Add global_admin and read_editor roles to keystone

Ryan Bak · Ryan Bak · commit 6fd1377b4725 · 2016-04-15T11:13:17.000-06:00
If a user has the global_admin roles in any keystone project
they will be marked as a grafana admin.
diff --git a/conf/defaults.ini b/conf/defaults.ini
@@ -202,8 +202,10 @@ config_file = /etc/grafana/ldap.toml
 enabled = false
 auth_url = http://localhost:5000
 default_domain = default
+global_admin_roles =
 admin_roles = admin
 editor_roles = _member_
+read_editor_roles =
 viewer_roles =
 
 #################################### SMTP / Emailing ##########################
diff --git a/conf/sample.ini b/conf/sample.ini
@@ -195,8 +195,10 @@
 ;auth_url = http://localhost:5000
 ;v3 = false
 ;default_domain = default
+;global_admin_roles =
 ;admin_roles = admin
 ;editor_roles = _member_
+;read_editor_roles =
 ;viewer_roles =
 
 #################################### SMTP / Emailing ##########################
diff --git a/pkg/login/auth.go b/pkg/login/auth.go
@@ -43,8 +43,10 @@ func AuthenticateUser(query *LoginUserQuery) error {
 	if setting.KeystoneEnabled {
 		auther := NewKeystoneAuthenticator(setting.KeystoneURL,
 			setting.KeystoneDefaultDomain,
+			setting.KeystoneGlobalAdminRoles,
 			setting.KeystoneAdminRoles,
 			setting.KeystoneEditorRoles,
+			setting.KeystoneReadEditorRoles,
 			setting.KeystoneViewerRoles)
 		err = auther.login(query)
 		if err == nil || err != ErrInvalidCredentials {
diff --git a/pkg/login/keystone.go b/pkg/login/keystone.go
@@ -9,21 +9,24 @@ import (
 )
 
 type keystoneAuther struct {
-	server     string
-	domainname string
-	roles      map[m.RoleType][]string
+	server      string
+	domainname  string
+	roles       map[m.RoleType][]string
+	admin_roles []string
 
 	token        string
 	project_list map[string][]string
 }
 
-func NewKeystoneAuthenticator(server, domainname string, admin_roles, editor_roles, viewer_roles []string) *keystoneAuther {
+func NewKeystoneAuthenticator(server, domainname string, global_admin_roles, admin_roles, editor_roles,
+	read_editor_roles, viewer_roles []string) *keystoneAuther {
 	roles := map[m.RoleType][]string{
-		m.ROLE_ADMIN:  admin_roles,
-		m.ROLE_EDITOR: editor_roles,
-		m.ROLE_VIEWER: viewer_roles,
+		m.ROLE_ADMIN:            admin_roles,
+		m.ROLE_EDITOR:           editor_roles,
+		m.ROLE_READ_ONLY_EDITOR: read_editor_roles,
+		m.ROLE_VIEWER:           viewer_roles,
 	}
-	return &keystoneAuther{server: server, domainname: domainname, roles: roles}
+	return &keystoneAuther{server: server, domainname: domainname, roles: roles, admin_roles: global_admin_roles}
 }
 
 func (a *keystoneAuther) login(query *LoginUserQuery) error {
@@ -86,6 +89,19 @@ func (a *keystoneAuther) createGrafanaUser(username string) (*m.User, error) {
 	return &cmd.Result, nil
 }
 
+func (a *keystoneAuther) updateGrafanaUserPermissions(userid int64, isAdmin bool) error {
+	cmd := m.UpdateUserPermissionsCommand{
+		UserId:         userid,
+		IsGrafanaAdmin: isAdmin,
+	}
+
+	if err := bus.Dispatch(&cmd); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (a *keystoneAuther) getGrafanaOrgFor(orgname string) (*m.Org, error) {
 	// get org from grafana db
 	orgQuery := m.GetOrgByNameQuery{Name: orgname}
@@ -204,6 +220,30 @@ func (a *keystoneAuther) syncOrgRoles(username, password string, user *m.User) e
 		}
 	}
 
+	// set or unset admin permissions
+	isAdmin := false
+	role_map := make(map[string]bool)
+	for _, role := range a.admin_roles {
+		role_map[role] = true
+	}
+	for project, _ := range a.project_list {
+		if isAdmin == true {
+			break
+		}
+		project_roles := a.project_list[project]
+		for _, role := range project_roles {
+			if _, ok := role_map[role]; ok {
+				isAdmin = true
+				break
+			}
+		}
+	}
+	if isAdmin != user.IsAdmin {
+		if err := a.updateGrafanaUserPermissions(user.Id, isAdmin); err != nil {
+			return err
+		}
+	}
+
 	orgsQuery = m.GetUserOrgListQuery{UserId: user.Id}
 	if err := bus.Dispatch(&orgsQuery); err != nil {
 		return err
@@ -268,7 +308,7 @@ func (a *keystoneAuther) getRole(user_roles []string) m.RoleType {
 	for _, role := range user_roles {
 		role_map[role] = true
 	}
-	role_order := []m.RoleType{m.ROLE_ADMIN, m.ROLE_EDITOR, m.ROLE_VIEWER}
+	role_order := []m.RoleType{m.ROLE_ADMIN, m.ROLE_EDITOR, m.ROLE_READ_ONLY_EDITOR, m.ROLE_VIEWER}
 	for _, role_type := range role_order {
 		for _, role := range a.roles[role_type] {
 			if _, ok := role_map[role]; ok {
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
@@ -127,12 +127,14 @@ var (
 	LdapConfigFile string
 
 	// Keystone
-	KeystoneEnabled       bool
-	KeystoneURL           string
-	KeystoneDefaultDomain string
-	KeystoneViewerRoles   []string
-	KeystoneEditorRoles   []string
-	KeystoneAdminRoles    []string
+	KeystoneEnabled          bool
+	KeystoneURL              string
+	KeystoneDefaultDomain    string
+	KeystoneViewerRoles      []string
+	KeystoneReadEditorRoles  []string
+	KeystoneEditorRoles      []string
+	KeystoneAdminRoles       []string
+	KeystoneGlobalAdminRoles []string
 
 	// SMTP email settings
 	Smtp SmtpSettings
@@ -480,8 +482,10 @@ func NewConfigContext(args *CommandLineArgs) error {
 	KeystoneURL = keystone.Key("auth_url").String()
 	KeystoneDefaultDomain = keystone.Key("default_domain").String()
 	KeystoneViewerRoles = strings.Split(keystone.Key("viewer_roles").String(), ",")
+	KeystoneReadEditorRoles = strings.Split(keystone.Key("read_editor_roles").String(), ",")
 	KeystoneEditorRoles = strings.Split(keystone.Key("editor_roles").String(), ",")
 	KeystoneAdminRoles = strings.Split(keystone.Key("admin_roles").String(), ",")
+	KeystoneGlobalAdminRoles = strings.Split(keystone.Key("global_admin_roles").String(), ",")
 
 	readSessionConfig()
 	readSmtpSettings()
