英文:
In Grafana, how to limit users to view data belonging to their org's only?
问题
在Prometheus中,我们有不同的任务来从不同的团队收集数据,命名方式类似于 "Team A - Node exporter, Team B - node exporter"。在Grafana中,我们通过团队名称定义了组织,以便其组织中的用户仅能为自己设置仪表板。然而,这不会分隔收集的数据,Org A(Team A)中的用户仍然可以看到Org B(Team B)的服务器指标。
作为Grafana服务器管理员,是否有一种方式可以在Grafana中配置,以限制Org A中的用户仅查看Team A的服务器指标?
希望找到一种方法来限制Grafana Org中的用户只能看到他/她团队的数据。
英文:
In Prometheus, we have different jobs to collect data from different teams, naming like "Team A - Node exporter, Team B - node exporter". In Grafana, we defined Orgs by team name so that user in their Org can set dashboard for themselves only. However, this will not segregate collected data, user in Org A(Team A) can still see metrics of servers from Org B (Team B).
As a Grafana Server Admin, is there any way that I can configure in Grafana to restrict users in Org A to check metrics of servers in Team A only?
Hope to find a way to restrict users in Grafana Org can see the data from his/her team only.
答案1
得分: 1
[I]s there any way that I can configure in Grafana to restrict users in Org A to check metrics of servers in Team A only?
没有。Prometheus 不提供任何访问控制功能。没有这样的功能,Grafana 将需要引入查询修改算法,以添加某些选择器以进行访问控制。
我唯一能想象实现您的想法的方式(没有查询代理,将基于组织重写所有查询)是完全隔离您的数据:创建第二个 Prometheus 实例,将组织 B 的目标移至其中,并将此实例配置为 Grafana 中组织 B 的数据源。
英文:
>[I]s there any way that I can configure in Grafana to restrict users in Org A to check metrics of servers in Team A only?
No. Prometheus doesn't provide any access control functionality. Without such a functionality Grafana would need to introduce query modification algorithm, that will add some selectors for such access control.
The only way I could imagine realization of your idea (without query proxy, that will rewrite all queries based on organization) is to completely segregate your data: create second instance of Prometheus, move targets of organization B to it, and configure this instance as data source for organization B in Grafana.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论