11 KiB
| aliases | canonical | description | keywords | labels | title | menuTitle | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
https://grafana.com/docs/grafana/latest/developer-resources/api-reference/http-api/api-legacy/datasource_permissions/ | Data Source Permissions API |
|
|
Data source permissions HTTP API | Data source permissions HTTP API |
Data source Permissions API
{{< docs/shared lookup="developers/deprecated-apis.md" source="grafana" version="<GRAFANA_VERSION>" >}}
The Data Source Permissions is only available in Grafana Enterprise. Read more about Grafana Enterprise.
If you are running Grafana Enterprise, for some endpoints you'll need to have specific permissions. Refer to Role-based access control permissions for more information.
This API can be used to list, add and remove permissions for a data source.
Permissions can be set for a user, team, service account or a basic role (Admin, Editor, Viewer).
Optional ds_type query parameter
Every endpoint in this API accepts an optional query parameter ds_type. Set it to the data source plugin type (for example prometheus or loki). Use ds_type when more than one data source in the organization shares the same UID so Grafana can resolve the correct instance.
Get permissions for a data source
GET /api/access-control/datasources/:uid
Gets all existing permissions for the data source with the given uid.
Append ?ds_type=<TYPE> when you need to disambiguate the UID; refer to Optional ds_type query parameter.
Required permissions
See note in the introduction for an explanation.
| Action | Scope |
|---|---|
| datasources.permissions:read | datasources:* datasources:uid:* datasources:uid:my_datasource (single data source) |
Examples
Example request:
GET /api/access-control/datasources/my_datasource HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
Example request (with ds_type when the UID is not unique):
GET /api/access-control/datasources/my_datasource?ds_type=prometheus HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 551
[
{
"id": 1,
"roleName": "fixed:datasources:reader",
"isManaged": false,
"isInherited": false,
"isServiceAccount": false,
"userId": 1,
"userLogin": "admin_user",
"userAvatarUrl": "/avatar/admin_user",
"actions": [
"datasources:read",
"datasources:query",
"datasources:read",
"datasources:query",
"datasources:write",
"datasources:delete"
],
"permission": "Edit"
},
{
"id": 2,
"roleName": "managed:teams:1:permissions",
"isManaged": true,
"isInherited": false,
"isServiceAccount": false,
"team": "A team",
"teamId": 1,
"teamAvatarUrl": "/avatar/523d70c8551046f441727d690431858c",
"actions": [
"datasources:read",
"datasources:query"
],
"permission": "Query"
},
{
"id": 3,
"roleName": "basic:admin",
"isManaged": false,
"isInherited": false,
"isServiceAccount": false,
"builtInRole": "Admin",
"actions": [
"datasources:query",
"datasources:read",
"datasources:write",
"datasources:delete"
],
"permission": "Edit"
},
]
Status codes:
- 200 - Ok
- 401 - Unauthorized
- 403 - Access denied
- 500 - Internal error
Add or revoke access to a data source for a user
POST /api/access-control/datasources/:uid/users/:id
Sets user permission for the data source with the given uid.
Append ?ds_type=<TYPE> when you need to disambiguate the UID; refer to Optional ds_type query parameter.
To add a permission, set the permission field to either Query, Edit, or Admin.
To remove a permission, set the permission field to an empty string.
Required permissions
See note in the introduction for an explanation.
| Action | Scope |
|---|---|
| datasources.permissions:write | datasources:* datasources:uid:* datasources:uid:my_datasource (single data source) |
Examples
Example request:
POST /api/access-control/datasources/my_datasource/users/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"permission": "Query",
}
When granting a Query permission, the user also has read access to the data source.
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{"message": "Permission updated"}
Example request:
POST /api/access-control/datasources/my_datasource/users/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"permission": "",
}
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{"message": "Permission removed"}
Status codes:
- 200 - Ok
- 400 - Permission cannot be added, see response body for details
- 401 - Unauthorized
- 403 - Access denied
Add or revoke access to a data source for a team
POST /api/access-control/datasources/:uid/teams/:id
Sets team permission for the data source with the given uid.
Append ?ds_type=<TYPE> when you need to disambiguate the UID; refer to Optional ds_type query parameter.
To add a permission, set the permission field to either Query, Edit, or Admin.
To remove a permission, set the permission field to an empty string.
When adding Query, Edit, or Admin permissions, the user implicitly has Read access.
Required permissions
See note in the introduction for an explanation.
| Action | Scope |
|---|---|
| datasources.permissions:write | datasources:* datasources:uid:* datasources:uid:my_datasource (single data source) |
Examples
Example request:
POST /api/access-control/datasources/my_datasource/teams/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"permission": "Edit",
}
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{"message": "Permission updated"}
Example request:
POST /api/access-control/datasources/my_datasource/teams/1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"permission": "",
}
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{"message": "Permission removed"}
Status codes:
- 200 - Ok
- 400 - Permission cannot be added, see response body for details
- 401 - Unauthorized
- 403 - Access denied
Add or revoke access to a data source for a basic role
POST /api/access-control/datasources/:uid/builtInRoles/:builtinRoleName
Sets permission for the data source with the given uid to all users who have the specified basic role.
Append ?ds_type=<TYPE> when you need to disambiguate the UID; refer to Optional ds_type query parameter.
You can set permissions for the following basic roles: Admin, Editor, Viewer.
To add a permission, set the permission field to either Query, Edit, or Admin.
To remove a permission, set the permission field to an empty string.
Required permissions
See note in the introduction for an explanation.
| Action | Scope |
|---|---|
| datasources.permissions:write | datasources:* datasources:uid:* datasources:uid:my_datasource (single data source) |
Examples
Example request:
POST /api/access-control/datasources/my_datasource/builtInRoles/Admin
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"permission": "Edit",
}
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{"message": "Permission updated"}
Example request:
POST /api/access-control/datasources/my_datasource/builtInRoles/Viewer
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"permission": "",
}
Example response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{"message": "Permission removed"}
Status codes:
- 200 - Ok
- 400 - Permission cannot be added, see response body for details
- 401 - Unauthorized
- 403 - Access denied