RBAC: enforce permissions in frontend using user roles #986
Conversation
VikaCep
force-pushed
the
rbac-permissions-front
branch
3 times, most recently
from
f167e0b to
75b7eb3
Compare
|
Note: need to supply Grafana with an enterprise license to review this PR. :) |
There was a problem hiding this comment.
The config page, probably dont need to be visible for non-writers?
Without a basic role (`orgRole), it seems I cannot do much, even if I have SM checks:reader and probe:reader/writer
The only thing that changes are the nav items.
When logged in as admin, you can clearly see that the app is already initialized
The reason this happens is because if no basic roles are set (at least
I tried to include this permission by default in the custom permissions we define (similar to how I added the plugin:access permission here) to avoid requiring users to manually configure it. However, it doesn't seem to be possible. I suspect the permission is too broad to be auto-granted in the plugin's definition. I wonder if @d0ugal has encountered a similar issue when implementing this in k6. For reference, this is the error I get when trying to grant In any case, I think the simplest solution is to recommend to always set the |
VikaCep
force-pushed
the
rbac-permissions-front
branch
from
75b7eb3 to
e9c3969
Compare
I've discussed this issue with @d0ugal, as it seems to be a common scenario. If a user is assigned a custom role but lacks the necessary fixed roles required for an action, the custom role alone will not be sufficient. In these cases, it’s important to highlight the missing roles in the UI so that users understand what’s happening and can request the required roles. In Synthetic Monitoring, if a user is not assigned the global Note no Note the new error message indicating missing permissions: When the user is assigned the Note Note the app loads correctly: |
| @@ -39,7 +39,7 @@ const Alerting = () => { | |||
| Learn more about alerting for Synthetic Monitoring. | |||
| </a> | |||
| </p> | |||
| {canRead ? <AlertingPageContent /> : <InsufficientPermissions />} | |||
| {canReadAlerts ? <AlertingPageContent /> : <InsufficientPermissions />} | |||
There was a problem hiding this comment.
I saw the insufficient permissions when I just had the basic 'Viewer' role (I didn't look into why). Should we provide more detail what permissions are missing as there are two places you would need to update to have the right permissions?
There was a problem hiding this comment.
Hmm I'm confused as I'm not sure how you got to that screen.
Users with only the Viewer role assigned, should see this:
assigned roles:
Users without the Viewer role, but with the Alerts reader role, see the following:
assigned roles:
The difference lies in that Viewer assigns fixed:alerting:reader by default and without it it needs to be manually added.
VikaCep
force-pushed
the
rbac-permissions-front
branch
from
588556f to
d11f6d4
Compare
- instead, we should query permissions from getUserPermissions
VikaCep
force-pushed
the
rbac-permissions-front
branch
from
64e4f79 to
96541a2
Compare
src/hooks/useAlertPermissions.ts
Outdated
| const canEditAlertInDs = useDSPermission(`metrics`, `alert.instances.external:write`); | ||
|
|
||
| return { | ||
| canReadAlerts, |
There was a problem hiding this comment.
I removed Query permissions for Viewer in my metrics datasource and I get faced with an infinitely loading spinner. This should be a simple case of checking if there is a value being returned for useMetricsDS() and adding it to the return for each of the canReadAlerts / canWriteAlerts / canDeleteAlerts.
There was a problem hiding this comment.
Nice catch. I've added that check and changed the message to indicate the missing permissions:
* feat: create useUserPermissions hook * feat: define PluginPermissions type * feat: enforce Check permissions using RBAC * feat: enforce Probe permissions usign RBAC * feat: enforce Alert permissions using RBAC * fix: lint * feat: enforce Config permissions using RBAC * feat: apply new permissions to plugin installation * fix: remove console.log * fix: fallback to basic user roles contemplating roles hierarchy * fix: change PluginPermission to use write instead of edit * fix: add tests * fix: update types for access-tokens permissions * fix: lint * fix: tests * fix: show missing permissions alert * fix: adjust types to match plugin definitions * fix: refactor getUserPermissions function * fix: change plugin permissions to use template literal types * fix: uppercase RBAC in function names * fix: updates after rebasing with main * fix: adapt after rebasing with main * fix: remove useCanWriteSM hook - instead, we should query permissions from getUserPermissions * fix: lint * fix: check for metrics ds query access in order to display alerts
* feat: create useUserPermissions hook * feat: define PluginPermissions type * feat: enforce Check permissions using RBAC * feat: enforce Probe permissions usign RBAC * feat: enforce Alert permissions using RBAC * fix: lint * feat: enforce Config permissions using RBAC * feat: apply new permissions to plugin installation * fix: remove console.log * fix: fallback to basic user roles contemplating roles hierarchy * fix: change PluginPermission to use write instead of edit * fix: add tests * fix: update types for access-tokens permissions * fix: lint * fix: tests * fix: show missing permissions alert * fix: adjust types to match plugin definitions * fix: refactor getUserPermissions function * fix: change plugin permissions to use template literal types * fix: uppercase RBAC in function names * fix: updates after rebasing with main * fix: adapt after rebasing with main * fix: remove useCanWriteSM hook - instead, we should query permissions from getUserPermissions * fix: lint * fix: check for metrics ds query access in order to display alerts
* feat: create useUserPermissions hook * feat: define PluginPermissions type * feat: enforce Check permissions using RBAC * feat: enforce Probe permissions usign RBAC * feat: enforce Alert permissions using RBAC * fix: lint * feat: enforce Config permissions using RBAC * feat: apply new permissions to plugin installation * fix: remove console.log * fix: fallback to basic user roles contemplating roles hierarchy * fix: change PluginPermission to use write instead of edit * fix: add tests * fix: update types for access-tokens permissions * fix: lint * fix: tests * fix: show missing permissions alert * fix: adjust types to match plugin definitions * fix: refactor getUserPermissions function * fix: change plugin permissions to use template literal types * fix: uppercase RBAC in function names * fix: updates after rebasing with main * fix: adapt after rebasing with main * fix: remove useCanWriteSM hook - instead, we should query permissions from getUserPermissions * fix: lint * fix: check for metrics ds query access in order to display alerts
* feat: create useUserPermissions hook * feat: define PluginPermissions type * feat: enforce Check permissions using RBAC * feat: enforce Probe permissions usign RBAC * feat: enforce Alert permissions using RBAC * fix: lint * feat: enforce Config permissions using RBAC * feat: apply new permissions to plugin installation * fix: remove console.log * fix: fallback to basic user roles contemplating roles hierarchy * fix: change PluginPermission to use write instead of edit * fix: add tests * fix: update types for access-tokens permissions * fix: lint * fix: tests * fix: show missing permissions alert * fix: adjust types to match plugin definitions * fix: refactor getUserPermissions function * fix: change plugin permissions to use template literal types * fix: uppercase RBAC in function names * fix: updates after rebasing with main * fix: adapt after rebasing with main * fix: remove useCanWriteSM hook - instead, we should query permissions from getUserPermissions * fix: lint * fix: check for metrics ds query access in order to display alerts
* feat: define new roles * feat: add role requirements for routes and pages * fix: add plugin access permission for all roles * fix: configure general read/write permissions for ds plugin.json config * fix: remove redundant granted roles * fix: improve names and remove token writer access for editors * fix: rename edit permission * fix: rename tokens to access-tokens * fix: restrict config page to writers * fix: change required permissions to register a ds * fix: change access-token create for write to match convention * fix: add missing threshold: delete permission in Threshold Writer role * fix: change required permissions to see SM home page * RBAC: enforce permissions in frontend using user roles (#986) * feat: create useUserPermissions hook * feat: define PluginPermissions type * feat: enforce Check permissions using RBAC * feat: enforce Probe permissions usign RBAC * feat: enforce Alert permissions using RBAC * fix: lint * feat: enforce Config permissions using RBAC * feat: apply new permissions to plugin installation * fix: remove console.log * fix: fallback to basic user roles contemplating roles hierarchy * fix: change PluginPermission to use write instead of edit * fix: add tests * fix: update types for access-tokens permissions * fix: lint * fix: tests * fix: show missing permissions alert * fix: adjust types to match plugin definitions * fix: refactor getUserPermissions function * fix: change plugin permissions to use template literal types * fix: uppercase RBAC in function names * fix: updates after rebasing with main * fix: adapt after rebasing with main * fix: remove useCanWriteSM hook - instead, we should query permissions from getUserPermissions * fix: lint * fix: check for metrics ds query access in order to display alerts * fix: lint * fix: add generic UnauthorizedPage and enforce permissions on home and view pages * fix: display missing write alerts permission * fix: lint * fix: consolidate enable/disable plugin actions into a single write one * fix: lint * fix: prevent displaying missing write message to readers * fix: addressing review comments * chore: remove ConfigActions as not user after rebase with main * fix: add message when missing access token write permission * fix: remove Access Tokens Reader role * fix: remove access-tokens: read and delete actions - There's no use for them right now * fix: list missing permissions to initialize plugin * fix: change Unauthorized page layout - Remove card to get rid of hover effect - Only dispay the relevant message * fix: restrict terraform access * fix: lint * chore: add rbac feature flag * fix: update test after rebase with main * fix: change fallback role required to generate access tokens - When the RBAC FF is off, canWriteTokens requires a min role of Editor to respect current behavior
This PR integrates the newly defined roles from #982 into the app. The roles are used to restrict access to different parts of the app where applicable, providing more granular control over permissions and user access.
Resolves https://github.com/grafana/synthetic-monitoring/issues/167
Reader
Screen.Recording.2024-11-13.at.17.55.42.mov
Editor
Screen.Recording.2024-11-13.at.18.07.33.mov
Admin
Screen.Recording.2024-11-13.at.18.10.14.mov
Mixed: Viewer + can write checks
Screen.Recording.2024-11-13.at.18.11.37.mov
Mixed: Viewer + can write probes
https://github.com/user-attachments/assets/65d268b9-62c8-4a7f-adb5-a7f5381f7c27