search

hassio-addons / addon-grafana

Grafana - Home Assistant Community Add-ons
https://addons.community
MIT License
221 stars 61 forks source link

Allow non-admins to use Grafana #239

Closed CarlosGS closed 2 years ago

CarlosGS commented 2 years ago

Proposed Changes

Set panel_admin: false to also allow non-administrators to use the addon.

It is this change https://github.com/hassio-addons/addon-grocy/pull/256 but for Grafana :)

Related Issues

https://github.com/hassio-addons/addon-grafana/issues/100, https://github.com/home-assistant/frontend/issues/5907

frenck commented 2 years ago

I am not sure I would consider this an non-admin tool to be honest

CarlosGS commented 2 years ago

The issue with making it available to non admins is that they could potentially change Grafana's configuration/dashboards, isn't it? In my view Grafana is a reasonably non-admin feature, though maybe it would be better to make this configurable. But I'm not sure it would be possible to do this without other changes higher up.

As always this depends on the use case. I use it as a visualization addon, where it would be very useful to allow non admins to see the data while avoiding trusting them to modify sensor nodes, system settings, automations, etc. In this case the setup would benefit from not giving them full admin rights, to reduce the risk of breaking things.

frenck commented 2 years ago

In my view Grafana is a reasonably non-admin feature,

I don't share that vision, sorry.

though maybe it would be better to make this configurable

That is a limitation of the platform, an add-on cannot make this configurable.

I'm going to friendly decline this PR. Thanks for willing to contribute though 👍

CarlosGS commented 2 years ago

No problem, Frankness is a virtue :smile: Thinking of another solution though. Currently to have non-admins view Grafana it seems to be necessary to set up anonymous access and then expose an additional port. At least that is the consensus in the forum and the other github threads. Another problem is that it can't be done with Cloud as the exposed port goes outside ingress.

The new proposal is to keep using the Grafana admin credentials when opening it via a HASS administrator account; but when logging in through a non-admin account, then select the anonymous read-only credentials. As everything would go through ingress we'd avoid exposing an extra port, and non-admins would be read-only in Grafana. Would this be more reasonable?