-
Notifications
You must be signed in to change notification settings - Fork 12.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RBAC: Default to plugins.app:access for plugin includes #90969
Conversation
@@ -9,6 +9,8 @@ import ( | |||
|
|||
const ( | |||
TypeDashboard = "dashboard" | |||
|
|||
ActionAppAccess = "plugins.app:access" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies - way out of the loop on this but is the "app"
in reference to the plugin type IE app plugins? I just see that technically for the CloudWatch datasource now for example, this will be returned as part of the API. I assume this is expected? I could be the only one lacking insight, but is this anything the plugin maintainers should be aware of to avoid any potential confusion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the "app" in reference to the plugin type IE app plugins?
Yes it is.
I just see that technically for the CloudWatch datasource now for example, this will be returned as part of the API. I assume this is expected?
No it's not 😅
I thought Includes
were restricted to app plugins 😮 But obviously now that I look at other tests, it seems that other kind of plugins can define their includes.
* Default to app access for includes * Check plugin type
What is this feature?
This PR sets the permission required to access a
navlink
(=include
) that was previously protected byrole: Viewer
(orwith no role/action specified) with
action: plugins.app:access
. This will allow users with theNone
role to viewnavlinks
when they have theplugins.app:access
permission.Why do we need this feature?
Because some includes don't need any permission aside from
plugins.app:access
. This permission is the bare minimum you need to access a plugin. It's sort of the RBAC equivalent toreqRole = "Viewer"
we had previously.Special notes for your reviewer:
I assume I'll need to update the documentation :)