Making API requests to Grafana from plugin backend

Hello all,

I have a scenario that I will try to explain with one of the super helpful plugin examples. The plugin I am developing has similar architecture as app-with-backend in the examples. I would like to make API requests to Grafana from plugin’s resource handler to fetch resources like, say, dashboard’s JSON model.

If the user is interacting with plugin from browser, Cookie header is available inside plugin’s request headers and I am forwarding the same cookie to make API requests to Grafana. This ensures the user to only access the resources that they have permissions as cookie will take care of that. However, if the operators wants to set up a service account and use the service account’s token to interact with plugin using clients like, say, curl, the plugin’s request headers do not have Authorization header to forward to Grafana for making API requests. Somewhere Grafana is stripping this header. My question is:

• Why does cookie is available in plugin’s resource request but not Authorization header? Is there a way that I can make Authorization header in the plugin’s request header?

There is another nice example of using externalServiceAccounts to provision a token for the plugin automatically. However, with this approach user will be able to access resources that they are not autorised to as these provisioned token might/will have wider scopes and permissions. Another question is:

• Is there a realiable way to identify if the account is service account or regular account? The User model that plugin context gives does not seem to provide this info.

Please let me know if my approach is nonsensical and if there is a better and elegant way to tackle this issue.

Cheers and have a good day y’all!

Hello,

The “Authorization” header is indeed removed to avoid accidentally forwarding it to thirdparty services.

While it’s not possible to configure that, if Grafana is configured to use OAuth to authenticate users, you can configure a data source to forward the auth info to the plugin. See: Add authentication for data source plugins | Grafana Plugin Tools.

In general, it’s expected that a user with access to the data source, will have access to the same resources that the data source has. If necessary, administrators can create multiple data sources with limited access to resources and assign the right users to them.

In a request, the User field of the PluginContext will only be populated with user info if a user originated the request.

Hope that helps!

Cheers @andresmartinez for the response.

The “Authorization” header is indeed removed to avoid accidentally forwarding it to thirdparty services.

Makes sense!

In a request, the User field of the PluginContext will only be populated with user info if a user originated the request.

Yes, I noticed that when a service account is making a request the User field is being populated as well. But I guess I can verify that is really a service account by checking against service account API I guess.

Thanks again for pointers!!