feat: add per-user authentication

[christos-diamantis]

This PR introduces per-user authentication to the Grafana Zabbix datasource plugin. When enabled, Grafana users are mapped to corresponding Zabbix users, and all API requests are performed using the permissions of the mapped Zabbix user. This allows organizations to fully leverage Zabbix RBAC and audit capabilities directly from Grafana.

Key Features

• Per-User Authentication Toggle:
  New option in the datasource config to enable/disable per-user authentication.
• Identity Field Selection:
  Admins can choose whether to map users by Grafana username or email.
• Automatic Zabbix Token Management:
  The plugin will generate and use Zabbix API tokens for each user session, ensuring secure and isolated access.
• Graceful Error Handling:
  If a Grafana user does not exist in Zabbix, a clear error is shown and access is denied.
• Backward Compatibility:
  When per-user authentication is disabled, the plugin continues to use the global Zabbix credentials as before.

How It Works

1. When per-user authentication is enabled, each Grafana request extracts the current user’s identity (username or email).
2. The plugin queries Zabbix for a matching user.
3. If found, a Zabbix API token is generated and used for all API calls in that session.
4. If not found, the user is denied access with a clear error message.

Configuration

• Enable Per-user authentication in the datasource settings.
• Select the identity field (username or email) for user mapping.
• Ensure each Grafana user has a corresponding Zabbix user.

Testing

• Integration and unit tests have been added to cover the new authentication flow.
• The devenv bootstrap script now creates a test user for integration testing.

Documentation

The README and in-app tooltips have been updated to explain the new feature and its requirements.

Feel free to test thoroughly and propose or do any changes if needed.

Closes #2016

[zoltanbedi]

@christos-diamantis thanks for your PR. I'll take a look at it shortly.

[christos-diamantis]

Did a quick review:

• Currently implemented the method only on "QueryData". Need to implement it on all methods that the frontend is using
• I think that currently a new token is generated every time the method is called (QueryData only now). Need to offload the token generation to be happening only once per session.

[CLAassistant]

All committers have signed the CLA.

[christos-diamantis]

Implemented a helper flow that runs when per user auth is enabled.
added also methods to cache the tokens and not generate them each time.
applied the method to all the methods (QueryData, ZabbixAPIHandler, DBConnectionPostProcessingHandler)
debug and logging enhanced to be meaningful.

Feel free to test thoroughly and propose or do any changes if needed. :)

[christos-diamantis]

any update?

[christos-diamantis]

any update on this?

[christos-diamantis]

@matwijec any update?

[matwijec]

@matwijec any update?

thanks for the fix. I just tried this feature (and encountered pointed errors) but I'm not a maintainer

[christos-diamantis]

@matwijec any update?

thanks for the fix. I just tried this feature (and encountered pointed errors) but I'm not a maintainer

Sorry, thought you were a maintainer! What errors did you encountered however? Can you please attach errors and screenshots?

[christos-diamantis]

@zoltanbedi any update on this?