Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change mapping of permission NOTIFICATIONS_READ to legacy role #5358

Open
wants to merge 4 commits into
base: dev
Choose a base branch
from

Conversation

brat002
Copy link

@brat002 brat002 commented Dec 12, 2024

The problem the PR solves is a user must have EDITOR role in Grafana to be included into a Schedule.

If we compare other _READ level privileges with their legacy roles, they are mapped to VIEWER role (except API keys read).

In short, the main idea of this change is to avoid granting a user EDITOR role in a whole organization only because a user should be a part of some Schedule.

What this PR does

This PR changes a mapping of NOTIFICATIONS_READ permission from EDITOR to VIEWER role.

Which issue(s) this PR closes

Checklist

  • Unit, integration, and e2e (if applicable) tests updated
  • Documentation added (or pr:no public docs PR label added if not required)
  • Added the relevant release notes label (see labels prefixed w/ release:). These labels dictate how your PR will
    show up in the autogenerated release notes.

@CLAassistant
Copy link

CLAassistant commented Dec 12, 2024

CLA assistant check
All committers have signed the CLA.

@brat002 brat002 marked this pull request as ready for review December 12, 2024 12:26
@brat002 brat002 requested a review from a team as a code owner December 12, 2024 12:26
@brat002 brat002 changed the title Change mapping of permission NORIFICATION_READ to legacy role Change mapping of permission NOTIFICATION_READ to legacy role Dec 12, 2024
@brat002 brat002 changed the title Change mapping of permission NOTIFICATION_READ to legacy role Change mapping of permission NOTIFICATIONS_READ to legacy role Dec 12, 2024
@alexandr-ku-MA
Copy link

Guys, could you take a look?
@matiasb ?

@matiasb
Copy link
Contributor

matiasb commented Dec 17, 2024

Hey,

I see your point. But if you allow Viewers to receive notifications, I guess you will also need them to act on alert groups (requiring alert groups write perm), and/or allow them to setup their notification policies (user settings write), right? So the main decision on our side would be if we should allow Viewers to be on-call, that AFAICT was discarded at some point (but it may make sense to have a global project setting enabling this? eg. ALLOW_VIEWERS_ON_CALL).

@brat002
Copy link
Author

brat002 commented Dec 17, 2024

I see your point. But if you allow Viewers to receive notifications, I guess you will also need them to act on alert groups (requiring alert groups write perm), and/or allow them to setup their notification policies (user settings write), right? So the main decision on our side would be if we should allow Viewers to be on-call, that AFAICT was discarded at some point (but it may make sense to have a global project setting enabling this? eg. ALLOW_VIEWERS_ON_CALL).

The reasons make sense, although we use Grafana oncall mostly as an engine for Schedules. None of actual actions are expected from users.

I think adding ALLOW_VIEWERS_ON_CALL is a good tradeoff. If so, I'll add the changes.

@brat002
Copy link
Author

brat002 commented Dec 19, 2024

Added. I've found a block of settings with FEATURE_ prefix. I suppose the setting also may be considered as a FEATURE.

@xemekk
Copy link

xemekk commented Dec 23, 2024

We've also encountered a problem here and moving users to editors only to let them be part of schedule isn't an option. Would love to have this merged

@matiasb
Copy link
Contributor

matiasb commented Dec 26, 2024

The reasons make sense, although we use Grafana oncall mostly as an engine for Schedules. None of actual actions are expected from users.

Ok, but I think if we have this toggle to enable Viewers to be on-call, we should allow them to perform all on-call related actions (so I would expect them to have the same perms as the OnCaller role we have defined), to have a more reusable/generally useful approach, makes sense?

@brat002
Copy link
Author

brat002 commented Dec 27, 2024

I've added dynamic definition of Permission class based on feature toggle. I think this looks better then 5 If/else. @matiasb wdyt?

@brat002
Copy link
Author

brat002 commented Jan 8, 2025

So, any suggestions, ideas, complaints? Can we merge it?

Resources.NOTIFICATIONS, Actions.READ, LegacyAccessControlRole.VIEWER
)

permissions: Permissions = Permissions if not settings.FEATURE_ALLOW_VIEWERS_ON_CALL else ViewerOnCallPermissions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be sure, what happens with the other permissions when the setting is enabled? This seems like it could break if combined with an RBAC-based setup?
OTOH, what if permissions are added or changed? I think we would prefer a more general/reusable approach to avoid potential unexpected behaviors in the future (I still think allowing viewers to be on-call may make sense in some cases, but it would be nice to make the change as simple and future-proof as possible)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be sure, what happens with the other permissions when the setting is enabled? This seems like it could break if combined with an RBAC-based setup?

I don't see how the changes may break something. When FEATURE_ALLOW_VIEWERS_ON_CALL == false - previously existing logic is being used. Class Permissions doesn't have any modifications. ViewerOnCallPermissions simply redefines several permissions. Do I miss something?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants