Grafana Cloud Admin

Organization and Stack Structure

```
Grafana Cloud Account
└── Organization (billing unit)
    ├── Stack 1 (prod)   → dedicated Grafana, Prometheus, Loki, Tempo URLs
    ├── Stack 2 (staging)
    └── Stack 3 (dev)
```

- Organization: top-level account with billing, users, API keys, stacks
- Stack: dedicated Grafana + LGTM instance with its own URLs and credentials

User Roles

| Role | Scope | Permissions |
|---|---|---|
| Org Admin | Organization | Manage stacks, users, billing, API keys |
| Admin | Stack | Data sources, plugins, users, provisioning |
| Editor | Stack | Create/edit dashboards, alerts |
| Viewer | Stack | Read-only dashboards |

RBAC (Cloud / Enterprise)

```yaml
# provisioning/access-control/roles.yaml
apiVersion: 1
roles:
  - name: TeamDashboardEditor
    description: Edit dashboards within team folder
    permissions:
      # Scopes use the lowercase form folders:uid:<folder-uid>; keep them
      # folder-scoped rather than folders:uid:* so the role stays least-privilege.
      - action: dashboards:read
        scope: folders:uid:team-folder
      - action: dashboards:write
        scope: folders:uid:team-folder
      - action: dashboards:create
        scope: folders:uid:team-folder
```
```yaml
# provisioning/access-control/assignments.yaml
apiVersion: 1
roleAssignments:
  - roleName: TeamDashboardEditor
    users:
      - alice@example.com
      - bob@example.com
    teams:
      - platform-team
```

File-based provisioning (and the `grafana.ini` snippets further down) only applies where you control the Grafana filesystem, i.e. self-hosted Enterprise. Grafana Cloud stacks expose no filesystem, so there custom roles and assignments are managed through the HTTP API or the Terraform provider instead.

Service Accounts

Service accounts are the recommended way for programmatic access (CI/CD, Terraform, agents). A token carries its service account's role, so assign the lowest role the job needs (a pipeline that only pushes dashboards does not need Admin), and give tokens a finite lifetime: `secondsToLive: 0` mints a token that never expires.

```bash
# Create service account via API
curl -X POST https://yourstack.grafana.net/api/serviceaccounts \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "terraform-provisioner", "role": "Admin", "isDisabled": false}'

# Create token for service account
# secondsToLive: 0 = never expires; prefer a finite TTL (e.g. 2592000 = 30 days) for CI tokens
curl -X POST https://yourstack.grafana.net/api/serviceaccounts/{id}/tokens \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "ci-token", "secondsToLive": 0}'
```

Provisioning via YAML:

```yaml
# provisioning/access-control/service_accounts.yaml
apiVersion: 1
serviceAccounts:
  - name: alloy-writer
    orgId: 1
    role: Editor
    tokens:
      - name: alloy-token
```
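The check that goes with the calls above is the inverse of minting: list the service accounts and their tokens and flag the ones that never expire, have gone idle, or sit on an Admin account. The script below is an added example, not part of the original page or of Grafana's own tooling. It works on the JSON shapes of `GET /api/serviceaccounts/search` and `GET /api/serviceaccounts/{id}/tokens` as stated in its docstring (verify them against your Grafana version), and the payloads embedded in it are constructed for the example, not captured from a real stack.

```python
"""Flag risky Grafana service accounts and tokens (added example, not from the page).

Assumed response shapes (check against your Grafana version):
  GET /api/serviceaccounts/search      -> {"serviceAccounts": [{"id", "name", "role", "isDisabled", ...}]}
  GET /api/serviceaccounts/{id}/tokens -> [{"id", "name", "expiration", "lastUsedAt", ...}]
"expiration": null is what a token minted with secondsToLive = 0 looks like.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample payloads (not real API output).
SERVICE_ACCOUNTS = [
    {"id": 3, "name": "terraform-provisioner", "role": "Admin", "isDisabled": False},
    {"id": 4, "name": "alloy-writer", "role": "Editor", "isDisabled": False},
    {"id": 5, "name": "old-ci", "role": "Admin", "isDisabled": True},
]
TOKENS = {
    3: [{"id": 10, "name": "ci-token", "expiration": None, "lastUsedAt": "2024-01-02T00:00:00Z"}],
    4: [
        {"id": 11, "name": "alloy-token", "expiration": "2024-06-01T00:00:00Z", "lastUsedAt": "2024-03-01T00:00:00Z"},
        {"id": 12, "name": "stale", "expiration": "2025-01-01T00:00:00Z", "lastUsedAt": None},
    ],
    5: [],
}
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def _ts(value):
    """Parse the API's RFC 3339 UTC timestamps; None (or empty) stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(accounts, tokens_by_sa, now, max_idle_days=30):
    """Return (service_account, token_or_None, code) findings.

    Codes: never-expires, expired, idle (unused for more than max_idle_days,
    or never used), admin-role (account holds org Admin; confirm it needs it).
    Disabled accounts are skipped because their tokens stop working anyway.
    """
    findings = []
    for sa in accounts:
        if sa.get("isDisabled"):
            continue
        for tok in tokens_by_sa.get(sa["id"], []):
            exp = _ts(tok.get("expiration"))
            if exp is None:
                findings.append((sa["name"], tok["name"], "never-expires"))
            elif exp < now:
                findings.append((sa["name"], tok["name"], "expired"))
            last = _ts(tok.get("lastUsedAt"))
            if last is None or now - last > timedelta(days=max_idle_days):
                findings.append((sa["name"], tok["name"], "idle"))
        if sa.get("role") == "Admin":
            findings.append((sa["name"], None, "admin-role"))
    return findings


if __name__ == "__main__":
    for sa, tok, code in audit(SERVICE_ACCOUNTS, TOKENS, NOW):
        print(f"{code:14} {sa}" + (f" / {tok}" if tok else ""))
```

Feed it the real responses by replacing the two constants with the output of the two endpoints (the search endpoint is paginated, so page through it), then rotate or delete whatever it flags; a never-expiring token on an Admin account is the finding to act on first.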

SSO / Auth Configuration

SSO/身份认证配置

OAuth (grafana.ini)

```ini
[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = your_client_id
client_secret = your_client_secret
scopes = openid profile email groups
auth_url = https://your-org.okta.com/oauth2/v1/authorize
token_url = https://your-org.okta.com/oauth2/v1/token
api_url = https://your-org.okta.com/oauth2/v1/userinfo
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
groups_attribute_path = groups
```

Three things to tighten before this goes to production. `allow_sign_up = true` lets every user the IdP will authenticate create a Grafana account, so pair it with `allowed_groups` or `allowed_domains`. Set `role_attribute_strict = true` so a user whose claims match no role is refused instead of receiving the `auto_assign_org_role` default. And keep `client_secret` out of the file: grafana.ini expands `$__env{OKTA_CLIENT_SECRET}` and `$__file{/path/to/secret}`.

SAML (Enterprise)

SAML(企业版)

```ini
[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml/grafana.crt
private_key_path = /etc/grafana/saml/grafana.key
idp_metadata_path = /etc/grafana/saml/idp-metadata.xml
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_login = mail
assertion_attribute_email = mail
assertion_attribute_name = displayName
assertion_attribute_role = role
role_values_admin = grafana-admins
role_values_editor = grafana-editors
```

GitHub OAuth

GitHub OAuth

```ini
[auth.github]
enabled = true
allow_sign_up = true
client_id = your_github_client_id
client_secret = your_github_client_secret
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
; grafana.ini lists are plain space- or comma-separated values, not JSON arrays
allowed_organizations = your-org
team_ids = 123456
; JMESPath: a single-quoted value is a string literal; "Admin" in double quotes
; would be looked up as a field name and resolve to nothing
role_attribute_path = 'Admin'
```

As written, the constant `'Admin'` makes every member of `your-org` who can sign in an org Admin. Use a membership-based expression instead, in the same shape as the Okta one above (team memberships are exposed to the expression as `@org/team` entries in `groups`), and set `role_attribute_strict = true` here as well.
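The weaknesses called out in the `[auth.generic_oauth]` and `[auth.github]` snippets above (a literal client secret, open sign-up with no membership restriction, a constant role, no strict mode, bracketed list syntax) are mechanical enough to lint. The script below is an added example, not part of the original page or of Grafana. The option names it inspects are real grafana.ini keys; the WEAK and HARDENED texts are constructed inputs, and the hardened role expressions are illustrative rather than a recommendation for a specific IdP.

```python
"""Lint grafana.ini OAuth sections for the weaknesses discussed above.

Added example, not from the page or from Grafana. Option names are real
grafana.ini keys; WEAK and HARDENED are constructed inputs.
"""
import configparser
import re

SECTIONS = ("auth.generic_oauth", "auth.github")
SECRET_REF = re.compile(r"^\$__(env|file|vault)\{")   # grafana.ini variable expansion
CONSTANT_ROLE = re.compile(r"""^['"](Admin|Editor|Viewer|GrafanaAdmin)['"]$""")
MEMBERSHIP_KEYS = ("allowed_domains", "allowed_groups", "allowed_organizations", "team_ids")

# Constructed: the page's two snippets, condensed to the options that matter.
WEAK = """
[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = your_client_id
client_secret = your_client_secret
scopes = openid profile email groups
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'

[auth.github]
enabled = true
allow_sign_up = true
client_id = your_github_client_id
client_secret = your_github_client_secret
allowed_organizations = ["your-org"]
team_ids = [123456]
role_attribute_path = 'Admin'
"""

# Constructed: the same sections with each finding addressed.
HARDENED = """
[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = your_client_id
client_secret = $__env{OKTA_CLIENT_SECRET}
scopes = openid profile email groups
allowed_groups = grafana-admins grafana-editors
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor'
role_attribute_strict = true

[auth.github]
enabled = true
allow_sign_up = true
client_id = your_github_client_id
client_secret = $__file{/etc/grafana/secrets/github_client_secret}
allowed_organizations = your-org
team_ids = 123456
role_attribute_path = contains(groups[*], '@your-org/grafana-admins') && 'Admin' || 'Viewer'
role_attribute_strict = true
"""


def lint(ini_text):
    """Return (section, finding) pairs for every enabled OAuth section."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                    inline_comment_prefixes=("#", ";"))
    cfg.read_string(ini_text)
    findings = []
    for sec in SECTIONS:
        if not cfg.has_section(sec) or not cfg.getboolean(sec, "enabled", fallback=False):
            continue

        def opt(key):
            return cfg.get(sec, key, fallback="").strip()

        def flag(msg):
            findings.append((sec, msg))

        secret = opt("client_secret")
        if secret and not SECRET_REF.match(secret):
            flag("client_secret is a literal; use $__env{VAR} or $__file{path}")
        if cfg.getboolean(sec, "allow_sign_up", fallback=False) and not any(opt(k) for k in MEMBERSHIP_KEYS):
            flag("allow_sign_up=true with no allowed_* restriction: any IdP user gets an account")
        path = opt("role_attribute_path")
        if CONSTANT_ROLE.match(path):
            flag(f"role_attribute_path is the constant {path}: every user gets that role")
        if path and not cfg.getboolean(sec, "role_attribute_strict", fallback=False):
            flag("role_attribute_strict is not true: unmapped users fall back to auto_assign_org_role")
        for key in ("allowed_organizations", "team_ids"):
            if opt(key).startswith("["):
                flag(f"{key} uses [..] syntax; grafana.ini lists are space- or comma-separated")
        if cfg.getboolean(sec, "tls_skip_verify_insecure", fallback=False):
            flag("tls_skip_verify_insecure=true disables IdP certificate validation")
    return findings


if __name__ == "__main__":
    for sec, msg in lint(WEAK):
        print(f"[{sec}] {msg}")
    print("hardened:", lint(HARDENED) or "no findings")
```

Run it against the real file with `lint(open("/etc/grafana/grafana.ini").read())`; it only reports, so wire it into the config review step of the pipeline that ships grafana.ini rather than into Grafana itself.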

Cloud API for Stack Management

```bash
# List stacks
curl https://grafana.com/api/instances \
  -H "Authorization: Bearer <grafana-com-api-key>"

# Create stack
curl -X POST https://grafana.com/api/instances \
  -H "Authorization: Bearer <grafana-com-api-key>" \
  -H "Content-Type: application/json" \
  -d '{"name": "my-new-stack", "slug": "my-new-stack", "region": "us-east-0", "plan": "grafana-cloud-free"}'

# Delete stack
curl -X DELETE https://grafana.com/api/instances/{id} \
  -H "Authorization: Bearer <grafana-com-api-key>"
```

`<grafana-com-api-key>` is a grafana.com token, not a stack service-account token: it acts on every stack in the organization, including delete. Issue it from a Cloud Access Policy limited to the stack scopes the job actually needs, and never reuse it as a credential inside a stack.

Terraform Provider

```hcl
terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = "~> 2.0"
    }
  }
}

variable "grafana_service_account_token" {
  type      = string
  sensitive = true
}

variable "alice_password" {
  type      = string
  sensitive = true
}

provider "grafana" {
  url  = "https://yourstack.grafana.net"
  auth = var.grafana_service_account_token
}

resource "grafana_team" "platform" {
  name  = "Platform Team"
  email = "platform@example.com"
}

# Local user. Never hard-code the password: it would land in version control,
# and even as a variable it is written to Terraform state, so protect the
# state backend. With SSO in place, drop grafana_user and let the IdP own users.
resource "grafana_user" "alice" {
  email    = "alice@example.com"
  login    = "alice"
  name     = "Alice"
  password = var.alice_password
}

resource "grafana_team_member" "platform_alice" {
  team_id = grafana_team.platform.id
  user_id = grafana_user.alice.id
}

resource "grafana_folder" "platform_dashboards" {
  title = "Platform Dashboards"
}

resource "grafana_dashboard" "overview" {
  folder      = grafana_folder.platform_dashboards.uid
  config_json = file("dashboards/overview.json")
}
```

Audit Logs

```bash
# Query audit logs (Enterprise/Cloud); from/to are Unix epoch seconds
GET /api/admin/auditlogs?query=login&from=1706745600&to=1706832000&limit=50
```

Key Admin API Endpoints

```bash
# List org users
GET /api/org/users

# Invite user to org
POST /api/org/invites
{ "loginOrEmail": "user@example.com", "role": "Editor", "sendEmail": true }

# Update user org role
PATCH /api/org/users/{userId}
{ "role": "Admin" }

# List teams
GET /api/teams/search?name=platform

# Create team
POST /api/teams
{ "name": "Platform Team", "email": "platform@example.com" }

# Add user to team
POST /api/teams/{teamId}/members
{ "userId": 2 }
```