From 7e452e0e8eb53fb9279e8eb5297392a6f0e0b9a0 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 10:38:57 +0300
Subject: [PATCH 01/23] add logic for per user authentication

---
 pkg/datasource/datasource.go | 43 ++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/pkg/datasource/datasource.go b/pkg/datasource/datasource.go
index 4fe9a73ee..2b1bae3a6 100644
--- a/pkg/datasource/datasource.go
+++ b/pkg/datasource/datasource.go
@@ -112,6 +112,49 @@ func (ds *ZabbixDatasource) QueryData(ctx context.Context, req *backend.QueryDat
 		return nil, err
 	}
 
+	// --- Per-user authentication logic START ---
+	if zabbixDS.Settings.PerUserAuth {
+		user := backend.UserFromContext(ctx)
+		if user == nil {
+			return nil, errors.New("no Grafana user found in request context")
+		}
+
+		var identity string
+		switch zabbixDS.Settings.PerUserAuthField {
+		case "email":
+			identity = user.Email
+		default:
+			identity = user.Login
+		}
+
+		zabbixVersion, err := zabbixDS.zabbix.GetVersion(ctx)
+		if err != nil {
+			return nil, errors.New("error getting Zabbix version: " + err.Error())
+		}
+
+		// Query Zabbix for the user
+		zabbixUser, err := zabbixDS.zabbix.GetAPI().GetUserByIdentity(ctx, zabbixDS.Settings.PerUserAuthField, identity, zabbixVersion)
+		if err != nil {
+			return nil, errors.New("error querying Zabbix for user: " + err.Error())
+		}
+		if zabbixUser == nil || len(zabbixUser.MustArray()) == 0 {
+			return nil, errors.New("user " + identity + " not found in Zabbix. Contact your administrator to provision access")
+		}
+		userId := zabbixUser.GetIndex(0).Get("userid").MustString()
+
+		// Generate or retrieve Zabbix API token
+		token, err := zabbixDS.zabbix.GetAPI().GenerateUserAPIToken(ctx, userId, zabbixVersion)
+		if err != nil {
+			return nil, errors.New("failed to generate Zabbix API token for user: " + err.Error())
+		}
+
+		zabbixDS.zabbix.GetAPI().SetAuth(token)
+
+		ds.logger.Debug("Per-user authentication enabled", "identity", identity)
+	}
+
+	// --- Per-user authentication logic END ---
+
 	for _, q := range req.Queries {
 		res := backend.DataResponse{}
 		query, err := ReadQuery(q)

From 379b71accb631133061d6de9ef6136a1eb1ff591 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 10:39:29 +0300
Subject: [PATCH 02/23] extend the models with new fields

---
 pkg/settings/models.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkg/settings/models.go b/pkg/settings/models.go
index 60679611e..d47f43c85 100644
--- a/pkg/settings/models.go
+++ b/pkg/settings/models.go
@@ -16,8 +16,10 @@ type ZabbixDatasourceSettingsDTO struct {
 	CacheTTL    string      `json:"cacheTTL"`
 	Timeout     interface{} `json:"timeout"`
 
-	DisableDataAlignment    bool `json:"disableDataAlignment"`
-	DisableReadOnlyUsersAck bool `json:"disableReadOnlyUsersAck"`
+	DisableDataAlignment    bool   `json:"disableDataAlignment"`
+	DisableReadOnlyUsersAck bool   `json:"disableReadOnlyUsersAck"`
+	PerUserAuth             bool   `json:"perUserAuth"`
+	PerUserAuthField        string `json:"perUserAuthField"` // "username" or "email"
 }
 
 // ZabbixDatasourceSettings model
@@ -29,6 +31,8 @@ type ZabbixDatasourceSettings struct {
 	CacheTTL    time.Duration
 	Timeout     time.Duration
 
-	DisableDataAlignment    bool `json:"disableDataAlignment"`
-	DisableReadOnlyUsersAck bool `json:"disableReadOnlyUsersAck"`
+	DisableDataAlignment    bool   `json:"disableDataAlignment"`
+	DisableReadOnlyUsersAck bool   `json:"disableReadOnlyUsersAck"`
+	PerUserAuth             bool   `json:"perUserAuth"`
+	PerUserAuthField        string `json:"perUserAuthField"` // "username"
 }

From 2cbc92605c7b08cdb6ca48fa58dfefe3447ff7ae Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 10:40:07 +0300
Subject: [PATCH 03/23] extend the zabbixSettings with new fields

---
 pkg/settings/settings.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/settings/settings.go b/pkg/settings/settings.go
index ac05c5d0c..e33a09f8c 100644
--- a/pkg/settings/settings.go
+++ b/pkg/settings/settings.go
@@ -79,6 +79,8 @@ func ReadZabbixSettings(dsInstanceSettings *backend.DataSourceInstanceSettings)
 		Timeout:                 time.Duration(timeout) * time.Second,
 		DisableDataAlignment:    zabbixSettingsDTO.DisableDataAlignment,
 		DisableReadOnlyUsersAck: zabbixSettingsDTO.DisableReadOnlyUsersAck,
+		PerUserAuth:             zabbixSettingsDTO.PerUserAuth,
+		PerUserAuthField:        zabbixSettingsDTO.PerUserAuthField,
 	}
 
 	return zabbixSettings, nil

From 89f53b4241b23a5e7fc17cef34ba022e03a416cb Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 10:40:30 +0300
Subject: [PATCH 04/23] add integration tests for newly created feature

---
 .../zabbix_api_60_integration_test.go         | 34 +++++++++++++++++++
 .../zabbix_api_70_integration_test.go         | 34 +++++++++++++++++++
 .../zabbix_api_72_integration_test.go         | 34 +++++++++++++++++++
 .../zabbix_api_74_integration_test.go         | 34 +++++++++++++++++++
 4 files changed, 136 insertions(+)

diff --git a/pkg/zabbixapi/zabbix_api_60_integration_test.go b/pkg/zabbixapi/zabbix_api_60_integration_test.go
index d6bfe4e11..090a2f471 100644
--- a/pkg/zabbixapi/zabbix_api_60_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_60_integration_test.go
@@ -31,12 +31,14 @@ func TestIntegrationZabbixAPI60(t *testing.T) {
 	zabbixURL := os.Getenv("ZABBIX_URL")
 	zabbixUser := os.Getenv("ZABBIX_USER")
 	zabbixPassword := os.Getenv("ZABBIX_PASSWORD")
+	targetUsername := os.Getenv("ZABBIX_TARGET_USER")
 	zabbixVersion := 60
 
 	// Validate required environment variables
 	require.NotEmpty(t, zabbixURL, "ZABBIX_URL environment variable is required")
 	require.NotEmpty(t, zabbixUser, "ZABBIX_USER environment variable is required")
 	require.NotEmpty(t, zabbixPassword, "ZABBIX_PASSWORD environment variable is required")
+	require.NotEmpty(t, targetUsername, "ZABBIX_TARGET_USER environment variable is required")
 
 	dsSettings := backend.DataSourceInstanceSettings{
 		URL:              zabbixURL,
@@ -144,4 +146,36 @@ func TestIntegrationZabbixAPI60(t *testing.T) {
 		assert.True(t, hasAuth, "Auth parameter should be present in request body for v6.0")
 		assert.Equal(t, api.GetAuth(), auth, "Auth parameter should match the set auth token")
 	})
+
+	// Test per-user authentication
+	t.Run("Per-User Authentication", func(t *testing.T) {
+		// First authenticate
+		err := api.Authenticate(context.Background(), zabbixUser, zabbixPassword, zabbixVersion)
+		require.NoError(t, err)
+
+		// Query Zabbix for the target user
+		zabbixUserResp, err := api.GetUserByIdentity(context.Background(), "username", targetUsername, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, zabbixUserResp)
+
+		if len(zabbixUserResp.MustArray()) == 0 {
+			t.Skipf("User %s not found in Zabbix. Skipping per-user auth test.", targetUsername)
+		}
+
+		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+
+		// Generate or retrieve Zabbix API token for the user
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token, "Generated token should not be empty")
+
+		api.SetAuth(token)
+
+		// Optionally, perform a simple API call as the user
+		resp, err := api.Request(context.Background(), "hostgroup.get", map[string]interface{}{"output": "extend"}, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+
+		t.Logf("Per-user authentication successful for identity %s (userId %s)", targetUsername, userId)
+	})
 }
diff --git a/pkg/zabbixapi/zabbix_api_70_integration_test.go b/pkg/zabbixapi/zabbix_api_70_integration_test.go
index c8a06d4bc..7bb11dd51 100644
--- a/pkg/zabbixapi/zabbix_api_70_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_70_integration_test.go
@@ -33,12 +33,14 @@ func TestIntegrationZabbixAPI70(t *testing.T) {
 	zabbixURL := os.Getenv("ZABBIX_URL")
 	zabbixUser := os.Getenv("ZABBIX_USER")
 	zabbixPassword := os.Getenv("ZABBIX_PASSWORD")
+	targetUsername := os.Getenv("ZABBIX_TARGET_USER")
 	zabbixVersion := 70
 
 	// Validate required environment variables
 	require.NotEmpty(t, zabbixURL, "ZABBIX_URL environment variable is required")
 	require.NotEmpty(t, zabbixUser, "ZABBIX_USER environment variable is required")
 	require.NotEmpty(t, zabbixPassword, "ZABBIX_PASSWORD environment variable is required")
+	require.NotEmpty(t, targetUsername, "ZABBIX_TARGET_USER environment variable is required")
 
 	dsSettings := backend.DataSourceInstanceSettings{
 		URL:              zabbixURL,
@@ -146,4 +148,36 @@ func TestIntegrationZabbixAPI70(t *testing.T) {
 		assert.True(t, hasAuth, "Auth parameter should be present in request body for v7.0")
 		assert.Equal(t, api.GetAuth(), auth, "Auth parameter should match the set auth token")
 	})
+
+	// Test per-user authentication
+	t.Run("Per-User Authentication", func(t *testing.T) {
+		// First authenticate
+		err := api.Authenticate(context.Background(), zabbixUser, zabbixPassword, zabbixVersion)
+		require.NoError(t, err)
+
+		// Query Zabbix for the target user
+		zabbixUserResp, err := api.GetUserByIdentity(context.Background(), "username", targetUsername, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, zabbixUserResp)
+
+		if len(zabbixUserResp.MustArray()) == 0 {
+			t.Skipf("User %s not found in Zabbix. Skipping per-user auth test.", targetUsername)
+		}
+
+		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+
+		// Generate or retrieve Zabbix API token for the user
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token, "Generated token should not be empty")
+
+		api.SetAuth(token)
+
+		// Optionally, perform a simple API call as the user
+		resp, err := api.Request(context.Background(), "hostgroup.get", map[string]interface{}{"output": "extend"}, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+
+		t.Logf("Per-user authentication successful for identity %s (userId %s)", targetUsername, userId)
+	})
 }
diff --git a/pkg/zabbixapi/zabbix_api_72_integration_test.go b/pkg/zabbixapi/zabbix_api_72_integration_test.go
index 9a8bfec88..2f7b653e1 100644
--- a/pkg/zabbixapi/zabbix_api_72_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_72_integration_test.go
@@ -30,12 +30,14 @@ func TestIntegrationZabbixAPI72(t *testing.T) {
 	zabbixURL := os.Getenv("ZABBIX_URL")
 	zabbixUser := os.Getenv("ZABBIX_USER")
 	zabbixPassword := os.Getenv("ZABBIX_PASSWORD")
+	targetUsername := os.Getenv("ZABBIX_TARGET_USER")
 	zabbixVersion := 72
 
 	// Validate required environment variables
 	require.NotEmpty(t, zabbixURL, "ZABBIX_URL environment variable is required")
 	require.NotEmpty(t, zabbixUser, "ZABBIX_USER environment variable is required")
 	require.NotEmpty(t, zabbixPassword, "ZABBIX_PASSWORD environment variable is required")
+	require.NotEmpty(t, targetUsername, "ZABBIX_TARGET_USER environment variable is required")
 
 	// Create new Zabbix API instance
 	dsSettings := backend.DataSourceInstanceSettings{
@@ -158,4 +160,36 @@ func TestIntegrationZabbixAPI72(t *testing.T) {
 		assert.Contains(t, err.Error(), "Basic Auth is not supported for Zabbix v7.2 and later")
 		assert.True(t, backend.IsDownstreamError(err))
 	})
+
+	// Test per-user authentication
+	t.Run("Per-User Authentication", func(t *testing.T) {
+		// First authenticate
+		err := api.Authenticate(context.Background(), zabbixUser, zabbixPassword, zabbixVersion)
+		require.NoError(t, err)
+
+		// Query Zabbix for the target user
+		zabbixUserResp, err := api.GetUserByIdentity(context.Background(), "username", targetUsername, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, zabbixUserResp)
+
+		if len(zabbixUserResp.MustArray()) == 0 {
+			t.Skipf("User %s not found in Zabbix. Skipping per-user auth test.", targetUsername)
+		}
+
+		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+
+		// Generate or retrieve Zabbix API token for the user
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token, "Generated token should not be empty")
+
+		api.SetAuth(token)
+
+		// Optionally, perform a simple API call as the user
+		resp, err := api.Request(context.Background(), "hostgroup.get", map[string]interface{}{"output": "extend"}, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+
+		t.Logf("Per-user authentication successful for identity %s (userId %s)", targetUsername, userId)
+	})
 }
diff --git a/pkg/zabbixapi/zabbix_api_74_integration_test.go b/pkg/zabbixapi/zabbix_api_74_integration_test.go
index 32516cae2..bcae3c1fe 100644
--- a/pkg/zabbixapi/zabbix_api_74_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_74_integration_test.go
@@ -30,12 +30,14 @@ func TestIntegrationZabbixAPI74(t *testing.T) {
 	zabbixURL := os.Getenv("ZABBIX_URL")
 	zabbixUser := os.Getenv("ZABBIX_USER")
 	zabbixPassword := os.Getenv("ZABBIX_PASSWORD")
+	targetUsername := os.Getenv("ZABBIX_TARGET_USER")
 	zabbixVersion := 74
 
 	// Validate required environment variables
 	require.NotEmpty(t, zabbixURL, "ZABBIX_URL environment variable is required")
 	require.NotEmpty(t, zabbixUser, "ZABBIX_USER environment variable is required")
 	require.NotEmpty(t, zabbixPassword, "ZABBIX_PASSWORD environment variable is required")
+	require.NotEmpty(t, targetUsername, "ZABBIX_TARGET_USER environment variable is required")
 
 	// Create new Zabbix API instance
 	dsSettings := backend.DataSourceInstanceSettings{
@@ -158,4 +160,36 @@ func TestIntegrationZabbixAPI74(t *testing.T) {
 		assert.Contains(t, err.Error(), "Basic Auth is not supported for Zabbix v7.2 and later")
 		assert.True(t, backend.IsDownstreamError(err))
 	})
+
+	// Test per-user authentication
+	t.Run("Per-User Authentication", func(t *testing.T) {
+		// First authenticate
+		err := api.Authenticate(context.Background(), zabbixUser, zabbixPassword, zabbixVersion)
+		require.NoError(t, err)
+
+		// Query Zabbix for the target user
+		zabbixUserResp, err := api.GetUserByIdentity(context.Background(), "username", targetUsername, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, zabbixUserResp)
+
+		if len(zabbixUserResp.MustArray()) == 0 {
+			t.Skipf("User %s not found in Zabbix. Skipping per-user auth test.", targetUsername)
+		}
+
+		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+
+		// Generate or retrieve Zabbix API token for the user
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token, "Generated token should not be empty")
+
+		api.SetAuth(token)
+
+		// Optionally, perform a simple API call as the user
+		resp, err := api.Request(context.Background(), "hostgroup.get", map[string]interface{}{"output": "extend"}, zabbixVersion)
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+
+		t.Logf("Per-user authentication successful for identity %s (userId %s)", targetUsername, userId)
+	})
 }

From d960e0de82895cef068bb181a02d2070a7c34936 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 10:41:03 +0300
Subject: [PATCH 05/23] helper functions for getting a user and generating a
 token for the user

---
 pkg/zabbixapi/zabbix_api.go | 64 +++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/pkg/zabbixapi/zabbix_api.go b/pkg/zabbixapi/zabbix_api.go
index 7eb56ad44..899716d91 100644
--- a/pkg/zabbixapi/zabbix_api.go
+++ b/pkg/zabbixapi/zabbix_api.go
@@ -189,6 +189,70 @@ func (api *ZabbixAPI) AuthenticateWithToken(ctx context.Context, token string) e
 	return nil
 }
 
+// GetUserByIdentity queries Zabbix for a user by username or email
+func (api *ZabbixAPI) GetUserByIdentity(ctx context.Context, field, value string, version int) (*simplejson.Json, error) {
+	params := map[string]interface{}{
+		"filter": map[string]interface{}{
+			field: value,
+		},
+		"output": "extend",
+	}
+	return api.Request(ctx, "user.get", params, version)
+}
+
+// GenerateUserAPIToken generates or retrieves a Zabbix API token for a user
+func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, version int) (string, error) {
+	// Check for existing token with the desired name
+	getParams := map[string]interface{}{
+		"userids": userId,
+		"output":  "extend",
+		"filter": map[string]interface{}{
+			"name": "Zabbix-Grafana-Session-Token",
+		},
+	}
+	resp, err := api.Request(ctx, "token.get", getParams, version)
+	if err != nil {
+		return "", err
+	}
+
+	var tokenId string
+	if resp != nil && len(resp.MustArray()) > 0 {
+		// Token exists, use its tokenid
+		tokenId = resp.GetIndex(0).Get("tokenid").MustString()
+	} else {
+		// Token does not exist, create a new one
+		createParams := map[string]interface{}{
+			"userid": userId,
+			"name":   "Zabbix-Grafana-Session-Token",
+		}
+
+		createResp, err := api.Request(ctx, "token.create", createParams, version)
+		if err != nil {
+			return "", err
+		}
+
+		tokenId := createResp.GetIndex(0).Get("tokenid").MustString()
+		if tokenId == "" {
+			return "", errors.New("failed to create Zabbix API token, token ID is empty")
+		}
+	}
+
+	// Generate the actual token value
+
+	genParams := map[string]interface{}{
+		"tokenids": []string{tokenId},
+	}
+	genResp, err := api.Request(ctx, "token.generate", genParams, version)
+	if err != nil {
+		return "", err
+	}
+	token := genResp.GetIndex(0).Get("token").MustString()
+	if token == "" {
+		return "", errors.New("failed to generate Zabbix API token, token is empty")
+	}
+	return token, nil
+}
+
 func isDeprecatedUserParamError(err error) bool {
 	if err == nil {
 		return false

From 134f5da21f4f6c3010e63a73323b0676812ec6cf Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 10:41:41 +0300
Subject: [PATCH 06/23] add new fields on datasource configuration

---
 src/datasource/components/ConfigEditor.tsx | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/src/datasource/components/ConfigEditor.tsx b/src/datasource/components/ConfigEditor.tsx
index 200ee3a70..89b8a3521 100644
--- a/src/datasource/components/ConfigEditor.tsx
+++ b/src/datasource/components/ConfigEditor.tsx
@@ -378,6 +378,53 @@ export const ConfigEditor = (props: Props) => {
               onChange={jsonDataSwitchHandler('disableDataAlignment', options, onOptionsChange)}
             />
           </Field>
+
+          <Field
+            label={
+              <Label>
+                <EditorStack gap={0.5}>
+                  <span>Enable per-user authentication</span>
+                  <Tooltip
+                    content={
+                      <span>
+                        Enable this option if you want to use per-user authentication. This will map Grafana users to
+                        Zabbix users respecting the RBAC already setup in Zabbix.
+                      </span>
+                    }
+                  >
+                    <Icon name="info-circle" size="sm" />
+                  </Tooltip>
+                </EditorStack>
+              </Label>
+            }
+          >
+            <Switch
+              value={!!options.jsonData.perUserAuth}
+              onChange={jsonDataSwitchHandler('perUserAuth', options, onOptionsChange)}
+            />
+          </Field>
+
+          {options.jsonData.perUserAuth && (
+            <Field
+              label={
+                <Label>
+                  <EditorStack gap={0.5}>
+                    <span>User identity field</span>
+                    <Select
+                      width={40}
+                      options={[
+                        { label: 'Username', value: 'username' },
+                        { label: 'Email', value: 'email' },
+                      ]}
+                      value={options.jsonData.perUserAuthField || 'username' }
+                      onChange={jsonDataSelectHandler('perUserAuthField', options, onOptionsChange)}
+                    />
+                  </EditorStack>
+                </Label>
+              }
+            >
+            </Field>
+          )}
         </ConfigSubSection>
 
         {config.secureSocksDSProxyEnabled && gte(config.buildInfo.version, '10.0.0-0') && (

From 22356ff8cee63ecdc4ce93727fc3f14191f908a1 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 11:01:12 +0300
Subject: [PATCH 07/23] complete the devenv and integration tests

---
 .github/workflows/compatibility-60.yml        |  1 +
 .github/workflows/compatibility-70.yml        |  1 +
 .github/workflows/compatibility-72.yml        |  1 +
 .github/workflows/compatibility-74.yml        |  1 +
 devenv/zabbix60/bootstrap/Dockerfile          |  2 ++
 devenv/zabbix60/bootstrap/bootstrap_config.py | 26 ++++++++++++++++++-
 devenv/zabbix60/docker-compose.yml            |  2 ++
 devenv/zabbix70/bootstrap/Dockerfile          |  2 ++
 devenv/zabbix70/bootstrap/bootstrap_config.py | 25 +++++++++++++++++-
 devenv/zabbix70/docker-compose.yml            |  2 ++
 devenv/zabbix72/bootstrap/Dockerfile          |  2 ++
 devenv/zabbix72/bootstrap/bootstrap_config.py | 25 +++++++++++++++++-
 devenv/zabbix72/docker-compose.yml            |  2 ++
 devenv/zabbix74/bootstrap/Dockerfile          |  2 ++
 devenv/zabbix74/bootstrap/bootstrap_config.py | 25 +++++++++++++++++-
 devenv/zabbix74/docker-compose.yml            |  2 ++
 .../zabbix_api_60_integration_test.go         |  3 ++-
 .../zabbix_api_70_integration_test.go         |  4 +--
 .../zabbix_api_72_integration_test.go         |  3 ++-
 .../zabbix_api_74_integration_test.go         |  3 ++-
 20 files changed, 125 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/compatibility-60.yml b/.github/workflows/compatibility-60.yml
index c3201130c..ef3827133 100644
--- a/.github/workflows/compatibility-60.yml
+++ b/.github/workflows/compatibility-60.yml
@@ -32,6 +32,7 @@ jobs:
           ZABBIX_URL: 'https://localhost/api_jsonrpc.php'
           ZABBIX_USER: 'Admin'
           ZABBIX_PASSWORD: 'zabbix'
+          ZABBIX_TARGET_USER: 'grafana_test'
         run: go test -v ./pkg/zabbixapi/...
 
       - name: Cleanup
diff --git a/.github/workflows/compatibility-70.yml b/.github/workflows/compatibility-70.yml
index 6cf0f2401..c0886994f 100644
--- a/.github/workflows/compatibility-70.yml
+++ b/.github/workflows/compatibility-70.yml
@@ -32,6 +32,7 @@ jobs:
           ZABBIX_URL: 'https://localhost/api_jsonrpc.php'
           ZABBIX_USER: 'Admin'
           ZABBIX_PASSWORD: 'zabbix'
+          ZABBIX_TARGET_USER: 'grafana_test'
         run: go test -v ./pkg/zabbixapi/...
 
       - name: Cleanup
diff --git a/.github/workflows/compatibility-72.yml b/.github/workflows/compatibility-72.yml
index 8a9943ef4..cd106a6d3 100644
--- a/.github/workflows/compatibility-72.yml
+++ b/.github/workflows/compatibility-72.yml
@@ -32,6 +32,7 @@ jobs:
           ZABBIX_URL: 'http://localhost:8188/api_jsonrpc.php'
           ZABBIX_USER: 'Admin'
           ZABBIX_PASSWORD: 'zabbix'
+          ZABBIX_TARGET_USER: 'grafana_test'
         run: go test -v ./pkg/zabbixapi/...
 
       - name: Cleanup
diff --git a/.github/workflows/compatibility-74.yml b/.github/workflows/compatibility-74.yml
index 8ad3e2479..2d6ff9eef 100644
--- a/.github/workflows/compatibility-74.yml
+++ b/.github/workflows/compatibility-74.yml
@@ -32,6 +32,7 @@ jobs:
           ZABBIX_URL: 'http://localhost:8188/api_jsonrpc.php'
           ZABBIX_USER: 'Admin'
           ZABBIX_PASSWORD: 'zabbix'
+          ZABBIX_TARGET_USER: 'grafana_test'
         run: go test -v ./pkg/zabbixapi/...
 
       - name: Cleanup
diff --git a/devenv/zabbix60/bootstrap/Dockerfile b/devenv/zabbix60/bootstrap/Dockerfile
index da6457fd1..e852df496 100644
--- a/devenv/zabbix60/bootstrap/Dockerfile
+++ b/devenv/zabbix60/bootstrap/Dockerfile
@@ -5,6 +5,8 @@ ENV ZBX_API_USER="Admin"
 ENV ZBX_API_PASSWORD="zabbix"
 ENV ZBX_CONFIG="zbx_export_hosts.xml"
 ENV ZBX_BOOTSTRAP_SCRIPT="bootstrap_config.py"
+ENV ZBX_TEST_USER="grafana_test"
+ENV ZBX_TEST_PASS="grafana_test_pass"
 
 RUN pip install pyzabbix
 
diff --git a/devenv/zabbix60/bootstrap/bootstrap_config.py b/devenv/zabbix60/bootstrap/bootstrap_config.py
index 9f4a15bfb..806ec30f4 100644
--- a/devenv/zabbix60/bootstrap/bootstrap_config.py
+++ b/devenv/zabbix60/bootstrap/bootstrap_config.py
@@ -5,7 +5,9 @@
 zabbix_url = os.environ['ZBX_API_URL']
 zabbix_user = os.environ['ZBX_API_USER']
 zabbix_password = os.environ['ZBX_API_PASSWORD']
-print(zabbix_url, zabbix_user, zabbix_password)
+zabbix_test_user = os.environ['ZBX_TEST_USER']
+zabbix_test_pass = os.environ['ZBX_TEST_PASS']
+print(zabbix_url, zabbix_user, zabbix_password, zabbix_test_user, zabbix_test_pass)
 
 zapi = ZabbixAPI(zabbix_url, timeout=5)
 
@@ -76,5 +78,27 @@
   except ZabbixAPIException as e:
     print e
 
+print("Creating a user for testing per-user auth")
+groups = zapi.usergoup.get(output="extend", filter={"name": "Zabbix administrators"})
+if not groups:
+  groups = zapi.usergroup.get(output="extend")
+groupid = groups[0]['usrgrpid']
+
+user_create_params = {
+  "alias": zabbix_test_user,
+  "passwd": zabbix_test_pass,
+  "name": "Grafana",
+  "surname": "Test",
+  "type": 1,  # Zabbix user type
+  "user_groups": [{"usrgrpid": groupid}],
+}
+
+try:
+  user = zapi.user.create(**user_create_params)
+  print("User created successfully: %s" % user['userids'][0])
+except Exception as e:
+  print("Failed to create user: %s" % e)
+
+
 for h in zapi.host.get(output="extend"):
     print(h['name'])
diff --git a/devenv/zabbix60/docker-compose.yml b/devenv/zabbix60/docker-compose.yml
index 3a28bc655..a7df300da 100644
--- a/devenv/zabbix60/docker-compose.yml
+++ b/devenv/zabbix60/docker-compose.yml
@@ -89,6 +89,8 @@ services:
       ZBX_API_URL: http://zabbix-web:8080
       ZBX_API_USER: Admin
       ZBX_API_PASSWORD: zabbix
+      ZBX_TEST_USER: grafana_test
+      ZBX_TEST_PASS: grafana_test_pass
     depends_on:
       - database
       - zabbix-server
diff --git a/devenv/zabbix70/bootstrap/Dockerfile b/devenv/zabbix70/bootstrap/Dockerfile
index ac31af8e7..b6c13e9a0 100644
--- a/devenv/zabbix70/bootstrap/Dockerfile
+++ b/devenv/zabbix70/bootstrap/Dockerfile
@@ -5,6 +5,8 @@ ENV ZBX_API_USER="Admin"
 ENV ZBX_API_PASSWORD="zabbix"
 ENV ZBX_CONFIG="zbx_export_hosts.json"
 ENV ZBX_BOOTSTRAP_SCRIPT="bootstrap_config.py"
+ENV ZBX_TEST_USER="grafana_test"
+ENV ZBX_TEST_PASS="grafana_test_pass"
 
 RUN pip install zabbix_utils
 
diff --git a/devenv/zabbix70/bootstrap/bootstrap_config.py b/devenv/zabbix70/bootstrap/bootstrap_config.py
index c75721f50..8a9b8fe05 100644
--- a/devenv/zabbix70/bootstrap/bootstrap_config.py
+++ b/devenv/zabbix70/bootstrap/bootstrap_config.py
@@ -4,7 +4,9 @@
 zabbix_url = os.environ['ZBX_API_URL']
 zabbix_user = os.environ['ZBX_API_USER']
 zabbix_password = os.environ['ZBX_API_PASSWORD']
-print(zabbix_url, zabbix_user, zabbix_password)
+zabbix_test_user = os.environ['ZBX_TEST_USER']
+zabbix_test_pass = os.environ['ZBX_TEST_PASS']
+print(zabbix_url, zabbix_user, zabbix_password, zabbix_test_user, zabbix_test_pass)
 
 zapi = ZabbixAPI(zabbix_url)
 
@@ -71,5 +73,26 @@
   except Exception as e:
     print(e)
 
+print("Creating a user for testing per-user auth")
+groups = zapi.usergoup.get(output="extend", filter={"name": "Zabbix administrators"})
+if not groups:
+  groups = zapi.usergroup.get(output="extend")
+groupid = groups[0]['usrgrpid']
+
+user_create_params = {
+  "alias": zabbix_test_user,
+  "passwd": zabbix_test_pass,
+  "name": "Grafana",
+  "surname": "Test",
+  "type": 1,  # Zabbix user type
+  "user_groups": [{"usrgrpid": groupid}],
+}
+
+try:
+  user = zapi.user.create(**user_create_params)
+  print("User created successfully: %s" % user['userids'][0])
+except Exception as e:
+  print("Failed to create user: %s" % e)
+
 for h in zapi.host.get(output="extend"):
     print(h['name'])
diff --git a/devenv/zabbix70/docker-compose.yml b/devenv/zabbix70/docker-compose.yml
index 6ed975de5..4bda6e502 100644
--- a/devenv/zabbix70/docker-compose.yml
+++ b/devenv/zabbix70/docker-compose.yml
@@ -89,6 +89,8 @@ services:
       ZBX_API_URL: http://zabbix-web:8080
       ZBX_API_USER: Admin
       ZBX_API_PASSWORD: zabbix
+      ZBX_TEST_USER: grafana_test
+      ZBX_TEST_PASS: grafana_test_pass
     depends_on:
       - database
       - zabbix-server
diff --git a/devenv/zabbix72/bootstrap/Dockerfile b/devenv/zabbix72/bootstrap/Dockerfile
index ac31af8e7..b6c13e9a0 100644
--- a/devenv/zabbix72/bootstrap/Dockerfile
+++ b/devenv/zabbix72/bootstrap/Dockerfile
@@ -5,6 +5,8 @@ ENV ZBX_API_USER="Admin"
 ENV ZBX_API_PASSWORD="zabbix"
 ENV ZBX_CONFIG="zbx_export_hosts.json"
 ENV ZBX_BOOTSTRAP_SCRIPT="bootstrap_config.py"
+ENV ZBX_TEST_USER="grafana_test"
+ENV ZBX_TEST_PASS="grafana_test_pass"
 
 RUN pip install zabbix_utils
 
diff --git a/devenv/zabbix72/bootstrap/bootstrap_config.py b/devenv/zabbix72/bootstrap/bootstrap_config.py
index c75721f50..8a9b8fe05 100644
--- a/devenv/zabbix72/bootstrap/bootstrap_config.py
+++ b/devenv/zabbix72/bootstrap/bootstrap_config.py
@@ -4,7 +4,9 @@
 zabbix_url = os.environ['ZBX_API_URL']
 zabbix_user = os.environ['ZBX_API_USER']
 zabbix_password = os.environ['ZBX_API_PASSWORD']
-print(zabbix_url, zabbix_user, zabbix_password)
+zabbix_test_user = os.environ['ZBX_TEST_USER']
+zabbix_test_pass = os.environ['ZBX_TEST_PASS']
+print(zabbix_url, zabbix_user, zabbix_password, zabbix_test_user, zabbix_test_pass)
 
 zapi = ZabbixAPI(zabbix_url)
 
@@ -71,5 +73,26 @@
   except Exception as e:
     print(e)
 
+print("Creating a user for testing per-user auth")
+groups = zapi.usergoup.get(output="extend", filter={"name": "Zabbix administrators"})
+if not groups:
+  groups = zapi.usergroup.get(output="extend")
+groupid = groups[0]['usrgrpid']
+
+user_create_params = {
+  "alias": zabbix_test_user,
+  "passwd": zabbix_test_pass,
+  "name": "Grafana",
+  "surname": "Test",
+  "type": 1,  # Zabbix user type
+  "user_groups": [{"usrgrpid": groupid}],
+}
+
+try:
+  user = zapi.user.create(**user_create_params)
+  print("User created successfully: %s" % user['userids'][0])
+except Exception as e:
+  print("Failed to create user: %s" % e)
+
 for h in zapi.host.get(output="extend"):
     print(h['name'])
diff --git a/devenv/zabbix72/docker-compose.yml b/devenv/zabbix72/docker-compose.yml
index 17860a082..86524003c 100644
--- a/devenv/zabbix72/docker-compose.yml
+++ b/devenv/zabbix72/docker-compose.yml
@@ -70,6 +70,8 @@ services:
       ZBX_API_URL: http://zabbix-web:8080
       ZBX_API_USER: Admin
       ZBX_API_PASSWORD: zabbix
+      ZBX_TEST_USER: grafana_test
+      ZBX_TEST_PASS: grafana_test_pass
     depends_on:
       - database
       - zabbix-server
diff --git a/devenv/zabbix74/bootstrap/Dockerfile b/devenv/zabbix74/bootstrap/Dockerfile
index bb92a63b1..bc36f4e47 100644
--- a/devenv/zabbix74/bootstrap/Dockerfile
+++ b/devenv/zabbix74/bootstrap/Dockerfile
@@ -5,6 +5,8 @@ ENV ZBX_API_USER="Admin"
 ENV ZBX_API_PASSWORD="zabbix"
 ENV ZBX_CONFIG="zbx_export_hosts.json"
 ENV ZBX_BOOTSTRAP_SCRIPT="bootstrap_config.py"
+ENV ZBX_TEST_USER="grafana_test"
+ENV ZBX_TEST_PASS="grafana_test_pass"
 
 RUN pip install zabbix_utils
 
diff --git a/devenv/zabbix74/bootstrap/bootstrap_config.py b/devenv/zabbix74/bootstrap/bootstrap_config.py
index ff6a975bc..cd1426e2e 100644
--- a/devenv/zabbix74/bootstrap/bootstrap_config.py
+++ b/devenv/zabbix74/bootstrap/bootstrap_config.py
@@ -4,7 +4,9 @@
 zabbix_url = os.environ['ZBX_API_URL']
 zabbix_user = os.environ['ZBX_API_USER']
 zabbix_password = os.environ['ZBX_API_PASSWORD']
-print(zabbix_url, zabbix_user, zabbix_password)
+zabbix_test_user = os.environ['ZBX_TEST_USER']
+zabbix_test_pass = os.environ['ZBX_TEST_PASS']
+print(zabbix_url, zabbix_user, zabbix_password, zabbix_test_user, zabbix_test_pass)
 
 zapi = ZabbixAPI(zabbix_url)
 
@@ -71,5 +73,26 @@
   except Exception as e:
     print(e)
 
+print("Creating a user for testing per-user auth")
+groups = zapi.usergoup.get(output="extend", filter={"name": "Zabbix administrators"})
+if not groups:
+  groups = zapi.usergroup.get(output="extend")
+groupid = groups[0]['usrgrpid']
+
+user_create_params = {
+  "alias": zabbix_test_user,
+  "passwd": zabbix_test_pass,
+  "name": "Grafana",
+  "surname": "Test",
+  "type": 1,  # Zabbix user type
+  "user_groups": [{"usrgrpid": groupid}],
+}
+
+try:
+  user = zapi.user.create(**user_create_params)
+  print("User created successfully: %s" % user['userids'][0])
+except Exception as e:
+  print("Failed to create user: %s" % e)
+
 for h in zapi.host.get(output="extend"):
     print(h['name'])
\ No newline at end of file
diff --git a/devenv/zabbix74/docker-compose.yml b/devenv/zabbix74/docker-compose.yml
index 28350f9a8..53176de63 100644
--- a/devenv/zabbix74/docker-compose.yml
+++ b/devenv/zabbix74/docker-compose.yml
@@ -70,6 +70,8 @@ services:
       ZBX_API_URL: http://zabbix-web:8080
       ZBX_API_USER: Admin
       ZBX_API_PASSWORD: zabbix
+      ZBX_TEST_USER: grafana_test
+      ZBX_TEST_PASS: grafana_test_pass
     depends_on:
       - database
       - zabbix-server
diff --git a/pkg/zabbixapi/zabbix_api_60_integration_test.go b/pkg/zabbixapi/zabbix_api_60_integration_test.go
index 090a2f471..22574f028 100644
--- a/pkg/zabbixapi/zabbix_api_60_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_60_integration_test.go
@@ -20,7 +20,8 @@ import (
 // ZABBIX_URL - URL of the Zabbix server (e.g., http://localhost/zabbix/api_jsonrpc.php)
 // ZABBIX_USER - Username for authentication
 // ZABBIX_PASSWORD - Password for authentication
-// To run locally, start devenv/zabbix60 and run INTEGRATION_TEST60=true ZABBIX_URL="https://localhost/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" go test -v ./pkg/zabbixapi/...
+// ZABBIX_TARGET_USER - Username for per-user authentication
+// To run locally, start devenv/zabbix60 and run INTEGRATION_TEST60=true ZABBIX_URL="https://localhost/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" ZABBIX_TARGET_USER="grafana_test" go test -v ./pkg/zabbixapi/...
 func TestIntegrationZabbixAPI60(t *testing.T) {
 	// Skip if not running integration tests
 	if os.Getenv("INTEGRATION_TEST60") != "true" {
diff --git a/pkg/zabbixapi/zabbix_api_70_integration_test.go b/pkg/zabbixapi/zabbix_api_70_integration_test.go
index 7bb11dd51..b45577e30 100644
--- a/pkg/zabbixapi/zabbix_api_70_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_70_integration_test.go
@@ -20,8 +20,8 @@ import (
 // ZABBIX_URL - URL of the Zabbix server (e.g., http://localhost/zabbix/api_jsonrpc.php)
 // ZABBIX_USER - Username for authentication
 // ZABBIX_PASSWORD - Password for authentication
-// ZABBIX_VERSION - Zabbix API version (e.g., 65 for 6.5)
-// To run locally, start devenv/zabbix70 and run INTEGRATION_TEST70=true ZABBIX_URL="https://localhost/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" go test -v ./pkg/zabbixapi/...
+// ZABBIX_TARGET_USER - Username for per-user authentication
+// To run locally, start devenv/zabbix70 and run INTEGRATION_TEST70=true ZABBIX_URL="https://localhost/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" ZABBIX_TARGET_USER="grafana_test" go test -v ./pkg/zabbixapi/...
 
 func TestIntegrationZabbixAPI70(t *testing.T) {
 	// Skip if not running integration tests
diff --git a/pkg/zabbixapi/zabbix_api_72_integration_test.go b/pkg/zabbixapi/zabbix_api_72_integration_test.go
index 2f7b653e1..f1049993a 100644
--- a/pkg/zabbixapi/zabbix_api_72_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_72_integration_test.go
@@ -18,7 +18,8 @@ import (
 // ZABBIX_URL - URL of the Zabbix server (e.g., http://localhost/zabbix/api_jsonrpc.php)
 // ZABBIX_USER - Username for authentication
 // ZABBIX_PASSWORD - Password for authentication
-// To run locally, start devenv/zabbix72 and run INTEGRATION_TEST72=true ZABBIX_URL="http://localhost:8188/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" go test -v ./pkg/zabbixapi/...
+// ZABBIX_TARGET_USER - Username for per-user authentication
+// To run locally, start devenv/zabbix72 and run INTEGRATION_TEST72=true ZABBIX_URL="http://localhost:8188/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" ZABBIX_TARGET_USER="grafana_test" go test -v ./pkg/zabbixapi/...
 
 func TestIntegrationZabbixAPI72(t *testing.T) {
 	// Skip if not running integration tests
diff --git a/pkg/zabbixapi/zabbix_api_74_integration_test.go b/pkg/zabbixapi/zabbix_api_74_integration_test.go
index bcae3c1fe..05cdc1440 100644
--- a/pkg/zabbixapi/zabbix_api_74_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_74_integration_test.go
@@ -18,7 +18,8 @@ import (
 // ZABBIX_URL - URL of the Zabbix server (e.g., http://localhost/zabbix/api_jsonrpc.php)
 // ZABBIX_USER - Username for authentication
 // ZABBIX_PASSWORD - Password for authentication
-// To run locally, start devenv/zabbix74 and run INTEGRATION_TEST74=true ZABBIX_URL="http://localhost:8188/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" go test -v ./pkg/zabbixapi/...
+// ZABBIX_TARGET_USER - Username for per-user authentication
+// To run locally, start devenv/zabbix74 and run INTEGRATION_TEST74=true ZABBIX_URL="http://localhost:8188/api_jsonrpc.php" ZABBIX_USER="Admin" ZABBIX_PASSWORD="zabbix" ZABBIX_TARGET_USER="grafana_test" go test -v ./pkg/zabbixapi/...
 
 func TestIntegrationZabbixAPI74(t *testing.T) {
 	// Skip if not running integration tests

From 20b2ab4260bf3a63533d529755af821d364fbe09 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 11:03:44 +0300
Subject: [PATCH 08/23] add new major feature

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 054ea158d..4cb32593e 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@
 - Transform and shape your data with [metric processing functions](https://grafana.com/docs/plugins/alexanderzobnin-zabbix-app/latest/reference/functions/) (Avg, Median, Min, Max, Multiply, Summarize, Time shift, Alias)
 - Find problems faster with [Alerting](https://grafana.com/docs/plugins/alexanderzobnin-zabbix-app/latest/reference/alerting/) feature
 - Mix metrics from multiple data sources in the same dashboard or even graph
+- Per user authentication using Bearer tokens, so that Grafana respects the RBAC on Zabbix
 - Discover and share [dashboards](https://grafana.com/dashboards) in the official library
 
 See all features overview and dashboards examples at Grafana-Zabbix [Live demo](http://play.grafana-zabbix.org) site.

From 1b00278e8fc658c75d1b78a677d83798de413853 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 11:28:50 +0300
Subject: [PATCH 09/23] fix an error

---
 src/datasource/components/ConfigEditor.tsx | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/datasource/components/ConfigEditor.tsx b/src/datasource/components/ConfigEditor.tsx
index 89b8a3521..c99b449f0 100644
--- a/src/datasource/components/ConfigEditor.tsx
+++ b/src/datasource/components/ConfigEditor.tsx
@@ -410,19 +410,19 @@ export const ConfigEditor = (props: Props) => {
                 <Label>
                   <EditorStack gap={0.5}>
                     <span>User identity field</span>
-                    <Select
-                      width={40}
-                      options={[
-                        { label: 'Username', value: 'username' },
-                        { label: 'Email', value: 'email' },
-                      ]}
-                      value={options.jsonData.perUserAuthField || 'username' }
-                      onChange={jsonDataSelectHandler('perUserAuthField', options, onOptionsChange)}
-                    />
                   </EditorStack>
                 </Label>
               }
             >
+              <Select
+                width={40}
+                options={[
+                  { label: 'Username', value: 'username' },
+                  { label: 'Email', value: 'email' },
+                ]}
+                value={options.jsonData.perUserAuthField || 'username' }
+                onChange={jsonDataSelectHandler('perUserAuthField', options, onOptionsChange)}
+              />
             </Field>
           )}
         </ConfigSubSection>

From e01eb5387d0c3381604a8b83c635619a4bc186eb Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 11:29:03 +0300
Subject: [PATCH 10/23] add the correct types on the ds definition

---
 src/datasource/types/config.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/datasource/types/config.ts b/src/datasource/types/config.ts
index 06d424079..758d7ea7a 100644
--- a/src/datasource/types/config.ts
+++ b/src/datasource/types/config.ts
@@ -21,6 +21,8 @@ export type ZabbixDSOptions = {
   disableReadOnlyUsersAck: boolean;
   disableDataAlignment: boolean;
   enableSecureSocksProxy?: boolean;
+  perUserAuth?: boolean;
+  perUserAuthField?: 'username' | 'email';
 } & DataSourceJsonData;
 
 type ZabbixSecureJSONDataKeys = 'password' | 'apiToken';

From 617331cb19873179360a96fc056dfe063d27bb4b Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Sun, 3 Aug 2025 11:32:36 +0300
Subject: [PATCH 11/23] update changeset

---
 .changeset/curvy-lizards-report.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/curvy-lizards-report.md

diff --git a/.changeset/curvy-lizards-report.md b/.changeset/curvy-lizards-report.md
new file mode 100644
index 000000000..43bf96e6c
--- /dev/null
+++ b/.changeset/curvy-lizards-report.md
@@ -0,0 +1,5 @@
+---
+'grafana-zabbix': major
+---
+
+Add the ability to have per-user authentication

From 828b9316b94d35a34e5e7c1a5232c5bb7d425001 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Mon, 4 Aug 2025 10:27:25 +0300
Subject: [PATCH 12/23] added the ability to exclude specific users from the
 per-user auth

---
 pkg/datasource/datasource.go               |  57 ++++++----
 pkg/settings/models.go                     |  18 ++--
 src/datasource/components/ConfigEditor.tsx | 119 +++++++++++++++++----
 src/datasource/types/config.ts             |   1 +
 4 files changed, 149 insertions(+), 46 deletions(-)

diff --git a/pkg/datasource/datasource.go b/pkg/datasource/datasource.go
index 2b1bae3a6..0332e9266 100644
--- a/pkg/datasource/datasource.go
+++ b/pkg/datasource/datasource.go
@@ -3,6 +3,7 @@ package datasource
 import (
 	"context"
 	"errors"
+	"strings"
 
 	"github.com/alexanderzobnin/grafana-zabbix/pkg/httpclient"
 	"github.com/alexanderzobnin/grafana-zabbix/pkg/metrics"
@@ -127,30 +128,48 @@ func (ds *ZabbixDatasource) QueryData(ctx context.Context, req *backend.QueryDat
 			identity = user.Login
 		}
 
-		zabbixVersion, err := zabbixDS.zabbix.GetVersion(ctx)
-		if err != nil {
-			return nil, errors.New("error getting Zabbix version: " + err.Error())
+		// Check if the user is excluded from per-user auth
+		excluded := false
+		exclusionList := zabbixDS.Settings.PerUserAuthExcludeUsers
+		if exclusionList == nil {
+			exclusionList = []string{"admin"} // Default exclusion
 		}
-
-		// Query Zabbix for the user
-		zabbixUser, err := zabbixDS.zabbix.GetAPI().GetUserByIdentity(ctx, zabbixDS.Settings.PerUserAuthField, identity, zabbixVersion)
-		if err != nil {
-			return nil, errors.New("error querying Zabbix for user: " + err.Error())
-		}
-		if zabbixUser == nil || len(zabbixUser.MustArray()) == 0 {
-			return nil, errors.New("user " + identity + " not found in Zabbix. Contact your administrator to provision access")
+		for _, excludedUser := range exclusionList {
+			if strings.EqualFold(identity, excludedUser) {
+				excluded = true
+				break
+			}
 		}
-		userId := zabbixUser.GetIndex(0).Get("userid").MustString()
 
-		// Generate or retrieve Zabbix API token
-		token, err := zabbixDS.zabbix.GetAPI().GenerateUserAPIToken(ctx, userId, zabbixVersion)
-		if err != nil {
-			return nil, errors.New("failed to generate Zabbix API token for user: " + err.Error())
-		}
+		if excluded {
+			ds.logger.Debug("User is excluded from per-user authentication", "identity", identity)
+		} else {
+			zabbixVersion, err := zabbixDS.zabbix.GetVersion(ctx)
+			if err != nil {
+				return nil, errors.New("error getting Zabbix version: " + err.Error())
+			}
 
-		zabbixDS.zabbix.GetAPI().SetAuth(token)
+			// Query Zabbix for the user
+			zabbixUser, err := zabbixDS.zabbix.GetAPI().GetUserByIdentity(ctx, zabbixDS.Settings.PerUserAuthField, identity, zabbixVersion)
+			if err != nil {
+				return nil, errors.New("error querying Zabbix for user: " + err.Error())
+			}
+			if zabbixUser == nil || len(zabbixUser.MustArray()) == 0 {
+				return nil, errors.New("user " + identity + " not found in Zabbix. Contact your administrator to provision access")
+			}
+			userId := zabbixUser.GetIndex(0).Get("userid").MustString()
+			userName := zabbixUser.GetIndex(0).Get("username").MustString()
 
-		ds.logger.Debug("Per-user authentication enabled", "identity", identity)
+			// Generate or retrieve Zabbix API token
+			token, err := zabbixDS.zabbix.GetAPI().GenerateUserAPIToken(ctx, userId, userName, zabbixVersion)
+			if err != nil {
+				return nil, errors.New("failed to generate Zabbix API token for user: " + err.Error())
+			}
+
+			zabbixDS.zabbix.GetAPI().SetAuth(token)
+
+			ds.logger.Debug("Per-user authentication enabled", "identity", identity)
+		}
 	}
 
 	// --- Per-user authentication logic END ---
diff --git a/pkg/settings/models.go b/pkg/settings/models.go
index d47f43c85..0ee598a5b 100644
--- a/pkg/settings/models.go
+++ b/pkg/settings/models.go
@@ -16,10 +16,11 @@ type ZabbixDatasourceSettingsDTO struct {
 	CacheTTL    string      `json:"cacheTTL"`
 	Timeout     interface{} `json:"timeout"`
 
-	DisableDataAlignment    bool   `json:"disableDataAlignment"`
-	DisableReadOnlyUsersAck bool   `json:"disableReadOnlyUsersAck"`
-	PerUserAuth             bool   `json:"perUserAuth"`
-	PerUserAuthField        string `json:"perUserAuthField"` // "username" or "email"
+	DisableDataAlignment    bool     `json:"disableDataAlignment"`
+	DisableReadOnlyUsersAck bool     `json:"disableReadOnlyUsersAck"`
+	PerUserAuth             bool     `json:"perUserAuth"`
+	PerUserAuthField        string   `json:"perUserAuthField"`
+	PerUserAuthExcludeUsers []string `json:"perUserAuthExcludeUsers"`
 }
 
 // ZabbixDatasourceSettings model
@@ -31,8 +32,9 @@ type ZabbixDatasourceSettings struct {
 	CacheTTL    time.Duration
 	Timeout     time.Duration
 
-	DisableDataAlignment    bool   `json:"disableDataAlignment"`
-	DisableReadOnlyUsersAck bool   `json:"disableReadOnlyUsersAck"`
-	PerUserAuth             bool   `json:"perUserAuth"`
-	PerUserAuthField        string `json:"perUserAuthField"` // "username"
+	DisableDataAlignment    bool     `json:"disableDataAlignment"`
+	DisableReadOnlyUsersAck bool     `json:"disableReadOnlyUsersAck"`
+	PerUserAuth             bool     `json:"perUserAuth"`
+	PerUserAuthField        string   `json:"perUserAuthField"`
+	PerUserAuthExcludeUsers []string `json:"perUserAuthExcludeUsers"`
 }
diff --git a/src/datasource/components/ConfigEditor.tsx b/src/datasource/components/ConfigEditor.tsx
index c99b449f0..8102a0ced 100644
--- a/src/datasource/components/ConfigEditor.tsx
+++ b/src/datasource/components/ConfigEditor.tsx
@@ -6,6 +6,7 @@ import {
   Icon,
   Input,
   Label,
+  MultiSelect,
   SecretInput,
   SecureSocksProxySettings,
   Select,
@@ -44,6 +45,38 @@ export const ConfigEditor = (props: Props) => {
   const [selectedDBDatasource, setSelectedDBDatasource] = useState(null);
   const [currentDSType, setCurrentDSType] = useState('');
 
+  const [grafanaUsers, setGrafanaUsers] = useState<SelectableValue<string>[]>([{ label: 'admin', value: 'admin' }]);
+  const [canEditExcludedUsers, setCanEditExcludedUsers] = useState(true);
+  const [userFetchWarning, setUserFetchWarning] = useState<string | null>(null);
+
+  // Fetch Grafana users on mount
+  useEffect(() => {
+    const fetchGrafanaUsers = async () => {
+      try {
+        const res = await fetch('/api/users');
+        if (res.status === 403) {
+          setUserFetchWarning(
+            'You need Grafana Admin permissions to list users. Please contact your Grafana administrator to configure per-user authentication.'
+          );
+          setCanEditExcludedUsers(false);
+          return;
+        }
+        if (!res.ok) throw new Error('Failed to fetch Grafana users');
+        const users = await res.json();
+        setGrafanaUsers(users.map((u: any) => ({
+          label: u.login,
+          value: u.login,
+        })));
+        setUserFetchWarning(null);
+        setCanEditExcludedUsers(true);
+      } catch {
+        setUserFetchWarning('Failed to fetch Grafana users. Using default user "admin".');
+        setCanEditExcludedUsers(false);
+      }
+    };
+    fetchGrafanaUsers();
+  }, []);
+
   // Apply some defaults on initial render
   useEffect(() => {
     const { jsonData, secureJsonFields } = options;
@@ -405,25 +438,73 @@ export const ConfigEditor = (props: Props) => {
           </Field>
 
           {options.jsonData.perUserAuth && (
-            <Field
-              label={
-                <Label>
-                  <EditorStack gap={0.5}>
-                    <span>User identity field</span>
-                  </EditorStack>
-                </Label>
-              }
-            >
-              <Select
-                width={40}
-                options={[
-                  { label: 'Username', value: 'username' },
-                  { label: 'Email', value: 'email' },
-                ]}
-                value={options.jsonData.perUserAuthField || 'username' }
-                onChange={jsonDataSelectHandler('perUserAuthField', options, onOptionsChange)}
-              />
-            </Field>
+            <>
+              <Field
+                label={
+                  <Label>
+                    <EditorStack gap={0.5}>
+                      <span>User identity field</span>
+                    </EditorStack>
+                  </Label>
+                }
+              >
+                <Select
+                  width={40}
+                  options={[
+                    { label: 'Username', value: 'username' },
+                    { label: 'Email', value: 'email' },
+                  ]}
+                  value={options.jsonData.perUserAuthField || 'username' }
+                  onChange={jsonDataSelectHandler('perUserAuthField', options, onOptionsChange)}
+                />
+              </Field>
+
+              {userFetchWarning && (
+                <div style={{ color: 'orange', marginBottom: '10px' }}>
+                  <Icon name="exclamation-triangle" /> {userFetchWarning}
+                </div>
+              )}
+
+              <Field
+                label={
+                  <Label>
+                    <EditorStack gap={0.5}>
+                      <span>Exclude users from per-user authentication</span>
+                      <Tooltip 
+                        content={
+                          <span>
+                            These users will always use the global Zabbix credentials
+                          </span>
+                        }
+                      >
+                        <Icon name="info-circle" size="sm" />
+                      </Tooltip>
+                    </EditorStack>
+                  </Label>
+                }
+              >
+                <MultiSelect
+                  width={40}
+                  options={grafanaUsers}
+                  allowCustomValue
+                  value={
+                    (options.jsonData.perUserAuthExcludeUsers ?? ['admin']).map(
+                      (u) => ({ label: u, value: u } as SelectableValue<string>)
+                    )
+                  }
+                  onChange={canEditExcludedUsers ? (selected) => {
+                    onOptionsChange({
+                      ...options,
+                      jsonData: {
+                        ...options.jsonData,
+                        perUserAuthExcludeUsers: selected.map((s) => s.value),
+                      },
+                    });
+                  } : undefined}
+                  disabled={!canEditExcludedUsers}
+                />
+              </Field>
+            </>
           )}
         </ConfigSubSection>
 
diff --git a/src/datasource/types/config.ts b/src/datasource/types/config.ts
index 758d7ea7a..3b0c684ce 100644
--- a/src/datasource/types/config.ts
+++ b/src/datasource/types/config.ts
@@ -23,6 +23,7 @@ export type ZabbixDSOptions = {
   enableSecureSocksProxy?: boolean;
   perUserAuth?: boolean;
   perUserAuthField?: 'username' | 'email';
+  perUserAuthExcludeUsers?: string[];
 } & DataSourceJsonData;
 
 type ZabbixSecureJSONDataKeys = 'password' | 'apiToken';

From 50d18ec92f4a903b372bc737a3db48ba83c26dc3 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Mon, 4 Aug 2025 10:27:36 +0300
Subject: [PATCH 13/23] fix integration tests

---
 pkg/zabbixapi/zabbix_api_60_integration_test.go | 3 ++-
 pkg/zabbixapi/zabbix_api_70_integration_test.go | 3 ++-
 pkg/zabbixapi/zabbix_api_72_integration_test.go | 3 ++-
 pkg/zabbixapi/zabbix_api_74_integration_test.go | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkg/zabbixapi/zabbix_api_60_integration_test.go b/pkg/zabbixapi/zabbix_api_60_integration_test.go
index 22574f028..90ebaff69 100644
--- a/pkg/zabbixapi/zabbix_api_60_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_60_integration_test.go
@@ -164,9 +164,10 @@ func TestIntegrationZabbixAPI60(t *testing.T) {
 		}
 
 		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+		userName := zabbixUserResp.GetIndex(0).Get("username").MustString()
 
 		// Generate or retrieve Zabbix API token for the user
-		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, userName, zabbixVersion)
 		require.NoError(t, err)
 		assert.NotEmpty(t, token, "Generated token should not be empty")
 
diff --git a/pkg/zabbixapi/zabbix_api_70_integration_test.go b/pkg/zabbixapi/zabbix_api_70_integration_test.go
index b45577e30..ea943923d 100644
--- a/pkg/zabbixapi/zabbix_api_70_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_70_integration_test.go
@@ -165,9 +165,10 @@ func TestIntegrationZabbixAPI70(t *testing.T) {
 		}
 
 		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+		userName := zabbixUserResp.GetIndex(0).Get("username").MustString()
 
 		// Generate or retrieve Zabbix API token for the user
-		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, userName, zabbixVersion)
 		require.NoError(t, err)
 		assert.NotEmpty(t, token, "Generated token should not be empty")
 
diff --git a/pkg/zabbixapi/zabbix_api_72_integration_test.go b/pkg/zabbixapi/zabbix_api_72_integration_test.go
index f1049993a..cd5603d91 100644
--- a/pkg/zabbixapi/zabbix_api_72_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_72_integration_test.go
@@ -178,9 +178,10 @@ func TestIntegrationZabbixAPI72(t *testing.T) {
 		}
 
 		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+		userName := zabbixUserResp.GetIndex(0).Get("username").MustString()
 
 		// Generate or retrieve Zabbix API token for the user
-		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, userName, zabbixVersion)
 		require.NoError(t, err)
 		assert.NotEmpty(t, token, "Generated token should not be empty")
 
diff --git a/pkg/zabbixapi/zabbix_api_74_integration_test.go b/pkg/zabbixapi/zabbix_api_74_integration_test.go
index 05cdc1440..49bfcef2a 100644
--- a/pkg/zabbixapi/zabbix_api_74_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_74_integration_test.go
@@ -178,9 +178,10 @@ func TestIntegrationZabbixAPI74(t *testing.T) {
 		}
 
 		userId := zabbixUserResp.GetIndex(0).Get("userid").MustString()
+		userName := zabbixUserResp.GetIndex(0).Get("username").MustString()
 
 		// Generate or retrieve Zabbix API token for the user
-		token, err := api.GenerateUserAPIToken(context.Background(), userId, zabbixVersion)
+		token, err := api.GenerateUserAPIToken(context.Background(), userId, userName, zabbixVersion)
 		require.NoError(t, err)
 		assert.NotEmpty(t, token, "Generated token should not be empty")
 

From 1041d0f1d9d9c67b47942985cfdaf2ae6903857a Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Mon, 4 Aug 2025 10:27:53 +0300
Subject: [PATCH 14/23] add new method for request with params being an array
 instead of object

---
 pkg/zabbixapi/zabbix_api.go | 69 ++++++++++++++++++++++++++++++++-----
 1 file changed, 61 insertions(+), 8 deletions(-)

diff --git a/pkg/zabbixapi/zabbix_api.go b/pkg/zabbixapi/zabbix_api.go
index 899716d91..7a671dfbe 100644
--- a/pkg/zabbixapi/zabbix_api.go
+++ b/pkg/zabbixapi/zabbix_api.go
@@ -85,6 +85,14 @@ func (api *ZabbixAPI) Request(ctx context.Context, method string, params ZabbixA
 	return api.request(ctx, method, params, api.auth, version)
 }
 
+func (api *ZabbixAPI) RequestWithArrayParams(ctx context.Context, method string, params []interface{}, version int) (*simplejson.Json, error) {
+	if api.auth == "" {
+		return nil, backend.DownstreamError(ErrNotAuthenticated)
+	}
+
+	return api.requestWithArrayParams(ctx, method, params, api.auth, version)
+}
+
 // Request performs API request without authentication token
 func (api *ZabbixAPI) RequestUnauthenticated(ctx context.Context, method string, params ZabbixAPIParams, version int) (*simplejson.Json, error) {
 	return api.request(ctx, method, params, "", version)
@@ -118,7 +126,53 @@ func (api *ZabbixAPI) request(ctx context.Context, method string, params ZabbixA
 
 	if auth != "" && version >= 72 {
 		if api.dsSettings.BasicAuthEnabled {
-			return nil, backend.DownstreamError(errors.New("Basic Auth is not supported for Zabbix v7.2 and later"))
+			return nil, backend.DownstreamError(errors.New("basic Auth is not supported for Zabbix v7.2 and later"))
+		}
+		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth))
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", "Grafana/grafana-zabbix")
+
+	response, err := makeHTTPRequest(ctx, api.httpClient, req)
+	if err != nil {
+		return nil, err
+	}
+
+	return handleAPIResult(response)
+}
+
+// requestWithArrayParams performs API request with parameters as an array
+// This is used for methods that require an array of parameters instead of a map
+// currently `token.generate` method
+func (api *ZabbixAPI) requestWithArrayParams(ctx context.Context, method string, params []interface{}, auth string, version int) (*simplejson.Json, error) {
+	apiRequest := map[string]interface{}{
+		"jsonrpc": "2.0",
+		"id":      2,
+		"method":  method,
+		"params":  params,
+	}
+
+	// Zabbix v7.2 and later deprecated `auth` parameter and replaced it with using Auth header
+	// `auth` parameter throws an error in new versions so we need to add it only for older versions
+	if auth != "" && version < 72 {
+		apiRequest["auth"] = auth
+	}
+
+	reqBodyJSON, err := json.Marshal(apiRequest)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(http.MethodPost, api.url.String(), bytes.NewBuffer(reqBodyJSON))
+	if err != nil {
+		return nil, err
+	}
+
+	metrics.ZabbixAPIQueryTotal.WithLabelValues(method).Inc()
+
+	if auth != "" && version >= 72 {
+		if api.dsSettings.BasicAuthEnabled {
+			return nil, backend.DownstreamError(errors.New("basic Auth is not supported for Zabbix v7.2 and later"))
 		}
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth))
 	}
@@ -201,13 +255,13 @@ func (api *ZabbixAPI) GetUserByIdentity(ctx context.Context, field, value string
 }
 
 // GenerateUserAPIToken generates or retrieves a Zabbix API token for a user
-func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, version int) (string, error) {
+func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, userName string, version int) (string, error) {
 	// Check for existing token with the desired name
 	getParams := map[string]interface{}{
 		"userids": userId,
 		"output":  "extend",
 		"filter": map[string]interface{}{
-			"name": "Zabbix-Grafana-Session-Token",
+			"name": "Zabbix-Grafana-Token_" + userName,
 		},
 	}
 	resp, err := api.Request(ctx, "token.get", getParams, version)
@@ -223,7 +277,7 @@ func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, v
 		// Token does not exist, create a new one
 		createParams := map[string]interface{}{
 			"userid": userId,
-			"name":   "Zabbix-Grafana-Session-Token",
+			"name":   "Zabbix-Grafana-Token_" + userName,
 		}
 
 		createResp, err := api.Request(ctx, "token.create", createParams, version)
@@ -238,11 +292,10 @@ func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, v
 	}
 
 	// Generate the actual token value
-
-	genParams := map[string]interface{}{
-		"tokenids": []string{tokenId},
+	genParams := []interface{}{
+		tokenId,
 	}
-	genResp, err := api.Request(ctx, "token.generate", genParams, version)
+	genResp, err := api.RequestWithArrayParams(ctx, "token.generate", genParams, version)
 	if err != nil {
 		return "", err
 	}

From 10249d335d057109a482949c28f3292ef00471a8 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Mon, 4 Aug 2025 14:43:25 +0300
Subject: [PATCH 15/23] golang best practices: error should not be capitalized

---
 pkg/zabbixapi/zabbix_api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/zabbixapi/zabbix_api.go b/pkg/zabbixapi/zabbix_api.go
index 7a671dfbe..28e13e4dc 100644
--- a/pkg/zabbixapi/zabbix_api.go
+++ b/pkg/zabbixapi/zabbix_api.go
@@ -126,7 +126,7 @@ func (api *ZabbixAPI) request(ctx context.Context, method string, params ZabbixA
 
 	if auth != "" && version >= 72 {
 		if api.dsSettings.BasicAuthEnabled {
-			return nil, backend.DownstreamError(errors.New("basic Auth is not supported for Zabbix v7.2 and later"))
+			return nil, backend.DownstreamError(errors.New("basic auth is not supported for Zabbix v7.2 and later"))
 		}
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth))
 	}

From a09a63e4044577be52749e8d0f68b2b7f61492ce Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Mon, 4 Aug 2025 14:43:48 +0300
Subject: [PATCH 16/23] change the awaiting error string based on change

---
 pkg/zabbixapi/zabbix_api_72_integration_test.go | 2 +-
 pkg/zabbixapi/zabbix_api_74_integration_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/zabbixapi/zabbix_api_72_integration_test.go b/pkg/zabbixapi/zabbix_api_72_integration_test.go
index cd5603d91..1475f07c8 100644
--- a/pkg/zabbixapi/zabbix_api_72_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_72_integration_test.go
@@ -158,7 +158,7 @@ func TestIntegrationZabbixAPI72(t *testing.T) {
 		// Try to authenticate
 		_, err = apiWithBasicAuth.Request(context.Background(), "hostgroup.get", params, zabbixVersion)
 		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Basic Auth is not supported for Zabbix v7.2 and later")
+		assert.Contains(t, err.Error(), "basic auth is not supported for Zabbix v7.2 and later")
 		assert.True(t, backend.IsDownstreamError(err))
 	})
 
diff --git a/pkg/zabbixapi/zabbix_api_74_integration_test.go b/pkg/zabbixapi/zabbix_api_74_integration_test.go
index 49bfcef2a..6832cd8f3 100644
--- a/pkg/zabbixapi/zabbix_api_74_integration_test.go
+++ b/pkg/zabbixapi/zabbix_api_74_integration_test.go
@@ -158,7 +158,7 @@ func TestIntegrationZabbixAPI74(t *testing.T) {
 		// Try to authenticate
 		_, err = apiWithBasicAuth.Request(context.Background(), "hostgroup.get", params, zabbixVersion)
 		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Basic Auth is not supported for Zabbix v7.2 and later")
+		assert.Contains(t, err.Error(), "basic auth is not supported for Zabbix v7.2 and later")
 		assert.True(t, backend.IsDownstreamError(err))
 	})
 

From f5dda5d2f46ce56c00c0f58d9c41a33ac8e0a206 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Wed, 29 Oct 2025 11:25:16 +0200
Subject: [PATCH 17/23] new file with helper funtions to cache the token

---
 pkg/cache/token_cache.go | 57 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 pkg/cache/token_cache.go

diff --git a/pkg/cache/token_cache.go b/pkg/cache/token_cache.go
new file mode 100644
index 000000000..febce7b80
--- /dev/null
+++ b/pkg/cache/token_cache.go
@@ -0,0 +1,57 @@
+package cache
+
+import (
+	"sync"
+	"time"
+)
+
+type TokenInfo struct {
+	Token     string
+	ExpiresAt time.Time
+	UserID    string
+	Username  string
+}
+
+type TokenCache struct {
+	tokens sync.Map // key: "datasourceUID:identity:userID"
+}
+
+func NewTokenCache() *TokenCache {
+	return &TokenCache{}
+}
+
+func (tc *TokenCache) Get(datasourceUID, identity, userID string) (*TokenInfo, bool) {
+	key := datasourceUID + ":" + identity + ":" + userID
+	if val, ok := tc.tokens.Load(key); ok {
+		tokenInfo := val.(*TokenInfo)
+		if time.Now().Before(tokenInfo.ExpiresAt) {
+			return tokenInfo, true
+		}
+		tc.tokens.Delete(key)
+	}
+	return nil, false
+}
+
+func (tc *TokenCache) Set(datasourceUID, identity, userID, token string, ttl time.Duration) {
+	key := datasourceUID + ":" + identity + ":" + userID
+	tokenInfo := &TokenInfo{
+		Token:     token,
+		ExpiresAt: time.Now().Add(ttl),
+		UserID:    userID,
+		Username:  identity,
+	}
+	tc.tokens.Store(key, tokenInfo)
+}
+
+func (tc *TokenCache) CleanupExpired() int {
+	count := 0
+	tc.tokens.Range(func(key, value interface{}) bool {
+		tokenInfo := value.(*TokenInfo)
+		if time.Now().After(tokenInfo.ExpiresAt) {
+			tc.tokens.Delete(key)
+			count++
+		}
+		return true
+	})
+	return count
+}

From fa972b9952918cef46ae50b0576064f710d9d3c7 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Wed, 29 Oct 2025 11:25:58 +0200
Subject: [PATCH 18/23] authentication flow to apply per user auth

---
 pkg/datasource/auth.go | 136 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 pkg/datasource/auth.go

diff --git a/pkg/datasource/auth.go b/pkg/datasource/auth.go
new file mode 100644
index 000000000..c51fb8075
--- /dev/null
+++ b/pkg/datasource/auth.go
@@ -0,0 +1,136 @@
+package datasource
+
+import (
+	"context"
+	"errors"
+	"strings"
+	"time"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
+)
+
+const TokenTTL = 24 * time.Hour
+
+// applyPerUserAuth applies per-user authentication with token caching
+func (ds *ZabbixDatasource) applyPerUserAuth(ctx context.Context, zabbixDS *ZabbixDatasourceInstance, datasourceUID string) error {
+	if !zabbixDS.Settings.PerUserAuth {
+		ds.logger.Debug("Per-user authentication is disabled in datasource settings")
+		return nil
+	}
+
+	user := backend.UserFromContext(ctx)
+	if user == nil {
+		ds.logger.Debug("No user in context (anonymous/guest access), skipping per-user auth")
+		return errors.New("no Grafana user found in request context")
+	}
+
+	var identity string
+	switch zabbixDS.Settings.PerUserAuthField {
+	case "email":
+		identity = user.Email
+	default:
+		identity = user.Login
+	}
+
+	// If identity is empty, skip per-user auth
+	if identity == "" {
+		ds.logger.Debug("User identity is empty, skipping per-user auth")
+		return nil
+	}
+
+	// Check if the user is excluded from per-user auth
+	excluded := false
+	exclusionList := zabbixDS.Settings.PerUserAuthExcludeUsers
+	if exclusionList == nil {
+		exclusionList = []string{"admin"}
+	}
+	for _, excludedUser := range exclusionList {
+		if strings.EqualFold(identity, excludedUser) {
+			excluded = true
+			break
+		}
+	}
+
+	if excluded {
+		ds.logger.Info("User is excluded from per-user authentication, using stored credentials", "user", identity)
+		return nil
+	}
+
+	// Check token cache first
+	if tokenInfo, ok := ds.tokenCache.Get(datasourceUID, identity, identity); ok {
+		ds.logger.Debug("Using cached token", "user", identity, "expiresIn", time.Until(tokenInfo.ExpiresAt).Round(time.Minute))
+		zabbixDS.zabbix.GetAPI().SetAuth(tokenInfo.Token)
+		return nil
+	}
+
+	// Staring token generation
+	ds.logger.Info("Authenticating user with Zabbix", "user", identity)
+
+	// Ensure stored credentials are authenticated
+	storedAuth := zabbixDS.zabbix.GetAPI().GetAuth()
+	if storedAuth == "" {
+		// Stored user not authenticated yet - authenticate now
+		ds.logger.Debug("Stored user not authenticated, authenticating now")
+		err := zabbixDS.zabbix.Authenticate(ctx)
+		if err != nil {
+			ds.logger.Error("Failed to authenticate with stored credentials", "error", err)
+			return errors.New("failed to authenticate with stored credentials: " + err.Error())
+		}
+		storedAuth = zabbixDS.zabbix.GetAPI().GetAuth()
+		if storedAuth == "" {
+			ds.logger.Error("Stored auth still empty after authentication")
+			return errors.New("failed to obtain stored user authentication")
+		}
+		ds.logger.Debug("Stored user authentication successful")
+	}
+
+	// Get Zabbix version
+	zabbixVersion, err := zabbixDS.zabbix.GetVersion(ctx)
+	if err != nil {
+		ds.logger.Error("Failed to get Zabbix version", "error", err)
+		return errors.New("error getting Zabbix version: " + err.Error())
+	}
+
+	ds.logger.Debug("Got Zabbix version", "version", zabbixVersion)
+
+	// Validate field
+	if zabbixDS.Settings.PerUserAuthField == "" {
+		ds.logger.Error("PerUserAuthField is not configured")
+		return errors.New("per-user auth field is not configured in datasource settings")
+	}
+
+	// Query Zabbix for the user (using stored credentials)
+	ds.logger.Debug("Looking up Zabbix user", "identity", identity, "field", zabbixDS.Settings.PerUserAuthField)
+	zabbixUser, err := zabbixDS.zabbix.GetAPI().GetUserByIdentity(ctx, zabbixDS.Settings.PerUserAuthField, identity, zabbixVersion)
+	if err != nil {
+		ds.logger.Error("Failed to query Zabbix for user", "identity", identity, "error", err)
+		return errors.New("error querying Zabbix for user: " + err.Error())
+	}
+	if zabbixUser == nil || len(zabbixUser.MustArray()) == 0 {
+		ds.logger.Error("User not found in Zabbix", "identity", identity)
+		return errors.New("user " + identity + " not found in Zabbix. Contact your administrator to provision access")
+	}
+
+	userId := zabbixUser.GetIndex(0).Get("userid").MustString()
+	userName := zabbixUser.GetIndex(0).Get("username").MustString()
+
+	ds.logger.Debug("Found Zabbix user", "identity", identity, "userId", userId, "userName", userName)
+
+	// Generate token
+	ds.logger.Debug("Generating token for user", "zabbixUserId", userId, "userName", userName)
+	token, err := zabbixDS.zabbix.GetAPI().GenerateUserAPIToken(ctx, userId, userName, zabbixVersion)
+	if err != nil {
+		ds.logger.Error("Failed to generate token", "userId", userId, "error", err)
+		return errors.New("failed to generate Zabbix API token for user: " + err.Error())
+	}
+
+	ds.logger.Info("Per-user authentication successful", "user", identity, "zabbixUser", userName, "tokenCached", true, "ttl", TokenTTL)
+
+	// Cache the token
+	ds.tokenCache.Set(datasourceUID, identity, identity, token, TokenTTL)
+
+	// Now switch to the user's token
+	zabbixDS.zabbix.GetAPI().SetAuth(token)
+
+	return nil
+}

From 989edcb91cdf34011ae63686e6a2fca18781518b Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Wed, 29 Oct 2025 11:26:57 +0200
Subject: [PATCH 19/23] per user auth offloaded

---
 pkg/datasource/datasource.go | 95 +++++++++++-------------------------
 1 file changed, 29 insertions(+), 66 deletions(-)

diff --git a/pkg/datasource/datasource.go b/pkg/datasource/datasource.go
index 0332e9266..0d8d76b49 100644
--- a/pkg/datasource/datasource.go
+++ b/pkg/datasource/datasource.go
@@ -3,8 +3,9 @@ package datasource
 import (
 	"context"
 	"errors"
-	"strings"
+	"time"
 
+	"github.com/alexanderzobnin/grafana-zabbix/pkg/cache"
 	"github.com/alexanderzobnin/grafana-zabbix/pkg/httpclient"
 	"github.com/alexanderzobnin/grafana-zabbix/pkg/metrics"
 	"github.com/alexanderzobnin/grafana-zabbix/pkg/settings"
@@ -21,8 +22,9 @@ var (
 )
 
 type ZabbixDatasource struct {
-	im     instancemgmt.InstanceManager
-	logger log.Logger
+	im         instancemgmt.InstanceManager
+	logger     log.Logger
+	tokenCache *cache.TokenCache
 }
 
 // ZabbixDatasourceInstance stores state about a specific datasource
@@ -35,10 +37,26 @@ type ZabbixDatasourceInstance struct {
 }
 
 func NewZabbixDatasource() *ZabbixDatasource {
-	im := datasource.NewInstanceManager(newZabbixDatasourceInstance)
-	return &ZabbixDatasource{
-		im:     im,
-		logger: log.New(),
+	ds := &ZabbixDatasource{
+		im:         datasource.NewInstanceManager(newZabbixDatasourceInstance),
+		logger:     log.New(),
+		tokenCache: cache.NewTokenCache(),
+	}
+
+	go ds.startTokenCleanup()
+
+	return ds
+}
+
+func (ds *ZabbixDatasource) startTokenCleanup() {
+	ticker := time.NewTicker(5 * time.Minute)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		cleaned := ds.tokenCache.CleanupExpired()
+		if cleaned > 0 {
+			ds.logger.Info("Cleaned up expired Zabbix authentication tokens", "count", cleaned)
+		}
 	}
 }
 
@@ -113,67 +131,12 @@ func (ds *ZabbixDatasource) QueryData(ctx context.Context, req *backend.QueryDat
 		return nil, err
 	}
 
-	// --- Per-user authentication logic START ---
-	if zabbixDS.Settings.PerUserAuth {
-		user := backend.UserFromContext(ctx)
-		if user == nil {
-			return nil, errors.New("no Grafana user found in request context")
-		}
-
-		var identity string
-		switch zabbixDS.Settings.PerUserAuthField {
-		case "email":
-			identity = user.Email
-		default:
-			identity = user.Login
-		}
-
-		// Check if the user is excluded from per-user auth
-		excluded := false
-		exclusionList := zabbixDS.Settings.PerUserAuthExcludeUsers
-		if exclusionList == nil {
-			exclusionList = []string{"admin"} // Default exclusion
-		}
-		for _, excludedUser := range exclusionList {
-			if strings.EqualFold(identity, excludedUser) {
-				excluded = true
-				break
-			}
-		}
-
-		if excluded {
-			ds.logger.Debug("User is excluded from per-user authentication", "identity", identity)
-		} else {
-			zabbixVersion, err := zabbixDS.zabbix.GetVersion(ctx)
-			if err != nil {
-				return nil, errors.New("error getting Zabbix version: " + err.Error())
-			}
-
-			// Query Zabbix for the user
-			zabbixUser, err := zabbixDS.zabbix.GetAPI().GetUserByIdentity(ctx, zabbixDS.Settings.PerUserAuthField, identity, zabbixVersion)
-			if err != nil {
-				return nil, errors.New("error querying Zabbix for user: " + err.Error())
-			}
-			if zabbixUser == nil || len(zabbixUser.MustArray()) == 0 {
-				return nil, errors.New("user " + identity + " not found in Zabbix. Contact your administrator to provision access")
-			}
-			userId := zabbixUser.GetIndex(0).Get("userid").MustString()
-			userName := zabbixUser.GetIndex(0).Get("username").MustString()
-
-			// Generate or retrieve Zabbix API token
-			token, err := zabbixDS.zabbix.GetAPI().GenerateUserAPIToken(ctx, userId, userName, zabbixVersion)
-			if err != nil {
-				return nil, errors.New("failed to generate Zabbix API token for user: " + err.Error())
-			}
-
-			zabbixDS.zabbix.GetAPI().SetAuth(token)
-
-			ds.logger.Debug("Per-user authentication enabled", "identity", identity)
-		}
+	// Apply per-user authentication
+	err = ds.applyPerUserAuth(ctx, zabbixDS, req.PluginContext.DataSourceInstanceSettings.UID)
+	if err != nil {
+		return nil, err
 	}
 
-	// --- Per-user authentication logic END ---
-
 	for _, q := range req.Queries {
 		res := backend.DataResponse{}
 		query, err := ReadQuery(q)

From 70a03bb9796461aa2813973560fa8d52f07b3d43 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Wed, 29 Oct 2025 11:27:26 +0200
Subject: [PATCH 20/23] apply per user auth to ZabbixAPIHandler and
 DBConnectionPostProcessingHandler

---
 pkg/datasource/resource_handler.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pkg/datasource/resource_handler.go b/pkg/datasource/resource_handler.go
index 9e20b0df3..98684c83b 100644
--- a/pkg/datasource/resource_handler.go
+++ b/pkg/datasource/resource_handler.go
@@ -56,6 +56,14 @@ func (ds *ZabbixDatasource) ZabbixAPIHandler(rw http.ResponseWriter, req *http.R
 		return
 	}
 
+	// Apply per-user authentication with caching
+	err = ds.applyPerUserAuth(ctx, dsInstance, pluginCxt.DataSourceInstanceSettings.UID)
+	if err != nil {
+		ds.logger.Error("Per-user authentication failed", "error", err)
+		writeError(rw, http.StatusForbidden, err)
+		return
+	}
+
 	apiReq := &zabbix.ZabbixAPIRequest{Method: reqData.Method, Params: reqData.Params}
 
 	result, err := dsInstance.ZabbixAPIQuery(req.Context(), apiReq)
@@ -97,6 +105,14 @@ func (ds *ZabbixDatasource) DBConnectionPostProcessingHandler(rw http.ResponseWr
 		return
 	}
 
+	// Apply per-user authentication with caching
+	err = ds.applyPerUserAuth(ctx, dsInstance, pluginCxt.DataSourceInstanceSettings.UID)
+	if err != nil {
+		ds.logger.Error("Per-user authentication failed", "error", err)
+		writeError(rw, http.StatusForbidden, err)
+		return
+	}
+
 	reqData.Query.TimeRange.From = time.Unix(reqData.TimeRange.From, 0)
 	reqData.Query.TimeRange.To = time.Unix(reqData.TimeRange.To, 0)
 

From a904e74f11cca3d284b34568da8961031d978093 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Wed, 29 Oct 2025 11:27:46 +0200
Subject: [PATCH 21/23] when per user auth enabled, default the field to
 username

---
 pkg/settings/settings.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/settings/settings.go b/pkg/settings/settings.go
index e33a09f8c..f53012a92 100644
--- a/pkg/settings/settings.go
+++ b/pkg/settings/settings.go
@@ -32,6 +32,9 @@ func ReadZabbixSettings(dsInstanceSettings *backend.DataSourceInstanceSettings)
 	if zabbixSettingsDTO.CacheTTL == "" {
 		zabbixSettingsDTO.CacheTTL = "1h"
 	}
+	if zabbixSettingsDTO.PerUserAuth && zabbixSettingsDTO.PerUserAuthField == "" {
+		zabbixSettingsDTO.PerUserAuthField = "username"
+	}
 
 	//if zabbixSettingsDTO.Timeout == 0 {
 	//	zabbixSettingsDTO.Timeout = 30

From a4439eb112b3b5ade22670ab9976137e36b1bd89 Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Wed, 29 Oct 2025 11:28:04 +0200
Subject: [PATCH 22/23] corrections on token generation

---
 pkg/zabbixapi/zabbix_api.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/pkg/zabbixapi/zabbix_api.go b/pkg/zabbixapi/zabbix_api.go
index 28e13e4dc..9030542ae 100644
--- a/pkg/zabbixapi/zabbix_api.go
+++ b/pkg/zabbixapi/zabbix_api.go
@@ -273,6 +273,7 @@ func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, u
 	if resp != nil && len(resp.MustArray()) > 0 {
 		// Token exists, use its tokenid
 		tokenId = resp.GetIndex(0).Get("tokenid").MustString()
+		api.logger.Debug("found existing token", "tokenid", tokenId, "username", userName)
 	} else {
 		// Token does not exist, create a new one
 		createParams := map[string]interface{}{
@@ -285,10 +286,16 @@ func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, u
 			return "", err
 		}
 
-		tokenId := createResp.GetIndex(0).Get("tokenid").MustString()
+		tokenIds := createResp.GetIndex(0).Get("tokenids").MustArray()
+		if len(tokenIds) == 0 {
+			return "", errors.New("failed to create Zabbix API token, tokenids array is empty")
+		}
+
+		tokenId = fmt.Sprintf("%v", tokenIds[0])
 		if tokenId == "" {
-			return "", errors.New("failed to create Zabbix API token, token ID is empty")
+			return "", errors.New("failed to create Zabbix API token, tokenid is empty")
 		}
+		api.logger.Debug("created new token", "tokenid", tokenId, "username", userName)
 	}
 
 	// Generate the actual token value
@@ -299,10 +306,17 @@ func (api *ZabbixAPI) GenerateUserAPIToken(ctx context.Context, userId string, u
 	if err != nil {
 		return "", err
 	}
+
+	if genResp == nil || len(genResp.MustArray()) == 0 {
+		return "", errors.New("failed to generate Zabbix API token, response is empty")
+	}
+
 	token := genResp.GetIndex(0).Get("token").MustString()
 	if token == "" {
-		return "", errors.New("failed to generate Zabbix API token, token is empty")
+		return "", errors.New("failed to generate Zabbix API token, token string is empty")
 	}
+
+	api.logger.Debug("Generated token successfully", "userName", userName)
 	return token, nil
 }
 

From c45de7cee358db3363fd3e09333bb88a9d5bb5cc Mon Sep 17 00:00:00 2001
From: Christos Diamantis <cdiamantis@adaptera.gr>
Date: Thu, 30 Oct 2025 11:38:43 +0200
Subject: [PATCH 23/23] change the error to reflect the new backend method

---
 pkg/zabbixapi/zabbix_api.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/zabbixapi/zabbix_api.go b/pkg/zabbixapi/zabbix_api.go
index 9030542ae..320b23339 100644
--- a/pkg/zabbixapi/zabbix_api.go
+++ b/pkg/zabbixapi/zabbix_api.go
@@ -126,7 +126,7 @@ func (api *ZabbixAPI) request(ctx context.Context, method string, params ZabbixA
 
 	if auth != "" && version >= 72 {
 		if api.dsSettings.BasicAuthEnabled {
-			return nil, backend.DownstreamError(errors.New("basic auth is not supported for Zabbix v7.2 and later"))
+			return nil, backend.DownstreamErrorf("basic auth is not supported for Zabbix v7.2 and later")
 		}
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth))
 	}
@@ -172,7 +172,7 @@ func (api *ZabbixAPI) requestWithArrayParams(ctx context.Context, method string,
 
 	if auth != "" && version >= 72 {
 		if api.dsSettings.BasicAuthEnabled {
-			return nil, backend.DownstreamError(errors.New("basic Auth is not supported for Zabbix v7.2 and later"))
+			return nil, backend.DownstreamErrorf("basic auth is not supported for Zabbix v7.2 and later")
 		}
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", auth))
 	}