forked from grafana/grafana
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathservice_account.go
76 lines (69 loc) · 2.6 KB
/
service_account.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package ossaccesscontrol
import (
"context"
"strconv"
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
"github.com/grafana/grafana/pkg/services/serviceaccounts/retriever"
"github.com/grafana/grafana/pkg/services/team"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
)
var (
ServiceAccountEditActions = []string{
serviceaccounts.ActionRead,
serviceaccounts.ActionWrite,
}
ServiceAccountAdminActions = []string{
serviceaccounts.ActionRead,
serviceaccounts.ActionWrite,
serviceaccounts.ActionDelete,
serviceaccounts.ActionPermissionsRead,
serviceaccounts.ActionPermissionsWrite,
}
)
type ServiceAccountPermissionsService struct {
*resourcepermissions.Service
}
func ProvideServiceAccountPermissions(
cfg *setting.Cfg, features featuremgmt.FeatureToggles, router routing.RouteRegister, sql db.DB, ac accesscontrol.AccessControl,
license licensing.Licensing, serviceAccountRetrieverService *retriever.Service, service accesscontrol.Service,
teamService team.Service, userService user.Service, actionSetService resourcepermissions.ActionSetService,
) (*ServiceAccountPermissionsService, error) {
options := resourcepermissions.Options{
Resource: "serviceaccounts",
ResourceAttribute: "id",
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
ctx, span := tracer.Start(ctx, "accesscontrol.ossaccesscontrol.ProvideServiceAccountPermissions.ResourceValidator")
defer span.End()
id, err := strconv.ParseInt(resourceID, 10, 64)
if err != nil {
return err
}
_, err = serviceAccountRetrieverService.RetrieveServiceAccount(ctx, orgID, id)
return err
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: true,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"Edit": ServiceAccountEditActions,
"Admin": ServiceAccountAdminActions,
},
ReaderRoleName: "Service account permission reader",
WriterRoleName: "Service account permission writer",
RoleGroup: "Service accounts",
}
srv, err := resourcepermissions.New(cfg, options, features, router, license, ac, service, sql, teamService, userService, actionSetService)
if err != nil {
return nil, err
}
return &ServiceAccountPermissionsService{srv}, nil
}