What Grafana version and what operating system are you using?
Red Hat 7, Grafana 9.1.3
What are you trying to achieve?
We have a security layer in our database, where we can create rules to access time series per user or per user group based on the login.
It is mandatory that every user has their own credentials to access the data, for auditing purposes and for the security level.
The problem is, we have some dashboards every user should see, but if he is missing privileges, he shouldn’t see the data. So far, so simple.
But I have no idea how we can achieve this goal. I think the easiest way would be to pass the user credentials from the Grafana login to the datasource (in our case Postgres; JSON would also be an option), then log in with these credentials, and the complete security layer will be active.
But I don’t think it is possible to pass the credentials from the login to the datasource, am I right?
→ The JSON datasource has the option “Forward OAuth Identity”, but (at the moment) we authenticate via LDAP/Active Directory, so no OAuth so far.
Are there any ideas for my problem?
Thank you, I’ve also read over this thread. As far as I understand, I should add a WHERE condition with a user variable, but I see multiple problems:
- I’m unable to monitor data access via the logged-in user’s connection.
- A user with the credentials to edit a dashboard can easily delete the user in the conditions and can access all data.
- The datasource has to see all data, so this seems a very insecure setup for our use case.
Not if you use stored procedures with username as a required parameter and verifying current user is the actual user and not faking another user.
Why do some of your users have the ability to edit dashboards?
On Postgres you can only get the user from the connection, and as Grafana is a service, the Oracle/MSSQL user variable would also have the wrong info: the info from the Grafana server to the DB.
How should I verify that the current passed user is the user from the Grafana login? I can’t see a secure solution for this if the connection is not made with the credentials passed via Grafana.
We provide just the database and the Grafana UI for our users. They know their data and know what they need to see, so they make their dashboards on their own and only contact us if they need further technical support.
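
The stored-procedure approach suggested in the thread, together with the limits raised in the replies, as an added PostgreSQL example that is not from any participant's post. The tables, role, function and logins are hypothetical, and it assumes a scratch database, a superuser session and the `public` schema.

```sql
-- Constructed schema and sample rows; every name below is hypothetical.
CREATE TABLE public.ts_data (series_id int, ts timestamptz, value double precision);
CREATE TABLE public.ts_acl  (login text, series_id int, PRIMARY KEY (login, series_id));
INSERT INTO public.ts_data VALUES
  (1, now() - interval '1 minute', 20.5),
  (2, now() - interval '1 minute', 99.0);
INSERT INTO public.ts_acl VALUES ('alice', 1), ('bob', 2);

-- Role the Grafana datasource connects as: it is granted no table privileges.
CREATE ROLE grafana_ds LOGIN;

-- The only entry point for that role. SECURITY DEFINER runs with the owner's
-- privileges, so search_path is pinned and every object is schema-qualified.
CREATE FUNCTION public.ts_for_user(p_login text, p_from timestamptz, p_to timestamptz)
RETURNS TABLE (series_id int, ts timestamptz, value double precision)
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
  SELECT d.series_id, d.ts, d.value
  FROM public.ts_data d
  JOIN public.ts_acl a ON a.series_id = d.series_id
  WHERE a.login = p_login AND d.ts >= p_from AND d.ts < p_to
$$;
REVOKE ALL ON FUNCTION public.ts_for_user(text, timestamptz, timestamptz) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.ts_for_user(text, timestamptz, timestamptz) TO grafana_ds;

-- Panel query as it would be written in a dashboard (Grafana substitutes the
-- login and time range as text before the statement is sent):
--   SELECT * FROM ts_for_user('${__user.login}', $__timeFrom(), $__timeTo());
SET ROLE grafana_ds;

-- The statement the database receives when alice opens the panel.
SELECT * FROM public.ts_for_user('alice', now() - interval '1 hour', now());

-- Nothing binds p_login to the Grafana session: whoever can edit the panel
-- query can replace the variable with any literal.
SELECT * FROM public.ts_for_user('bob', now() - interval '1 hour', now());

-- The identity the database can see and audit is the connection role,
-- not the person logged in to Grafana.
SELECT current_user;

-- Direct table access was never granted to the datasource role.
SELECT count(*) FROM public.ts_data;

RESET ROLE;
```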