Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

grafana_folder: add permissions #231

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

grafana_folder: add permissions #231

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f410d3c
add create_folder_permission
CWollinger Apr 4, 2022
5de9896
ensure idempotency
CWollinger Apr 5, 2022
2c6fc2e
add more tests
CWollinger Apr 5, 2022
d52a99f
fix test
CWollinger Apr 5, 2022
8a12b5f
add missing permissions key in example
CWollinger Apr 5, 2022
d4af773
suboption permission always needed
CWollinger Apr 6, 2022
d4349c3
use loop to remove items
CWollinger Apr 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
138 changes: 138 additions & 0 deletions plugins/modules/grafana_folder.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,38 @@
type: bool
default: False
version_added: "1.2.0"
permissions:
description:
- Set the permissions of the folder.
- Able to define it for a I(role), I(teamId) and I(userId)
- This will remove existing permissions if they are not included.
type: list
elements: dict
suboptions:
role:
description:
- The name of the role.
choices:
- Viewer
- Editor
type: str
username:
description:
- The name of the user.
type: str
team:
description:
- The name of the team.
type: str
permission:
description:
- The permission to be added.
choices:
- view
- edit
- admin
required: true
type: str
extends_documentation_fragment:
- community.grafana.basic_auth
- community.grafana.api_key
Expand All @@ -66,6 +98,20 @@
title: "grafana_working_group"
state: present

- name: Create a folder and set permissions
community.grafana.grafana_folder:
url: "https://grafana.example.com"
grafana_api_key: "{{ some_api_token_value }}"
title: "grafana_working_group"
state: present
permissions:
- role: "Editor"
permission: "admin"
- username: "myuser"
permission: "edit"
- team: "myteam"
permission: "view"

- name: Delete a folder
community.grafana.grafana_folder:
url: "https://grafana.example.com"
Expand Down Expand Up @@ -246,6 +292,82 @@ def delete_folder(self, folder_uid):
response = self._send_request(url, headers=self.headers, method="DELETE")
return response

def get_folder_permission(self, folder_uid):
url = "/api/folders/{folder_uid}/permissions".format(folder_uid=folder_uid)
response = self._send_request(url, headers=self.headers, method="GET")
for items in response:
del items['created']
del items['inherited']
del items['slug']
del items['teamAvatarUrl']
del items['teamEmail']
del items['title']
del items['uid']
del items['updated']
del items['url']
del items['userAvatarUrl']
del items['userEmail']
del items['userLogin']
del items['folderId']
del items['permissionName']
del items['team']
del items['isFolder']
rrey marked this conversation as resolved.
Show resolved Hide resolved
if items['userId'] == 0:
del items['userId']
if items['teamId'] == 0:
del items['teamId']
return response

def create_folder_permission(self, folder_uid, permissions):
url = "/api/folders/{folder_uid}/permissions".format(folder_uid=folder_uid)
items = {
"items": []
}
items["items"].extend(permissions)
response = self._send_request(url, data=items, headers=self.headers, method="POST")
return response

def get_user_id_from_mail(self, email):
url = "/api/users/lookup?loginOrEmail={email}".format(email=email)
user = self._send_request(url, headers=self.headers, method="GET")
if user is None:
self._module.fail_json(failed=True, msg="User '%s' does not exists" % email)
return user.get("id")

def get_team(self, name):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have code in grafana_team.py doing this (line 241).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we export these functions to module_utils and import this from both modules? Could be also interesting for other functions like

community.grafana/plugins/modules/grafana_team.py

Line 226 in 108b8b6

def get_version(self):

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, that is something I'd like to do at some point ; have all Grafana API call related stuff in module_utils and have our library that we can use in all modules.

I guess it will be easier if you move the team related stuff that you need to have the big change that I will never have time to review properly.

Sorry for the delay on this PR.

url = "/api/teams/search?name={team}".format(team=quote(name))
response = self._send_request(url, headers=self.headers, method="GET")
if len(response.get("teams")) == 0:
self._module.fail_json(failed=True, msg="Team '%s' does not exists" % name)
return response.get("teams")[0]["id"]

def process_permission_input(self, input):
for i in input:
if i["username"] is None:
del i["username"]
if i["team"] is None:
del i["team"]
if i["role"] is None:
del i["role"]

if "username" in i:
i["userId"] = i.pop("username")
i["userId"] = self.get_user_id_from_mail(i["userId"])

if "team" in i:
i["teamId"] = i.pop("team")
i["teamId"] = self.get_team(i["teamId"])

if i["permission"] == "view":
i["permission"] = 1
elif i["permission"] == "edit":
i["permission"] = 2
elif i["permission"] == "admin":
i["permission"] = 4
else:
self._module.fail_json(failed=True, msg="Use view, edit or admin as value for permission")
return input


def setup_module_object():
module = AnsibleModule(
Expand All @@ -257,11 +379,19 @@ def setup_module_object():
return module


permissions_spec = dict(
role=dict(type='str', choices=['Viewer', 'Editor']),
team=dict(type='str'),
username=dict(type='str'),
permission=dict(type='str', choices=['view', 'edit', 'admin'], required=True),
)

argument_spec = base.grafana_argument_spec()
argument_spec.update(
name=dict(type='str', aliases=['title'], required=True),
state=dict(type='str', default='present', choices=['present', 'absent']),
skip_version_check=dict(type='bool', default=False),
permissions=dict(type='list', elements='dict', options=permissions_spec),
)


Expand All @@ -270,6 +400,7 @@ def main():
module = setup_module_object()
state = module.params['state']
title = module.params['name']
permissions = module.params['permissions']

grafana_iface = GrafanaFolderInterface(module)

Expand All @@ -281,6 +412,13 @@ def main():
folder = grafana_iface.get_folder(title)
changed = True
folder = grafana_iface.get_folder(title)
if permissions is not None:
rrey marked this conversation as resolved.
Show resolved Hide resolved
current_permissions = grafana_iface.get_folder_permission(folder.get("uid"))
new_permissions = grafana_iface.process_permission_input(permissions)
if current_permissions != new_permissions:
grafana_iface.create_folder_permission(folder.get("uid"), permissions)
changed = True

module.exit_json(changed=changed, folder=folder)
elif state == 'absent':
folder = grafana_iface.get_folder(title)
Expand Down
87 changes: 87 additions & 0 deletions tests/integration/targets/grafana_folder/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,93 @@
- "result.changed == false"
- "result.folder.title == 'grafana_working_group'"


- name: Change folder permissions
grafana_folder:
url: "{{ grafana_url }}"
url_username: "{{ grafana_username }}"
url_password: "{{ grafana_password }}"
title: "grafana_working_group"
state: present
permissions:
- role: "Editor"
permission: "admin"
- role: "Viewer"
permission: "view"
register: result

- assert:
that:
- "result.changed == true"
- "result.folder.title == 'grafana_working_group'"

rrey marked this conversation as resolved.
Show resolved Hide resolved
- name: Test folder permission idempotency
grafana_folder:
url: "{{ grafana_url }}"
url_username: "{{ grafana_username }}"
url_password: "{{ grafana_password }}"
title: "grafana_working_group"
state: present
permissions:
- role: "Editor"
permission: "admin"
- role: "Viewer"
permission: "view"
register: result

- assert:
that:
- "result.changed == false"
- "result.folder.title == 'grafana_working_group'"

- name: Test folder permission user lookup
grafana_folder:
url: "{{ grafana_url }}"
url_username: "{{ grafana_username }}"
url_password: "{{ grafana_password }}"
title: "grafana_working_group"
state: present
permissions:
- role: "Editor"
permission: "admin"
- role: "Viewer"
permission: "view"
- username: "unknown"
permission: "edit"
register: result
ignore_errors: true

- set_fact:
expected_error: "User 'unknown' does not exists"

- assert:
that:
- "result.changed == false"
- "result.failed == true"
- "result.msg == expected_error"

- name: Test folder permission team lookup
grafana_folder:
url: "{{ grafana_url }}"
url_username: "{{ grafana_username }}"
url_password: "{{ grafana_password }}"
title: "grafana_working_group"
state: present
permissions:
- team: "unknown"
permission: "edit"
register: result
ignore_errors: true

- set_fact:
expected_error: "Team 'unknown' does not exists"

- assert:
that:
- "result.changed == false"
- "result.failed == true"
- "result.msg == expected_error"
Comment on lines +112 to +116
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CWollinger I don't know if you still want to finish this PR but I am realizing now after coming back to this PR that we don't check the permissions in these tests.
I believe that the permissions should be in the module outputs and an assert performed to check it is the proper ones.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I will check this.


- name: Delete a Folder
grafana_folder:
url: "{{ grafana_url }}"
Expand Down