Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RBAC: Remove the accessControlOnCall feature toggle #1592

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

RBAC: Remove the accessControlOnCall feature toggle #1592

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 5 additions & 17 deletions docusaurus/docs/how-to-guides/app-plugins/implement-rbac-in-app-plugins.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,17 +20,7 @@ You can find an example app plugin that makes use of RBAC in our [grafana-plugin

## Before you begin

Ensure your development environment meets the following prerequisites:

- **Grafana version:** Use Grafana version 11.2.0 or later to access the most up-to-date RBAC features.
- **Feature toggle:** Activate the `accessControlOnCall` feature toggle to enable RBAC features in Grafana, which are essential for managing access controls within your plugin.

You can ensure the correct feature toggle is enabled by adding the following to your `docker-compose.yaml` file:

```yaml
environment:
- GF_FEATURE_TOGGLES_ENABLE=accessControlOnCall
```
Requires Grafana version 11.6.0 or later.

## Defining roles

Expand Down Expand Up @@ -119,18 +109,16 @@ To safeguard your proxied routes with action checks, include the `reqAction` par

If your backend exposes resources, you can secure them with action-based checks.

To enable this protection, activate the following features:

- `externalServiceAccounts`: Allows the use of managed service accounts to access Grafana user permissions.
- `idForwarding`: Required to provide an ID token to identify the requester, whether it's a user or a service account.
To enable this protection, activate the `externalServiceAccounts` feature to allow the use of managed service accounts to access Grafana user permissions.

:::note

These features can be enabled in your Grafana instance by modifying the `docker-compose.yaml` file as follows:
The `externalServiceAccounts` feature only supports single organization setups.
It can be enabled in your Grafana instance by modifying the `docker-compose.yaml` file as follows:

```yaml
environment:
- GF_FEATURE_TOGGLES_ENABLE=accessControlOnCall,idForwarding,externalServiceAccounts
- GF_FEATURE_TOGGLES_ENABLE=externalServiceAccounts
```

:::
Expand Down
2 changes: 1 addition & 1 deletion docusaurus/docs/reference/metadata.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,7 @@ For data source plugins. There is a query options section in the plugin's query

List of RBAC roles defined by the plugin and their default assignments to basic roles (`Viewer`, `Editor`, `Admin`, `Grafana Admin`).

Requires Grafana version 9.4.0 or later. Currently, this is behind the `accessControlOnCall` feature toggle.
Requires Grafana version 11.6.0 or later.

### Properties

Expand Down
Loading