esnet / gdg

Grafana Dashboard Manager
https://software.es.net/gdg/

Auth Token or API key? #34

Closed jotka closed 3 years ago

jotka commented 3 years ago

Hi, the authentication with Auth Token doesn't seem to work, even when created with Admin permission. Is it the API key I need to create, or am I missing something here? Thanks a lot!

safaci2000 commented 3 years ago

Everything I've been using has been with the API Token and has been working fine. One thing to note, though: the User API requires Basic Auth since tokens aren't supported. Can you tell me a bit more about your environment? Or show me what your config looks like (minus the sensitive info).

jotka commented 3 years ago

I have Azure Active Directory integrated for users to log in. I also need to interact with Grafana using the API, so I've created the API key. As soon as I run the grafana-dashboard-manager with this key in the config, I get a 403 getting organizations...

jotka commented 3 years ago

That's my importer.yaml:

    context_name: spyglass
    contexts:
      spyglass:
        dashboards_output: /tmp
        url: http://grafana.spyglass.svc.cluster.local:3000
        token: [removed]
        organization: Main Org
        watched:
          - General
          - Other

And this is what I get when executing gdg dashboards list:

root@grafana-sync-5955cfbb9-hq6kf:/# gdg dashboards list
time="2021-07-17T04:51:51Z" level=fatal msg="Error getting organizations: HTTP error 403: returns {\"message\":\"Permission denied\"}"
jotka commented 3 years ago

It seems it's related to a missing Server Admin role. I mean, using this API token I'm not able to list the organizations using the REST API either.

The question is: do we really need gdg to have a Server Admin role? Having just the Admin role (within the organization) should be enough. I mean, there is no need to read organizations.

jotka commented 3 years ago

This is where it fails: https://github.com/netsage-project/grafana-dashboard-manager/blob/c03561b2c7e0371c9e184fb82ee90d42246e357f/api/dashboards.go#L24

If the organization is specified in the config (as it is in my case), this should not query all organizations. That would allow limiting the permission for the API key to the organization admin only.

safaci2000 commented 3 years ago

For the most part, GDG is used for all kinds of operations, like datasources import for example, or granting a user admin permissions. I think of it as a Grafana management tool. I realize that permissions will vary a lot based on what you're trying to do, but as there's no easy way to manage which endpoint needs what permissions without building a whole permission-tracking system, you really should just assume god mode is required.

GDG will always try to do a best effort if you give it a lower level of permission. If you want to contribute a patch that will gracefully fail when it can't get the Orgs, you can, but IMO assume server admin is required to use GDG.

jotka commented 3 years ago

> GDG will always try to do a best effort if you give it lower level of permission

It is simply not true, as all I want is to pull/put a dashboard. It starts by listing the organisations, which requires the server admin role. So it's not the lowest level of permissions ;)

safaci2000 commented 3 years ago

I mean it will try to make the call no matter which credentials you give it. If it succeeds, it'll give you the response; if not, it'll fail, having done its best.

See if this fixes it for you, but I honestly think you should assume this is an admin tool: https://github.com/netsage-project/grafana-dashboard-manager/commit/19cd76b0f2206cb0d4aee05522eed8991ffe376b

safaci2000 commented 3 years ago

I opened up a new ticket for this: https://github.com/netsage-project/grafana-dashboard-manager/issues/37. Will close this out and will try to fix this behavior in the 1.6 release. That being said, I still think you should assume 'Server Admin' is required, but will try to make it fail more gracefully and continue to do the best it can when it encounters recoverable issues.

jotka commented 3 years ago

Super, many thanks, @safaci2000

safaci2000 commented 3 years ago

@jotka I need to get someone to do the code review, but https://github.com/netsage-project/grafana-dashboard-manager/pull/38 will address your concerns.
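
The fallback discussed in this thread, sketched against Grafana's HTTP API as an added example (not gdg's code and not the contents of the linked commit or PR): try the server-wide `GET /api/orgs`, and on a 403 fall back to `GET /api/org`, which returns the organization the key itself belongs to. `ResolveOrg`, `get` and the `Org` struct are hypothetical names chosen for this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Org holds the two fields of a Grafana organization that this sketch needs.
type Org struct {
	ID   int64  `json:"id"`
	Name string `json:"name"`
}

// get sends an API-key GET and decodes a 200 body into out; it also returns the HTTP status.
func get(c *http.Client, url, token string, out any) (int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, fmt.Errorf("GET %s: HTTP %d", url, resp.StatusCode)
	}
	return resp.StatusCode, json.NewDecoder(resp.Body).Decode(out)
}

// ResolveOrg (hypothetical, not gdg code) treats a 403 on /api/orgs as recoverable via /api/org.
func ResolveOrg(c *http.Client, base, token, want string) (Org, error) {
	var all []Org
	status, err := get(c, base+"/api/orgs", token, &all)
	if status == http.StatusForbidden {
		all = make([]Org, 1)
		_, err = get(c, base+"/api/org", token, &all[0])
	}
	if err != nil {
		return Org{}, err
	}
	for _, o := range all {
		if o.Name == want {
			return o, nil
		}
	}
	return Org{}, fmt.Errorf("organization %q not visible to this key", want)
}
```

With an organization-level Admin key this resolves only the key's own organization; any other configured name still fails, but with a message that points at the key's scope rather than a fatal 403.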