opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-30 20:32:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

AccessControl: Document new permissions restricting data source access. (#39091)

Browse Source 
* Add data sources roles and permissions to docs

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This commit is contained in:
Gabriel MABILLE
2021-09-29 17:45:27 +02:00
committed by GitHub
parent ff009bee9f
commit 6aa006b699
4 changed files with 246 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
docs/sources/enterprise/access-control/fine-grained-access-control-references.md
View File

@ -11,28 +11,32 @@ The reference information that follows complements conceptual information about
## Fine-grained access fixed roles ## Fine-grained access fixed roles
| Fixed roles | Permissions | Descriptions | | Fixed roles | Permissions | Descriptions |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. | | `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. | | `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. | | `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
| `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. | | `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. |
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. | | `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
| `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. | | `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. |
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. | | `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. | | `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. | | `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
| `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. | | `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. |
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. | | `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
| `fixed:server:admin:read` | `server.stats:read` | Read server stats | | `fixed:server:admin:read` | `server.stats:read` | Read server stats |
| `fixed:settings:admin:read` | `settings:read` | Read settings | | `fixed:settings:admin:read` | `settings:read` | Read settings |
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings | | `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
| `fixed:datasource:editor:read` | `datasources:explore` | Explore datasources | | `fixed:datasources:editor:read` | `datasources:explore` | Allows to access the **Explore** tab |
| `fixed:datasources:admin` | `datasources:read`<br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Allows to create, read, update, delete data sources. |
| `fixed:datasources:id:viewer` | `datasources:id:read` | Allows to read data source IDs. |
| `fixed:datasources:permissions:admin` | `datasources.permissions:create`<br> `datasources.permissions:read`<br> `datasources.permissions:delete`<br>`datasources.permissions:toggle` | Allows to create, read, delete, enable, or disable data source permissions |
## Default built-in role assignments ## Default built-in role assignments
| Built-in role | Associated role | Description | | Built-in role | Associated role | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Allow access to the same resources and permissions the [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has by default. | | Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read` | Allow access to the same resources and permissions that the [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) has by default. | | Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:datasources:admin`<br>`fixed:datasources:permissions:admin` | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Editor | `fixed:datasource:editor:read` | | Editor | `fixed:datasources:editor:read` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
| Viewer | `fixed:datasources:id:viewer` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |

118
docs/sources/enterprise/access-control/permissions.md
View File

@ -23,62 +23,72 @@ scope
The following list contains fine-grained access control actions. The following list contains fine-grained access control actions.
| Action | Applicable scope | Description | | Action | Applicable scope | Description |
| -------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | -------------------------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:list` | `roles:*` | List available roles without permissions. | | `roles:list` | `roles:*` | List available roles without permissions. |
| `roles:read` | `roles:*` | Read a specific role with its permissions. | | `roles:read` | `roles:*` | Read a specific role with its permissions. |
| `roles:write` | `permissions:delegate` | Create or update a custom role. | | `roles:write` | `permissions:delegate` | Create or update a custom role. |
| `roles:delete` | `permissions:delegate` | Delete a custom role. | | `roles:delete` | `permissions:delegate` | Delete a custom role. |
| `roles.builtin:list` | `roles:*` | List built-in role assignments. | | `roles.builtin:list` | `roles:*` | List built-in role assignments. |
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. | | `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. | | `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
| `reports.admin:create` | `reports:*` | Create reports. | | `reports.admin:create` | `reports:*` | Create reports. |
| `reports.admin:write` | `reports:*` | Update reports. | | `reports.admin:write` | `reports:*` | Update reports. |
| `reports:delete` | `reports:*` | Delete reports. | | `reports:delete` | `reports:*` | Delete reports. |
| `reports:read` | `reports:*` | List all available reports or get a specific report. | | `reports:read` | `reports:*` | List all available reports or get a specific report. |
| `reports:send` | `reports:*` | Send a report email. | | `reports:send` | `reports:*` | Send a report email. |
| `reports.settings:write` | n/a | Update report settings. | | `reports.settings:write` | n/a | Update report settings. |
| `reports.settings:read` | n/a | Read report settings. | | `reports.settings:read` | n/a | Read report settings. |
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). | | `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
| `users:read` | `global:users:*` | Read or search user profiles. | | `users:read` | `global:users:*` | Read or search user profiles. |
| `users:write` | `global:users:*` | Update a users profile. | | `users:write` | `global:users:*` | Update a users profile. |
| `users.teams:read` | `global:users:*` | Read a users teams. | | `users.teams:read` | `global:users:*` | Read a users teams. |
| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. | | `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. | | `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
| `users.password:update` | `global:users:*` | Update a users password. | | `users.password:update` | `global:users:*` | Update a users password. |
| `users:delete` | `global:users:*` | Delete a user. | | `users:delete` | `global:users:*` | Delete a user. |
| `users:create` | n/a | Create a user. | | `users:create` | n/a | Create a user. |
| `users:enable` | `global:users:*` | Enable a user. | | `users:enable` | `global:users:*` | Enable a user. |
| `users:disable` | `global:users:*` | Disable a user. | | `users:disable` | `global:users:*` | Disable a user. |
| `users.permissions:update` | `global:users:*` | Update a users organization-level permissions. | | `users.permissions:update` | `global:users:*` | Update a users organization-level permissions. |
| `users:logout` | `global:users:*` | Sign out a user. | | `users:logout` | `global:users:*` | Sign out a user. |
| `users.quotas:list` | `global:users:*` | List a users quotas. | | `users.quotas:list` | `global:users:*` | List a users quotas. |
| `users.quotas:update` | `global:users:*` | Update a users quotas. | | `users.quotas:update` | `global:users:*` | Update a users quotas. |
| `org.users.read` | `users:*` | Get user profiles within an organization. | | `org.users:read` | `users:*` | Get user profiles within an organization. |
| `org.users.add` | `users:*` | Add a user to an organization. | | `org.users:add` | `users:*` | Add a user to an organization. |
| `org.users.remove` | `users:*` | Remove a user from an organization. | | `org.users:remove` | `users:*` | Remove a user from an organization. |
| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. | | `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
| `ldap.user:read` | n/a | Get a user via LDAP. | | `ldap.user:read` | n/a | Get a user via LDAP. |
| `ldap.user:sync` | n/a | Sync a user via LDAP. | | `ldap.user:sync` | n/a | Sync a user via LDAP. |
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. | | `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
| `ldap.config:reload` | n/a | Reload the LDAP configuration. | | `ldap.config:reload` | n/a | Reload the LDAP configuration. |
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | | `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) | | `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). | | `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
| `server.stats:read` | n/a | Read server stats | | `server.stats:read` | n/a | Read server stats |
| `datasources:explore` | n/a | Enable explore | | `datasources:explore` | n/a | Enable access to the **Explore** tab. |
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
| `datasources:id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
| `datasources:create` | n/a | Create data sources. |
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
| `datasources:delete` | `datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Delete data sources. |
| `datasources.permissions:read` | `datasources:*`<br>`datasources:id:*` | List data source permissions. |
| `datasources.permissions:create` | `datasources:*`<br>`datasources:id:*` | Create data source permissions. |
| `datasources.permissions:delete` | `datasources:*`<br>`datasources:id:*` | Delete data source permissions. |
| `datasources.permissions:toggle` | `datasources:*`<br>`datasources:id:*` | Enable or disable data source permissions. |
## Scope definitions ## Scope definitions
The following list contains fine-grained access control scopes. The following list contains fine-grained access control scopes.
| Scopes | Descriptions | | Scopes | Descriptions |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. | | `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | | `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. | | `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. | | `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
| `global:users:*` | Restrict an action to a set of global users. | | `global:users:*` | Restrict an action to a set of global users. |
| `users:*` | Restrict an action to a set of users from an organization. | | `users:*` | Restrict an action to a set of users from an organization. |
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | | `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). | | `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |

103
docs/sources/http_api/data_source.md
View File

@ -7,10 +7,23 @@ aliases = ["/docs/grafana/latest/http_api/datasource/"]
# Data source API # Data source API
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
## Get all data sources ## Get all data sources
`GET /api/datasources` `GET /api/datasources`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ---------------- | -------------- |
| datasources:read | datasources:\* |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -57,6 +70,16 @@ Content-Type: application/json
HTTP/1.1 200 HTTP/1.1 200
Content-Type: application/json Content-Type: application/json
```
## Get a single data source by UID
`GET /api/datasources/uid/:uid`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope | | Action | Scope |
| ---------------- | -------------------------------------------------------------------------------------- | | ---------------- | -------------------------------------------------------------------------------------- |
| datasources:read | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) | | datasources:read | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
@ -103,6 +126,16 @@ Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
``` ```
**Example Response**:
```http
HTTP/1.1 200
Content-Type: application/json
```
## Get data source Id by Name
`GET /api/datasources/id/:name` `GET /api/datasources/id/:name`
### Required permissions ### Required permissions
@ -149,6 +182,16 @@ Content-Type: application/json
**Example Graphite Request**: **Example Graphite Request**:
```http ```http
POST /api/datasources HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
```
**Example Graphite Response**:
```http
HTTP/1.1 200 HTTP/1.1 200
Content-Type: application/json Content-Type: application/json
@ -195,6 +238,16 @@ Content-Type: application/json
| Action | Scope | | Action | Scope |
| ----------------- | ---------------------------------------------------------------------------- | | ----------------- | ---------------------------------------------------------------------------- |
| datasources:write | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) | | datasources:write | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**:
```http
PUT /api/datasources/1 HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
``` ```
@ -219,6 +272,16 @@ Content-Type: application/json
| Action | Scope | | Action | Scope |
| ------------------ | ---------------------------------------------------------------------------- | | ------------------ | ---------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) | | datasources:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**:
```http
DELETE /api/datasources/1 HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
``` ```
**Example Response**: **Example Response**:
@ -357,6 +420,16 @@ Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
`PUT /api/datasources/:datasourceId` `PUT /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ----------------- | ---------------------------------------------------------------------------- |
| datasources:write | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -427,6 +500,16 @@ Content-Type: application/json
`DELETE /api/datasources/:datasourceId` `DELETE /api/datasources/:datasourceId`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ---------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http
@ -449,6 +532,16 @@ Content-Type: application/json
`DELETE /api/datasources/uid/:uid` `DELETE /api/datasources/uid/:uid`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | -------------------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -471,6 +564,16 @@ Content-Type: application/json
`DELETE /api/datasources/name/:datasourceName` `DELETE /api/datasources/name/:datasourceName`
### Required permissions
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
| Action | Scope |
| ------------------ | ---------------------------------------------------------------------------------------------- |
| datasources:delete | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
### Examples
**Example Request**: **Example Request**:
```http ```http

53
docs/sources/http_api/datasource_permissions.md
View File

@ -9,6 +9,9 @@ aliases = ["/docs/grafana/latest/http_api/datasourcepermissions/"]
> The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}). > The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
> Refer to specific resources to understand what permissions are required.
This API can be used to enable, disable, list, add and remove permissions for a data source. This API can be used to enable, disable, list, add and remove permissions for a data source.
Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything. Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything.
@ -23,6 +26,16 @@ The permission levels for the permission field:
Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source. Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source.
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http
@ -58,6 +71,16 @@ Status codes:
Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source. Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source.
### Required permissions ### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http ```http
POST /api/datasources/1/disable-permissions POST /api/datasources/1/disable-permissions
@ -93,6 +116,16 @@ Status codes:
### Required permissions ### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ---------------------------- | ---------------------------------------------------------------------------- |
| datasources.permissions:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:**
```http ```http
GET /api/datasources/1/permissions HTTP/1.1 GET /api/datasources/1/permissions HTTP/1.1
Accept: application/json Accept: application/json
@ -154,6 +187,16 @@ Status codes:
Content-Length: 35 Content-Length: 35
``` ```
Adds a team permission for the data source with the given `id`.
**Example request:**
```http
POST /api/datasources/1/permissions
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{ {
"teamId": 1, "teamId": 1,
@ -218,6 +261,16 @@ Status codes:
- **401** - Unauthorized - **401** - Unauthorized
- **403** - Access denied - **403** - Access denied
- **404** - Datasource not found or permission not found - **404** - Datasource not found or permission not found
### Required permissions
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
| Action | Scope |
| ------------------------------ | ---------------------------------------------------------------------------- |
| datasources.permissions:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
### Examples
**Example request:** **Example request:**
```http ```http