AWS cost attribution: (feedback 5) Enable viewers to generate and share snapshots

2i2c-org / infrastructure

Infrastructure for configuring and deploying our community JupyterHubs.

https://infrastructure.2i2c.org

BSD 3-Clause "New" or "Revised" License

104 stars 64 forks source link

AWS cost attribution: (feedback 5) Enable viewers to generate and share snapshots #4991

Open consideRatio opened 2 days ago

consideRatio commented 2 days ago

Snapshots are a way for people to share frozen grafana dashboard views to other people that doesn't need to login etc. In a demo of the cost attribution dashboard with Tasha at nasa-cryo, we concluded that a snapshot could be helpful, but that access to those wasn't available for those logged in via GitHub.

Snapshot permissions are hardcoded, only those with editor permissions are granted snapshot permissions currently. For details, see https://github.com/grafana/grafana/issues/88326#issuecomment-2428829574.

For us to enable viewers to generate and share snapshots, we need grafana to be updated. Until then, we can workaround this by granting people edit access to the dashboards they'd like to snapshot.

consideRatio commented 1 day ago

@Gman0909 @jnywong a status update about snapshots.

In grafana 11, latest, which we use, snapshots can only be done by users with edit permissions on a specific dashboard. So the permissions go hand in hand.

We could workaround this by raising the permissions by default for users we invite to editor etc.

I think currently the people accessing grafana via github gets Viewer role by default
I think currently the people we invite personally by providing a invite link we often invite as admins

@yuvipanda do you think we should raise the permissions for people accessing grafana via github to editors?

jnywong commented 1 day ago

Can I ask a clarifying question about who is and isn't invited to access Grafana?

If we roll this out as a feature, then a request for access is initiated by the hub admin, right? This in turn grants them an admin/editor role.

What use cases would require a GitHub viewer role and who manages that?

consideRatio commented 1 day ago

We have no definitive practice here i think, i think we should do an invite to community champions by default, and grant them admin, allowing them to invite others as well.

However, we have used github organization membership to grant access as well, which could make sense for some communities.

consideRatio commented 1 day ago

We should work on systematicizing how we provide grafana access, but doing that is out of scope for rolling out the AWS cost attribution dashboard and ought to be worked independently. Of course, community champs needs access to make use of the cost attribution dashboard, and the way to provide it if they don't already have it, is to generate a link and send it to them I think.

If they already have access via GitHub identity as a viewer role, by virtue of membership in a github organization granted access to their grafana instance, then raising the default permission from Viewer to Editor is a workaround to ensure they can make use of snapshots.