DEV-1004 Manage Grafana Dashboard Permissions

group_vars/all/grafana.yml

@@ -0,0 +1,16 @@
+---
+# Define a list of unprivileged Grafana users which will be assigned to the 'Viewer' role
+# Set initial login password for all users, needs to be changed by the user afterwards!
+grafana_users:
+  - name: "smardigo"
+    login: "smardigo"
+    email: "{{ grafana_smardigo_email }}"
+    password: "{{ grafana_smardigo_password }}"
+
+# Define Grafana Dashboards which should be visible users without admin role
+# See uids from in hetzner-ansible/templates/prometheus/config/grafana/provisioning/dashboards/*.json
+grafana_dashboard_whitelist:
+  - "hb7fSE0Zz" # Servers
+  - "spring_boot_21" # Spring Boot Statistics
+  - "000000039" # PostgreSQL Database
+  - "549c2bf8936f7767ea6ac47c47b00f2a" # MySQL

group_vars/all/plain.yml

@@ -24,7 +24,7 @@ ssh_ciphers:
   - aes256-ctr
   - aes128-gcm@openssh.com
   - aes256-gcm@openssh.com
-ssh_permit_root_login: 'yes'
+ssh_permit_root_login: "yes"
 
 docker_enabled: true
 docker_config_enabled: true
@@ -97,19 +97,11 @@ hetzner_server_labels: "stage={{ stage }}"
 
 admin_user: "root"
 
-sudo_groups: [
+sudo_groups:
-  {
+  [
-    id:   "CentOS",
+    { id: "CentOS", sudo_group: "wheel" },
-    sudo_group:   "wheel",
+    { id: "RedHat", sudo_group: "wheel" },
-  },
+    { id: "Ubuntu", sudo_group: "sudo" },
-  {
-    id:   "RedHat",
-    sudo_group:   "wheel",
-  },
-  {
-    id:   "Ubuntu",
-    sudo_group:   "sudo",
-  },
   ]
 sudo_group: "{{ sudo_groups
   | selectattr('id', 'match', '' + ansible_distribution + '' )
@@ -120,20 +112,20 @@ sudo_group: "{{ sudo_groups
 
 # whitelist for outdated user detection - they wont't be deleted at all
 default_users:
-  - 'nobody'
+  - "nobody"
-  - 'elastic'
+  - "elastic"
-  - 'postgres'
+  - "postgres"
-  - 'administrator'
+  - "administrator"
-  - '{{ admin_user }}'
+  - "{{ admin_user }}"
 
 default_plattform_users:
-  - 'claus.paetow'
+  - "claus.paetow"
-  - 'friedrich.goerz'
+  - "friedrich.goerz"
-  - 'sven.ketelsen'
+  - "sven.ketelsen"
-  - 'michael.haehnel'
+  - "michael.haehnel"
-  - 'hoan.to'
+  - "hoan.to"
-  - '{{ awx_ansible_user_name }}'
+  - "{{ awx_ansible_user_name }}"
-  - '{{ gitlab_ansible_user_name }}'
+  - "{{ gitlab_ansible_user_name }}"
 
 smardigo_plattform_users: "{{
   default_plattform_users
@@ -156,17 +148,18 @@ docker_group: "{{ admin_user }}"
 docker_users: "{{ smardigo_plattform_users }}"
 docker_compose_path: "/usr/bin/docker-compose"
 
-service_base_path: '/etc/smardigo'
+service_base_path: "/etc/smardigo"
 
 devops_email_address: "nso.devops@netgo.de"
-gitea_admin_email: '{{ devops_email_address }}'
+gitea_admin_email: "{{ devops_email_address }}"
-lets_encrypt_email: '{{ devops_email_address }}'
+lets_encrypt_email: "{{ devops_email_address }}"
-connect_admin_email: '{{ devops_email_address }}'
+connect_admin_email: "{{ devops_email_address }}"
-keycloak_admin_email: '{{ devops_email_address }}'
+keycloak_admin_email: "{{ devops_email_address }}"
-pgadmin4_admin_email: '{{ devops_email_address }}'
+pgadmin4_admin_email: "{{ devops_email_address }}"
-harbor_oidc_admin_email: '{{ devops_email_address }}'
+harbor_oidc_admin_email: "{{ devops_email_address }}"
-grafana_admin_email: '{{ devops_email_address }}'
+grafana_admin_email: "{{ devops_email_address }}"
-argocd_admin_email: '{{ devops_email_address }}'
+grafana_smardigo_email: "{{ devops_email_address }}"
+argocd_admin_email: "{{ devops_email_address }}"
 
 http_port: "80"
 https_port: "443"
@@ -223,7 +216,7 @@ k8s_basic_services:
   - kubelet
   - containerd
 
-selfsigned_ca_private_key_passphrase: '{{ selfsigned_ca_private_key_passphrase_vault }}'
+selfsigned_ca_private_key_passphrase: "{{ selfsigned_ca_private_key_passphrase_vault }}"
 
 # hetzner upstream DNSservers
 upstream_dns_servers:

group_vars/stage_dev/grafana.yml

@@ -0,0 +1,2 @@
+---
+grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"

group_vars/stage_dev/plain.yml

@@ -1,5 +1,4 @@
 ---
-
 stage: "dev"
 stage_kube: "{{ stage }}nso"
 
@@ -51,8 +50,7 @@ iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 
 grafana_admin_username: "grafana-admin"
 grafana_admin_password: "{{ grafana_admin_password_vault }}"
-grafana_user_smardigo_login: "smardigo"
+
-grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
 grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
@@ -104,7 +102,7 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
-gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"
 
 custom_stage_plattform_users:
   - hp.wissenbach

group_vars/stage_prodnso/grafana.yml

@@ -0,0 +1,2 @@
+---
+grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"

group_vars/stage_prodnso/plain.yml

@@ -1,5 +1,4 @@
 ---
-
 stage: "prodnso"
 stage_kube: "{{ stage }}"
 
@@ -51,8 +50,7 @@ iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 
 grafana_admin_username: "grafana-admin"
 grafana_admin_password: "{{ grafana_admin_password_vault }}"
-grafana_user_smardigo_login: "smardigo"
+
-grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
 grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
@@ -104,4 +102,4 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
-gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"

group_vars/stage_qa/grafana.yml

@@ -0,0 +1,2 @@
+---
+grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"

group_vars/stage_qa/plain.yml

@@ -1,5 +1,4 @@
 ---
-
 stage: "qa"
 stage_kube: "{{ stage }}nso"
 
@@ -51,8 +50,7 @@ iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 
 grafana_admin_username: "grafana-admin"
 grafana_admin_password: "{{ grafana_admin_password_vault }}"
-grafana_user_smardigo_login: "smardigo"
+
-grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
 grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
@@ -104,4 +102,4 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
-gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"

roles/prometheus/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
-
 ### tags:
 ###   update_config
 ###   update_deployment
 ###   update-digitalocean-metrics
 ###   update-hetzner-metrics
+###   grafana-user-update
 
 - name: "Create/Resize LVM for datadir"
   include_role:
@@ -28,7 +28,7 @@
 
 - name: "Check if {{ inventory_hostname }}/docker-compose.yml exists"
   stat:
-    path: '{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml'
+    path: "{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml"
   register: check_docker_compose_file
   tags:
     - update_config
@@ -36,7 +36,7 @@
 
 - name: "Stop {{ inventory_hostname }}"
   community.docker.docker_compose:
-    project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+    project_src: "{{ service_base_path }}/{{ inventory_hostname }}"
     state: absent
   when: check_docker_compose_file.stat.exists
   tags:
@@ -58,7 +58,7 @@
 
 - name: "Update {{ inventory_hostname }}"
   community.docker.docker_compose:
-    project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+    project_src: "{{ service_base_path }}/{{ inventory_hostname }}"
     state: present
     pull: yes
   tags:
@@ -69,40 +69,88 @@
   tags:
     - update_config
 
-- name: "Wait for {{ http_s }}://{{ inventory_hostname }}-grafana.{{ domain }}"
+- name: Create or update Grafana users
+  community.grafana.grafana_user:
+    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}"
+    url_username: "{{ grafana_admin_username }}"
+    url_password: "{{ grafana_admin_password }}"
+    name: "{{ item.name }}"
+    email: "{{ item.email }}"
+    login: "{{ item.login }}"
+    password: "{{ item.password }}"
+    is_admin: false
+    state: present
+  loop: "{{ grafana_users }}"
+  tags:
+    - grafana-user-update
+
+- name: "Get all Dashboard uids from {{ http_s }}://{{ inventory_hostname }}-grafana.{{ domain }}"
   uri:
-    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/admin/stats"
+    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/search"
     url_username: "{{ grafana_admin_username }}"
     url_password: "{{ grafana_admin_password }}"
     force_basic_auth: yes
     method: GET
     status_code: 200
     return_content: yes
-  register: grafana_stats
+  register: grafana_dashboards
-  until: grafana_stats.status == 200
+  until: grafana_dashboards.status == 200
   retries: 10
   delay: 60
+  tags:
+    - grafana-user-update
 
-- name: Create grafana users
+- name: "Get all existing Dashboard uids"
+  set_fact:
+    grafana_dashboards_uids: "{{ grafana_dashboards.json | json_query('[].uid') }}"
+  tags:
+    - grafana-user-update
+
+- name: "Printing Grafana Dashboard IDs"
+  debug:
+    msg: "{{ grafana_dashboards_uids }}"
+  tags:
+    - grafana-user-update
+  when:
+    - debug
+
+- name: Restrict admin dashboard permissions
   uri:
-    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/admin/users"
+    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/dashboards/uid/{{ item }}/permissions"
     url_username: "{{ grafana_admin_username }}"
     url_password: "{{ grafana_admin_password }}"
     force_basic_auth: yes
     method: POST
-    status_code: 200
+    headers:
+      Content-Type: application/json
     body_format: json
-    body: "{\"name\":\"{{ item.name }}\", \"email\":\"{{ item.email }}\", \"login\":\"{{ item.login }}\", \"password\":\"{{ item.password }}\" }"
+    body:
+      items:
+        - role: Admin
+          permission: 4
+    return_content: yes
+  loop: "{{ grafana_dashboards_uids | difference(grafana_dashboard_whitelist) | list }}"
+  tags:
+    - grafana-user-update
+
+- name: Allow viewer dashboard permissions
+  uri:
+    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/dashboards/uid/{{ item }}/permissions"
+    url_username: "{{ grafana_admin_username }}"
+    url_password: "{{ grafana_admin_password }}"
+    force_basic_auth: yes
+    method: POST
     headers:
       Content-Type: application/json
-  loop:
+    body_format: json
-     - {
+    body:
-      name: "{{ grafana_user_smardigo_login }}",
+      items:
-      login: "{{ grafana_user_smardigo_login }}",
+        - role: Viewer
-      password: "{{ grafana_user_smardigo_password }}",
+          permission: 1
-      email: "smardigo@netgo.de"
+    return_content: yes
-     }
+  loop: "{{ grafana_dashboard_whitelist }}"
-  when: grafana_stats.json.users == 1
+  tags:
+    - grafana-user-update
 
 - name: "Create digitalocean api metric script from template"
   template: