Skip to content

Amoolaa/prom-grafana-lbac

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

prom-grafana-lbac

A label-based access control proxy to enable multi-tenant read access in Prometheus by enforcing label restrictions based on Grafana teams membership.

prom-grafana-lbac enforces a given label in a given PromQL query, in Prometheus API responses or in Alertmanager API requests coming from a Grafana instance based on the teams the requestor is a member of. This enables read multi-tenancy for observability platforms using Prometheus (or Prometheus-compatible backends, such as Thanos and Mimir) as a Grafana datasource purely through Grafana teams.

This project is heavily inspired by prom-label-proxy and uses the same CLI argments.

How it works

Grafana sends an X-Grafana-Id header when it proxies datasources. This header is a signed JWT with the user and org that the request was made from. We can validate and verify the token using Grafana's public JWKS exposed on /api/signing-keys/keys.

Once the user is verified, we call Grafana to fetch the list of teams that the user is a member of. The User API requires authenticating using basic auth with a Grafana admin's credentials.

The names of teams that the requestor is part of are then used as the label values enforced in the query, using prom-label-proxy.

Installation

  • Docker: images are published at ghcr.io/amoolaa/prom-grafana-lbac:latest
  • Binary: download a precompiled binary from the Releases page
  • or clone and build from source

Motivation

I help run an LGTM stack using Grafana Orgs to handle tenancy. This works alright for small tenants, but as they grow larger tenants need fine-grained RBAC on their datasources. This project provides a way to provide additional label-based-access controls (LBAC) on their Prometheus-compatible datasources in addition to the other RBAC features in Grafana Teams. This is also a way to restrict read access in a single org, multi-team setup in Grafana OSS similar to LBAC offerings in Grafana Enterprise and Cloud.

About

A label-based access control proxy to enable multi-tenant read access in Prometheus by enforcing label restrictions based on Grafana teams membership.

Topics

Resources

License

Stars

Watchers

Forks

Packages