RBAC: Allow scoping access to root level dashboards #76987
Great job and thanks for fixing this quickly. 🎉
I tested this with a service account with only the following permissions:
"permissions": [
{ "action": "dashboards:create", "scope": "folders:uid:general" },
{ "action": "dashboards:read", "scope": "folders:uid:general"}
]
I could search dashboards at the root level and not the other ones.
@@ -163,7 +163,7 @@ func ProvideDashboardPermissions( | |||
} | |||
return append([]string{parentScope}, nestedScopes...), nil | |||
} | |||
return []string{}, nil | |||
return []string{dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)}, nil |
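Review bot: the new fallback at the end of the hunk, `return []string{dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)}, nil`, carries no comment saying which dashboards reach it or why they inherit the general folder scope. Add a short comment there stating that a dashboard without a parent folder inherits from the general folder, and check in the enclosing condition (not visible in this hunk) that only root-level dashboards fall through to this line, because any other dashboard reaching it would be shown general-folder permissions as inherited. A test asserting the returned scope for a root-level dashboard would pin this down.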
Do I understand this change correctly?
If the FolderID == 0
then user permissions targeting the General Folder will apply.
Yes, exactly! Otherwise the correct permissions were not displayed in the UI for dashboards under the root.
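The behaviour discussed in this thread, as an added sketch that is not Grafana's code: a simplified Go model in which a dashboard inherits permissions from its parent folder scope, run once with root-level dashboards inheriting nothing and once with them inheriting `folders:uid:general`. All type and function names are hypothetical, and the model assumes exact-match scopes (no wildcards) and a single folder level.

```go
package main

import "fmt"

// Constructed, simplified model; these names are hypothetical, not Grafana's API.
const generalScope = "folders:uid:general"

type Permission struct{ Action, Scope string }
type Dashboard struct{ UID, FolderUID string } // FolderUID "" means root level

// parentScopes lists the folder scopes a dashboard inherits permissions from.
// rootInherits=false models the old empty result for root-level dashboards.
func parentScopes(d Dashboard, rootInherits bool) []string {
	if d.FolderUID != "" {
		return []string{"folders:uid:" + d.FolderUID}
	}
	if rootInherits {
		return []string{generalScope}
	}
	return []string{}
}

// visible returns the UIDs of dashboards readable through their own scope or
// through an inherited folder scope.
func visible(perms []Permission, all []Dashboard, rootInherits bool) []string {
	readable := map[string]bool{}
	for _, p := range perms {
		if p.Action == "dashboards:read" {
			readable[p.Scope] = true
		}
	}
	out := []string{}
	for _, d := range all {
		scopes := append([]string{"dashboards:uid:" + d.UID}, parentScopes(d, rootInherits)...)
		for _, s := range scopes {
			if readable[s] {
				out = append(out, d.UID)
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed data mirroring the service account in the review comment.
	perms := []Permission{{"dashboards:create", generalScope}, {"dashboards:read", generalScope}}
	all := []Dashboard{{"root-a", ""}, {"team-b", "team"}, {"root-c", ""}}
	fmt.Println(visible(perms, all, false), visible(perms, all, true))
}
```

With root inheritance off the account sees no dashboards; with it on, only the two root-level ones are listed and the dashboard inside the `team` folder stays hidden.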
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* correctly check permissions to list dashboards on the root
* correctly display the access inherited from general folder for dashboards
* Update pkg/services/sqlstore/permissions/dashboard.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update dashboard_filter_no_subquery.go
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
(cherry picked from commit 159bb3c)

RBAC: Allow scoping access to root level dashboards (#76987)
* correctly check permissions to list dashboards on the root
* correctly display the access inherited from general folder for dashboards
* Update pkg/services/sqlstore/permissions/dashboard.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update dashboard_filter_no_subquery.go
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
(cherry picked from commit 159bb3c)
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
What is this feature?
Take into account dashboard listing permissions scoped to the root (folders:uid:general) when listing dashboards.
Why do we need this feature?
To allow scoping access to root level dashboards.
Who is this feature for?
Anyone
Which issue(s) does this PR fix?:
Fixes https://github.com/grafana/grafana-enterprise/issues/5920
Special notes for your reviewer:
Please check that: