
Provisioning RBAC with Grafana

Note: Available in Grafana Enterprise and Grafana Cloud.

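You can create, change, or remove custom roles, and create or remove basic role assignments, by adding one or more YAML configuration files to the provisioning/access-control/ directory.

Grafana performs provisioning at startup. After you change a configuration file, you can reload it at runtime. Your changes take effect without restarting the Grafana server.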

Before you begin

  • Ensure that you have access to the files on the server where Grafana is running.

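Manage and assign RBAC roles using provisioning

  1. Log in to the Grafana server.

  2. Locate the Grafana provisioning folder.

  3. Create a new YAML file in the following folder: provisioning/access-control. For example, provisioning/access-control/custom-roles.yml.

  4. Add RBAC provisioning details to the configuration file.

    For instructions, refer to Manage RBAC roles and Assign RBAC roles.

    For a complete example of a provisioning file, refer to the example role configuration file.

  5. Reload the provisioning configuration file.

    For more information about reloading the provisioning configuration at runtime, refer to Reload provisioning configurations.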

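Example role configuration file using Grafana provisioning

The following example shows a complete YAML configuration file that you can use to:

  • Create custom roles
  • Delete custom roles
  • Update basic role permissions
  • Assign roles to teams
  • Revoke the assignment of roles to teams

Example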

yaml
---
# config file version
apiVersion: 2

# <list> list of roles to insert/update/delete
roles:
  # <string, required> name of the role you want to create or update. Required.
  - name: 'custom:users:writer'
    # <string> uid of the role. Has to be unique for all orgs.
    uid: customuserswriter1
    # <string> description of the role, informative purpose only.
    description: 'Create, read, write users'
    # <int> version of the role, Grafana will update the role when increased.
    version: 2
    # <int> org id. Defaults to Grafana's default if not specified.
    orgId: 1
    # <list> list of the permissions granted by this role.
    permissions:
      # <string, required> action allowed.
      - action: 'users:read'
        # <string> scope it applies to.
        scope: 'users:*'
      - action: 'users:write'
        scope: 'users:*'
      - action: 'users:create'
  - name: 'custom:global:users:reader'
    # <bool> overwrite org id and creates a global role.
    global: true
    # <string> state of the role. Defaults to 'present'. If 'absent', role will be deleted.
    state: 'absent'
    # <bool> force deletion revoking all grants of the role.
    force: true
  - uid: 'basic_editor'
    # <bool> always apply the specified changes to the role, regardless of the role version in the database
    overrideRole: true
    global: true
    # <list> list of roles to copy permissions from.
    from:
      - uid: 'basic_editor'
        global: true
      - name: 'fixed:users:writer'
        global: true
    # <list> list of the permissions to add/remove on top of the copied ones.
    permissions:
      - action: 'users:read'
        scope: 'users:*'
      - action: 'users:write'
        scope: 'users:*'
        # <string> state of the permission. Defaults to 'present'. If 'absent', the permission will be removed.
        state: absent

# <list> list role assignments to teams to create or remove.
teams:
  # <string, required> name of the team you want to assign roles to. Required.
  - name: 'Users writers'
    # <int> org id. Will default to Grafana's default if not specified.
    orgId: 1
    # <list> list of roles to assign to the team
    roles:
      # <string> uid of the role you want to assign to the team.
      - uid: 'customuserswriter1'
        # <int> org id. Will default to Grafana's default if not specified.
        orgId: 1
      # <string> name of the role you want to assign to the team.
      - name: 'fixed:users:writer'
        # <bool> overwrite org id to specify the role is global.
        global: true
        # <string> state of the assignment. Defaults to 'present'. If 'absent', the assignment will be revoked.
        state: absent
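
The checks a reviewer might run on a provisioning file like the one above before reloading it, as an added example that is not part of the Grafana documentation or code. It takes the document already parsed into a dict (for instance with PyYAML's yaml.safe_load); the finding labels and the treatment of the fixed: and basic_ prefixes as built-in roles are assumptions based on the names in the example file.

```python
# Added example, not Grafana code; finding labels are hypothetical names.

SAMPLE = {  # constructed; mirrors the example file on this page
    "apiVersion": 2,
    "roles": [
        {"name": "custom:users:writer", "uid": "customuserswriter1", "orgId": 1,
         "permissions": [{"action": "users:read", "scope": "users:*"},
                         {"action": "users:write", "scope": "users:*"},
                         {"action": "users:create"}]},
        {"name": "custom:global:users:reader", "global": True, "state": "absent", "force": True},
        {"uid": "basic_editor", "overrideRole": True, "global": True,
         "from": [{"uid": "basic_editor", "global": True},
                  {"name": "fixed:users:writer", "global": True}],
         "permissions": [{"action": "users:read", "scope": "users:*"},
                         {"action": "users:write", "scope": "users:*",
                          "state": "absent"}]},
    ],
    "teams": [
        {"name": "Users writers", "orgId": 1,
         "roles": [{"uid": "customuserswriter1", "orgId": 1},
                   {"name": "fixed:users:writer", "global": True,
                    "state": "absent"}]},
    ],
}

BUILT_IN = ("fixed:", "basic_")  # assumption: prefixes of roles Grafana ships

def is_present(item):
    return item.get("state", "present") == "present"

def review(doc):
    findings, defined = [], set()
    for role in doc.get("roles") or []:
        label = role.get("name") or role.get("uid", "?")
        if is_present(role):
            defined.update(v for v in (role.get("name"), role.get("uid")) if v)
        elif role.get("force"):  # deletion that also revokes every grant
            findings.append(("forced-delete", label))
        if str(role.get("uid", "")).startswith("basic_"):
            findings.append(("basic-role-change", label))
        for perm in role.get("permissions") or []:
            if is_present(perm) and str(perm.get("scope", "")).endswith(":*"):
                findings.append(("wildcard-grant", f"{label} {perm['action']}"))
    for team in doc.get("teams") or []:
        for ref in team.get("roles") or []:
            key = ref.get("uid") or ref.get("name", "")
            if is_present(ref) and key not in defined and not key.startswith(BUILT_IN):
                findings.append(("unknown-role", f"{team['name']} -> {key}"))
    return findings
```

Each finding is a prompt for human review of the change, not a verdict that the file is wrong; the page's own example produces five of them.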

Set up RBAC provisioning with Terraform

Grafana provisioning