I have written a custom exporter that pushes some custom metrics to my VictoriaMetrics instance deployed in the cloud.
Some time ago I was the only user and admin of Grafana. It was fine, but now I have multiple users of my exporter+Grafana and I faced a problem.
Problem: user USER1 must not have any opportunity to get metrics of USER2.
What I have now:
For example, USER1 sends the metric some_metric{hostname=user1_hostname[1:N]}, and USER2 sends the metric some_metric{hostname=user2_hostname[1:N]}. The instance name is set on the user’s side in the exporter settings (this cannot be changed, as I have no other option to get his “business” instance name).
I create a new user, create a new folder named after the user, copy the “golden” set of dashboards (with the HOSTNAME var) to the new user’s folder, delete the folder’s common permissions “Editor, Viewer”, and add a user permission as Viewer only to that folder.
To restrict usage to only the user’s set of hostnames, I go to Settings → Variables → HOSTNAME → Regex and set “/user1_/”. Now the user can see only his metrics by changing the variable “HOSTNAME”.
What I need:
The problem is that I want users to create/edit dashboards in their folder as they need, but only within the set of instances they push.
I cannot set Editor permissions on dashboards, as the user can simply change the Regex.
The “Organization” and “Teams” features do not give me what I need.
“Project” is in a beta state; I can change anything: delete dashboards, add new labels, reorganize permissions, change exporter logic, etc.
Hello @levtol ,
As much as I have understood your problem, I think this is what you’re trying to do. And I hope it will be helpful.
Step 1. Organize Dashboards into Folders
Folder A – For General users
Folder B – For Special users
Step 2. Set Folder Permissions.
Navigate to the folder > Manage Permissions
Remove the default Viewer or Editor roles (these apply to all users by default)
Add specific Users or Teams
Click “Add Permission”
Choose User or Team
Set role: Viewer (view only) or Editor (can edit dashboards)
VictoriaMetrics API allows applying extra filters to the queries in GET params via extra_label=<label_name>=<label_value> or /api/v1/query_range?extra_filters[]={env=~"prod|staging",user="xyz"}&query=<query> filters - see VictoriaMetrics.
Using these, you can create a DatasourceUser1 and set extra_filters[]={hostname=~"user1.*"} in its extra params and allow the actual user1 to use only this data source. And do the same for user2 but with a slightly different extra filter. Now, both users will have access only to their datasources, and those datasources will be filtering data for them for every type of request.
It would be better performance-wise to have a dedicated label user=<user1> in every time series instead of relying on regex expressions. Or use the actual multitenancy in VictoriaMetrics to isolate access between datasets.
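The per-user filter in the last answer isolates users only when it is attached somewhere the user cannot edit, unlike the dashboard Regex. The Python below is an added example, not code from this thread, Grafana or VictoriaMetrics: it shows the rewrite a server-side component in front of VictoriaMetrics would apply, dropping any filter parameter the caller supplied and appending the one chosen for that user. The user-to-prefix mapping, the function names and the sample request are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Filter parameters named in the thread; a client must never choose these itself.
# The un-bracketed "extra_filters" spelling is dropped too, as a precaution.
FILTER_PARAMS = {"extra_label", "extra_filters[]", "extra_filters"}

# Constructed mapping: Grafana login -> hostname prefix used by that user's exporter.
TENANT_PREFIX = {"user1": "user1_", "user2": "user2_"}

# Prefixes are restricted to characters with no regex or string-escape meaning,
# so the selector below cannot be widened by a crafted prefix.
SAFE_PREFIX = re.compile(r"[A-Za-z0-9_]+")


def tenant_selector(user: str) -> str:
    """Return the series selector that matches only this user's hostnames."""
    prefix = TENANT_PREFIX[user]  # unknown user -> KeyError, i.e. fail closed
    if not SAFE_PREFIX.fullmatch(prefix):
        raise ValueError(f"unsafe hostname prefix for {user!r}")
    return '{hostname=~"%s.*"}' % prefix


def enforce_tenant_filter(user: str, raw_query: str) -> str:
    """Rewrite a query string so only the server-chosen filter is forwarded."""
    # parse_qsl percent-decodes keys, so "extra_filters%5B%5D" is caught as well.
    params = [(k, v) for k, v in parse_qsl(raw_query, keep_blank_values=True)
              if k not in FILTER_PARAMS]
    params.append(("extra_filters[]", tenant_selector(user)))
    return urlencode(params)


if __name__ == "__main__":
    # Constructed request: user1's query arrives carrying a filter for user2's hosts.
    incoming = ("query=some_metric&start=1700000000&end=1700003600&step=60"
                "&extra_filters%5B%5D=%7Bhostname%3D~%22user2_.*%22%7D")
    print(enforce_tenant_filter("user1", incoming))
```

The same rewrite has to be applied to form-encoded POST bodies, since query arguments can arrive there as well as in the URL.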