Checking for permissions of users and teams #100

meyerder opened this issue Oct 9, 2023 · 4 comments

meyerder commented Oct 9, 2023

This is a work in progress, but you seem to be a major WIZ at JSON (I stink at it). This is something I am working on as well. The output needs to be worked on, and the for-each loop for each dashboard is not quite right yet either. You might be able to modify this.

Ideally, I would like to know if any users or teams have access to the folder and/or the dashboards. I have NOT thought about doing this down at the data source levels (in my case that may be overkill, but others MIGHT like it).

```bash
#!/bin/bash

GRAFANA_API_URL="https://xxx/api"
API_KEY="xxxxx"

# Fetch the permission list of one folder or dashboard.
#   $1 = uid, $2 = API path prefix ("folders" or "dashboards/uid")
get_permissions() {
    local uid="$1"
    local endpoint="$2"
    curl -s -H "Authorization: Bearer ${API_KEY}" "$GRAFANA_API_URL/$endpoint/$uid/permissions"
}

# One search call returns both folders ("dash-folder") and dashboards ("dash-db").
response=$(curl -s -H "Authorization: Bearer ${API_KEY}" "$GRAFANA_API_URL/search")

# mapfile keeps titles containing spaces intact and leaves IFS untouched.
mapfile -t dash_folders < <(echo "$response" | jq -r '.[] | select(.type=="dash-folder") | .uid')
mapfile -t dash_folder_titles < <(echo "$response" | jq -r '.[] | select(.type=="dash-folder") | .title')

for index in "${!dash_folders[@]}"; do
    folder_uid=${dash_folders[$index]}
    folder_title=${dash_folder_titles[$index]}
    echo "$folder_title, $folder_uid,"

    permissions=$(get_permissions "$folder_uid" "folders")
    length=$(echo "$permissions" | jq length)
    for ((i=0; i<length; i++)); do
        # The API returns "" (not null) for an unset team or user, and the
        # user name is in "userLogin", so test for empty strings as well.
        team=$(echo "$permissions" | jq -r ".[$i].team // \"N/A\"")
        user=$(echo "$permissions" | jq -r ".[$i].userLogin // \"N/A\"")
        permissionName=$(echo "$permissions" | jq -r ".[$i].permissionName // \"N/A\"")

        if [[ -n "$team" && "$team" != "N/A" ]]; then
            echo "Team $team - $permissionName"
        fi

        if [[ -n "$user" && "$user" != "N/A" ]]; then
            echo "User $user - $permissionName"
        fi
    done

    echo "-------Dashboards in Folder ---"
    # Match dashboards to their folder by uid: "folderId" is the numeric id,
    # so comparing it with the folder uid never matched.
    mapfile -t dash_dbs_in_folder < <(echo "$response" | jq -r --arg folder "$folder_uid" '.[] | select(.type=="dash-db" and .folderUid == $folder) | .title')
    mapfile -t dash_dbs_uids < <(echo "$response" | jq -r --arg folder "$folder_uid" '.[] | select(.type=="dash-db" and .folderUid == $folder) | .uid')

    for dash_index in "${!dash_dbs_in_folder[@]}"; do
        dashboard_title="${dash_dbs_in_folder[$dash_index]}"
        dashboard_uid="${dash_dbs_uids[$dash_index]}"
        echo "$folder_title - $dashboard_title"

        # Dashboard permissions by uid live under /dashboards/uid/<uid>/permissions.
        permissions=$(get_permissions "$dashboard_uid" "dashboards/uid")
        length=$(echo "$permissions" | jq length)
        for ((i=0; i<length; i++)); do
            team=$(echo "$permissions" | jq -r ".[$i].team // \"N/A\"")
            user=$(echo "$permissions" | jq -r ".[$i].userLogin // \"N/A\"")
            permissionName=$(echo "$permissions" | jq -r ".[$i].permissionName // \"N/A\"")

            if [[ -n "$team" && "$team" != "N/A" ]]; then
                echo "Team $team - $permissionName"
            fi

            if [[ -n "$user" && "$user" != "N/A" ]]; then
                echo "User $user - $permissionName"
            fi
        done
    done
    echo "----------------------"
done
```

amotl commented Oct 9, 2023

Dear @meyerder,

this is an excellent suggestion and proposal, I love it. Would you be comfortable with making this solution part of the grafana-wtf code base?

Let me know if you would need support for coding it in the Python language, I will be happy to do it, and then we can work together on it, in order to refine it for more advanced situations which you may not have thought into. I am sure others will use it as well, and report back correspondingly.

With kind regards,
Andreas.

@amotl amotl changed the title Enhancement Enhancement proposal about checking for permissions of users and teams Oct 9, 2023
meyerder commented Oct 9, 2023

@amotl

Yes.. Feel free to use/modify and put into the framework that you have with the tab and csv and other format output aspects that you have in this project.. (I was kinda hopeful you would do it as I also stink in python.. Give me Bash or sql HAHAAH)

amotl commented Oct 15, 2023

Hi again,

grafana-toolbox/grafana-client#124 and #104 are trying to provide you with relevant infrastructure for your inquiries to the Grafana API.

Below are two basic usage examples for them. Formatting the output like your program is doing it will probably need another iteration.

Saying this, grafana-wtf currently yields a flat list of items (both folder and dashboard items), and does not make any effort to display a folder/dashboard hierarchy, like your program is doing it. Maybe it is still useful. Let us know which details would need to be improved so it could be a reasonable replacement for your variant.

With kind regards,
Andreas.

Usage

This command will enumerate all folders and dashboards, and accompany them with data from corresponding permissions inquiries.

```shell
grafana-wtf explore permissions
```

An example to compress the output a bit.

```shell
grafana-wtf explore permissions | jq '.[] | select(.type == "folder") | .item.title,(.permissions | .[] | .team,.permissionName)'
```

Setup

Because both grafana-client and grafana-wtf are not released yet, in order to try the above, you will need to install them like this.

```shell
pip install --upgrade 'git+https://github.com/panodata/grafana-client'
pip install --upgrade 'git+https://github.com/panodata/grafana-wtf@collab/permission-checks'
```
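
For an access review, the flat list discussed above can be inverted so that each team or user maps to everything it can reach. This is an added example, not part of the thread and not grafana-wtf's own code. The keys `.type`, `.item.title`, `.permissions[].team` and `.permissionName` follow the jq filter above; the `userLogin` key, the `dashboard` type value and the sample data are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample. "userLogin" and the "dashboard" type value are
# assumptions based on Grafana's permissions API, not taken from the thread.
SAMPLE = json.loads("""
[
  {"type": "folder", "item": {"title": "Operations"}, "permissions": [
    {"team": "sre", "userLogin": "", "permissionName": "Admin"},
    {"team": "", "userLogin": "alice", "permissionName": "Edit"},
    {"team": "", "userLogin": "", "role": "Viewer", "permissionName": "View"}]},
  {"type": "dashboard", "item": {"title": "Billing"}, "permissions": [
    {"team": "finance", "userLogin": "", "permissionName": "View"},
    {"team": "", "userLogin": "alice", "permissionName": "Admin"}]},
  {"type": "dashboard", "item": {"title": "Uptime"}, "permissions": []}
]
""")

def principal_of(perm):
    """Return ("team" | "user", name), or None for role-based entries."""
    if perm.get("team"):
        return ("team", perm["team"])
    if perm.get("userLogin"):
        return ("user", perm["userLogin"])
    return None

def access_by_principal(entries):
    """Invert the flat list: principal -> sorted [(type, title, permissionName)]."""
    index = defaultdict(list)
    for entry in entries:
        for perm in entry.get("permissions") or []:
            who = principal_of(perm)
            if who:
                index[who].append(
                    (entry["type"], entry["item"]["title"], perm["permissionName"]))
    return {who: sorted(grants) for who, grants in index.items()}

def direct_user_grants(entries, levels=("Edit", "Admin")):
    """List grants made to individual users (not teams) at the given levels."""
    found = []
    for (kind, name), grants in access_by_principal(entries).items():
        if kind == "user":
            found += [(name, t, title, lvl) for t, title, lvl in grants if lvl in levels]
    return sorted(found)

if __name__ == "__main__":
    for (kind, name), grants in sorted(access_by_principal(SAMPLE).items()):
        for item_type, title, level in grants:
            print(f"{kind} {name}: {level} on {item_type} '{title}'")
```
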

amotl commented Oct 23, 2023

Dear @meyerder,

can I ask you to verify the new grafana-wtf explore permissions command by installing grafana-client and grafana-wtf like outlined above, and report back if that is something which could fulfill your needs?

If you see chances to improve, we will be happy to adjust the implementation accordingly.

With kind regards,
Andreas.

@amotl amotl added the pitch A pitch for a new feature label Apr 20, 2024
@amotl amotl changed the title Enhancement proposal about checking for permissions of users and teams Checking for permissions of users and teams Apr 20, 2024