admin

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Grafana Cloud Admin

Grafana Cloud 账户管理

Docs: https://grafana.com/docs/grafana-cloud/account-management/

文档：https://grafana.com/docs/grafana-cloud/account-management/

Organization and Stack Structure

组织与堆栈结构

Grafana Cloud Account
└── Organization (billing unit)
    ├── Stack 1 (prod)   → dedicated Grafana, Prometheus, Loki, Tempo URLs
    ├── Stack 2 (staging)
    └── Stack 3 (dev)

Organization: top-level account with billing, users, API keys, stacks
Stack: dedicated Grafana + LGTM instance with its own URLs and credentials

Grafana Cloud Account
└── Organization (billing unit)
    ├── Stack 1 (prod)   → dedicated Grafana, Prometheus, Loki, Tempo URLs
    ├── Stack 2 (staging)
    └── Stack 3 (dev)

组织：包含计费、用户、API密钥、堆栈的顶级账户
堆栈：独立的Grafana + LGTM实例，拥有专属URL和凭证

User Roles

用户角色

Role	Scope	Permissions
Org Admin	Organization	Manage stacks, users, billing, API keys
Admin	Stack	Data sources, plugins, users, provisioning
Editor	Stack	Create/edit dashboards, alerts
Viewer	Stack	Read-only dashboards

角色	作用范围	权限
Org Admin	组织	管理堆栈、用户、计费、API密钥
Admin	堆栈	数据源、插件、用户、配置
Editor	堆栈	创建/编辑仪表盘、告警
Viewer	堆栈	只读访问仪表盘

RBAC (Cloud / Enterprise)

RBAC（云版/企业版）

yaml

undefined

yaml

undefined

provisioning/access-control/roles.yaml

apiVersion: 1 roles:

name: TeamDashboardEditor description: Edit dashboards within team folder permissions:
- action: dashboards:read scope: folders:UID:team-folder
- action: dashboards:write scope: folders:UID:team-folder
- action: dashboards:create scope: folders:UID:team-folder


```yaml

apiVersion: 1 roles:

name: TeamDashboardEditor description: Edit dashboards within team folder permissions:
- action: dashboards:read scope: folders:UID:team-folder
- action: dashboards:write scope: folders:UID:team-folder
- action: dashboards:create scope: folders:UID:team-folder


```yaml

provisioning/access-control/assignments.yaml

apiVersion: 1 roleAssignments:

roleName: TeamDashboardEditor users:
- alice@example.com
- bob@example.com teams:
- platform-team

undefined

apiVersion: 1 roleAssignments:

roleName: TeamDashboardEditor users:
- alice@example.com
- bob@example.com teams:
- platform-team

undefined

Service Accounts

服务账户

Service accounts are the recommended way for programmatic access (CI/CD, Terraform, agents):

bash

undefined

服务账户是程序化访问（CI/CD、Terraform、代理）的推荐方式：

bash

undefined

Create service account via API

通过API创建服务账户

curl -X POST https://yourstack.grafana.net/api/serviceaccounts
-H "Authorization: Bearer <admin-token>"
-H "Content-Type: application/json"
-d '{"name": "terraform-provisioner", "role": "Admin", "isDisabled": false}'

Create token for service account

为服务账户创建令牌

curl -X POST https://yourstack.grafana.net/api/serviceaccounts/{id}/tokens
-H "Authorization: Bearer <admin-token>"
-H "Content-Type: application/json"
-d '{"name": "ci-token", "secondsToLive": 0}'


Provisioning via YAML:
```yaml

curl -X POST https://yourstack.grafana.net/api/serviceaccounts/{id}/tokens
-H "Authorization: Bearer <admin-token>"
-H "Content-Type: application/json"
-d '{"name": "ci-token", "secondsToLive": 0}'


通过YAML配置：
```yaml

provisioning/access-control/service_accounts.yaml

apiVersion: 1 serviceAccounts:

name: alloy-writer orgId: 1 role: Editor tokens:
- name: alloy-token

undefined

apiVersion: 1 serviceAccounts:

name: alloy-writer orgId: 1 role: Editor tokens:
- name: alloy-token

undefined

SSO / Auth Configuration

SSO/身份认证配置

OAuth (grafana.ini)

OAuth（grafana.ini）

ini

[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = your_client_id
client_secret = your_client_secret
scopes = openid profile email groups
auth_url = https://your-org.okta.com/oauth2/v1/authorize
token_url = https://your-org.okta.com/oauth2/v1/token
api_url = https://your-org.okta.com/oauth2/v1/userinfo
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
groups_attribute_path = groups

ini

[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = your_client_id
client_secret = your_client_secret
scopes = openid profile email groups
auth_url = https://your-org.okta.com/oauth2/v1/authorize
token_url = https://your-org.okta.com/oauth2/v1/token
api_url = https://your-org.okta.com/oauth2/v1/userinfo
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
groups_attribute_path = groups

SAML (Enterprise)

SAML（企业版）

ini

[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml/grafana.crt
private_key_path = /etc/grafana/saml/grafana.key
idp_metadata_path = /etc/grafana/saml/idp-metadata.xml
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_login = mail
assertion_attribute_email = mail
assertion_attribute_name = displayName
assertion_attribute_role = role
role_values_admin = grafana-admins
role_values_editor = grafana-editors

ini

[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml/grafana.crt
private_key_path = /etc/grafana/saml/grafana.key
idp_metadata_path = /etc/grafana/saml/idp-metadata.xml
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_login = mail
assertion_attribute_email = mail
assertion_attribute_name = displayName
assertion_attribute_role = role
role_values_admin = grafana-admins
role_values_editor = grafana-editors

GitHub OAuth

ini

[auth.github]
enabled = true
allow_sign_up = true
client_id = your_github_client_id
client_secret = your_github_client_secret
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allowed_organizations = ["your-org"]
team_ids = [123456]
role_attribute_path = "Admin"

ini

[auth.github]
enabled = true
allow_sign_up = true
client_id = your_github_client_id
client_secret = your_github_client_secret
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allowed_organizations = ["your-org"]
team_ids = [123456]
role_attribute_path = "Admin"

Cloud API for Stack Management

用于堆栈管理的Cloud API

bash

undefined

bash

undefined

List stacks

列出堆栈

curl https://grafana.com/api/instances
-H "Authorization: Bearer <grafana-com-api-key>"

Create stack

创建堆栈

curl -X POST https://grafana.com/api/instances
-H "Authorization: Bearer <grafana-com-api-key>"
-H "Content-Type: application/json"
-d '{"name": "my-new-stack", "slug": "my-new-stack", "region": "us-east-0", "plan": "grafana-cloud-free"}'

Delete stack

删除堆栈

curl -X DELETE https://grafana.com/api/instances/{id}
-H "Authorization: Bearer <grafana-com-api-key>"

undefined

curl -X DELETE https://grafana.com/api/instances/{id}
-H "Authorization: Bearer <grafana-com-api-key>"

undefined

Terraform Provider

Terraform 提供者

hcl

terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = "~> 2.0"
    }
  }
}

provider "grafana" {
  url  = "https://yourstack.grafana.net"
  auth = var.grafana_service_account_token
}

resource "grafana_team" "platform" {
  name  = "Platform Team"
  email = "platform@example.com"
}

resource "grafana_user" "alice" {
  email    = "alice@example.com"
  login    = "alice"
  name     = "Alice"
  password = "changeme"
}

resource "grafana_team_member" "platform_alice" {
  team_id = grafana_team.platform.id
  user_id = grafana_user.alice.id
}

resource "grafana_folder" "platform_dashboards" {
  title = "Platform Dashboards"
}

resource "grafana_dashboard" "overview" {
  folder      = grafana_folder.platform_dashboards.uid
  config_json = file("dashboards/overview.json")
}

hcl

terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = "~> 2.0"
    }
  }
}

provider "grafana" {
  url  = "https://yourstack.grafana.net"
  auth = var.grafana_service_account_token
}

resource "grafana_team" "platform" {
  name  = "Platform Team"
  email = "platform@example.com"
}

resource "grafana_user" "alice" {
  email    = "alice@example.com"
  login    = "alice"
  name     = "Alice"
  password = "changeme"
}

resource "grafana_team_member" "platform_alice" {
  team_id = grafana_team.platform.id
  user_id = grafana_user.alice.id
}

resource "grafana_folder" "platform_dashboards" {
  title = "Platform Dashboards"
}

resource "grafana_dashboard" "overview" {
  folder      = grafana_folder.platform_dashboards.uid
  config_json = file("dashboards/overview.json")
}

Audit Logs

审计日志

bash

undefined

bash

undefined

Query audit logs (Enterprise/Cloud)

查询审计日志（企业版/云版）

GET /api/admin/auditlogs?query=login&from=1706745600&to=1706832000&limit=50

undefined

GET /api/admin/auditlogs?query=login&from=1706745600&to=1706832000&limit=50

undefined

Key Admin API Endpoints

核心管理员API端点

bash

undefined

bash

undefined

List org users

列出组织用户

GET /api/org/users

Invite user to org

邀请用户加入组织

POST /api/org/invites { "loginOrEmail": "user@example.com", "role": "Editor", "sendEmail": true }

Update user org role

更新用户组织角色

PATCH /api/org/users/{userId} { "role": "Admin" }

List teams

列出团队

GET /api/teams/search?name=platform

Create team

创建团队

POST /api/teams { "name": "Platform Team", "email": "platform@example.com" }

Add user to team

添加用户到团队

POST /api/teams/{teamId}/members { "userId": 2 }

undefined

POST /api/teams/{teamId}/members { "userId": 2 }

undefined