Does Plugin have to ensure API Key Security?

I have made a custom datasource plugin, and it works fine…except…

Today I wanted to create a tool that accesses that datasource directly, and it took me a while to realize that the X-Grafana-Org-Id header was needed. But then I quickly checked that my plugin would need to make sure that the API key used for access belongs to the Organization of the OrgId in the X-Grafana-Org-Id header.

Is this really expected? And if so, how do I even do that (i.e. the plugin looking up the API keys of the OrgId)? I can’t find any “key”, “auth” or similar in the Grafana Go module (except in the tests).


On the test system:
curl -vvvv -H "X-Grafana-Org-Id: 1" -H "Authorization: Bearer eyJrIjoiSGM2TjhyUnFUanpKOHo1OW5lN0tVdEdkd1piT3EwMzAiLCJuIjoiTGluazJXZWJMb2FkZXIiLCJpZCI6NX0="

That API key belongs to OrgId=5, but it returns the resource of OrgId=1.

To answer this myself after digging in Grafana source code… (well, I could have missed something)

The Grafana instance doesn’t ensure that the X-Grafana-Org-Id header is correct, so it MUST NOT be used to determine the OrgId on the plugin side.

And I can’t figure out any way to securely get the OrgId in my plugin, so I will modify Grafana to always overwrite the X-Grafana-Org-Id on calls to the plugin instances. I don’t see any other way.

I am an idiot!
There is a backend.CallResourceRequest.PluginContext.OrgID, which is set correctly. The header is some auxiliary thingy that should not be used at all.

Sorry for the noise.
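The two patterns discussed in this thread side by side, as an added example that is not from the original posts or from Grafana's own code: a resource handler that picks the organization from the caller-supplied X-Grafana-Org-Id header (the behaviour observed with the curl call above) next to one that takes it only from PluginContext.OrgID. The PluginContext and CallResourceRequest types below are local stand-ins that copy just the field names this example needs from grafana-plugin-sdk-go (assumed OrgID int64 and Headers map[string][]string), so the file builds with the standard library alone; the resource store and the request are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Local stand-ins for the SDK types. They copy only the field names and types
// this example needs from backend.PluginContext and backend.CallResourceRequest
// in grafana-plugin-sdk-go (assumption: OrgID int64, Headers map[string][]string)
// so that the file builds with the standard library alone.
type PluginContext struct {
	OrgID int64
}

type CallResourceRequest struct {
	PluginContext PluginContext
	Path          string
	Headers       map[string][]string
}

const orgHeader = "X-Grafana-Org-Id"

// Constructed sample store standing in for the datasource backend: one
// resource list per organization.
var resourcesByOrg = map[int64][]string{
	1: {"org1-private-report"},
	5: {"org5-webloader-feed"},
}

// headerOrgID is the vulnerable pattern from the thread: it picks the org from
// the caller-controlled header, so a key for org 5 can read org 1's resources.
func headerOrgID(req CallResourceRequest) (int64, error) {
	vals := req.Headers[orgHeader]
	if len(vals) == 0 {
		return 0, errors.New("missing " + orgHeader)
	}
	return strconv.ParseInt(vals[0], 10, 64)
}

// trustedOrgID is the fix: the org comes only from PluginContext.OrgID, which
// Grafana fills in from the authenticated caller. The header is never used for
// authorization; it is only compared so that a mismatch can be logged.
func trustedOrgID(req CallResourceRequest) (orgID int64, headerMismatch bool, err error) {
	orgID = req.PluginContext.OrgID
	if orgID <= 0 {
		return 0, false, errors.New("PluginContext.OrgID not set")
	}
	if vals := req.Headers[orgHeader]; len(vals) > 0 {
		claimed, perr := strconv.ParseInt(vals[0], 10, 64)
		headerMismatch = perr != nil || claimed != orgID
	}
	return orgID, headerMismatch, nil
}

// lookupByHeader serves the resource the way the original plugin did.
func lookupByHeader(req CallResourceRequest) ([]string, error) {
	orgID, err := headerOrgID(req)
	if err != nil {
		return nil, err
	}
	return resourcesByOrg[orgID], nil
}

// lookupTrusted serves only the authenticated org's resources and reports
// whether the header disagreed with the trusted value.
func lookupTrusted(req CallResourceRequest) ([]string, bool, error) {
	orgID, mismatch, err := trustedOrgID(req)
	if err != nil {
		return nil, false, err
	}
	return resourcesByOrg[orgID], mismatch, nil
}

func main() {
	// Constructed request reproducing the curl call above: the key belongs to
	// org 5 (so Grafana sets PluginContext.OrgID = 5) but the header says 1.
	req := CallResourceRequest{
		PluginContext: PluginContext{OrgID: 5},
		Path:          "resources",
		Headers:       map[string][]string{orgHeader: {"1"}},
	}
	leaked, _ := lookupByHeader(req)
	fmt.Println("header-based lookup:", leaked)
	own, mismatch, _ := lookupTrusted(req)
	fmt.Println("PluginContext-based lookup:", own, "header mismatch:", mismatch)
}
```

The mismatch flag is deliberately not turned into a rejection: since Grafana does not validate the header, a mismatch only tells you the caller sent a value the plugin is ignoring, which is worth a log line but not a reason to fail a request that was already authenticated for PluginContext.OrgID.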

Thanks for taking the time to update your question for those who might run into the same issue :pray: