This repository was archived by the owner on Mar 24, 2026. It is now read-only.

feat: update RBAC permissioning to support grafana-irm-app#5149

Merged
joeyorlando merged 13 commits into dev from jorlando/update-rbac-permissions-to-support-irm-app
Oct 10, 2024

Conversation


@joeyorlando joeyorlando commented Oct 9, 2024

What this PR does

Closes https://github.com/grafana/irm/issues/31 (and supersedes #4784)

Main changes:

  • updates apps.api.permissions.user_is_authorized to check the value of organization.is_grafana_irm_enabled. If it is, we check for the presence of grafana-irm-app prefixed RBAC permissions rather than grafana-oncall-app
  • cleans up engine/apps/api/tests/test_permissions.py (bulk of the changes in the PR)
  • converts apps.user_management.models.User.build_permissions_query to a UserQuerySet method instead
    • means we can now do things like this instead: User.objects.filter_by_permission(RBACPermission.Permissions.NOTIFICATIONS_READ, organization)

Checklist

  • Unit, integration, and e2e (if applicable) tests updated
  • Documentation added (or pr:no public docs PR label added if not required)
  • Added the relevant release notes label (see labels prefixed w/ release:). These labels dictate how your PR will show up in the autogenerated release notes.
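As an added illustration of the check the description above states (an IRM-enabled organization is matched against grafana-irm-app prefixed permissions instead of grafana-oncall-app, with a basic-role fallback when RBAC is off), here is a minimal in-memory model. This is not grafana/oncall's own code; the class and attribute names (Organization, User, Permission, value_for, filter_by_permission) are assumptions chosen to mirror the discussion.

```python
# Added illustration, not grafana/oncall's own code: a minimal model of the
# permission check the PR description states; all names here are assumptions.
from dataclasses import dataclass, field
from enum import Enum

ONCALL_PREFIX = "grafana-oncall-app"
IRM_PREFIX = "grafana-irm-app"

class Role(Enum):
    # Lower value == more privileged, which the role__lte fallback relies on.
    ADMIN = 0
    EDITOR = 1
    VIEWER = 2

@dataclass
class Organization:
    is_rbac_permissions_enabled: bool
    is_grafana_irm_enabled: bool

@dataclass
class User:
    organization: Organization
    role: Role
    permissions: list = field(default_factory=list)  # [{"action": "<perm>"}]

@dataclass(frozen=True)
class Permission:
    resource: str
    action: str
    fallback_role: Role

    def value_for(self, prefix: str) -> str:
        return f"{prefix}.{self.resource}:{self.action}"

    def user_has_permission(self, user: User) -> bool:
        org = user.organization
        if not org.is_rbac_permissions_enabled:
            # Legacy path: the basic Grafana role decides.
            return user.role.value <= self.fallback_role.value
        # RBAC path: IRM-enabled orgs are checked for the grafana-irm-app
        # prefix instead of grafana-oncall-app, as the description states.
        prefix = IRM_PREFIX if org.is_grafana_irm_enabled else ONCALL_PREFIX
        return {"action": self.value_for(prefix)} in user.permissions

NOTIFICATIONS_READ = Permission("notifications", "read", Role.VIEWER)

def filter_by_permission(users: list, perm: Permission) -> list:
    """In-memory stand-in for the filter_by_permission queryset method."""
    return [u for u in users if perm.user_has_permission(u)]
```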

@joeyorlando joeyorlando added the pr:no public docs and release:patch labels Oct 9, 2024
@joeyorlando joeyorlando requested a review from a team October 9, 2024 21:33
@joeyorlando joeyorlando marked this pull request as draft October 10, 2024 13:03
Comment on lines -93 to -100
if organization.is_rbac_permissions_enabled:
# it is more efficient to check permissions on the subset of users filtered above
# than performing a regex query for the required permission
users_found_in_ical = [u for u in users_found_in_ical if {"action": required_permission.value} in u.permissions]
else:
users_found_in_ical = users_found_in_ical.filter(role__lte=required_permission.fallback_role.value)

return list(users_found_in_ical)
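Review bot: the legacy branch compares `role__lte=required_permission.fallback_role.value`, which only works if the role enum is ordered with the most privileged role at the lowest value; when this comparison moves into `user_has_permission`, state that ordering assumption in a comment and cover the boundary case (a user whose role is exactly `fallback_role`) in a test. Note also that the RBAC branch evaluates `{"action": required_permission.value} in u.permissions` in Python over the already-filtered list while the fallback stays a database filter, so the replacement must keep the same fail-closed result for users with an empty `permissions` list.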
Contributor Author

this makes things much cleaner. users_in_ical shouldn't need to know anything about how to conditionally check permissions (i.e. is_rbac_permissions_enabled) or the structure of RBAC permissions ({"action": required_permission.value}).

See the new LegacyAccessControlCompatiblePermission.user_has_permission method

self.value = f"{prefix}.{resource.value}:{action.value}"
self.fallback_role = fallback_role

def user_has_permission(self, user: "User") -> bool:
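Review bot: `self.value` is fixed at construction from a single `prefix`, but the PR description says IRM-enabled organizations should be checked against the `grafana-irm-app` prefix, so `user_has_permission` cannot simply compare `self.value` against `user.permissions`; it needs to derive the IRM variant from `user.organization.is_grafana_irm_enabled`. A docstring on `user_has_permission` stating which prefix is checked under which flag, and that `fallback_role` applies when RBAC is disabled, would make that contract explicit.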
Contributor Author

main changes

Comment thread engine/apps/api/permissions.py Outdated

def get_permission_from_permission_string(perm: str) -> typing.Optional[LegacyAccessControlCompatiblePermission]:
def get_permission_from_permission_string(
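Review bot: the return type is `typing.Optional[LegacyAccessControlCompatiblePermission]`, so the caller that filters the users endpoint query must handle `None` for an unrecognised permission string; returning an empty result rather than silently dropping the filter keeps that endpoint fail-closed. The wrapped signature shows no docstring; adding one that names the expected string format `prefix.resource:action` (the format `self.value` is built from) would help callers.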
Contributor Author

(see here for more context on how this is used; tl;dr: query filtering for the user's endpoint)

@joeyorlando joeyorlando marked this pull request as ready for review October 10, 2024 16:01
… github.com:grafana/oncall into jorlando/update-rbac-permissions-to-support-irm-app
@matiasb matiasb left a comment

LGTM, minor comments added.

Comment thread engine/apps/api/permissions.py Outdated
permission_class_value = permission_class.value
irm_permission_value = convert_oncall_permission_to_irm(permission_class)

if permission_class_value == perm or organization.is_grafana_irm_enabled and irm_permission_value == perm:
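Review bot: the condition accepts `permission_class_value` (the oncall-prefixed string) regardless of `organization.is_grafana_irm_enabled`, which is broader than the description's "grafana-irm-app ... rather than grafana-oncall-app"; if IRM organizations should only match IRM-prefixed permissions, gate the first clause on `not organization.is_grafana_irm_enabled`, otherwise document that both prefixes are accepted for IRM organizations. Parentheses around the `and` clause would also make the intended precedence obvious.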
Contributor

Precedence works ok here, but maybe add parentheses grouping the `and` conditions to make it easier to read?

Contributor Author
@joeyorlando joeyorlando Oct 10, 2024

decided to get rid of this method in favour of ALL_PERMISSION_NAME_TO_CLASS_MAP (dict lookup should be more performant than the for loop)

Comment thread engine/apps/schedules/ical_utils.py Outdated
@@ -90,14 +93,9 @@ def users_in_ical(
(Q(username__in=usernames_from_ical) | Q(email__lower__in=emails_from_ical))
).distinct()
Contributor

Wondering if we should do a select_related for organization here, since we will be accessing u.organization for each user when checking user_has_permission below.

Contributor Author

good catch 👍 addressed in 6c9a29d

@joeyorlando joeyorlando added this pull request to the merge queue Oct 10, 2024
Merged via the queue into dev with commit 04ab676 Oct 10, 2024
@joeyorlando joeyorlando deleted the jorlando/update-rbac-permissions-to-support-irm-app branch October 10, 2024 19:12