RBAC for Plugins
We’re excited to announce that plugins can now leverage Grafana’s role-based access control to define their own roles and permissions in order to control access to their routes.
To define roles and their default assignments, plugin developers need to add a roles section to their plugin.json file. Grafana will automatically register these roles and assign them to the corresponding basic roles: Viewer, Editor, Admin, and Grafana Admin.
The following example defines two RBAC plugin roles and assigns them to Admins and Viewers (and thus Editors and Admins) by default:
"roles": [
  {
    "role": {
      "name": "Patents Reader",
      "description": "Read patents",
      "permissions": [
        {"action": "grafana-appwithrbac-app.patents:read"}
      ]
    },
    "grants": ["Admin"]
  },
  {
    "role": {
      "name": "Research papers Reader",
      "description": "Read research papers",
      "permissions": [
        {"action": "grafana-appwithrbac-app.papers:read"}
      ]
    },
    "grants": ["Viewer"]
  }
]
Protecting includes and routes is also straightforward, and can be done through the new action and reqAction fields of these sections of the plugin.json file.
Plugin example
If you’d like to test this and explore RBAC for plugins further, refer to this plugin example for guidance.
Known limitation
Plugin permissions are currently restricted to actions without scopes.
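A review-time check for the roles section and the action and reqAction guards described above, written as an added example (not Grafana's or the plugin example's own code). The function name, the sample paths and the rule that every guard must name an action defined by a role are assumptions made for this sketch.

```python
import json

BASIC_ROLES = {"Viewer", "Editor", "Admin", "Grafana Admin"}  # grant targets named on the page

def lint_plugin_rbac(plugin):
    """Return findings for the RBAC-related parts of a parsed plugin.json."""
    findings, defined = [], set()
    for entry in plugin.get("roles", []):
        role = entry.get("role", {})
        name = role.get("name", "<unnamed>")
        for perm in role.get("permissions", []):
            action = perm.get("action")
            if not action:
                findings.append(f"role {name!r}: permission without an action")
                continue
            defined.add(action)
            if perm.get("scope"):  # known limitation: actions only, no scopes
                findings.append(f"role {name!r}: {action} carries a scope")
        for grant in entry.get("grants", []):
            if grant not in BASIC_ROLES:
                findings.append(f"role {name!r}: unknown grant {grant!r}")
    # Assumed hygiene rule (not a Grafana check): each guard names a defined action.
    for section, field in (("includes", "action"), ("routes", "reqAction")):
        for item in plugin.get(section, []):
            where = f"{section} {item.get('path', '?')!r}"
            action = item.get(field)
            if action is None:
                findings.append(f"{where}: no {field} set")
            elif action not in defined:
                findings.append(f"{where}: {field} {action!r} not defined by any role")
    return findings

# Constructed sample: the page's two roles plus deliberate mistakes to exercise the checks.
SAMPLE = json.loads("""
{"roles": [
   {"role": {"name": "Patents Reader", "description": "Read patents",
             "permissions": [{"action": "grafana-appwithrbac-app.patents:read"}]},
    "grants": ["Admin"]},
   {"role": {"name": "Research papers Reader", "description": "Read research papers",
             "permissions": [{"action": "grafana-appwithrbac-app.papers:read", "scope": "papers:*"}]},
    "grants": ["Viewers"]}],
 "includes": [{"path": "/a/grafana-appwithrbac-app/patents",
               "action": "grafana-appwithrbac-app.patents:read"}],
 "routes": [{"path": "api/papers", "reqAction": "grafana-appwithrbac-app.paper:read"},
            {"path": "api/health"}]}
""")

if __name__ == "__main__":
    for finding in lint_plugin_rbac(SAMPLE):
        print(finding)
```

A route or include reported as having no guard may still be restricted by other means; the finding only says plugin RBAC is not what protects it.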