Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RBAC: Allow scoping access to root level dashboards #76987

Merged
merged 4 commits into from
Oct 24, 2023
Merged

RBAC: Allow scoping access to root level dashboards #76987

merged 4 commits into from
Oct 24, 2023

Conversation

IevaVasiljeva
Copy link
Contributor

What is this feature?

Take into account dashboard listing permissions scoped to the root (folders:uid:general) when listing dashboards.

Why do we need this feature?

To allow scoping access to root level dashboards.

Who is this feature for?

Anyone

Which issue(s) does this PR fix?:

Fixes https://github.com/grafana/grafana-enterprise/issues/5920

Special notes for your reviewer:

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

@IevaVasiljeva IevaVasiljeva added this to the 10.3.x milestone Oct 23, 2023
@IevaVasiljeva IevaVasiljeva requested review from gamab and a team October 23, 2023 16:34
@IevaVasiljeva IevaVasiljeva requested a review from a team as a code owner October 23, 2023 16:34
@IevaVasiljeva IevaVasiljeva requested review from papagian, zserge and nikimanoledaki and removed request for a team October 23, 2023 16:34
gamab
gamab approved these changes Oct 24, 2023
View reviewed changes
Copy link
Contributor

@gamab gamab left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job and thanks for fixing this quickly. 🎉

I tested this with a service account with only the following permissions:

    "permissions": [
      { "action": "dashboards:create", "scope": "folders:uid:general" },
      { "action": "dashboards:read", "scope": "folders:uid:general"}
    ]

I could search dashboards at the root level and not the other ones.

The "provisioned" permission also popped up in the UI:
image

pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go
@@ -163,7 +163,7 @@ func ProvideDashboardPermissions(
}
return append([]string{parentScope}, nestedScopes...), nil
}
return []string{}, nil
return []string{dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)}, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand this change correctly?
If the FolderID == 0 then user permissions targeting the General Folder will apply.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, exactly! Otherwise the correct permissions were not displayed in the UI for dashboards under the root.

pkg/services/sqlstore/permissions/dashboard.go Outdated Show resolved Hide resolved
IevaVasiljeva and others added 2 commits October 24, 2023 09:44
@IevaVasiljeva IevaVasiljeva enabled auto-merge (squash) October 24, 2023 08:45
@IevaVasiljeva IevaVasiljeva merged commit 159bb3c into main Oct 24, 2023
14 checks passed
@IevaVasiljeva IevaVasiljeva deleted the fix-searching-in-general-folder branch October 24, 2023 08:55
@IevaVasiljeva IevaVasiljeva added backport v10.2.x and removed no-backport Skip backport of PR labels Nov 3, 2023
@grafana-delivery-bot grafana-delivery-bot bot mentioned this pull request Nov 3, 2023
Merged
3 tasks
grafana-delivery-bot bot pushed a commit that referenced this pull request Nov 3, 2023
@IevaVasiljeva @grafana-delivery-bot
RBAC: Allow scoping access to root level dashboards (#76987)
e705673 
* correctly check permissions to list dashboards on the root

* correctly display the access inherited from general folder for dashboards

* Update pkg/services/sqlstore/permissions/dashboard.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Update dashboard_filter_no_subquery.go

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
(cherry picked from commit 159bb3c)
IevaVasiljeva added a commit that referenced this pull request Nov 3, 2023
@grafana-delivery-bot @IevaVasiljeva
[v10.2.x] RBAC: Allow scoping access to root level dashboards (#77608)
0cede69 
RBAC: Allow scoping access to root level dashboards (#76987)

* correctly check permissions to list dashboards on the root

* correctly display the access inherited from general folder for dashboards

* Update pkg/services/sqlstore/permissions/dashboard.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Update dashboard_filter_no_subquery.go

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
(cherry picked from commit 159bb3c)

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
@aangelisc aangelisc modified the milestones: 10.3.x, 10.2.3 Dec 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gamab gamab gamab approved these changes

@papagian papagian Awaiting requested review from papagian papagian was automatically assigned from grafana/backend-platform

@zserge zserge Awaiting requested review from zserge zserge was automatically assigned from grafana/backend-platform

@nikimanoledaki nikimanoledaki Awaiting requested review from nikimanoledaki nikimanoledaki was automatically assigned from grafana/backend-platform

Assignees
No one assigned
Labels
add to changelog area/backend backport v10.2.x type/bug
Projects
None yet
Milestone
10.2.3
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@IevaVasiljeva @gamab @aangelisc