mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
AccessControl: Document new permissions restricting data source access. (#39091)
* Add data sources roles and permissions to docs Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This commit is contained in:
parent
ff009bee9f
commit
6aa006b699
@ -11,28 +11,32 @@ The reference information that follows complements conceptual information about
|
||||
|
||||
## Fine-grained access fixed roles
|
||||
|
||||
| Fixed roles | Permissions | Descriptions |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
|
||||
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
|
||||
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
|
||||
| `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. |
|
||||
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
|
||||
| `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. |
|
||||
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
|
||||
| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
|
||||
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
|
||||
| `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. |
|
||||
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
|
||||
| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
|
||||
| `fixed:settings:admin:read` | `settings:read` | Read settings |
|
||||
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
|
||||
| `fixed:datasource:editor:read` | `datasources:explore` | Explore datasources |
|
||||
| Fixed roles | Permissions | Descriptions |
|
||||
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `fixed:permissions:admin:read` | `roles:read`<br>`roles:list`<br>`roles.builtin:list` | Allows to list and get available roles and built-in role assignments. |
|
||||
| `fixed:permissions:admin:edit` | All permissions from `fixed:permissions:admin:read` and <br>`roles:write`<br>`roles:delete`<br>`roles.builtin:add`<br>`roles.builtin:remove` | Allows every read action and in addition allows to create, change and delete custom roles and create or remove built-in role assignments. |
|
||||
| `fixed:provisioning:admin` | `provisioning:reload` | Allow provisioning configurations to be reloaded. |
|
||||
| `fixed:reporting:admin:read` | `reports:read`<br>`reports:send`<br>`reports.settings:read` | Allows to read reports and report settings. |
|
||||
| `fixed:reporting:admin:edit` | All permissions from `fixed:reporting:admin:read` and <br>`reports.admin:write`<br>`reports:delete`<br>`reports.settings:write` | Allows every read action for reports and in addition allows to administer reports. |
|
||||
| `fixed:users:admin:read` | `users.authtoken:list`<br>`users.quotas:list`<br>`users:read`<br>`users.teams:read` | Allows to list and get users and related information. |
|
||||
| `fixed:users:admin:edit` | All permissions from `fixed:users:admin:read` and <br>`users.password:update`<br>`users:write`<br>`users:create`<br>`users:delete`<br>`users:enable`<br>`users:disable`<br>`users.permissions:update`<br>`users:logout`<br>`users.authtoken:update`<br>`users.quotas:update` | Allows every read action for users and in addition allows to administer users. |
|
||||
| `fixed:users:org:read` | `org.users:read` | Allows to get user organizations. |
|
||||
| `fixed:users:org:edit` | All permissions from `fixed:users:org:read` and <br>`org.users:add`<br>`org.users:remove`<br>`org.users.role:update` | Allows every read action for user organizations and in addition allows to administer user organizations. |
|
||||
| `fixed:ldap:admin:read` | `ldap.user:read`<br>`ldap.status:read` | Allows to read LDAP information and status. |
|
||||
| `fixed:ldap:admin:edit` | All permissions from `fixed:ldap:admin:read` and <br>`ldap.user:sync`<br>`ldap.config:reload` | Allows every read action for LDAP and in addition allows to administer LDAP. |
|
||||
| `fixed:server:admin:read` | `server.stats:read` | Read server stats |
|
||||
| `fixed:settings:admin:read` | `settings:read` | Read settings |
|
||||
| `fixed:settings:admin:edit` | All permissions from `fixed:settings:admin:read` and<br>`settings:write` | Update settings |
|
||||
| `fixed:datasources:editor:read` | `datasources:explore` | Allows to access the **Explore** tab |
|
||||
| `fixed:datasources:admin` | `datasources:read`<br>`datasources:create`<br>`datasources:write`<br>`datasources:delete` | Allows to create, read, update, delete data sources. |
|
||||
| `fixed:datasources:id:viewer` | `datasources:id:read` | Allows to read data source IDs. |
|
||||
| `fixed:datasources:permissions:admin` | `datasources.permissions:create`<br> `datasources.permissions:read`<br> `datasources.permissions:delete`<br>`datasources.permissions:toggle` | Allows to create, read, delete, enable, or disable data source permissions |
|
||||
|
||||
## Default built-in role assignments
|
||||
|
||||
| Built-in role | Associated role | Description |
|
||||
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Allow access to the same resources and permissions the [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) has by default. |
|
||||
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read` | Allow access to the same resources and permissions that the [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) has by default. |
|
||||
| Editor | `fixed:datasource:editor:read` |
|
||||
| Built-in role | Associated role | Description |
|
||||
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Grafana Admin | `fixed:permissions:admin:edit`<br>`fixed:permissions:admin:read`<br>`fixed:provisioning:admin`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:users:admin:edit`<br>`fixed:users:admin:read`<br>`fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:ldap:admin:edit`<br>`fixed:ldap:admin:read`<br>`fixed:server:admin:read`<br>`fixed:settings:admin:read`<br>`fixed:settings:admin:edit` | Default [Grafana server administrator]({{< relref "../../permissions/_index.md#grafana-server-admin-role" >}}) assignments. |
|
||||
| Admin | `fixed:users:org:edit`<br>`fixed:users:org:read`<br>`fixed:reporting:admin:edit`<br>`fixed:reporting:admin:read`<br>`fixed:datasources:admin`<br>`fixed:datasources:permissions:admin` | Default [Grafana organization administrator]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
|
||||
| Editor | `fixed:datasources:editor:read` | Default [Editor]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
|
||||
| Viewer | `fixed:datasources:id:viewer` | Default [Viewer]({{< relref "../../permissions/organization_roles.md" >}}) assignments. |
|
||||
|
@ -23,62 +23,72 @@ scope
|
||||
|
||||
The following list contains fine-grained access control actions.
|
||||
|
||||
| Action | Applicable scope | Description |
|
||||
| -------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `roles:list` | `roles:*` | List available roles without permissions. |
|
||||
| `roles:read` | `roles:*` | Read a specific role with its permissions. |
|
||||
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
|
||||
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
|
||||
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
|
||||
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
|
||||
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
|
||||
| `reports.admin:create` | `reports:*` | Create reports. |
|
||||
| `reports.admin:write` | `reports:*` | Update reports. |
|
||||
| `reports:delete` | `reports:*` | Delete reports. |
|
||||
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
|
||||
| `reports:send` | `reports:*` | Send a report email. |
|
||||
| `reports.settings:write` | n/a | Update report settings. |
|
||||
| `reports.settings:read` | n/a | Read report settings. |
|
||||
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
|
||||
| `users:read` | `global:users:*` | Read or search user profiles. |
|
||||
| `users:write` | `global:users:*` | Update a user’s profile. |
|
||||
| `users.teams:read` | `global:users:*` | Read a user’s teams. |
|
||||
| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
|
||||
| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
|
||||
| `users.password:update` | `global:users:*` | Update a user’s password. |
|
||||
| `users:delete` | `global:users:*` | Delete a user. |
|
||||
| `users:create` | n/a | Create a user. |
|
||||
| `users:enable` | `global:users:*` | Enable a user. |
|
||||
| `users:disable` | `global:users:*` | Disable a user. |
|
||||
| `users.permissions:update` | `global:users:*` | Update a user’s organization-level permissions. |
|
||||
| `users:logout` | `global:users:*` | Sign out a user. |
|
||||
| `users.quotas:list` | `global:users:*` | List a user’s quotas. |
|
||||
| `users.quotas:update` | `global:users:*` | Update a user’s quotas. |
|
||||
| `org.users.read` | `users:*` | Get user profiles within an organization. |
|
||||
| `org.users.add` | `users:*` | Add a user to an organization. |
|
||||
| `org.users.remove` | `users:*` | Remove a user from an organization. |
|
||||
| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
|
||||
| `ldap.user:read` | n/a | Get a user via LDAP. |
|
||||
| `ldap.user:sync` | n/a | Sync a user via LDAP. |
|
||||
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
|
||||
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
|
||||
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
|
||||
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
|
||||
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
|
||||
| `server.stats:read` | n/a | Read server stats |
|
||||
| `datasources:explore` | n/a | Enable explore |
|
||||
| Action | Applicable scope | Description |
|
||||
| -------------------------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `roles:list` | `roles:*` | List available roles without permissions. |
|
||||
| `roles:read` | `roles:*` | Read a specific role with its permissions. |
|
||||
| `roles:write` | `permissions:delegate` | Create or update a custom role. |
|
||||
| `roles:delete` | `permissions:delegate` | Delete a custom role. |
|
||||
| `roles.builtin:list` | `roles:*` | List built-in role assignments. |
|
||||
| `roles.builtin:add` | `permissions:delegate` | Create a built-in role assignment. |
|
||||
| `roles.builtin:remove` | `permissions:delegate` | Delete a built-in role assignment. |
|
||||
| `reports.admin:create` | `reports:*` | Create reports. |
|
||||
| `reports.admin:write` | `reports:*` | Update reports. |
|
||||
| `reports:delete` | `reports:*` | Delete reports. |
|
||||
| `reports:read` | `reports:*` | List all available reports or get a specific report. |
|
||||
| `reports:send` | `reports:*` | Send a report email. |
|
||||
| `reports.settings:write` | n/a | Update report settings. |
|
||||
| `reports.settings:read` | n/a | Read report settings. |
|
||||
| `provisioning:reload` | `provisioners:*` | Reload provisioning files. To find the exact scope for specific provisioner, see [Scope definitions]({{< relref "./permissions.md#scope-definitions" >}}). |
|
||||
| `users:read` | `global:users:*` | Read or search user profiles. |
|
||||
| `users:write` | `global:users:*` | Update a user’s profile. |
|
||||
| `users.teams:read` | `global:users:*` | Read a user’s teams. |
|
||||
| `users.authtoken:list` | `global:users:*` | List authentication tokens that are assigned to a user. |
|
||||
| `users.authtoken:update` | `global:users:*` | Update authentication tokens that are assigned to a user. |
|
||||
| `users.password:update` | `global:users:*` | Update a user’s password. |
|
||||
| `users:delete` | `global:users:*` | Delete a user. |
|
||||
| `users:create` | n/a | Create a user. |
|
||||
| `users:enable` | `global:users:*` | Enable a user. |
|
||||
| `users:disable` | `global:users:*` | Disable a user. |
|
||||
| `users.permissions:update` | `global:users:*` | Update a user’s organization-level permissions. |
|
||||
| `users:logout` | `global:users:*` | Sign out a user. |
|
||||
| `users.quotas:list` | `global:users:*` | List a user’s quotas. |
|
||||
| `users.quotas:update` | `global:users:*` | Update a user’s quotas. |
|
||||
| `org.users:read` | `users:*` | Get user profiles within an organization. |
|
||||
| `org.users:add` | `users:*` | Add a user to an organization. |
|
||||
| `org.users:remove` | `users:*` | Remove a user from an organization. |
|
||||
| `org.users.role:update` | `users:*` | Update the organization role (`Viewer`, `Editor`, or `Admin`) of an organization. |
|
||||
| `ldap.user:read` | n/a | Get a user via LDAP. |
|
||||
| `ldap.user:sync` | n/a | Sync a user via LDAP. |
|
||||
| `ldap.status:read` | n/a | Verify the availability of the LDAP server or servers. |
|
||||
| `ldap.config:reload` | n/a | Reload the LDAP configuration. |
|
||||
| `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. |
|
||||
| `settings:read` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../administration/configuration/_index.md" >}}) |
|
||||
| `settings:write` | `settings:*`<br>`settings:auth.saml:*`<br>`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../enterprise/settings-updates/_index.md" >}}). |
|
||||
| `server.stats:read` | n/a | Read server stats |
|
||||
| `datasources:explore` | n/a | Enable access to the **Explore** tab. |
|
||||
| `datasources:read` | n/a<br>`datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | List data sources. |
|
||||
| `datasources:id:read` | `datasources:*`<br>`datasources:name:*` | Read data source IDs. |
|
||||
| `datasources:create` | n/a | Create data sources. |
|
||||
| `datasources:write` | `datasources:*`<br>`datasources:id:*` | Update data sources. |
|
||||
| `datasources:delete` | `datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Delete data sources. |
|
||||
| `datasources.permissions:read` | `datasources:*`<br>`datasources:id:*` | List data source permissions. |
|
||||
| `datasources.permissions:create` | `datasources:*`<br>`datasources:id:*` | Create data source permissions. |
|
||||
| `datasources.permissions:delete` | `datasources:*`<br>`datasources:id:*` | Delete data source permissions. |
|
||||
| `datasources.permissions:toggle` | `datasources:*`<br>`datasources:id:*` | Enable or disable data source permissions. |
|
||||
|
||||
## Scope definitions
|
||||
|
||||
The following list contains fine-grained access control scopes.
|
||||
|
||||
| Scopes | Descriptions |
|
||||
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
|
||||
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
|
||||
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
|
||||
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
|
||||
| `global:users:*` | Restrict an action to a set of global users. |
|
||||
| `users:*` | Restrict an action to a set of users from an organization. |
|
||||
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
|
||||
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
|
||||
| Scopes | Descriptions |
|
||||
| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `roles:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
|
||||
| `permissions:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. |
|
||||
| `reports:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`. |
|
||||
| `services:accesscontrol` | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions. |
|
||||
| `global:users:*` | Restrict an action to a set of global users. |
|
||||
| `users:*` | Restrict an action to a set of users from an organization. |
|
||||
| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. |
|
||||
| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the fine-grained access control [provisioner]({{< relref "./provisioning.md" >}}). |
|
||||
| `datasources:*`<br>`datasources:id:*`<br>`datasources:uid:*`<br>`datasources:name:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:name:postgres` matches the data source named `postgres`. |
|
||||
|
@ -7,10 +7,23 @@ aliases = ["/docs/grafana/latest/http_api/datasource/"]
|
||||
|
||||
# Data source API
|
||||
|
||||
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
|
||||
> Refer to specific resources to understand what permissions are required.
|
||||
|
||||
## Get all data sources
|
||||
|
||||
`GET /api/datasources`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ---------------- | -------------- |
|
||||
| datasources:read | datasources:\* |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
@ -57,6 +70,16 @@ Content-Type: application/json
|
||||
|
||||
`GET /api/datasources/:datasourceId`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ---------------- | ---------------------------------------------------------------------------- |
|
||||
| datasources:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
@ -103,6 +126,16 @@ Content-Type: application/json
|
||||
|
||||
`GET /api/datasources/uid/:uid`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ---------------- | -------------------------------------------------------------------------------------- |
|
||||
| datasources:read | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
@ -149,6 +182,16 @@ Content-Type: application/json
|
||||
|
||||
`GET /api/datasources/name/:name`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ---------------- | ---------------------------------------------------------------------------------------------- |
|
||||
| datasources:read | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
@ -195,6 +238,16 @@ Content-Type: application/json
|
||||
|
||||
`GET /api/datasources/id/:name`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------- | ---------------------------------------------------------------------------------------------- |
|
||||
| datasources:id:read | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
@ -219,6 +272,16 @@ Content-Type: application/json
|
||||
|
||||
`POST /api/datasources`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------ | ----- |
|
||||
| datasources:create | n/a |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Graphite Request**:
|
||||
|
||||
```http
|
||||
@ -357,6 +420,16 @@ Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
|
||||
|
||||
`PUT /api/datasources/:datasourceId`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ----------------- | ---------------------------------------------------------------------------- |
|
||||
| datasources:write | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
@ -427,6 +500,16 @@ Content-Type: application/json
|
||||
|
||||
`DELETE /api/datasources/:datasourceId`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------ | ---------------------------------------------------------------------------- |
|
||||
| datasources:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
@ -449,6 +532,16 @@ Content-Type: application/json
|
||||
|
||||
`DELETE /api/datasources/uid/:uid`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------ | -------------------------------------------------------------------------------------- |
|
||||
| datasources:delete | datasources:\*<br>datasources:uid:\*<br>datasources:uid:kLtEtcRGk (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
@ -471,6 +564,16 @@ Content-Type: application/json
|
||||
|
||||
`DELETE /api/datasources/name/:datasourceName`
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------ | ---------------------------------------------------------------------------------------------- |
|
||||
| datasources:delete | datasources:\*<br>datasources:name:\*<br>datasources:name:test_datasource (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example Request**:
|
||||
|
||||
```http
|
||||
|
@ -9,6 +9,9 @@ aliases = ["/docs/grafana/latest/http_api/datasourcepermissions/"]
|
||||
|
||||
> The Data Source Permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
|
||||
|
||||
> If you are running Grafana Enterprise and have [Fine-grained access control]({{< relref "../enterprise/access-control/_index.md" >}}) enabled, for some endpoints you would need to have relevant permissions.
|
||||
> Refer to specific resources to understand what permissions are required.
|
||||
|
||||
This API can be used to enable, disable, list, add and remove permissions for a data source.
|
||||
|
||||
Permissions can be set for a user or a team. Permissions cannot be set for Admins - they always have access to everything.
|
||||
@ -23,6 +26,16 @@ The permission levels for the permission field:
|
||||
|
||||
Enables permissions for the data source with the given `id`. No one except Org Admins will be able to query the data source until permissions have been added which permit certain users or teams to query the data source.
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------- |
|
||||
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
@ -58,6 +71,16 @@ Status codes:
|
||||
|
||||
Disables permissions for the data source with the given `id`. All existing permissions will be removed and anyone will be able to query the data source.
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------- |
|
||||
| datasources.permissions:toggle | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
@ -93,6 +116,16 @@ Status codes:
|
||||
|
||||
Gets all existing permissions for the data source with the given `id`.
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ---------------------------- | ---------------------------------------------------------------------------- |
|
||||
| datasources.permissions:read | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
@ -154,6 +187,16 @@ Status codes:
|
||||
|
||||
Adds a user permission for the data source with the given `id`.
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------- |
|
||||
| datasources.permissions:create | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
@ -218,6 +261,16 @@ Status codes:
|
||||
|
||||
Removes the permission with the given `permissionId` for the data source with the given `id`.
|
||||
|
||||
### Required permissions
|
||||
|
||||
See note in the [introduction]({{< ref "#data-source-permissions-api" >}}) for an explanation.
|
||||
|
||||
| Action | Scope |
|
||||
| ------------------------------ | ---------------------------------------------------------------------------- |
|
||||
| datasources.permissions:delete | datasources:\*<br>datasources:id:\*<br>datasources:id:1 (single data source) |
|
||||
|
||||
### Examples
|
||||
|
||||
**Example request:**
|
||||
|
||||
```http
|
||||
|
Loading…
Reference in New Issue
Block a user