Grafana templating by logged in user

Hi Team,

I have an elastic search backend configured to grafana. I have my grafana integrated to ldap search.

The grafana document has a field namely email:ttt@domain.com for example.

The user logs into grafana with the same email id.

My elastic search has many user records. There is a use case that a logged in user should be able to see only his record graphs. Can you please help me how to achieve this? Maybe templating the user name that's logged in dynamically?

Not sure but this sounds difficult. From a security perspective, it is hard to limit access to a data source with Grafana. With a Chrome plugin, postman etc, it is possible to send any query to a data source that you have been given access to. Maybe this is possible with Shield or a proxy layer between Grafana and Elasticsearch.

The way this is currently done (at least until the dashboard folders feature is released in 5.0.0) is to create an organization for each user/team. You would have to create a custom login page or proxy script outside of Grafana that would call the Grafana API and create an organization for the user when they log in the first time. Then create a special dashboard with their email hardcoded into the query and make the user a viewer so that they cannot change the query.

But even with this one user per organization structure, if they are all sharing the same data source then it will still be possible to view another user's records if they use a tool like Postman, curl or a Chrome plugin like Tamper.

1 Like
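The proxy layer suggested above, as an added example that is not part of the thread or of Grafana's or Elasticsearch's code: a filter a reverse proxy could apply to each `_msearch` body (newline-delimited JSON, alternating header and query lines) before forwarding it, so the per-user restriction is enforced server-side rather than in the dashboard query. Assumptions: the proxy already knows the logged-in user's email from its own authentication, the `email` field is mapped as a keyword, and `user-records`, `hasGlobalAgg`, `scopeQuery` and `scopeMsearch` are hypothetical names.

```javascript
// Added example: server-side rewrite of an Elasticsearch _msearch body so each
// query is ANDed with a filter on the authenticated user's email.
const EMAIL_FIELD = 'email'; // field name from the thread; assumed mapped as keyword

// A "global" aggregation ignores the search query, so it would escape the filter.
function hasGlobalAgg(aggs) {
  return Object.values(aggs || {}).some(
    (a) => a !== null && typeof a === 'object' &&
      ('global' in a || hasGlobalAgg(a.aggs || a.aggregations))
  );
}

function scopeQuery(body, userEmail) {
  if (hasGlobalAgg(body.aggs || body.aggregations)) {
    throw new Error('global aggregation not allowed');
  }
  const original = body.query || { match_all: {} };
  const filter = [{ term: { [EMAIL_FIELD]: userEmail } }];
  return { ...body, query: { bool: { must: [original], filter } } };
}

// ndjson: alternating header/body lines, as sent to _msearch.
// userEmail: identity established by the proxy's own authentication, never
// taken from the request body. allowedIndex: hypothetical index name to pin.
function scopeMsearch(ndjson, userEmail, allowedIndex) {
  if (typeof userEmail !== 'string' || userEmail === '') {
    throw new Error('no authenticated user');
  }
  const lines = ndjson.split('\n').filter((l) => l.trim() !== '');
  if (lines.length === 0 || lines.length % 2 !== 0) {
    throw new Error('malformed _msearch body');
  }
  const out = [];
  for (let i = 0; i < lines.length; i += 2) {
    const header = JSON.parse(lines[i]);
    const body = JSON.parse(lines[i + 1]);
    out.push(JSON.stringify({ ...header, index: allowedIndex }));
    out.push(JSON.stringify(scopeQuery(body, userEmail)));
  }
  return out.join('\n') + '\n';
}

// Constructed sample request: the body names a different user and index.
const SAMPLE = [
  JSON.stringify({ index: 'other-index', ignore_unavailable: true }),
  JSON.stringify({ size: 0, query: { term: { email: 'someone.else@domain.com' } } }),
].join('\n') + '\n';

console.log(scopeMsearch(SAMPLE, 'ttt@domain.com', 'user-records'));
```

The rewrite only helps if Elasticsearch is reachable solely through this proxy; a data source that browsers or other clients can reach directly is not constrained by it.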

Hi Danielle,

I just understand the security perspective vaguely. We are not concerned about the security. We just want to limit the number of records to the logged in user. The users generally do not care about writing a curl query or other ways to fetch data from elastic search.

On the approach we have said on creating organizations, does grafana limit the number of organizations that can be created ?

Any other approaches to solve this problem will also help…

Thanks

Hi @coolshiva123, have you found any solution for this? I also need to address the same use case where I need to display logged in user specific graphs only. Any help would be appreciated, thanks.

Hi
I don’t assume there has been a solution to this problem meanwhile? I’m trying to write a NGSI data-source plug-in for Grafana and having at least one user-dependent string to use would make things a lot easier.
Cheers,
Jan

You can get the logged in user like this:

  • Import config: import config from 'app/core/config';
  • Access the user class like this: console.log(config.bootData.user)

The user object looks like this:

{
  "isSignedIn": true,
  "id": 1,
  "login": "admin",
  "email": "admin@localhost",
  "name": "admin",
  "lightTheme": false,
  "orgCount": 6,
  "orgId": 1,
  "orgName": "Main Org.",
  "orgRole": "Admin",
  "isGrafanaAdmin": true,
  "gravatarUrl": "/avatar/46d229b033af06a191ff2267bca9ae56",
  "timezone": "browser",
  "locale": "sv",
  "helpFlags1": 0
}
2 Likes

Hi Daniellee,

We would like to access the logged-in user in our provisioned dashboard queries and this bootData object looks like a way that we might best achieve this functionality.

It seems to me that access to this required a plug-in.
Does such a plugin exist?
Would there be interest amongst the community if we made such a plugin that exposes this user class to dashboards?

My best wishes,
Eric

I posted the above and see that as of yesterday, we have a commit to support this :tada:

:pray: :smiley:

I have been trying to use the __user.email variable with no luck. The __user.login variable seems to work. I use postgres and my grafana variable query is:
SELECT privileges.site as __text
FROM privileges
WHERE privileges.email = '${__user.email}' UNION SELECT name as __text FROM sites WHERE '${__user.login}' = 'admin';

I get an error on line 3 if I use __user.email, but not if I use __user.login (although then my code doesn’t work correctly).