ContextQMD
Back to Grafana

Configure LBAC for data sources for Prometheus

docs/sources/administration/data-source-management/teamlbac/configure-teamlbac-for-prometheus/index.md

13.0.15.8 KB
Original Source

Configure LBAC for data sources for Prometheus data source

Grafana Cloud

LBAC for data sources is available on Grafana Cloud using a new Prometheus data source with basic authentication configured. A new data source can be created as described in LBAC Configuration for New Prometheus Data Source.

Before you begin

To be able to use LBAC for Prometheus data sources, you need to enable the feature toggle teamHttpHeadersMimir on your Grafana instance. Go to the feature toggles page in setting to enable the feature.

  • Be sure that you have the permission setup to create a Prometheus tenant in Grafana Cloud
  • Be sure that you have admin data source permissions for Grafana.

Grafana Cloud

LBAC for data sources is available in private preview on Grafana Cloud for Prometheus created with basic authentication. Prometheus data sources for LBAC for data sources can only be created, provisioning is currently not available.

You cannot configure LBAC rules for Grafana-provisioned data sources from the UI. We recommend that you replicate the setting of the provisioned data source in a new data source as described in LBAC Configuration for New Prometheus Data Source and then add the LBAC configuration to the new data source.

Permissions

We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are Admin permission and only add the teams Query permissions that you want to add LBAC for data sources rules for.

Task 1: LBAC Configuration for new Prometheus data source

  1. Access Prometheus data sources details for your stack through grafana.com
  2. Copy Prometheus details and create a CAP
    • Copy the details of your Prometheus setup.
    • Create a Cloud Access Policy (CAP) for the Prometheus data source in grafana.com.
    • Ensure the CAP includes metrics:read permissions.
    • Ensure the CAP does not include labels rules.
  3. Create a new Prometheus data source
    • In Grafana, proceed to add a new data source and select Prometheus as the type.
  4. Navigate back to the Prometheus data source
    • Set up the Prometheus data source using basic authentication. Use the userID as the username. Use the generated CAP token as the password.
    • Save and connect.
  5. Navigate to data source permissions
    • Go to the permissions tab of the newly created Prometheus data source. Here, you'll find the LBAC for data sources rules section.

For more information on how to setup LBAC for data sources rules for a Prometheus data source, refer to Create LBAC for data sources rules for the Prometheus data source.

Grafana Enterprise

LBAC for data sources is available in Grafana Enterprise for Prometheus connected to GEM created with basic authentication.

You cannot configure LBAC rules for Grafana-provisioned data sources from the UI. Alternatively, you can replicate the setting of the provisioned data source in a new data source as described in LBAC Configuration for new Prometheus data source and then add the LBAC configuration to the new data source.

Before you begin

To be able to use LBAC for Prometheus data sources, you need to enable the feature toggle teamHttpHeadersMimir on your Grafana instance. Contact support to enable the feature toggle for you.

  • Be sure that you have the permission setup to create a cluster in your Grafana
  • Be sure that you have admin plugins permissions for Grafana.
  • Be sure that you have admin data source permissions for Grafana.

Permissions

We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are Admin permission and only add the teams Query permissions that you want to add LBAC for data sources rules for.

Task 0: Setup Grafana Enterprise Metrics tenant and access policies

  1. Access the plugins page and install Grafana Enterprise Metrics plugins
  2. Connect your plugin and use app as the cluster
  3. Access the app Grafana Enterprise Metrics and configure a tenant
  4. Store the uid of the tenant to be used as the username for the basic authentication
  5. Access the policies page inside of the app and create a AP
    • Create a Access Policy (CAP) for the Prometheus data source.
    • Ensure the CAP includes metrics:read permissions.
    • Ensure the CAP does not include labels rules.
    • Store the token to be used as password for authentication.

Task 1: LBAC Configuration for new Prometheus data source

  1. Create a new Prometheus data source
    • In Grafana, proceed to add a new data source and select Prometheus as the type.
  2. Navigate back to the Prometheus data source
    • Set up the Prometheus data source using basic authentication. Use the uid as the username. Use the generated token as the password.
    • Save and connect.
  3. Navigate to data source permissions
    • Go to the permissions tab of the newly created Prometheus data source. Here, you'll find the LBAC for data sources rules section.

For more information on how to setup LBAC for data sources rules for a Prometheus data source, refer to Create LBAC for data sources rules for the Prometheus data source.