Introduction
In Kommander, there are a number of default (preconfigured) Roles/ClusterRoles that can be added to a group. One of the default roles is the "Workspace Grafana View" role, which provides read-only access to Grafana dashboards and prevents the user from creating or editing dashboards.
Problem
When the "Workspace Grafana View Role" role is added to a group or user, the Grafana dashboards show "No Data" for that user, and the following log entries are observed in the traefik-forward-auth pod:
time="2022-04-26T20:06:33Z" level=info msg="user gauss@ldap.forumsys.com is not authorized to `POST` in https://example.com/dkp/grafana/api/datasources/proxy/1/api/v1/series" source_ip=192.168.113.xxx
Solution/Workaround
The default roles in Kommander will be fixed in a future release. As a workaround, a new role can be created with the following rule definitions:
- nonResourceURLs:
  - /dkp/grafana/api/datasources/proxy/*
  - /dkp/grafana
  - /dkp/grafana/*
  verbs:
  - get
  - head
- nonResourceURLs:
  - /dkp/grafana/api/datasources/proxy/*
  - /dkp/grafana/api/ds/query
  - /dkp/grafana/api/frontend-metrics
  verbs:
  - post
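
The log entry above shows a POST to the Grafana datasource proxy path being denied, and the workaround adds a post rule for that path. The following Python sketch is an added example, not part of the original article or Kommander's own code; it evaluates the workaround rules against the logged request so the rule set can be checked before it is applied. It assumes traefik-forward-auth follows standard Kubernetes RBAC nonResourceURLs matching (exact match, or prefix match when the rule ends in *); GET_ONLY_RULES and the sample dashboard path are constructed for comparison and are not the actual default role.

```python
# Added example: evaluate RBAC nonResourceURLs rules against a (verb, path) request.
# Assumption: matching follows Kubernetes RBAC semantics for nonResourceURLs.

WORKAROUND_RULES = [
    {"nonResourceURLs": ["/dkp/grafana/api/datasources/proxy/*",
                         "/dkp/grafana",
                         "/dkp/grafana/*"],
     "verbs": ["get", "head"]},
    {"nonResourceURLs": ["/dkp/grafana/api/datasources/proxy/*",
                         "/dkp/grafana/api/ds/query",
                         "/dkp/grafana/api/frontend-metrics"],
     "verbs": ["post"]},
]

# Constructed for comparison: the same rule set without the post rule.
GET_ONLY_RULES = WORKAROUND_RULES[:1]

# Path taken from the traefik-forward-auth log line in the Problem section.
LOGGED_PATH = "/dkp/grafana/api/datasources/proxy/1/api/v1/series"
# Constructed sample: a Grafana write endpoint a view-only user should not reach.
DASHBOARD_WRITE_PATH = "/dkp/grafana/api/dashboards/db"


def url_matches(rule_url, path):
    """Exact match, or prefix match when the rule ends in '*'."""
    if rule_url == "*" or rule_url == path:
        return True
    if rule_url.endswith("*"):
        return path.startswith(rule_url.rstrip("*"))
    return False


def is_allowed(rules, verb, path):
    """Return True if any rule grants the verb on the path."""
    verb = verb.lower()
    for rule in rules:
        if "*" not in rule["verbs"] and verb not in rule["verbs"]:
            continue
        if any(url_matches(u, path) for u in rule["nonResourceURLs"]):
            return True
    return False


if __name__ == "__main__":
    for name, rules in (("get-only", GET_ONLY_RULES), ("workaround", WORKAROUND_RULES)):
        print(name, "POST datasource proxy:", is_allowed(rules, "POST", LOGGED_PATH))
        print(name, "POST dashboard write:", is_allowed(rules, "POST", DASHBOARD_WRITE_PATH))
```

Under these assumptions the workaround permits the datasource query that was denied in the log while still refusing POST to the dashboard write path, so the role remains view-only.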