Passthrough Authentication #106

macmowl · 2025-04-02T08:40:33Z

macmowl
Apr 2, 2025

Hi Peter,
First of all, great job on your Databricks ↔ Grafana plugin! It’s a fantastic tool. 🎉

I wanted to check if you have any plans to support passthrough authentication. Specifically, the goal would be to pass users' Microsoft Entra ID credentials from Grafana to Databricks via your plugin, instead of relying on static credentials in the datasource configuration.

This would enhance security and access control by ensuring that each user connects with their own identity rather than shared tokens. Is this something you have on your roadmap, or would you consider adding it?

Looking forward to your thoughts, and thanks again for your great work!

Best regards,

mullerpeter · 2025-04-11T21:43:17Z

mullerpeter
Apr 11, 2025
Maintainer

Hi @macmowl

Thanks for your feedback, yes I thought about supporting Entra ID credential passthrough. But the underlying databricks-sql-golang SDK does not support this type of Auth Passtrough yet (See databricks/databricks-sql-go#221)

Without this we would need to implement a Custom Authentication handler. Which then generates an on-behalf token via Azure to access Databricks, as the passtrough Grafana Entra Token probably has the wrong scopes.

Since the Authentication Handler in the SDK is currently not really build for this kind of passtrough, this would be quite some work.

0 replies

mullerpeter · 2025-04-19T15:23:32Z

mullerpeter
Apr 19, 2025
Maintainer

Hi @macmowl

I managed to build a PoC implementation for Azure Entra Pass Thru. It's not perfect yet, but worked fine in my tests. (There is no fallback configured yet, so it won't work if the user is not authenticated via Entra or in any backend refreshes like Alerts)
Would you be able to give it a test and see if you run into any issues?

There is a pre-release build here with the feature: https://github.com/mullerpeter/databricks-grafana/releases/tag/v1.3.6-rc.2
For this to work, you have to add 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default to the scopes in the Grafana Azure Entra Configuration (this is the Databricks API Scope).

0 replies

mullerpeter · 2025-04-19T18:00:28Z

mullerpeter
Apr 19, 2025
Maintainer

I refactored some more and it seems to be working fine. Added it to the latest release. Let me know if this work for you.

0 replies

macmowl · 2025-04-23T11:42:13Z

macmowl
Apr 23, 2025
Author

Hi Peter,

I'm really impressed by your responsiveness – that was quick!
I just tested the feature and it works exactly as I was hoping. Everything went smoothly on my side.

Huge thanks for your work on this, it's very much appreciated!

Best,
Macmowl

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Passthrough Authentication #106

Uh oh!

{{title}}

Uh oh!

Replies: 4 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Passthrough Authentication #106

Uh oh!

macmowl Apr 2, 2025

Replies: 4 comments

Uh oh!

mullerpeter Apr 11, 2025 Maintainer

Uh oh!

Uh oh!

mullerpeter Apr 19, 2025 Maintainer

Uh oh!

mullerpeter Apr 19, 2025 Maintainer

Uh oh!

macmowl Apr 23, 2025 Author

macmowl
Apr 2, 2025

mullerpeter
Apr 11, 2025
Maintainer

mullerpeter
Apr 19, 2025
Maintainer

mullerpeter
Apr 19, 2025
Maintainer

macmowl
Apr 23, 2025
Author