I would like to expose certain Grafana dashboards to certain Home Assistant users, and otherwise enforce certain permissions so that other users of my Home Assistant instance cannot alter or delete dashboards I have made. Ideally, I would be able to do this without disabling Home Assistant's ingress or built-in authentication.
Proposed changes
I manged to get this working (possibly?) by setting the grafana_ingress_user variable to $http_x_remote_user_name. This leverages the fact that Grafana is already configured to use the auth proxy feature, and simply passing it the user's credentials from Ingress.
It seems to work at least tolerably, with Grafana having created a new admin user for me automatically upon first login:
I'm unsure how well this capability would scale, nor if there are any other side effects to this, but it does look like this could pave the way to HASS users getting special permissions in Grafana as well.
Is this a viable strategy moving forward for this use case, and is there anything that the configuration can do to better handle this case (e.g. reading from X-Remote-User-Name directly?)
Problem/Motivation
I would like to expose certain Grafana dashboards to certain Home Assistant users, and otherwise enforce certain permissions so that other users of my Home Assistant instance cannot alter or delete dashboards I have made. Ideally, I would be able to do this without disabling Home Assistant's ingress or built-in authentication.
Proposed changes
I manged to get this working (possibly?) by setting the
grafana_ingress_uservariable to$http_x_remote_user_name. This leverages the fact that Grafana is already configured to use the auth proxy feature, and simply passing it the user's credentials from Ingress.It seems to work at least tolerably, with Grafana having created a new admin user for me automatically upon first login:
I'm unsure how well this capability would scale, nor if there are any other side effects to this, but it does look like this could pave the way to HASS users getting special permissions in Grafana as well.
Is this a viable strategy moving forward for this use case, and is there anything that the configuration can do to better handle this case (e.g. reading from
X-Remote-User-Namedirectly?)