Feature Request - Authenticate to ADX using user credentials instead of a single application credentials

[gilkgit]

We'd prefer if the ADX plugin would not use a single App ID for authenticating to ADX, but instead will propagate user credentials for the query.

For us this will enable a few more scenarios that we now restrict due to this single app authentication.

It'll also make managing permissions easier since users will automatically be restricted to view panels results according to their permissions over the "raw data".

[gilkgit]

this was added in 7.4.0 :
"Backend plugins: Support Forward OAuth Identity for backend data source plugins"
grafana/grafana#27055.
It might aid in the way to implement this user credentials authentication ask

[brycefisher]

This is a great idea! At my org, we have a much easier time provisioning access to Grafana user accounts than Azure AD user principals, so it would be ideal if we could preserve the current implementation when building this feature.

The ability to track some notion of a user from grafana on a per Kusto API call in #166 sort of relates to this as an alternative way to get observability into the user/dashboard/panel which somewhat overlaps with the possible goals behind this feature request.

[jkrauska]

Agreed -- maintain user auth instead of broadly granting the service account database access would make this much more fine grained for security concerns.

[kkerssem]

Hi, I see some refactoring ongoing in pull request #227 by Erik Sundell. Will this feature be part of that refactoring?
We could really use an oauth forwarding feature in order to implement a row-based authorization policy in ADX.

[Dammi87]

I have the exact same issue - We want to implement row-level security per user, but there is no way of knowing which user is viewing the dashboard in Grafana.

This is the result I get straight from ADX

While this is what is shown in Grafana

We are using AD to login to our Grafana server.

[vickyyyyyyy]

related to #274

[andresmgot]

This is now possible enabling the On-Behalf-Of workflow: https://github.com/grafana/azure-data-explorer-datasource/blob/main/doc/on-behalf-of.md

It's in beta for the moment so feedback is very much appreciated! Please open new issues if you find trouble with the feature.