Move usage stats rbac action and role registration to access control …

…package
grafana · Apr 4, 2024 · 66ce6a4 · 66ce6a4
1 parent d8514c0
commit 66ce6a4
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 43 deletions.
diff --git a/pkg/infra/usagestats/service/accesscontrol.go b/pkg/infra/usagestats/service/accesscontrol.go
diff --git a/pkg/infra/usagestats/service/api.go b/pkg/infra/usagestats/service/api.go
@@ -15,7 +15,7 @@ func (uss *UsageStats) registerAPIEndpoints() {
 	authorize := accesscontrol.Middleware(uss.accesscontrol)
 
 	uss.RouteRegister.Group(rootUrl, func(subrouter routing.RouteRegister) {
-		subrouter.Get("/usage-report-preview", authorize(accesscontrol.EvalPermission(ActionRead)), routing.Wrap(uss.getUsageReportPreview))
+		subrouter.Get("/usage-report-preview", authorize(accesscontrol.EvalPermission(accesscontrol.ActionUsageStatsRead)), routing.Wrap(uss.getUsageReportPreview))
 	})
 }
 

diff --git a/pkg/infra/usagestats/service/api_test.go b/pkg/infra/usagestats/service/api_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/grafana/grafana/pkg/infra/db/dbtest"
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 	"github.com/grafana/grafana/pkg/services/stats"
@@ -28,13 +29,13 @@ func TestApi_getUsageStats(t *testing.T) {
 		{
 			desc:           "expect usage stats",
 			enabled:        true,
-			permissions:    map[string][]string{ActionRead: {}},
+			permissions:    map[string][]string{accesscontrol.ActionUsageStatsRead: {}},
 			expectedStatus: 200,
 		},
 		{
 			desc:           "expect usage stat preview still there after disabling",
 			enabled:        false,
-			permissions:    map[string][]string{ActionRead: {}},
+			permissions:    map[string][]string{accesscontrol.ActionUsageStatsRead: {}},
 			expectedStatus: 200,
 		},
 		{

diff --git a/pkg/infra/usagestats/service/service.go b/pkg/infra/usagestats/service/service.go
@@ -35,7 +35,6 @@ func ProvideService(cfg *setting.Cfg,
 	routeRegister routing.RouteRegister,
 	tracer tracing.Tracer,
 	accesscontrol ac.AccessControl,
-	accesscontrolService ac.Service,
 	bundleRegistry supportbundles.Service,
 ) (*UsageStats, error) {
 	s := &UsageStats{
@@ -47,10 +46,6 @@ func ProvideService(cfg *setting.Cfg,
 		accesscontrol: accesscontrol,
 	}
 
-	if err := declareFixedRoles(accesscontrolService); err != nil {
-		return nil, err
-	}
-
 	s.registerAPIEndpoints()
 	bundleRegistry.RegisterSupportItemCollector(s.supportBundleCollector())
 

diff --git a/pkg/infra/usagestats/service/usage_stats_test.go b/pkg/infra/usagestats/service/usage_stats_test.go
@@ -23,7 +23,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/infra/usagestats"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
 	"github.com/grafana/grafana/pkg/services/supportbundles/supportbundlestest"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/tests/testsuite"
@@ -248,7 +247,6 @@ func createService(t *testing.T, sqlStore db.DB, withDB bool) *UsageStats {
 		routing.NewRouteRegister(),
 		tracing.InitializeTracerForTest(),
 		acimpl.ProvideAccessControl(cfg),
-		actest.FakeService{},
 		supportbundlestest.NewFakeBundleService(),
 	)
 

diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go
@@ -481,6 +481,9 @@ const (
 	ActionLibraryPanelsRead   = "library.panels:read"
 	ActionLibraryPanelsWrite  = "library.panels:write"
 	ActionLibraryPanelsDelete = "library.panels:delete"
+
+	// Usage stats actions
+	ActionUsageStatsRead = "server.usagestats.report:read"
 )
 
 var (

diff --git a/pkg/services/accesscontrol/roles.go b/pkg/services/accesscontrol/roles.go
@@ -280,6 +280,16 @@ var (
 			},
 		},
 	}
+
+	usagestatsReaderRole = RoleDTO{
+		Name:        "fixed:usagestats:reader",
+		DisplayName: "Usage stats report reader",
+		Description: "View usage statistics report",
+		Group:       "Statistics",
+		Permissions: []Permission{
+			{Action: ActionUsageStatsRead},
+		},
+	}
 )
 
 // Declare OSS roles to the accesscontrol service
@@ -320,15 +330,22 @@ func DeclareFixedRoles(service Service, cfg *setting.Cfg) error {
 		Role:   generalAuthConfigWriterRole,
 		Grants: []string{RoleGrafanaAdmin},
 	}
-
 	// TODO: Move to own service when implemented
 	authenticationConfigWriter := RoleRegistration{
 		Role:   authenticationConfigWriterRole,
 		Grants: []string{RoleGrafanaAdmin},
 	}
 
-	return service.DeclareFixedRoles(ldapReader, ldapWriter, orgUsersReader, orgUsersWriter,
-		settingsReader, statsReader, usersReader, usersWriter, authenticationConfigWriter, generalAuthConfigWriter)
+	usageStatsReader := RoleRegistration{
+		Role:   usagestatsReaderRole,
+		Grants: []string{RoleGrafanaAdmin},
+	}
+
+	return service.DeclareFixedRoles(
+		ldapReader, ldapWriter, orgUsersReader, orgUsersWriter,
+		settingsReader, statsReader, usersReader, usersWriter,
+		authenticationConfigWriter, generalAuthConfigWriter, usageStatsReader,
+	)
 }
 
 func ConcatPermissions(permissions ...[]Permission) []Permission {