator
	fmt.Stringer
	fmt.GoStringer
}
func EvalAny ¶
EvalAny returns an evaluator that requires at least one of the passed evaluators to evaluate to true.
func EvalPermission ¶
EvalPermission returns an evaluator that requires at least one of the passed scopes to match.
type FolderPermissionsService ¶
// FolderPermissionsService is the PermissionsService used for folders.
// It adds no methods beyond PermissionsService.
type FolderPermissionsService interface { PermissionsService }
type GetUserPermissionsQuery ¶
type Metadata ¶
Metadata contains a user's accesses for a given resource, e.g. map[string]bool{"create":true, "delete": true}.
type OrgIDGetter ¶
// OrgIDGetter selects the organization ID for a request, or returns an error.
// UseGlobalOrSingleOrg, UseGlobalOrgFromRequestData and
// UseGlobalOrgFromRequestParams return implementations; AuthorizeInOrgMiddleware
// takes one, presumably to pick the org the access check runs in — confirm there.
type OrgIDGetter func(c *contextmodel.ReqContext) (int64, error)
func UseGlobalOrSingleOrg ¶
func UseGlobalOrSingleOrg(cfg *setting.Cfg) OrgIDGetter
UseGlobalOrSingleOrg returns the global organization or the current organization in a single organization setup
func UseGlobalOrgFromRequestData ¶
func UseGlobalOrgFromRequestData(cfg *setting.Cfg) OrgIDGetter
UseGlobalOrgFromRequestData returns the global org if the `global` flag is set, or otherwise the org the user is logged in to. If RBACSingleOrganization is set, the org the user is logged in to is always returned; this is intended only for cloud workflows, where instances are limited to a single organization.
func UseGlobalOrgFromRequestParams ¶
func UseGlobalOrgFromRequestParams(cfg *setting.Cfg) OrgIDGetter
UseGlobalOrgFromRequestParams returns global org if `global` flag is set or the org where user is logged in.
type Permission ¶
// Permission is the model for access control permissions: one (Action, Scope)
// pair attached to a role.
type Permission struct {
	// ID and RoleID are storage-only (xorm) and never serialized to JSON.
	ID     int64  `json:"-" xorm:"pk autoincr 'id'"`
	RoleID int64  `json:"-" xorm:"role_id"`
	Action string `json:"action"`
	Scope  string `json:"scope"`

	// Kind, Attribute and Identifier are not serialized. SplitScope returns the
	// same three parts, presumably derived from Scope — confirm against SplitScope.
	Kind       string `json:"-"`
	Attribute  string `json:"-"`
	Identifier string `json:"-"`

	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}
Permission is the model for access control permissions.
func ConcatPermissions ¶
func ConcatPermissions(permissions ...[]Permission) []Permission
func (Permission) OSSPermission ¶
func (p Permission) OSSPermission() Permission
func (Permission) SplitScope ¶
func (p Permission) SplitScope() (string, string, string)
SplitScope returns the scope's kind, attribute and identifier.
type PermissionsService ¶
// PermissionsService manages the resource-level permissions of one resource
// type for users, teams and built-in roles. The Set* methods are write paths
// into the permission store and should only be reached after the caller has
// itself been authorized.
type PermissionsService interface {
	// GetPermissions returns all permissions for given resourceID
	GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]ResourcePermission, error)
	// SetUserPermission sets permission on resource for a user
	SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
	// SetTeamPermission sets permission on resource for a team
	SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*ResourcePermission, error)
	// SetBuiltInRolePermission sets permission on resource for a built-in role (Admin, Editor, Viewer)
	// builtInRole is a free-form string here; ValidateBuiltInRoles exists in this
	// package — confirm implementations validate it before persisting.
	SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*ResourcePermission, error)
	// SetPermissions sets several permissions on resource for either built-in role, team or user
	SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...SetResourcePermissionCommand) ([]ResourcePermission, error)
	// MapActions will map actions for a ResourcePermissions to it's "friendly" name configured in PermissionsToActions map.
	MapActions(permission ResourcePermission) string
	// DeleteResourcePermissions removes all permissions for a resource
	DeleteResourcePermissions(ctx context.Context, orgID int64, resourceID string) error
}
type QueryWithOrg ¶
type RegistrationList ¶
// RegistrationList is a collection of RoleRegistration values. Append adds
// registrations, Range iterates over them, and Slice returns them as a slice.
type RegistrationList struct {
	// contains filtered or unexported fields
}
func (*RegistrationList) Append ¶
func (m *RegistrationList) Append(regs ...RoleRegistration)
func (*RegistrationList) Range ¶
func (m *RegistrationList) Range(f func(registration RoleRegistration) bool)
func (*RegistrationList) Slice ¶
func (m *RegistrationList) Slice() []RoleRegistration
type Resolvers ¶
// Resolvers holds the ScopeAttributeResolvers registered per scope prefix
// (AddScopeAttributeResolver) and produces a ScopeAttributeMutator for an org
// (GetScopeAttributeMutator). Construct it with NewResolvers.
type Resolvers struct {
	// contains filtered or unexported fields
}
func NewResolvers ¶
func (*Resolvers) AddScopeAttributeResolver ¶
func (s *Resolvers) AddScopeAttributeResolver(prefix string, resolver ScopeAttributeResolver)
func (*Resolvers) GetScopeAttributeMutator ¶
func (s *Resolvers) GetScopeAttributeMutator(orgID int64) ScopeAttributeMutator
type ResourcePermission ¶
// ResourcePermission holds all actions that a team, user or built-in role can
// perform against a specific resource. Exactly which of the User*/Team*/
// BuiltInRole fields is populated identifies the assignee.
type ResourcePermission struct {
	ID       int64
	RoleName string
	Actions  []string
	Scope    string

	// UserId/TeamId keep their non-idiomatic spelling for compatibility with
	// existing callers and serialized forms.
	UserId    int64
	UserLogin string
	UserEmail string
	TeamId    int64
	TeamEmail string
	Team      string

	BuiltInRole      string
	IsManaged        bool
	IsInherited      bool
	IsServiceAccount bool

	Created time.Time
	Updated time.Time
}
ResourcePermission is a structure that holds all actions that a team, user or built-in role can perform against a specific resource.
func (*ResourcePermission) Contains ¶
func (p *ResourcePermission) Contains(targetActions []string) bool
type Role ¶
// Role is the model for Role in RBAC. ID and OrgID are storage-only (xorm) and
// are excluded from JSON.
type Role struct {
	ID      int64 `json:"-" xorm:"pk autoincr 'id'"`
	OrgID   int64 `json:"-" xorm:"org_id"`
	Version int64 `json:"version"`

	UID         string `xorm:"uid" json:"uid"`
	Name        string `json:"name"`
	DisplayName string `json:"displayName,omitempty"`
	Group       string `xorm:"group_name" json:"group"`
	Description string `json:"description"`
	Hidden      bool   `json:"hidden"`

	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}
Role is the model for Role in RBAC.
func (Role) MarshalJSON ¶
type RoleDTO ¶
// RoleDTO is the role as exchanged with callers: Role's fields plus the
// Permissions it carries and the Delegatable flag. ID and OrgID are
// storage-only and excluded from JSON.
// swagger:ignore
type RoleDTO struct {
	Version     int64        `json:"version"`
	UID         string       `xorm:"uid" json:"uid"`
	Name        string       `json:"name"`
	DisplayName string       `json:"displayName,omitempty"`
	Description string       `json:"description"`
	Group       string       `xorm:"group_name" json:"group"`
	Permissions []Permission `json:"permissions,omitempty"`
	// Delegatable is a pointer so that "unset" is distinguishable from false.
	Delegatable *bool `json:"delegatable,omitempty"`
	Hidden      bool  `json:"hidden,omitempty"`

	ID    int64 `json:"-" xorm:"pk autoincr 'id'"`
	OrgID int64 `json:"-" xorm:"org_id"`

	Updated time.Time `json:"updated"`
	Created time.Time `json:"created"`
}
swagger:ignore
func (*RoleDTO) IsExternalService ¶
func (RoleDTO) MarshalJSON ¶
type RoleDTOStatic ¶
swagger:model RoleDTO
type RoleRegistration ¶
RoleRegistration stores a role and its assignments to built-in roles (Viewer, Editor, Admin, Grafana Admin)
type RoleRegistry ¶
type SQLFilter ¶
type SaveExternalServiceRoleCommand ¶
// SaveExternalServiceRoleCommand is the input of Service.SaveExternalServiceRole:
// the permissions to grant to an external service's role, and the service
// account (in AssignmentOrgID) the role is assigned to. Validate checks it
// before use.
type SaveExternalServiceRoleCommand struct {
	AssignmentOrgID   int64
	ExternalServiceID string
	ServiceAccountID  int64
	Permissions       []Permission
}
func (*SaveExternalServiceRoleCommand) Validate ¶
func (cmd *SaveExternalServiceRoleCommand) Validate() error
type ScopeAttributeMutator ¶
type ScopeAttributeResolver ¶
// ScopeAttributeResolver is used to resolve attributes in scopes to one or more
// scopes that are evaluated with a logical OR.
// E.g. "dashboards:id:1" -> "dashboards:uid:test-dashboard" or "folder:uid:test-folder".
// Resolution is org-scoped (orgID), so a resolver must not return scopes that
// belong to another organization.
type ScopeAttributeResolver interface {
	Resolve(ctx context.Context, orgID int64, scope string) ([]string, error)
}
ScopeAttributeResolver is used to resolve attributes in scopes to one or more scopes that are evaluated with a logical OR. E.g. "dashboards:id:1" -> "dashboards:uid:test-dashboard" or "folder:uid:test-folder"
type ScopeAttributeResolverFunc ¶
// ScopeAttributeResolverFunc is an adapter that lets a plain function with the
// same signature as ScopeAttributeResolver.Resolve implement the
// ScopeAttributeResolver interface.
type ScopeAttributeResolverFunc func(ctx context.Context, orgID int64, scope string) ([]string, error)
ScopeAttributeResolverFunc is an adapter that allows functions to implement the ScopeAttributeResolver interface.
type ScopeProvider ¶
// ScopeProvider provides methods that construct scopes for one resource root
// (see NewScopeProvider): by plain ID, UID, name or type, plus the two
// wildcard forms ("<root>:*" and the all-IDs scope).
type ScopeProvider interface {
	GetResourceScope(resourceID string) string
	GetResourceScopeUID(resourceID string) string
	GetResourceScopeName(resourceID string) string
	GetResourceScopeType(typeName string) string
	GetResourceAllScope() string
	GetResourceAllIDScope() string
}
ScopeProvider provides methods that construct scopes
func NewScopeProvider ¶
func NewScopeProvider(root string) ScopeProvider
NewScopeProvider creates a new ScopeProvider that is configured with a specific root scope.
type SearchOptions ¶
// SearchOptions filters a permission search (Service.SearchUsersPermissions,
// Service.SearchUserPermissions). ActionPrefix, Action and Scope narrow the
// permissions; NamespacedID and RolePrefixes narrow whose permissions are
// searched.
type SearchOptions struct {
	ActionPrefix string // Needed for the PoC v1, it's probably going to be removed.
	Action       string
	Scope        string
	NamespacedID string // ID of the identity (ex: user:3, service-account:4)
	RolePrefixes []string
	// contains filtered or unexported fields
}
func (*SearchOptions) ComputeUserID ¶
func (s *SearchOptions) ComputeUserID() (int64, error)
func (*SearchOptions) Wildcards ¶
func (s *SearchOptions) Wildcards() []string
Wildcards computes the wildcard scopes that include the scope
type Service ¶
// Service is the accesscontrol service: role lookup, permission queries, and
// the write paths that declare roles and grant or revoke permissions.
type Service interface {
	registry.ProvidesUsageStats
	// GetRoleByName returns a role by name
	GetRoleByName(ctx context.Context, orgID int64, roleName string) (*RoleDTO, error)
	// GetUserPermissions returns user permissions with only action and scope fields set.
	GetUserPermissions(ctx context.Context, user identity.Requester, options Options) ([]Permission, error)
	// SearchUsersPermissions returns all users' permissions filtered by an action prefix
	SearchUsersPermissions(ctx context.Context, user identity.Requester, options SearchOptions) (map[int64][]Permission, error)
	// ClearUserPermissionCache removes the permission cache entry for the given user
	ClearUserPermissionCache(user identity.Requester)
	// SearchUserPermissions returns single user's permissions filtered by an action prefix or an action
	SearchUserPermissions(ctx context.Context, orgID int64, filterOptions SearchOptions) ([]Permission, error)
	// DeleteUserPermissions removes all permissions user has in org and all permission to that user
	// If orgID is set to 0 remove permissions from all orgs
	// (note that GlobalOrgID is also 0, so 0 means "all orgs" here, not "the global org").
	DeleteUserPermissions(ctx context.Context, orgID, userID int64) error
	// DeleteTeamPermissions removes all role assignments and permissions granted to a team
	// and removes permissions scoped to the team.
	DeleteTeamPermissions(ctx context.Context, orgID, teamID int64) error
	// DeclareFixedRoles allows the caller to declare, to the service, fixed roles and their
	// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
	DeclareFixedRoles(registrations ...RoleRegistration) error
	// SaveExternalServiceRole creates or updates an external service's role and assigns it to a given service account id.
	SaveExternalServiceRole(ctx context.Context, cmd SaveExternalServiceRoleCommand) error
	// DeleteExternalServiceRole removes an external service's role and its assignment.
	DeleteExternalServiceRole(ctx context.Context, externalServiceID string) error
	// SyncUserRoles adds provided roles to user
	SyncUserRoles(ctx context.Context, orgID int64, cmd SyncUserRolesCommand) error
}
type ServiceAccountPermissionsService ¶
// ServiceAccountPermissionsService is the PermissionsService used for service
// accounts. It adds no methods beyond PermissionsService.
type ServiceAccountPermissionsService interface { PermissionsService }
type Store ¶
// Store is the persistence layer behind Service: it reads the permissions a
// user holds directly, through basic roles and through teams, and performs the
// deletions and external-service role writes. It is not an authorization
// point — callers are expected to have been authorized already.
type Store interface {
	GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]Permission, error)
	GetBasicRolesPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]Permission, error)
	GetTeamsPermissions(ctx context.Context, query GetUserPermissionsQuery) (map[int64][]Permission, error)
	SearchUsersPermissions(ctx context.Context, orgID int64, options SearchOptions) (map[int64][]Permission, error)
	GetUsersBasicRoles(ctx context.Context, userFilter []int64, orgID int64) (map[int64][]string, error)
	DeleteUserPermissions(ctx context.Context, orgID, userID int64) error
	DeleteTeamPermissions(ctx context.Context, orgID, teamID int64) error
	SaveExternalServiceRole(ctx context.Context, cmd SaveExternalServiceRoleCommand) error
	DeleteExternalServiceRole(ctx context.Context, externalServiceID string) error
}
type SyncUserRolesCommand ¶
type TeamPermissionsService ¶
// TeamPermissionsService is the subset of PermissionsService that applies to
// teams: read the permissions on a team, and set permissions for a user or in
// bulk. Unlike PermissionsService it has no team or built-in-role setters.
type TeamPermissionsService interface {
	GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]ResourcePermission, error)
	SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
	SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...SetResourcePermissionCommand) ([]ResourcePermission, error)
}
type Wildcards ¶
// Wildcards is a list of wildcard scopes, as produced by WildcardsFromPrefix
// and WildcardsFromPrefixes (e.g. "*", "datasource:*", "datasource:uid:*").
type Wildcards []string
func WildcardsFromPrefix ¶
func WildcardsFromPrefixes ¶
WildcardsFromPrefixes generates valid wildcards from prefixes, e.g. datasource:uid: => "*", "datasource:*", "datasource:uid:*".