Fix RBAC service account permission checks

xnyo · xnyo · commit 79ad19e62ee9 · 2023-08-17T10:48:56.000+02:00
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ Then, create a service account token for the newly created service account and s
 
 > Warning, Angular private plugins will be ignored from the scan when using Grafana <= 10.1.0.
 
-Create a service account, with `Plugins / Plugin Writer` permissions (or "Admin" if using OSS without RBAC).
+Create a service account, with `Plugins / Plugin Maintainer` permissions (or "Admin" if using OSS without RBAC).
 
 The reason behind admin rights is that the plugins endpoint returns all plugins only if the token can view and install plugins.
 
diff --git a/main.go b/main.go
@@ -75,11 +75,15 @@ func _main() error {
 			// as we may be running against an old Grafana version without service accounts
 			log.Logf("(WARNING: could not get service account permissions: %v)", err)
 			log.Logf("Please make sure that you have created an ADMIN token or the output will be wrong")
-		} else if _, ok := permissions["datasources:create"]; !ok {
-			return fmt.Errorf(
-				`the service account does not have "datasources:create" permission, please provide a ` +
-					"token for a service account with admin privileges",
-			)
+		} else {
+			_, hasDsCreate := permissions["datasources:create"]
+			_, hasPluginsInstall := permissions["plugins:install"]
+			if !hasDsCreate && !hasPluginsInstall {
+				return fmt.Errorf(
+					`the service account does not have "datasources:create" or "plugins:install" permission, ` +
+						"please provide a token for a service account with admin privileges",
+				)
+			}
 		}
 
 		// Get the plugins
