-
Notifications
You must be signed in to change notification settings - Fork 297
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change mapping of permission NOTIFICATIONS_READ to legacy role #5358
base: dev
Are you sure you want to change the base?
Conversation
Guys, could you take a look? |
Hey, I see your point. But if you allow |
The reasons make sense, although we use Grafana oncall mostly as an engine for Schedules. None of actual actions are expected from users. I think adding |
Added. I've found a block of settings with FEATURE_ prefix. I suppose the setting also may be considered as a FEATURE. |
We've also encountered a problem here and moving users to editors only to let them be part of schedule isn't an option. Would love to have this merged |
Ok, but I think if we have this toggle to enable Viewers to be on-call, we should allow them to perform all on-call related actions (so I would expect them to have the same perms as the OnCaller role we have defined), to have a more reusable/generally useful approach, makes sense? |
I've added dynamic definition of Permission class based on feature toggle. I think this looks better then 5 If/else. @matiasb wdyt? |
So, any suggestions, ideas, complaints? Can we merge it? |
Resources.NOTIFICATIONS, Actions.READ, LegacyAccessControlRole.VIEWER | ||
) | ||
|
||
permissions: Permissions = Permissions if not settings.FEATURE_ALLOW_VIEWERS_ON_CALL else ViewerOnCallPermissions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be sure, what happens with the other permissions when the setting is enabled? This seems like it could break if combined with an RBAC-based setup?
OTOH, what if permissions are added or changed? I think we would prefer a more general/reusable approach to avoid potential unexpected behaviors in the future (I still think allowing viewers to be on-call may make sense in some cases, but it would be nice to make the change as simple and future-proof as possible)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be sure, what happens with the other permissions when the setting is enabled? This seems like it could break if combined with an RBAC-based setup?
I don't see how the changes may break something. When FEATURE_ALLOW_VIEWERS_ON_CALL == false
- previously existing logic is being used. Class Permissions
doesn't have any modifications. ViewerOnCallPermissions
simply redefines several permissions. Do I miss something?
The problem the PR solves is a user must have
EDITOR
role in Grafana to be included into a Schedule.If we compare other
_READ
level privileges with their legacy roles, they are mapped toVIEWER
role (except API keys read).In short, the main idea of this change is to avoid granting a user
EDITOR
role in a whole organization only because a user should be a part of some Schedule.What this PR does
This PR changes a mapping of
NOTIFICATIONS_READ
permission fromEDITOR
toVIEWER
role.Which issue(s) this PR closes
Checklist
pr:no public docs
PR label added if not required)release:
). These labels dictate how your PR willshow up in the autogenerated release notes.