External users management

elektryx · July 13, 2023, 9:05pm

Hello, could someone tell me how to solve this case:
I have external website, on this website is free content, users can register account.
If they decided to use premium featuers of website and additionaly use my grafana charts they have to activate payeble subscription in store.
Now is the problem. How to connect grafana autorization with accounts on my website? I want to copy username/password/email to grafana and create the same account.
After the subscription expire I want to run process everymornig which deactivate unpaid acounts on my website do the same in grafana users db.

What Grafana version and what operating system are you using?
9.5
What are you trying to achieve?
I am trying to find solution to create user in external website and copy it to grafana users db.
How are you trying to achieve it?
I am thinking about HTTP API or keeping user outside grafana but introducing external autenthication key
What happened?
I can not find good way to do this
What did you expect to happen?
I expect to create user in grafana via api, deactivate his account via api oraz introduce authkey which allow user to enter grafana only when he will be logged into my website
Any ideas how to solve this case?
Regards Elektryx

davidallen5 · July 13, 2023, 9:12pm

To connect Grafana authorization with accounts on your website, you should probably use the Grafana API to create and manage user accounts programmatically. Big picture here’s how that might go

When a user registers an account on your website you capture some details about them and whether they should see the grafana dashboards.
If they should, you would use the Grafana API /api/admin/users endpoint to create a user account in Grafana with the same details
Set up a process that runs every morning to check the status of the subscriptions. If a subscription has expired or is unpaid, you can deactivate the corresponding account on your website. This is unfortunately necessary since grafana has a different auth store
If you need to disable/delete access you would use /api/admin/users/:id to update their status.

Basically, this approach is synchronizing accounts between what you have and grafana.

Alternatively, if you use any of the auth providers on this page, you could set up auth in grafana to follow the same auth of whatever your regular provider would be, but with the caveat that you need a separate step to work out who should have permissions to see Grafana (not just have an account without permissions)

hope this helps

elektryx · July 14, 2023, 7:54pm

Thank you for quick answer, it helped me to move on with this problem.
I will try first option because in second one, user will have to log in every visit? In first one independent account in grafana can stay logged in - I am right?

elektryx · July 14, 2023, 10:27pm

On the way to solution I meet another problem with API.
I have postman configured, I can send POST/PUT/GET methods succesfully but with new user command:

POST /api/admin/users HTTP/1.1
Accept: application/json
Content-Type: application/json

{
  "name":"User",
  "email":"user@graf.com",
  "login":"user",
  "password":"userpassword",
  "OrgId": 1
}

I got premission error:
“accessErrorId”: “ACE1145061089”,
“message”: “You’ll need additional permissions to perform this action. Permissions needed: users:create”,
“title”: “Access denied”

I was trying to update premission with:
{users:create}
{“users”: “create”}
{“users:create”: true}

Everytime I have succes “message”: “User permissions updated” but still POST on adding new user doesn’t work, maybe this premission look a little bit different?

yosiasz · July 15, 2023, 5:00am

Did you base it on this?

elektryx · July 15, 2023, 9:08am

Yes, on admin http api

yosiasz · July 15, 2023, 1:13pm

And how are you authenticating in Postman

elektryx · July 15, 2023, 2:57pm

Service account api key, it probably works because grafana noticed “last used on…”

yosiasz · July 15, 2023, 3:11pm

I think doco says for user management you use basic auth not token

Admin API

The Admin HTTP API does not currently work with an API Token. API Tokens are currently only linked to an organization and an organization role. They cannot be given the permission of server admin, only users can be given that permission. So in order to use these API calls you will have to use Basic Auth and the Grafana user must have the Grafana Admin permission. (The default admin user is called admin and has permission to use this API.)

elektryx · July 15, 2023, 8:46pm

You are right, I made mistake with wrong auth, but I change it and the request which is in documentation still doesn’t work. I got answer in logs with empty password:

logger=context userId=1 orgId=1 uname=admin t=2023-07-15T22:37:49.6236294+02:00 level=info msg=“Request Completed” method=POST path=/api/admin/users status=400 remote_addr=[::1] time_ms=10 duration=10.6697ms size=43 referer= handler=/api/admin/users/
logger=context userId=1 orgId=1 uname=admin t=2023-07-15T22:38:24.9658686+02:00 level=error msg=“bad request data” error=“required value Password must not be empty” remote_addr=[::1] traceID=

When I sent :
{
“name”:“UserA”,
“email":"user@graf.com”,
“login”:“usera”,
“Password”:“Uerpass123”,
“OrgId”: 1
}

yosiasz · July 16, 2023, 1:50am

So you have a new issue or you are all set?