I have a dashboard in superset, to which I want to give readonly access to some users and that user should also be able to view that dashboard in Dashboard tab.
I have created a Readonly user and have given him datasource access used in that dashboard and Gamma role. After logging into Superset with the user I don't see any dashboard in the Dashboard tab, but I am able to open the dashboard using the direct URL. And the Edit dashboard button is disabled over there.
If I add this user to the owners of the dashboard, I can see the dashboard in the Dashboard tab, but opening it enables the Edit button also, which I don't want.
Is there a midway to assign access to the user so he can see the dashboard in the list of dashboards and open it, but not edit it?
Set the following permissions for the public role and assign the user to that role:
[can dashboard on Superset, can explorev2 on Superset, can explore json on Superset, can csrf token on Superset, can csv on Superset, datasource access on [DATASOURCE][DATABASE], can list on DashboardModelViewAsync, can list on DashboardModelView]
You just need to replace datasource access on [DATASOURCE][DATABASE] with your public datasource and database name.
When I create a User in my realm, and click the Role Mappings tab, according to every SO post I see there should be a way to select the realm roles to apply. But in my case I am not seeing them.
This is what I see:
I am trying to add the manage_users role, so I can use this User to manage users via the API. But almost all the realm roles are missing from the Role Mapping tab.
Can anyone enlighten me about what else I need to do so the realm roles appear, especially the realm_management ones?
In the Role Mappings tab
You need to click on the Assign role button
which will pop up the following menu:
and from there you can find the client and realm roles.
"I am trying to add the manage_users role, so I can use this User to manage users via the API."
If in the previous menu you change Filter by realm roles to Filter by clients, the following menu shows up:
and in the Search by role name field type realm-management:
select manage_users and then click Assign. You should see that role being assigned to your user.
I want to automate creating users and adding permissions. Is it possible in Grafana to dynamically add permissions to a user based on AD group?
Let's say a user inputs his data including the AD group he is in, and the app will create a folder and set read/edit permissions only for users that are in that AD group (which can be any group)?
I know you can set viewer/editor/admin roles for people based on AD group in the config file, but is it possible to do so dynamically, with their HTTP API?
You can set permissions for folders and permissions for dashboards using the Grafana HTTP API:
Folder Permissions API
Dashboard Permissions API
The logic, what permission should be set for which user, needs to be determined in your code (e.g. based on the user input you mentioned) before making the request.
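An added example (not part of the original answer) of that logic in Python: it builds the folder-creation request and the folder permissions request from a set of AD-group grants. The host, the AD group names and the group-to-team-id mapping are constructed assumptions; the permission POST replaces the folder's whole permission list, so role-wide Viewer/Editor entries that are not listed are dropped.

```python
import json
import urllib.request

GRAFANA = "https://grafana.example.test"          # placeholder host (assumption)
PERMISSION = {"view": 1, "edit": 2, "admin": 4}   # levels used by the permissions API

# Constructed mapping: AD group name -> id of the Grafana team that mirrors it.
TEAM_FOR_AD_GROUP = {"ad-payments-dev": 7, "ad-payments-ops": 12}

def folder_acl(grants, team_map=TEAM_FOR_AD_GROUP):
    """Turn {ad_group: "view"|"edit"|"admin"} into the permissions request body.

    Unknown groups or levels raise instead of being silently skipped, so a typo
    in user input cannot end up as a folder with a wider or emptier ACL than intended.
    """
    items = []
    for group, level in sorted(grants.items()):
        if group not in team_map:
            raise KeyError(f"no Grafana team mapped for AD group {group!r}")
        if level not in PERMISSION:
            raise ValueError(f"unknown permission level {level!r}")
        items.append({"teamId": team_map[group], "permission": PERMISSION[level]})
    return {"items": items}

def api_request(path, api_token, body):
    """Build (not send) an authenticated JSON POST to the Grafana HTTP API."""
    req = urllib.request.Request(GRAFANA + path, data=json.dumps(body).encode(),
                                 method="POST")
    req.add_header("Authorization", f"Bearer {api_token}")
    req.add_header("Content-Type", "application/json")
    return req

def create_folder_request(title, api_token):
    """POST /api/folders; the response carries the new folder's uid."""
    return api_request("/api/folders", api_token, {"title": title})

def set_folder_permissions_request(folder_uid, grants, api_token):
    """POST /api/folders/<uid>/permissions with only the listed teams."""
    return api_request(f"/api/folders/{folder_uid}/permissions", api_token,
                       folder_acl(grants))
```

Pass each built request to `urllib.request.urlopen` to execute it; the `uid` returned by the folder creation call is the `folder_uid` for the second request.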
I need to inspect a possibility to create a role in the Keycloak admin GUI with predefined attributes. Can these attributes be saved and appear in every new role?
I've searched many resources and repos but could not find the answer.
I use Keycloak 18.0.2 working on Quarkus.
You can add (or update) a list of attributes for a role
Get the master realm token
see the Create a oauth-token for integration tests
Get the my-realm roles list - copy the name of the role you want to add attributes to
Update attribute
Check that the attributes were added
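The steps above as an added Python example (not the original answer's commands, which did not survive on this page): it builds the master-realm token request and the role update against the Keycloak Admin REST API. The host, the `admin-cli` password grant and the sample role are assumptions; the update merges into the role's existing representation so attributes already on the role are kept.

```python
import json
import urllib.parse
import urllib.request

# Placeholder host (assumption). The Quarkus distribution serves without /auth by default.
BASE = "https://keycloak.example.test"

def token_request(username, password):
    """Step 1: password-grant token request to the master realm (admin-cli client)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    return urllib.request.Request(f"{BASE}/realms/master/protocol/openid-connect/token",
                                  data=form, method="POST")

def admin_request(method, path, token, body=None):
    """Build an Admin REST API request below /admin/realms/."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{BASE}/admin/realms/{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req

def merge_attributes(role, new_attrs):
    """Copy a RoleRepresentation and merge new_attrs in; values become lists of strings."""
    attrs = {k: list(v) for k, v in (role.get("attributes") or {}).items()}
    for key, value in new_attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        attrs[key] = [str(v) for v in values]
    return {**role, "attributes": attrs}

def role_path(realm, role_name):
    """Steps 2 and 4 GET this path; step 3 PUTs to it."""
    return f"{realm}/roles/{urllib.parse.quote(role_name, safe='')}"

def update_role_request(realm, role, new_attrs, token):
    """Step 3: PUT the merged representation back to the role, addressed by name."""
    return admin_request("PUT", role_path(realm, role["name"]), token,
                         merge_attributes(role, new_attrs))

def send(req):
    """Execute a built request and decode the JSON body, if any."""
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

# Constructed sample of a single role as returned by GET {realm}/roles/{name}.
SAMPLE_ROLE = {"id": "00000000-0000-0000-0000-000000000000", "name": "report viewer",
               "composite": False, "clientRole": False, "attributes": {"team": ["bi"]}}
```

Against a live server the flow is `send(token_request(...))["access_token"]`, then `send(admin_request("GET", role_path(realm, name), token))` to fetch the role before and after the update.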
All of the following options leak all your account's CloudWatch data.
1. Sharing dashboards via AWS console
Warning
All people who you share the dashboard with are granted the permissions listed in Permissions that are granted to people who you share the dashboard with for the account. If you share the dashboard publicly, then everyone who has the link to the dashboard has these permissions.
The cloudwatch:GetMetricData and ec2:DescribeTags permissions cannot be scoped down to specific metrics or EC2 instances, so the people with access to the dashboard can query all CloudWatch metrics and the names and tags of all EC2 instances in the account.
Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html
2. Adding CloudWatch datasource to Grafana and permit user access to the dashboards in scope only
For example: In a Grafana instance with one data source, one dashboard, and one panel that has one query defined, you might assume that a Viewer can only see the result of the query defined in that panel. Actually, the Viewer has access to send any query to the data source. With a command-line tool like curl (there are lots of tools for this), the Viewer can make their own query to the data source and potentially access sensitive data.
Reference: https://grafana.com/docs/grafana/latest/administration/security/
3. Cross account sharing
The same problem arises: all of the account's CloudWatch data is being shared.
Reference: https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html
Cumbersome approach:
Build a backend service that fetches the dashboard relevant data and exposes it in a format that can be read by Grafana. Afterwards one still has to build a dashboard based on that data. Is there an easier way?
Is it possible to list all roles stored in a vault backend? I can't seem to find any reference on how to do so.
From the documentation, it seems possible to list a role given the role name, through auth/approle/role/my-role, for example, but I don't see any references on how to list all roles stored in a vault server.
EDIT
I would recommend viewing roles through the CLI. Viewing roles through the UI seems to show all roles instead of those assigned to a given auth method.
Viewing roles using the UI
Click the "Access" tab
Click "View Configuration" under the three dot dropdown for the auth method you're interested in
Click the "Roles" tab at the top
Viewing roles using the CLI
Roles are listed under Authentication Methods in Vault. You can view which authentication methods you have enabled (or enable new ones) by visiting the UI and clicking on the "Access" tab at the top.
From there you can list roles using the following command:
vault list auth/{auth_method}/role
Where {auth_method} is one of the enabled authentication methods listed in the "Access" tab.
For example, if you enabled the kubernetes auth method, you would list roles associated with this method by running the following:
vault list auth/kubernetes/role
It depends on what auth method you created; based on the auth method, you can list roles.
Example:
# vault list auth/aws/role
# vault read auth/aws/role/role-name