diff --git a/.betterer.results b/.betterer.results index 3a494c83187..14950426b59 100644 --- a/.betterer.results +++ b/.betterer.results @@ -62,7 +62,7 @@ exports[`no enzyme tests`] = { "packages/jaeger-ui-components/src/TraceTimelineViewer/VirtualizedTraceView.test.js:551014442": [ [13, 26, 13, "RegExp match", "2409514259"] ], - "packages/jaeger-ui-components/src/TraceTimelineViewer/index.test.js:276996587": [ + "packages/jaeger-ui-components/src/TraceTimelineViewer/index.test.js:1541367299": [ [14, 19, 13, "RegExp match", "2409514259"] ], "public/app/core/components/Select/MetricSelect.test.tsx:1074737147": [ @@ -3910,9 +3910,6 @@ exports[`better eslint`] = { [0, 0, 0, "Do not use any type assertions.", "0"], [0, 0, 0, "Do not use any type assertions.", "1"] ], - "public/app/features/alerting/unified/components/rules/RulesGroup.test.tsx:5381": [ - [0, 0, 0, "Unexpected any. Specify a different type.", "0"] - ], "public/app/features/alerting/unified/components/silences/SilencesEditor.tsx:5381": [ [0, 0, 0, "Do not use any type assertions.", "0"] ], @@ -7778,10 +7775,6 @@ exports[`better eslint`] = { [0, 0, 0, "Do not use any type assertions.", "1"], [0, 0, 0, "Do not use any type assertions.", "2"] ], - "public/app/plugins/datasource/mssql/config_ctrl.ts:5381": [ - [0, 0, 0, "Unexpected any. Specify a different type.", "0"], - [0, 0, 0, "Unexpected any. Specify a different type.", "1"] - ], "public/app/plugins/datasource/mysql/datasource.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], [0, 0, 0, "Unexpected any. Specify a different type.", "1"], @@ -7802,8 +7795,7 @@ exports[`better eslint`] = { ], "public/app/plugins/datasource/mysql/module.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], - [0, 0, 0, "Unexpected any. Specify a different type.", "1"], - [0, 0, 0, "Unexpected any. Specify a different type.", "2"] + [0, 0, 0, "Unexpected any. Specify a different type.", "1"] ], "public/app/plugins/datasource/mysql/mysql_query_model.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], @@ -8006,15 +7998,6 @@ exports[`better eslint`] = { "public/app/plugins/datasource/opentsdb/types.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"] ], - "public/app/plugins/datasource/postgres/config_ctrl.ts:5381": [ - [0, 0, 0, "Unexpected any. Specify a different type.", "0"], - [0, 0, 0, "Unexpected any. Specify a different type.", "1"], - [0, 0, 0, "Unexpected any. Specify a different type.", "2"], - [0, 0, 0, "Unexpected any. Specify a different type.", "3"], - [0, 0, 0, "Unexpected any. Specify a different type.", "4"], - [0, 0, 0, "Unexpected any. Specify a different type.", "5"], - [0, 0, 0, "Unexpected any. Specify a different type.", "6"] - ], "public/app/plugins/datasource/postgres/datasource.test.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], [0, 0, 0, "Unexpected any. Specify a different type.", "1"], @@ -8035,9 +8018,7 @@ exports[`better eslint`] = { [0, 0, 0, "Do not use any type assertions.", "11"], [0, 0, 0, "Unexpected any. Specify a different type.", "12"], [0, 0, 0, "Unexpected any. Specify a different type.", "13"], - [0, 0, 0, "Unexpected any. Specify a different type.", "14"], - [0, 0, 0, "Unexpected any. Specify a different type.", "15"], - [0, 0, 0, "Unexpected any. Specify a different type.", "16"] + [0, 0, 0, "Unexpected any. Specify a different type.", "14"] ], "public/app/plugins/datasource/postgres/module.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], @@ -8922,6 +8903,9 @@ exports[`better eslint`] = { "public/app/plugins/panel/canvas/editor/PlacementEditor.tsx:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"] ], + "public/app/plugins/panel/canvas/editor/TreeNavigationEditor.tsx:5381": [ + [0, 0, 0, "Unexpected any. Specify a different type.", "0"] + ], "public/app/plugins/panel/canvas/editor/elementEditor.tsx:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], [0, 0, 0, "Do not use any type assertions.", "1"], @@ -9390,13 +9374,7 @@ exports[`better eslint`] = { [0, 0, 0, "Unexpected any. Specify a different type.", "3"], [0, 0, 0, "Unexpected any. Specify a different type.", "4"], [0, 0, 0, "Unexpected any. Specify a different type.", "5"], - [0, 0, 0, "Unexpected any. Specify a different type.", "6"], - [0, 0, 0, "Unexpected any. Specify a different type.", "7"], - [0, 0, 0, "Unexpected any. Specify a different type.", "8"], - [0, 0, 0, "Unexpected any. Specify a different type.", "9"], - [0, 0, 0, "Unexpected any. Specify a different type.", "10"], - [0, 0, 0, "Unexpected any. Specify a different type.", "11"], - [0, 0, 0, "Unexpected any. Specify a different type.", "12"] + [0, 0, 0, "Unexpected any. Specify a different type.", "6"] ], "public/app/plugins/panel/graph/time_regions_form.ts:5381": [ [0, 0, 0, "Unexpected any. Specify a different type.", "0"], diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index e202f47c2e4..c0a6188a87a 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -74,7 +74,7 @@ jobs: repository: "grafana/grafana-github-actions" path: ./actions ref: main - - uses: actions/setup-node@v3.3.0 + - uses: actions/setup-node@v3.4.0 with: node-version: '16' - name: Install Actions diff --git a/.github/workflows/cloud-data-sources-code-coverage.yml b/.github/workflows/cloud-data-sources-code-coverage.yml index f49cd30e3a2..8e1e0767c50 100644 --- a/.github/workflows/cloud-data-sources-code-coverage.yml +++ b/.github/workflows/cloud-data-sources-code-coverage.yml @@ -14,4 +14,7 @@ on: jobs: workflow-call: - uses: grafana/code-coverage/.github/workflows/code-coverage.yml@v0.1.2 + uses: grafana/code-coverage/.github/workflows/code-coverage.yml@v0.1.6 + with: + frontend-path-regexp: public\/app\/plugins\/datasource\/(grafana-azure-monitor-datasource|cloud-monitoring|cloudwatch) + backend-path-regexp: pkg\/tsdb\/(azuremonitor|cloudmonitoring|cloudwatch) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6a6b6387ac3..b809b1030e1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v3 - run: git clone --single-branch --no-tags --depth 1 -b master https://grafanabot:${{ secrets.GH_BOT_ACCESS_TOKEN }}@github.com/grafana/website-sync ./.github/actions/website-sync - name: generate-packages-docs - uses: actions/setup-node@v3.3.0 + uses: actions/setup-node@v3.4.0 id: generate-docs with: node-version: '16' diff --git a/.pa11yci-pr.conf.js b/.pa11yci-pr.conf.js index dc01c7857c2..36990b28bde 100644 --- a/.pa11yci-pr.conf.js +++ b/.pa11yci-pr.conf.js @@ -96,7 +96,7 @@ var config = { url: '${HOST}/org/apikeys', wait: 500, rootElement: '.main-view', - threshold: 0, + threshold: 4, }, { url: '${HOST}/dashboards', diff --git a/conf/defaults.ini b/conf/defaults.ini index 9aa4a63459f..394c5dee1a0 100644 --- a/conf/defaults.ini +++ b/conf/defaults.ini @@ -877,6 +877,11 @@ max_concurrent_screenshots = 5 # screenshots will be persisted to disk for up to temp_data_lifetime. upload_external_image_storage = false +[unified_alerting.reserved_labels] +# Comma-separated list of reserved labels added by the Grafana Alerting engine that should be disabled. +# For example: `disabled_labels=grafana_folder` +disabled_labels = + #################################### Alerting ############################ [alerting] # Enable the legacy alerting sub-system and interface. If Unified Alerting is already enabled and you try to go back to legacy alerting, all data that is part of Unified Alerting will be deleted. When this configuration section and flag are not defined, the state is defined at runtime. See the documentation for more details. diff --git a/conf/sample.ini b/conf/sample.ini index 5a2d623dec8..17fbf9cc500 100644 --- a/conf/sample.ini +++ b/conf/sample.ini @@ -847,6 +847,11 @@ # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m. ;min_interval = 10s +[unified_alerting.reserved_labels] +# Comma-separated list of reserved labels added by the Grafana Alerting engine that should be disabled. +# For example: `disabled_labels=grafana_folder` +;disabled_labels = + #################################### Alerting ############################ [alerting] # Disable legacy alerting engine & UI features diff --git a/contribute/localisation.md b/contribute/localization.md similarity index 98% rename from contribute/localisation.md rename to contribute/localization.md index 97f4ed8d284..97a220732b8 100644 --- a/contribute/localisation.md +++ b/contribute/localization.md @@ -191,4 +191,4 @@ import { Plural } from "@lingui/macro" ## Documentation -[Grafana's documentation](https://grafana.com/docs/grafana/latest/) is not yet open for translation and should be authored in English only. +[Grafana's documentation](https://grafana.com/docs/grafana/latest/) is not yet open for translation and should be authored in American English only. diff --git a/docs/sources/administration/api-keys/_index.md b/docs/sources/administration/api-keys/_index.md index 630058d9c85..db87e5aff97 100644 --- a/docs/sources/administration/api-keys/_index.md +++ b/docs/sources/administration/api-keys/_index.md @@ -18,7 +18,7 @@ An API key is a randomly generated string that external systems use to interact When you create an API key, you specify a **Role** that determines the permissions associated with the API key. Role permissions control that actions the API key can perform on Grafana resources. -> **Note:** If you use Grafana v8.5 or newer, use service accounts instead of API keys. For more information, refer to [Service accounts]({{< relref "../service-accounts/" >}}). +> **Note:** If you use Grafana v8.5 or newer, use service accounts instead of API keys. For more information, refer to [Grafana service accounts]({{< relref "../service-accounts/" >}}). {{< section >}} @@ -30,7 +30,7 @@ This topic shows you how to create an API key using the Grafana UI. You can also ### Before you begin: -- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}). +- Ensure you have permission to create and edit API keys. For more information about permissions, refer to [Roles and permissions]({{< relref "../roles-and-permissions/#" >}}). **To create an API key:** @@ -44,3 +44,28 @@ This topic shows you how to create an API key using the Grafana UI. You can also - The maximum length of time is 30 days (one month). You enter a number and a letter. Valid letters include `s` for seconds,`m` for minutes, `h` for hours, `d `for days, `w` for weeks, and `M `for month. For example, `12h` is 12 hours and `1M` is 1 month (30 days). - If you are unsure about how long an API key should be valid, we recommend that you choose a short duration, such as a few hours. This approach limits the risk of having API keys that are valid for a long time. 1. Click **Add**. + +## Migrate API Keys to Grafana service accounts + +You can migrate one or all API keys to [Grafana service accounts]({{< relref "../service-accounts/" >}}). When you migrate an API key to a service account, a service account will be created with a service account token. +The API key will continue to work, and you can find it in the [Grafana service account tokens]({{< relref "../service-accounts/#service-account-benefits/#service-account-tokens" >}}) details. +For more information about benefits of service accounts, refer to [Grafana service account benefits]({{< relref "../service-accounts/#service-account-benefits" >}}). + +You can choose to migrate a single API key or all API keys. Note that when you migrate all API keys, you can't create new API keys anymore and will have to use service accounts instead. + +### Before you begin + +- Ensure you have permission to create Grafana service accounts. For more information about permissions, refer to [Roles and permissions]({{< relref "../roles-and-permissions/#" >}}). + +**To migrate all API keys to service accounts:** + +1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**. +1. In the top of the page, find the section which says **Switch from API keys to service accounts** +1. Click **Migrate now**. +1. Once migration is successful, you can choose to forever hide the API keys tab and use service accounts from there on. Click **Go to service accounts tab and never show API keys tab again** if you want to do that. + +**To migrate single API key to a service account:** + +1. Sign in to Grafana, hover your cursor over **Configuration** (the gear icon), and click **API Keys**. +1. Find the API Key you want to migrate. +1. Click **Migrate**. diff --git a/docs/sources/administration/roles-and-permissions/access-control/assign-rbac-roles.md b/docs/sources/administration/roles-and-permissions/access-control/assign-rbac-roles.md index c0406946b60..923ce7112ba 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/assign-rbac-roles.md +++ b/docs/sources/administration/roles-and-permissions/access-control/assign-rbac-roles.md @@ -17,39 +17,37 @@ In this topic you'll learn how to use the role picker, provisioning, and the HTT This section describes how to: -- Assign a fixed role to a user or team as an organization administrator. +- Assign a fixed role to a user, team or service account as an organization administrator. - Assign a fixed role to a user as a server administrator. This approach enables you to assign a fixed role to a user in multiple organizations, without needing to switch organizations. -In both cases, the assignment applies only to the user or team within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations. - -> **Note:** After you apply your changes, user and team permissions update immediately, and the UI reflects the new permissions the next time they reload their browser or visit another page. +In both cases, the assignment applies only to the user, team or service account within the affected organization, and no other organizations. For example, if you grant the user the **Data source editor** role in the **Main** organization, then the user can edit data sources in the **Main** organization, but not in other organizations.
**Before you begin:** - [Plan your RBAC rollout strategy]({{< relref "./plan-rbac-rollout-strategy/" >}}). -- Identify the fixed roles that you want to assign to the user or team. +- Identify the fixed roles that you want to assign to the user, team or service account. For more information about available fixed roles, refer to [RBAC role definitions]({{< relref "./rbac-fixed-basic-role-definitions/" >}}). - Ensure that your own user account has the correct permissions: - - If you are assigning permissions to a user or team within an organization, you must have organization administrator or server administrator permissions. + - If you are assigning permissions to a user, team or service account within an organization, you must have organization administrator or server administrator permissions. - If you are assigning permissions to a user who belongs to multiple organizations, you must have server administrator permissions. - Your Grafana user can also assign fixed role if it has either the `fixed:roles:writer` fixed role assigned to the same organization to which you are assigning RBAC to a user, or a custom role with `users.roles:add` and `users.roles:remove` permissions. - Your own user account must have the roles you are granting. For example, if you would like to grant the `fixed:users:writer` role to a team, you must have that role yourself.
-**To assign a fixed role to a user or team:** +**To assign a fixed role to a user, team or service account:** 1. Sign in to Grafana. -2. Switch to the organization that contains the user or team. +2. Switch to the organization that contains the user, team or service account. For more information about switching organizations, refer to [Switch organizations]({{< relref "../../user-management/user-preferences/_index.md#switch-organizations" >}}). -3. Hover your cursor over **Configuration** (the gear icon) in the left navigation menu, and click **Users** or **Teams**. -4. In the **Role** column, select the fixed role that you want to assign to the user or team. +3. Hover your cursor over **Configuration** (the gear icon) in the left navigation menu, and click **Users** or **Teams** or **Service Accounts**. +4. In the **Role** column, select the fixed role that you want to assign to the user, team or service account. 5. Click **Update**. ![User role picker in an organization](/static/img/docs/enterprise/user_role_picker_in_org.png) diff --git a/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes.md b/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes.md index 9723acdb64d..a2689969228 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes.md +++ b/docs/sources/administration/roles-and-permissions/access-control/custom-role-actions-scopes.md @@ -101,6 +101,12 @@ The following list contains role-based access control actions. | `roles:write` | `permissions:type:delegate` | Create or update a custom role. | | `roles:write` | `permissions:type:escalate` | Reset basic roles to their default permissions. | | `server.stats:read` | n/a | Read Grafana instance statistics. | +| `serviceaccounts:write` | `serviceaccounts:*` | Create Grafana service accounts. | +| `serviceaccounts:create` | n/a | Update Grafana service accounts. | +| `serviceaccounts:delete` | `serviceaccounts:*` | Delete Grafana service accounts. | +| `serviceaccounts:read` | `serviceaccounts:*` | Read Grafana service accounts. | +| `serviceaccounts.permissions:write` | `serviceaccounts:*` | Update Grafana service account permissions to control who can do what with the service account. | +| `serviceaccounts.permissions:read` | `serviceaccounts:*` | Read Grafana service account permissions to see who can do what with the service account. | | `settings:read` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Read the [Grafana configuration settings]({{< relref "../../../setup-grafana/configure-grafana/" >}}) | | `settings:write` | `settings:*`
`settings:auth.saml:*`
`settings:auth.saml:enabled` (property level) | Update any Grafana configuration settings that can be [updated at runtime]({{< relref "../../../enterprise/settings-updates/" >}}). | | `status:accesscontrol` | `services:accesscontrol` | Get access-control enabled status. | @@ -120,9 +126,9 @@ The following list contains role-based access control actions. | `users.permissions:write` | `global.users:*`
`global.users:id:*` | Update a user’s organization-level permissions. | | `users.quotas:read` | `global.users:*`
`global.users:id:*` | List a user’s quotas. | | `users.quotas:write` | `global.users:*`
`global.users:id:*` | Update a user’s quotas. | -| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user. | -| `users.roles:read` | `users:*` | List roles assigned directly to a user. | -| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user. | +| `users.roles:add` | `permissions:type:delegate` | Assign a role to a user or a service account. | +| `users.roles:read` | `users:*` | List roles assigned directly to a user or a service account. | +| `users.roles:remove` | `permissions:type:delegate` | Unassign a role from a user or a service account. | | `users:create` | n/a | Create a user. | | `users:delete` | `global.users:*`
`global.users:id:*` | Delete a user. | | `users:disable` | `global.users:*`
`global.users:id:*` | Disable a user. | @@ -135,21 +141,22 @@ The following list contains role-based access control actions. The following list contains role-based access control scopes. -| Scopes | Descriptions | -| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations:*`
`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. | -| `apikeys:*`
`apikeys:id:*` | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`. | -| `dashboards:*`
`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. | -| `datasources:*`
`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. | -| `folders:*`
`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. | -| `global.users:*`
`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. | -| `orgs:*`
`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. | -| `permissions:type:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | -| `permissions:type:escalate` | The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have. | -| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./rbac-provisioning/" >}}). | -| `reports:*`
`reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. | -| `roles:*`
`roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. | -| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. | -| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | -| `teams:*`
`teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. | -| `users:*`
`users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. | +| Scopes | Descriptions | +| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `annotations:*`
`annotations:type:*` | Restrict an action to a set of annotations. For example, `annotations:*` matches any annotation, `annotations:type:dashboard` matches annotations associated with dashboards and `annotations:type:organization` matches organization annotations. | +| `apikeys:*`
`apikeys:id:*` | Restrict an action to a set of API keys. For example, `apikeys:*` matches any API key, `apikey:id:1` matches the API key whose id is `1`. | +| `dashboards:*`
`dashboards:uid:*` | Restrict an action to a set of dashboards. For example, `dashboards:*` matches any dashboard, and `dashboards:uid:1` matches the dashboard whose UID is `1`. | +| `datasources:*`
`datasources:uid:*` | Restrict an action to a set of data sources. For example, `datasources:*` matches any data source, and `datasources:uid:1` matches the data source whose UID is `1`. | +| `folders:*`
`folders:uid:*` | Restrict an action to a set of folders. For example, `folders:*` matches any folder, and `folders:uid:1` matches the folder whose UID is `1`. | +| `global.users:*`
`global.users:id:*` | Restrict an action to a set of global users. For example, `global.users:*` matches any user and `global.users:id:1` matches the user whose ID is `1`. | +| `orgs:*`
`orgs:id:*` | Restrict an action to a set of organizations. For example, `orgs:*` matches any organization and `orgs:id:1` matches the organization whose ID is `1`. | +| `permissions:type:delegate` | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment. | +| `permissions:type:escalate` | The scope is required to trigger the reset of basic roles permissions. It indicates that users might acquire additional permissions they did not previously have. | +| `provisioners:*` | Restrict an action to a set of provisioners. For example, `provisioners:*` matches any provisioner, and `provisioners:accesscontrol` matches the role-based access control [provisioner]({{< relref "./rbac-provisioning/" >}}). | +| `reports:*`
`reports:id:*` | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report whose ID is `1`. | +| `roles:*`
`roles:uid:*` | Restrict an action to a set of roles. For example, `roles:*` matches any role and `roles:uid:randomuid` matches only the role whose UID is `randomuid`. | +| `services:accesscontrol` | Restrict an action to target only the role-based access control service. You can use this in conjunction with the `status:accesscontrol` actions. | +| `serviceaccounts:*`
`serviceaccounts:id:*` | Restrict an action to a set of service account from an organization. For example, `serviceaccounts:*` matches any service account and `serviceaccount:id:1` matches the service account whose ID is `1`. | +| `settings:*` | Restrict an action to a subset of settings. For example, `settings:*` matches all settings, `settings:auth.saml:*` matches all SAML settings, and `settings:auth.saml:enabled` matches the enable property on the SAML settings. | +| `teams:*`
`teams:id:*` | Restrict an action to a set of teams from an organization. For example, `teams:*` matches any team and `teams:id:1` matches the team whose ID is `1`. | +| `users:*`
`users:id:*` | Restrict an action to a set of users from an organization. For example, `users:*` matches any user and `users:id:1` matches the user whose ID is `1`. | diff --git a/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md b/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md index 28e3437b11f..113c5f38459 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md +++ b/docs/sources/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions.md @@ -71,6 +71,9 @@ The following tables list permissions associated with basic and fixed roles. | `fixed:roles:reader` | `roles:read`
`teams.roles:read`
`users.roles:read`
`users.permissions:read` | Read all access control roles, roles and permissions assigned to users, teams. | | `fixed:roles:writer` | All permissions from `fixed:roles:reader` and
`roles:write`
`roles:delete`
`teams.roles:add`
`teams.roles:remove`
`users.roles:add`
`users.roles:remove` | Create, read, update, or delete all roles, assign or unassign roles to users, teams. | | `fixed:roles:resetter` | `roles:write` with scope `permissions:type:escalate` | Reset basic roles to their default. | +| `fixed:serviceaccounts:reader` | `serviceaccounts:read` | Read Grafana service accounts. | +| `fixed:serviceaccounts:creator` | `serviceaccounts:create` | Create Grafana service accounts. | +| `fixed:serviceaccounts:writer` | `serviceaccounts:read`
`serviceaccounts:create`
`serviceaccounts:write`
`serviceaccounts:delete`
`serviceaccounts.permissions:read`
`serviceaccounts.permissions:write` | Create, update, read and delete all Grafana service accounts and manage service account permissions. | | `fixed:settings:reader` | `settings:read` | Read Grafana instance settings. | | `fixed:settings:writer` | All permissions from `fixed:settings:reader` and
`settings:write` | Read and update Grafana instance settings. | | `fixed:stats:reader` | `server.stats:read` | Read Grafana instance statistics. | diff --git a/docs/sources/administration/service-accounts/_index.md b/docs/sources/administration/service-accounts/_index.md index 6d6fd60764c..1187a4ddeaa 100644 --- a/docs/sources/administration/service-accounts/_index.md +++ b/docs/sources/administration/service-accounts/_index.md @@ -24,7 +24,7 @@ You can use service accounts to run automated or compute workloads. A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. Create service accounts and tokens to authenticate applications like Terraform with the Grafana API. -> **Note:** Service accounts are available in Grafana 8.5+ as a beta feature. To enable service accounts, refer to the [Enable service accounts]({{< ref "#enable-service-accounts" >}}) section. Service accounts will eventually replace [API keys]({{< relref "../api-keys/" >}}) as the primary way to authenticate applications that interact with Grafana. +> **Note:** Service accounts will eventually replace [API keys]({{< relref "../api-keys/" >}}) as the primary way to authenticate applications that interact with Grafana. A common use case for creating a service account is to perform operations on automated or triggered tasks. You can use service accounts to: @@ -59,47 +59,16 @@ The added benefits of service accounts to API keys include: - Unlike API keys, service account tokens are not associated with a specific user, which means that applications can be authenticated even if a Grafana user is deleted. - You can grant granular permissions to service accounts by leveraging [role-based access control]({{< relref "../roles-and-permissions/access-control/" >}}). For more information about permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/" >}}). -## Enable service accounts in Grafana - -Service accounts are available behind the `serviceAccounts` feature toggle, available in Grafana 8.5+. - -You can enable service accounts by: - -- modifying the Grafana configuration file, or -- configuring an environment variable - -### Enable service accounts in the Grafana configuration file - -This topic shows you how to enable service accounts by modifying the Grafana configuration file. - -1. Sign in to the Grafana server and locate the configuration file. For more information about finding the configuration file, refer to LINK. -2. Open the configuration file and locate the [feature toggles section]({{< relref "../../setup-grafana/configure-grafana/#feature_toggles" >}}). Add `serviceAccounts` as a [feature_toggle]({{< relref "../../setup-grafana/configure-grafana/#feature_toggle" >}}). - -``` -[feature_toggles] -# enable features, separated by spaces -enable = serviceAccounts -``` - -1. Save your changes, Grafana should recognize your changes; in case of any issues we recommend restarting the Grafana server. - -### Enable service accounts with an environment variable - -This topic shows you how to enable service accounts by setting environment variables before starting Grafana. - -Follow the instructions to [override configuration with environment variables]({{< relref "../../setup-grafana/configure-grafana/#override-configuration-with-environment-variables" >}}). Set the following environment variable: `GF_FEATURE_TOGGLES_ENABLE = serviceAccounts`. - -> **Note:** Environment variables override configuration file settings. - ## Create a service account in Grafana A service account can be used to run automated workloads in Grafana, like dashboard provisioning, configuration, or report generation. For more information about how you can use service accounts, refer to [About service accounts]({{< ref "#about-service-accounts" >}}). For more information about creating service accounts via the API, refer to [Create a service account in the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#create-service-account" >}}). +Note that the user who created a service account will also be able to read, update and delete the service account that they created, as well as permissions associated with that service account. + ### Before you begin -- Ensure you have added the feature toggle for service accounts `serviceAccounts`. For more information about adding the feature toggle, refer to [Enable service accounts]({{< ref "#enable-service-accounts" >}}). - Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}). ### To create a service account @@ -121,7 +90,6 @@ You can create a service account token using the Grafana UI or via the API. For ### Before you begin -- Ensure you have added the `serviceAccounts` feature toggle to Grafana. For more information about adding the feature toggle, refer to [Enable service accounts]({{< ref "#enable-service-accounts" >}}). - Ensure you have permission to create and edit service accounts. By default, the organization administrator role is required to create and edit service accounts. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}). ### To add a token to a service account @@ -135,3 +103,22 @@ You can create a service account token using the Grafana UI or via the API. For - The expiry date specifies how long you want the key to be valid. - If you are unsure of an expiration date, we recommend that you set the token to expire after a short time, such as a few hours or less. This limits the risk associated with a token that is valid for a long time. 1. Click **Generate service account token**. + +## Assign roles to a service account in Grafana + +You can assign roles to a Grafana service account to control access for the associated service account tokens. +You can assign roles to a service account using the Grafana UI or via the API. For more information about assigning a role to a service account via the API, refer to [Update service account using the HTTP API]({{< relref "../../developers/http_api/serviceaccount/#update-service-account" >}}). + +In [Grafana Enterprise]({{< relref "../../enterprise/" >}}), you can also [assign RBAC roles]({{< relref "../roles-and-permissions/access-control/assign-rbac-roles" >}}) to grant very specific permissions to applications that interact with Grafana. + +### Before you begin + +- Ensure you have permission to update service accounts permissions. By default, the organization administrator role is required to update service accounts permissions. For more information about user permissions, refer to [About users and permissions]({{< relref "../roles-and-permissions/#" >}}). + +### To assign a role to a service account + +1. Sign in to Grafana, then hover your cursor over **Configuration** (the gear icon) in the sidebar. +1. Click **Service accounts**. +1. Click the service account to which you want to assign a role. As an alternative, find the service account in the list view, +1. Assign a role using the role picker. +1. Click **Update**. diff --git a/docs/sources/administration/team-management/_index.md b/docs/sources/administration/team-management/_index.md index 5a5075f9051..e46a582fcee 100644 --- a/docs/sources/administration/team-management/_index.md +++ b/docs/sources/administration/team-management/_index.md @@ -10,9 +10,9 @@ weight: 400 # Team management -A team is a group of users within an organization that have common dashboard and data source permission needs. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. A user can belong to multiple teams. +A team is a group of users or service accounts within an organization that have common dashboard and data source permission needs. For example, instead of assigning five users access to the same dashboard, you can create a team that consists of those users and assign dashboard permissions to the team. A user or a service account can belong to multiple teams. -A user can be a Member or an Administrator for a given team. Members of a team inherit permissions from the team, but they cannot edit the team itself. Team Administrators can add members to a team and update its settings, such as the team name, team member's team roles, UI preferences, and home dashboard. +A user or a service account can be a Member or an Administrator for a given team. Members of a team inherit permissions from the team, but they cannot edit the team itself. Team Administrators can add members to a team and update its settings, such as the team name, team member's team roles, UI preferences, and home dashboard. For more information about teams, refer to [Teams and permissions]({{< relref "../roles-and-permissions/#teams-and-permissions" >}}). @@ -39,7 +39,7 @@ A user can belong to multiple teams. ## Add a team member -Add a team member to an existing team whenever you want to provide access to team dashboards and folders to another user. +Add a team member to an existing team whenever you want to provide access to team dashboards and folders to another user or a service account. ### Before you begin @@ -51,7 +51,9 @@ Add a team member to an existing team whenever you want to provide access to tea 1. Sign in to Grafana as an organization administrator. 1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**. 1. Click the name of the team to which you want to add members, and click **Add member**. -1. In the **Add team member** field, locate and select a user. +1. In the **Add team member** field, choose if you want to add a user or a service account. +1. Locate and select a user or a service account. +1. Choose if you want to add a user or a service account as a team Member or an Admin. 1. Click **Add to team**. ![Add team member](/static/img/docs/manage-users/add-team-member-7-3.png) @@ -69,14 +71,14 @@ Complete this task when you want to add or modify team member permissions. 1. Sign in to Grafana as an organization administrator or a team administrator. 1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**. 1. Click the name of the team for which you want to add or modify team member permissions. -1. In the team member list, find and click the user account that you want to change. You can use the search field to filter the list if necessary. +1. In the team member list, find and click the user or service account that you want to change. You can use the search field to filter the list if necessary. 1. Click the **Permission** list, and then click the new user permission level. ![Change team member permissions](/static/img/docs/manage-users/change-team-permissions-7-3.png) ## Remove a team member -You can remove a team member when you no longer want to apply team permissions to the user. +You can remove a team member when you no longer want to apply team permissions to the user or service account. ### Before you begin @@ -86,8 +88,8 @@ You can remove a team member when you no longer want to apply team permissions t 1. Sign in to Grafana as an organization administrator or team administrator. 1. Hover your cursor over the **Configuration** (gear) icon in the side menu and click **Teams**. -1. Click a team from which you want to remove a user. -1. Click the **X** next to the name of the user. +1. Click a team from which you want to remove a user or a service account. +1. Click the **X** next to the name of the user or service account. 1. Click **Delete**. ## Delete a team diff --git a/docs/sources/alerting/alerting-limitations.md b/docs/sources/alerting/alerting-limitations.md index 58b9a955f95..b0f36ea5548 100644 --- a/docs/sources/alerting/alerting-limitations.md +++ b/docs/sources/alerting/alerting-limitations.md @@ -21,7 +21,7 @@ As an example, if the current Prometheus version is `2.31.1`, we support >= `2.2 ## Grafana is not an alert receiver -Grafana is not an alert receiver; is it an alert generator. This means that Grafana cannot receive alerts from anything other than its internal alert generator. +Grafana is not an alert receiver; it is an alert generator. This means that Grafana cannot receive alerts from anything other than its internal alert generator. Receiving alerts from Prometheus (or anything else) is not supported at the time. diff --git a/docs/sources/alerting/fundamentals/annotation-label/how-to-use-labels.md b/docs/sources/alerting/fundamentals/annotation-label/how-to-use-labels.md index 36236a822e1..af9959c7c98 100644 --- a/docs/sources/alerting/fundamentals/annotation-label/how-to-use-labels.md +++ b/docs/sources/alerting/fundamentals/annotation-label/how-to-use-labels.md @@ -26,6 +26,7 @@ This topic explains why labels are a fundamental component of alerting. # Grafana reserved labels > **Note:** Labels prefixed with `grafana_` are reserved by Grafana for special use. If a manually configured label is added beginning with `grafana_` it may be overwritten in case of collision. +> To stop the Grafana Alerting engine from adding a reserved label, you can disable it via the `disabled_labels` option in [unified_alerting.reserved_labels]({{< relref "../../../setup-grafana/configure-grafana/#unified_alertingreserved_labels" >}}) configuration. Grafana reserved labels can be used in the same way as manually configured labels. The current list of available reserved labels are: diff --git a/docs/sources/alerting/fundamentals/data-source-alerting.md b/docs/sources/alerting/fundamentals/data-source-alerting.md index 08ad66165e7..63b37387626 100644 --- a/docs/sources/alerting/fundamentals/data-source-alerting.md +++ b/docs/sources/alerting/fundamentals/data-source-alerting.md @@ -19,11 +19,11 @@ These are the data sources that are compatible with and supported by Grafana Ale - [AWS CloudWatch]({{< relref "../../datasources/aws-cloudwatch/" >}}) - [Azure Monitor]({{< relref "../../datasources/azuremonitor/" >}}) - [Elasticsearch]({{< relref "../../datasources/elasticsearch/" >}}) -- [Google Cloud Monitoring]({{< relref "../../google-cloud-monitoring/" >}}) +- [Google Cloud Monitoring]({{< relref "../../datasources/google-cloud-monitoring/" >}}) - [Graphite]({{< relref "../../datasources/graphite/" >}}) - [InfluxDB]({{< relref "influxdb/" >}}) - [Loki]({{< relref "../../datasources/loki/" >}}) -- ]Microsoft SQL Server (MSSQL)]({{< relref "../../datasources/mssql/" >}}) +- [Microsoft SQL Server (MSSQL)]({{< relref "../../datasources/mssql/" >}}) - [MySQL]({{< relref "../../datasources/mysql/" >}}) - [Open TSDB]({{< relref "../../datasources/opentsdb/" >}}) - [PostgreSQL]({{< relref "../../datasources/postgres/" >}}) diff --git a/docs/sources/alerting/migrating-alerts/_index.md b/docs/sources/alerting/migrating-alerts/_index.md index 1805123f29e..83b714edd6a 100644 --- a/docs/sources/alerting/migrating-alerts/_index.md +++ b/docs/sources/alerting/migrating-alerts/_index.md @@ -3,6 +3,7 @@ aliases: - /docs/grafana/latest/alerting/migrating-alerts/ - /docs/grafana/latest/alerting/unified-alerting/ - /docs/grafana/latest/alerting/unified-alerting/difference-old-new/ + - /docs/grafana/latest/alerting/difference-old-new/ description: Upgrade Grafana alerts title: Upgrade to Grafana Alerting weight: 101 diff --git a/docs/sources/alerting/silences/linking-to-silence-form.md b/docs/sources/alerting/silences/linking-to-silence-form.md index 84111b88294..15104e8ed97 100644 --- a/docs/sources/alerting/silences/linking-to-silence-form.md +++ b/docs/sources/alerting/silences/linking-to-silence-form.md @@ -14,8 +14,8 @@ weight: 451 # Create a URL to link to a silence form -When linking to a silence form, provide the default matching labels and comment via `matchers` and `comment` query parameters. The `matchers` parameter requires one more matching labels of the type `[label][operator][value]` joined by a comma while the `operator` parameter can be one of the following: `=` (equals, not regex), `!=` (not equals, not regex), `=~` (equals, regex), `!~` (not equals, regex). - -For example, to link to silence form with matching labels `severity=critical` & `cluster!~europe-.*` and comment `Silence critical EU alerts`, create a URL `https://mygrafana/alerting/silence/new?matchers=severity%3Dcritical%2Ccluster!~europe-*&comment=Silence%20critical%20EU%20alert`. +When linking to a silence form, provide the default matching labels and comment via `matcher` and `comment` query parameters. The `matcher` parameter should be in the following format `[label][operator][value]` where the `operator` parameter can be one of the following: `=` (equals, not regex), `!=` (not equals, not regex), `=~` (equals, regex), `!~` (not equals, regex). +The URL can contain many query parameters with the key `matcher`. +For example, to link to silence form with matching labels `severity=critical` & `cluster!~europe-.*` and comment `Silence critical EU alerts`, create a URL `https://mygrafana/alerting/silence/new?matcher=severity%3Dcritical&matcher=cluster!~europe-*&comment=Silence%20critical%20EU%20alert`. To link to a new silence page for an [external Alertmanager]({{< relref "../../datasources/alertmanager/" >}}), add a `alertmanager` query parameter with the Alertmanager data source name. diff --git a/docs/sources/best-practices/best-practices-for-managing-dashboards.md b/docs/sources/best-practices/best-practices-for-managing-dashboards.md index cc7c3e29881..bf9ffe8a48b 100644 --- a/docs/sources/best-practices/best-practices-for-managing-dashboards.md +++ b/docs/sources/best-practices/best-practices-for-managing-dashboards.md @@ -31,9 +31,9 @@ What is your dashboard maturity level? Analyze your current dashboard setup and - If you create a temporary dashboard, perhaps to test something, prefix the name with `TEST: `. Delete the dashboard when you are finished. - Copying dashboards with no significant changes is not a good idea. - You miss out on updates to the original dashboard, such as documentation changes, bug fixes, or additions to metrics. - - In many cases copies are being made to simply customize the view by setting template parameters. This should instead be done by maintaining a link to the master dashboard and customizing the view with [URL parameters]({{< relref "../linking/data-link-variables/" >}}). + - In many cases copies are being made to simply customize the view by setting template parameters. This should instead be done by maintaining a link to the master dashboard and customizing the view with [URL parameters]({{< relref "../panels/configure-data-links/#data-link-variables" >}}). - When you must copy a dashboard, clearly rename it and _do not_ copy the dashboard tags. Tags are important metadata for dashboards that are used during search. Copying tags can result in false matches. - Maintain a dashboard of dashboards or cross-reference dashboards. This can be done in several ways: - - Create dashboard links, panel, or data links. Links can go to other dashboards or to external systems. For more information, refer to [Linking]({{< relref "../linking/" >}}). + - Create dashboard links, panel, or data links. Links can go to other dashboards or to external systems. For more information, refer to [Manage dashboard links]({{< relref "../dashboards/manage-dashboard-links/" >}}). - Add a [Dashboard list panel]({{< relref "../visualizations/dashboard-list-panel/" >}}). You can then customize what you see by doing tag or folder searches. - Add a [Text panel]({{< relref "../visualizations/text-panel/" >}}) and use markdown to customize the display. diff --git a/docs/sources/best-practices/dashboard-management-maturity-levels.md b/docs/sources/best-practices/dashboard-management-maturity-levels.md index 4f9c59b4288..ec7d735a1f8 100644 --- a/docs/sources/best-practices/dashboard-management-maturity-levels.md +++ b/docs/sources/best-practices/dashboard-management-maturity-levels.md @@ -53,7 +53,7 @@ How can you tell you are here? - Directed browsing cuts down on "guessing." - Template variables make it harder to “just browse” randomly or aimlessly. - Most dashboards should be linked to by alerts. - - Browsing is directed with links. For more information, refer to [Linking]({{< relref "../linking/" >}}). + - Browsing is directed with links. For more information, refer to [Manage dashboard links]({{< relref "../dashboards/manage-dashboard-links/" >}}). - Version-controlled dashboard JSON. ## High - optimized use diff --git a/docs/sources/linking/dashboard-links.md b/docs/sources/dashboards/manage-dashboard-links/index.md similarity index 52% rename from docs/sources/linking/dashboard-links.md rename to docs/sources/dashboards/manage-dashboard-links/index.md index 6024b854d11..e641d9179c6 100644 --- a/docs/sources/linking/dashboard-links.md +++ b/docs/sources/dashboards/manage-dashboard-links/index.md @@ -1,20 +1,53 @@ --- aliases: + - /docs/grafana/latest/linking/ + - /docs/grafana/latest/features/navigation-links/ + - /docs/grafana/latest/linking/linking-overview/ - /docs/grafana/latest/linking/dashboard-links/ -description: '' + - /docs/grafana/latest/dashboards/manage-dashboard-links/ + - /docs/grafana/latest/panels/working-with-panels/add-link-to-panel/ +description: How to link Grafana dashboards. keywords: + - link + - dashboard - grafana - linking - create links - link dashboards - navigate -title: Dashboard links -weight: 200 +title: Manage dashboard links +menuTitle: Manage dashboard links +weight: 400 --- -# Dashboard links +# Manage dasboard links -When you create a dashboard link, you can include the time range and current template variables to directly jump to the same context in another dashboard. This way, you don’t have to worry whether the person you send the link to is looking at the right data. For other types of links, refer to [Data link variables]({{< relref "data-link-variables/" >}}). +You can use links to navigate between commonly-used dashboards or to connect others to your visualizations. Links let you create shortcuts to other dashboards, panels, and even external websites. + +Grafana supports dashboard links, panel links, and data links. Dashboard links are displayed at the top of the dashboard. Panel links are accessible by clicking an icon on the top left corner of the panel. + +## Which link should you use? + +Start by figuring out how you're currently navigating between dashboards. If you're often jumping between a set of dashboards and struggling to find the same context in each, links can help optimize your workflow. + +The next step is to figure out which link type is right for your workflow. Even though all the link types in Grafana are used to create shortcuts to other dashboards or external websites, they work in different contexts. + +- If the link relates to most if not all of the panels in the dashboard, use [dashboard links]({{< relref "#dashboard-links" >}}). +- If you want to drill down into specific panels, use [panel links]({{< relref "#panel-links" >}}). +- If you want to link to an external site, you can use either a dashboard link or a panel link. +- If you want to drill down into a specific series, or even a single measurement, use [data links]({{< relref "../../panels/configure-data-links/#data-links" >}}). + +## Controlling time range using the URL + +You can control the time range of a panel or dashboard by providing following query parameters in dashboard URL: + +- `from` - defines lower limit of the time range, specified in ms epoch +- `to` - defines upper limit of the time range, specified in ms epoch +- `time` and `time.window` - defines a time range from `time-time.window/2` to `time+time.window/2`. Both params should be specified in ms. For example `?time=1500000000000&time.window=10000` will result in 10s time range from 1499999995000 to 1500000005000 + +## Dashboard links + +When you create a dashboard link, you can include the time range and current template variables to directly jump to the same context in another dashboard. This way, you don’t have to worry whether the person you send the link to is looking at the right data. For other types of links, refer to [Data link variables]({{< relref "../../panels/configure-data-links/#data-link-variables/" >}}). Dashboard links can also be used as shortcuts to external systems, such as submitting [a GitHub issue with the current dashboard name](https://github.com/grafana/grafana/issues/new?title=Dashboard%3A%20HTTP%20Requests). @@ -25,7 +58,7 @@ To see an example of dashboard links in action, check out: Once you've added a dashboard link, it appears in the upper right corner of your dashboard. -## Add links to dashboards +### Add links to dashboards Add links to other dashboards at the top of your current dashboard. @@ -40,7 +73,7 @@ Add links to other dashboards at the top of your current dashboard. - **Open in new tab** – Select this option if you want the dashboard link to open in a new tab or window. 1. Click **Add**. -## Add a URL link to a dashboard +### Add a URL link to a dashboard Add a link to a URL at the top of your current dashboard. You can link to any available URL, including dashboards, panels, or external sites. You can even control the time range to ensure the user is zoomed in on the right data in Grafana. @@ -60,7 +93,7 @@ Add a link to a URL at the top of your current dashboard. You can link to any av - **Open in new tab** – Select this option if you want the dashboard link to open in a new tab or window. 1. Click **Add**. -## Update a dashboard link +### Update a dashboard link To change or update an existing dashboard link, follow this procedure. @@ -71,6 +104,43 @@ To change or update an existing dashboard link, follow this procedure. To duplicate an existing dashboard link, click the duplicate icon next to the existing link that you want to duplicate. -## Delete a dashboard link +### Delete a dashboard link To delete an existing dashboard link, click the trash icon next to the duplicate icon that you want to delete. + +## Panel links + +Each panel can have its own set of links that are shown in the upper left corner of the panel. You can link to any available URL, including dashboards, panels, or external sites. You can even control the time range to ensure the user is zoomed in on the right data in Grafana. + +Click the icon on the top left corner of a panel to see available panel links. + +{{< figure src="/static/img/docs/linking/panel-links.png" width="200px" >}} + +### Add a panel link + +1. Hover your cursor over the panel that you want to add a link to and then press `e`. Or click the dropdown arrow next to the panel title and then click **Edit**. +1. On the Panel tab, scroll down to the Links section. +1. Expand Links and then click **Add link**. +1. Enter a **Title**. **Title** is a human-readable label for the link that will be displayed in the UI. +1. Enter the **URL** you want to link to. + You can even add one of the template variables defined in the dashboard. Press Ctrl+Space or Cmd+Space and click in the **URL** field to see the available variables. By adding template variables to your panel link, the link sends the user to the right context, with the relevant variables already set. You can also use time variables: + - `from` - Defines the lower limit of the time range, specified in ms epoch. + - `to` - Defines the upper limit of the time range, specified in ms epoch. + - `time` and `time.window` - Define a time range from `time-time.window/2` to `time+time.window/2`. Both params should be specified in ms. For example `?time=1500000000000&time.window=10000` will result in 10s time range from 1499999995000 to 1500000005000. +1. If you want the link to open in a new tab, then select **Open in a new tab**. +1. Click **Save** to save changes and close the window. +1. Click **Save** in the upper right to save your changes to the dashboard. + +### Update a panel link + +1. On the Panel tab, find the link that you want to make changes to. +1. Click the Edit (pencil) icon to open the Edit link window. +1. Make any necessary changes. +1. Click **Save** to save changes and close the window. +1. Click **Save** in the upper right to save your changes to the dashboard. + +### Delete a panel link + +1. On the Panel tab, find the link that you want to delete. +1. Click the **X** icon next to the link you want to delete. +1. Click **Save** in the upper right to save your changes to the dashboard. diff --git a/docs/sources/datasources/azuremonitor/template-variables.md b/docs/sources/datasources/azuremonitor/template-variables.md index da6f53567d8..979c0a3b19a 100644 --- a/docs/sources/datasources/azuremonitor/template-variables.md +++ b/docs/sources/datasources/azuremonitor/template-variables.md @@ -62,3 +62,67 @@ Perf | summarize avg(CounterValue) by bin(TimeGenerated, $__interval), Computer | order by TimeGenerated asc ``` + +## Limitations + +As of Grafana 9.0, a resource URI is constructed to identify resources using the resource picker. On dashboards created prior to Grafana 9.0, Grafana automatically migrates any queries using the prior resource-picking mechanism to use this method. + +Some resource types use nested namespaces and resource names, such as `Microsoft.Storage/storageAccounts/tableServices` and `storageAccount/default`, or `Microsoft.Sql/servers/databases` and `serverName/databaseName`. Such template variables cannot be used because the result could be a malformed resource URI. + +### Supported cases + +#### Standard namespaces and resource names + +```kusto +metricDefinition = $ns +$ns = Microsoft.Compute/virtualMachines +resourceName = $rs +$rs = testvirtualmachine +``` + +#### Namespaces with a non-templated sub-namespace + +```kusto +metricDefinition = $ns/tableServices +$ns = Microsoft.Storage/storageAccounts +resourceName = $rs/default +$rs = storageaccount +``` + +#### Storage namespaces missing the `default` keyword + +```kusto +metricDefinition = $ns/tableServices +$ns = Microsoft.Storage/storageAccounts +resourceName = $rs +$rs = storageaccount +``` + +#### Namespaces with a templated sub-namespace + +```kusto +metricDefinition = $ns/$sns +$ns = Microsoft.Storage/storageAccounts +$sns = tableServices +resourceName = $rs +$rs = storageaccount +``` + +### Unsupported case + +If a dashboard uses this unsupported case, migrate it to one of the [supported cases](#supported-cases). + +If a namespace or resource name template variable contains multiple segments, Grafana will construct the resource URI incorrectly because the template variable cannot be appropriately split. + +For example: + +```kusto +metricDefinition = $ns +resourceName = $rs +$ns = 'Microsoft.Storage/storageAccounts/tableServices' +$rs = 'storageaccount/default' +``` + +This would result in an incorrect resource URI containing `Microsoft.Storage/storageAccounts/tableServices/storageaccount/default`. However, the correct URI would have the format `Microsoft.Storage/storageAccounts/storageaccount/tableServices/default`. + +An appropriate fix would be to update the template variable that does not match a supported case. If the namespace variable `$ns` is of the form `Microsoft.Storage/storageAccounts/tableServices` this could be split into two variables: `$ns1 = Microsoft.Storage/storageAccounts` and `$ns2 = tableServices`. The metric definition would then take the form `$ns1/$ns2` which leads to a correctly formatted URI. diff --git a/docs/sources/datasources/postgres.md b/docs/sources/datasources/postgres.md index 27f37a6c3a6..1f3a7881bc1 100644 --- a/docs/sources/datasources/postgres.md +++ b/docs/sources/datasources/postgres.md @@ -462,7 +462,7 @@ datasources: timescaledb: false ``` -> **Note:** In the above code, the `postgresVersion` value of `10` refers to version PotgreSQL 10 and above. +> **Note:** In the above code, the `postgresVersion` value of `10` refers to version PostgreSQL 10 and above. If you encounter metric request errors or other issues: diff --git a/docs/sources/developers/http_api/access_control.md b/docs/sources/developers/http_api/access_control.md index fa92323ad2c..6984524a9e4 100644 --- a/docs/sources/developers/http_api/access_control.md +++ b/docs/sources/developers/http_api/access_control.md @@ -747,6 +747,280 @@ Content-Type: application/json; charset=UTF-8 | 404 | Role not found. | | 500 | Unexpected error. Refer to body and/or server logs for more details. | +## Create and remove service account role assignments + +### List roles assigned to a service account + +`GET /api/access-control/users/:serviceAccountId/roles` + +Lists the roles that have been directly assigned to a given service account. The list does not include basic roles (Viewer, Editor, Admin or Grafana Admin), and it does not include roles that have been inherited from a team. + +Query Parameters: + +- `includeHidden`: Optional. Set to `true` to include roles that are `hidden`. + +#### Required permissions + +| Action | Scope | +| ---------------- | ------------------------------- | +| users.roles:read | users:id:`` | + +#### Example request + +```http +GET /api/access-control/users/1/roles +Accept: application/json +``` + +#### Example response + +```http +HTTP/1.1 200 OK +Content-Type: application/json; charset=UTF-8 + +[ + { + "version": 4, + "uid": "6dNwJq57z", + "name": "fixed:reports:writer", + "displayName": "Report writer", + "description": "Create, read, update, or delete all reports and shared report settings.", + "group": "Reports", + "updated": "2021-11-19T10:48:00+01:00", + "created": "2021-11-19T10:48:00+01:00", + "global": false + } +] +``` + +#### Status codes + +| Code | Description | +| ---- | -------------------------------------------------------------------- | +| 200 | Set of assigned roles is returned. | +| 403 | Access denied. | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | + +### List permissions assigned to a service account + +`GET /api/access-control/users/:serviceAccountId/permissions` + +Lists the permissions that a given service account has. + +#### Required permissions + +| Action | Scope | +| ---------------------- | ------------------------------- | +| users.permissions:read | users:id:`` | + +#### Example request + +```http +GET /api/access-control/users/1/permissions +Accept: application/json +``` + +#### Example response + +```http +HTTP/1.1 200 OK +Content-Type: application/json; charset=UTF-8 + +[ + { + "action": "ldap.status:read", + "scope": "" + }, + { + "action": "ldap.user:read", + "scope": "" + } +] +``` + +#### Status codes + +| Code | Description | +| ---- | -------------------------------------------------------------------- | +| 200 | Set of assigned permissions is returned. | +| 403 | Access denied. | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | + +### Add a service account role assignment + +`POST /api/access-control/users/:serviceAccountId/roles` + +Assign a role to a specific service account. + +For bulk updates consider +[Set service account role assignments]({{< ref "#set-service-account-role-assignments" >}}). + +#### Required permissions + +`permissions:type:delegate` scope ensures that users can only assign roles which have same, or a subset of permissions which the user has. +For example, if a user does not have required permissions for creating users, they won't be able to assign a role which will allow to do that. This is done to prevent escalation of privileges. + +| Action | Scope | +| --------------- | ------------------------- | +| users.roles:add | permissions:type:delegate | + +#### Example request + +```http +POST /api/access-control/users/1/roles +Accept: application/json +Content-Type: application/json + +{ + "global": false, + "roleUid": "XvHQJq57z" +} +``` + +#### JSON body schema + +| Field Name | Data Type | Required | Description | +| ---------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| roleUid | string | Yes | UID of the role. | +| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request to create organization local assignment. | + +#### Example response + +```http +HTTP/1.1 200 OK +Content-Type: application/json; charset=UTF-8 + +{ + "message": "Role added to the user." +} +``` + +#### Status codes + +| Code | Description | +| ---- | -------------------------------------------------------------------- | +| 200 | Role is assigned to a user. | +| 403 | Access denied. | +| 404 | Role not found. | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | + +## Remove a service account role assignment + +`DELETE /api/access-control/users/:serviceAccountId/roles/:roleUID` + +Revoke a role from a service account. + +For bulk updates consider +[Set service account role assignments]({{< ref "#set-service-account-role-assignments" >}}). + +#### Required permissions + +`permissions:type:delegate` scope ensures that users can only unassign roles which have same, or a subset of permissions which the user has. +For example, if a user does not have required permissions for creating users, they won't be able to unassign a role which will allow to do that. This is done to prevent escalation of privileges. + +| Action | Scope | +| ------------------ | ------------------------- | +| users.roles:remove | permissions:type:delegate | + +#### Query parameters + +| Param | Type | Required | Description | +| ------ | ------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request to remove assignment. | + +#### Example request + +```http +DELETE /api/access-control/users/1/roles/AFUXBHKnk +Accept: application/json +``` + +#### Example response + +```http +HTTP/1.1 200 OK +Content-Type: application/json; charset=UTF-8 + +{ + "message": "Role removed from user." +} +``` + +#### Status codes + +| Code | Description | +| ---- | -------------------------------------------------------------------- | +| 200 | Role is unassigned. | +| 403 | Access denied. | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | + +### Set service account role assignments + +`PUT /api/access-control/users/:serviceAccountId/roles` + +Update the service accounts's role assignments to match the provided set of UIDs. +This will remove any assigned roles that aren't in the request and add +roles that are in the set but are not already assigned to the service account. + +If you want to add or remove a single role, consider using +[Add a service account role assignment]({{< ref "#add-a-service-account-role-assignment" >}}) or +[Remove a service account role assignment]({{< ref "#remove-a-service-account-role-assignment" >}}) +instead. + +#### Required permissions + +`permissions:type:delegate` scope ensures that users can only assign or unassign roles which have same, or a subset of permissions which the user has. +For example, if a user does not have required permissions for creating users, they won't be able to assign or unassign a role which will allow to do that. This is done to prevent escalation of privileges. + +| Action | Scope | +| ------------------ | ------------------------- | +| users.roles:add | permissions:type:delegate | +| users.roles:remove | permissions:type:delegate | + +#### Example request + +```http +PUT /api/access-control/users/1/roles +Accept: application/json +Content-Type: application/json + +{ + "global": false, + "roleUids": [ + "ZiHQJq5nk", + "GzNQ1357k" + ] +} +``` + +#### JSON body schema + +| Field Name | Date Type | Required | Description | +| ------------- | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | +| global | boolean | No | A flag indicating if the assignment is global or not. If set to `false`, the default org ID of the authenticated user will be used from the request. | +| roleUids | list | Yes | List of role UIDs. | +| includeHidden | boolean | No | Specify whether the hidden role assignments should be updated. | + +#### Example response + +```http +HTTP/1.1 200 OK +Content-Type: application/json; charset=UTF-8 + +{ + "message": "User roles have been updated." +} +``` + +#### Status codes + +| Code | Description | +| ---- | -------------------------------------------------------------------- | +| 200 | Roles have been assigned. | +| 403 | Access denied. | +| 404 | Role not found. | +| 500 | Unexpected error. Refer to body and/or server logs for more details. | + ## Create and remove team role assignments ### List roles assigned to a team diff --git a/docs/sources/developers/http_api/serviceaccount.md b/docs/sources/developers/http_api/serviceaccount.md index 7fe15a9c298..a2c5d6fbfae 100644 --- a/docs/sources/developers/http_api/serviceaccount.md +++ b/docs/sources/developers/http_api/serviceaccount.md @@ -24,9 +24,9 @@ title: 'Service account HTTP API' See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation. -| Action | Scope | -| -------------------- | ------------------------- | -| serviceaccounts:read | global:serviceaccounts:\* | +| Action | Scope | +| -------------------- | ----- | +| serviceaccounts:read | n/a | **Example Request**: @@ -91,9 +91,9 @@ Content-Type: application/json See note in the [introduction]({{< ref "#service-account-api" >}}) for an explanation. -| Action | Scope | -| --------------------- | ------------------ | -| serviceaccounts:write | serviceaccounts:\* | +| Action | Scope | +| ---------------------- | ----- | +| serviceaccounts:create | n/a | **Example Request**: diff --git a/docs/sources/linking/_index.md b/docs/sources/linking/_index.md deleted file mode 100644 index 7dee41357b3..00000000000 --- a/docs/sources/linking/_index.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -aliases: - - /docs/grafana/latest/linking/ -title: Linking -weight: 120 ---- - -# Linking overview - -You can use links to navigate between commonly-used dashboards or to connect others to your visualizations. Links let you create shortcuts to other dashboards, panels, and even external websites. - -Grafana supports dashboard links, panel links, and data links. Dashboard links are displayed at the top of the dashboard. Panel links are accessible by clicking an icon on the top left corner of the panel. - -## Which link should you use? - -Start by figuring out how you're currently navigating between dashboards. If you're often jumping between a set of dashboards and struggling to find the same context in each, links can help optimize your workflow. - -The next step is to figure out which link type is right for your workflow. Even though all the link types in Grafana are used to create shortcuts to other dashboards or external websites, they work in different contexts. - -- If the link relates to most if not all of the panels in the dashboard, use [dashboard links]({{< relref "dashboard-links/" >}}). -- If you want to drill down into specific panels, use [panel links]({{< relref "panel-links/" >}}). -- If you want to link to an external site, you can use either a dashboard link or a panel link. -- If you want to drill down into a specific series, or even a single measurement, use [data links]({{< relref "data-links/" >}}). - -## Controlling time range using the URL - -You can control the time range of a panel or dashboard by providing following query parameters in dashboard URL: - -- `from` - defines lower limit of the time range, specified in ms epoch -- `to` - defines upper limit of the time range, specified in ms epoch -- `time` and `time.window` - defines a time range from `time-time.window/2` to `time+time.window/2`. Both params should be specified in ms. For example `?time=1500000000000&time.window=10000` will result in 10s time range from 1499999995000 to 1500000005000 diff --git a/docs/sources/linking/data-link-variables.md b/docs/sources/linking/data-link-variables.md deleted file mode 100644 index 76faf455886..00000000000 --- a/docs/sources/linking/data-link-variables.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -aliases: - - /docs/grafana/latest/linking/data-link-variables/ - - /docs/grafana/latest/variables/url-variables/ - - /docs/grafana/latest/variables/variable-types/url-variables/ -keywords: - - grafana - - url variables - - documentation - - variables - - data link -title: URL variables -weight: 400 ---- - -# Data link variables - -You can use variables in data links to refer to series fields, labels, and values. For more information about data links, refer to [Data links]({{< relref "data-links/" >}}). - -To see a list of available variables, type `$` in the data link **URL** field to see a list of variables that you can use. - -> **Note:** These variables changed in 6.4 so if you have an older version of Grafana, then use the version picker to select docs for an older version of Grafana. - -You can also use template variables in your data links URLs, refer to [Templates and variables]({{< relref "../variables/" >}}) for more information on template variables. - -## Time range panel variables - -These variables allow you to include the current time range in the data link URL. - -- `__url_time_range` - current dashboard's time range (i.e. `?from=now-6h&to=now`) -- `$__from and $__to` - For more information, refer to [Global variables]({{< relref "../variables/variable-types/global-variables/#__from-and-__to" >}}). - -## Series variables - -Series specific variables are available under `__series` namespace: - -- `__series.name` - series name to the URL - -## Field variables - -Field-specific variables are available under `__field` namespace: - -- `__field.name` - the name of the field -- `__field.labels.