Support username/password authentication (#259)

Author: ire4ever1190

.github/workflows/e2e.yml

@@ -21,6 +21,10 @@ jobs:
     permissions:
       id-token: write
       contents: read
+    env:
+      # Set auth here so stdio transport and background process pick them up
+      GRAFANA_USERNAME: admin
+      GRAFANA_PASSWORD: admin
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

Makefile

@@ -45,7 +45,7 @@ endif
 .PHONY: test-python-e2e
 test-python-e2e: ## Run Python E2E tests (requires docker-compose services and SSE server to be running, use `make run-test-services` and `make run-sse` to start them).
 	cd tests && uv sync --all-groups
-	cd tests && uv run pytest
+	cd tests && GRAFANA_USERNAME=admin GRAFANA_PASSWORD=admin uv run pytest
 
 .PHONY: run
 run: ## Run the MCP server in stdio mode.

README.md

@@ -201,7 +201,7 @@ Scopes define the specific resources that permissions apply to. Each action requ
 
 This MCP server works with both local Grafana instances and Grafana Cloud. For Grafana Cloud, use your instance URL (e.g., `https://myinstance.grafana.net`) instead of `http://localhost:3000` in the configuration examples below.
 
-1. Create a service account in Grafana with enough permissions to use the tools you want to use,
+1. If using API key authentication, create a service account in Grafana with enough permissions to use the tools you want to use,
    generate a service account token, and copy it to the clipboard for use in the configuration file.
    Follow the [Grafana documentation][service-account] for details.
 
@@ -264,7 +264,10 @@ This MCP server works with both local Grafana instances and Grafana Cloud. For G
          "args": [],
          "env": {
            "GRAFANA_URL": "http://localhost:3000",  // Or "https://myinstance.grafana.net" for Grafana Cloud
-           "GRAFANA_API_KEY": "<your service account token>"
+           "GRAFANA_API_KEY": "<your service account token>",
+           // If using username/password authentication
+           "GRAFANA_USERNAME": "<your username>",
+           "GRAFANA_PASSWORD": "<your password>"
          }
        }
      }
@@ -294,7 +297,10 @@ This MCP server works with both local Grafana instances and Grafana Cloud. For G
       ],
       "env": {
         "GRAFANA_URL": "http://localhost:3000",  // Or "https://myinstance.grafana.net" for Grafana Cloud
-        "GRAFANA_API_KEY": "<your service account token>"
+        "GRAFANA_API_KEY": "<your service account token>",
+        // If using username/password authentication
+        "GRAFANA_USERNAME": "<your username>",
+        "GRAFANA_PASSWORD": "<your password>"
       }
     }
   }

docker-compose.yaml

@@ -2,8 +2,7 @@ services:
   grafana:
     image: grafana/grafana
     environment:
-      GF_AUTH_ANONYMOUS_ENABLED: "true"
-      GF_AUTH_ANONYMOUS_ORG_ROLE: "Admin"
+      GF_AUTH_ANONYMOUS_ENABLED: "false"
       GF_LOG_LEVEL: debug
       GF_SERVER_ROUTER_LOGGING: "true"
     ports:

mcpgrafana.go

@@ -28,6 +28,9 @@ const (
 	grafanaURLEnvVar = "GRAFANA_URL"
 	grafanaAPIEnvVar = "GRAFANA_API_KEY"
 
+	grafanaUsernameEnvVar = "GRAFANA_USERNAME"
+	grafanaPasswordEnvVar = "GRAFANA_PASSWORD"
+
 	grafanaURLHeader    = "X-Grafana-URL"
 	grafanaAPIKeyHeader = "X-Grafana-API-Key"
 )
@@ -38,6 +41,18 @@ func urlAndAPIKeyFromEnv() (string, string) {
 	return u, apiKey
 }
 
+func userAndPassFromEnv() *url.Userinfo {
+	username := os.Getenv(grafanaUsernameEnvVar)
+	password, exists := os.LookupEnv(grafanaPasswordEnvVar)
+	if username == "" && password == "" {
+		return nil
+	}
+	if !exists {
+		return url.User(username)
+	}
+	return url.UserPassword(username, password)
+}
+
 func urlAndAPIKeyFromHeaders(req *http.Request) (string, string) {
 	u := strings.TrimRight(req.Header.Get(grafanaURLHeader), "/")
 	apiKey := req.Header.Get(grafanaAPIKeyHeader)
@@ -76,6 +91,9 @@ type GrafanaConfig struct {
 	// It may be empty if we are using on-behalf-of auth.
 	APIKey string
 
+	// Credentials if user is using basic auth
+	BasicAuth *url.Userinfo
+
 	// AccessToken is the Grafana Cloud access policy token used for on-behalf-of auth in Grafana Cloud.
 	AccessToken string
 	// IDToken is an ID token identifying the user for the current request.
@@ -216,24 +234,59 @@ func wrapWithUserAgent(rt http.RoundTripper) http.RoundTripper {
 	return NewUserAgentTransport(rt)
 }
 
+// Gets info from environment
+func extractKeyGrafanaInfoFromEnv() (url, apiKey string, auth *url.Userinfo) {
+	url, apiKey = urlAndAPIKeyFromEnv()
+	if url == "" {
+		url = defaultGrafanaURL
+	}
+	auth = userAndPassFromEnv()
+	return
+}
+
+// Tries to get grafana info from a request.
+// Gets info from environment if it can't get it from request
+func extractKeyGrafanaInfoFromReq(req *http.Request) (grafanaUrl, apiKey string, auth *url.Userinfo) {
+	eUrl, eApiKey, eAuth := extractKeyGrafanaInfoFromEnv()
+	username, password, _ := req.BasicAuth()
+
+	grafanaUrl, apiKey = urlAndAPIKeyFromHeaders(req)
+	// If anything is missing, check if we can get it from the environment
+	if grafanaUrl == "" {
+		grafanaUrl = eUrl
+	}
+
+	if apiKey == "" {
+		apiKey = eApiKey
+	}
+
+	// Use environment configured auth if nothing was passed in request
+	if username == "" && password == "" {
+		auth = eAuth
+	} else {
+		auth = url.UserPassword(username, password)
+	}
+
+	return
+}
+
 // ExtractGrafanaInfoFromEnv is a StdioContextFunc that extracts Grafana configuration from environment variables.
 // It reads GRAFANA_URL and GRAFANA_API_KEY environment variables and adds the configuration to the context for use by Grafana clients.
 var ExtractGrafanaInfoFromEnv server.StdioContextFunc = func(ctx context.Context) context.Context {
-	u, apiKey := urlAndAPIKeyFromEnv()
-	if u == "" {
-		u = defaultGrafanaURL
-	}
+	u, apiKey, basicAuth := extractKeyGrafanaInfoFromEnv()
 	parsedURL, err := url.Parse(u)
 	if err != nil {
 		panic(fmt.Errorf("invalid Grafana URL %s: %w", u, err))
 	}
-	slog.Info("Using Grafana configuration", "url", parsedURL.Redacted(), "api_key_set", apiKey != "")
+
+	slog.Info("Using Grafana configuration", "url", parsedURL.Redacted(), "api_key_set", apiKey != "", "basic_auth_set", basicAuth != nil)
 
 	// Get existing config or create a new one.
 	// This will respect the existing debug flag, if set.
 	config := GrafanaConfigFromContext(ctx)
 	config.URL = u
 	config.APIKey = apiKey
+	config.BasicAuth = basicAuth
 	return WithGrafanaConfig(ctx, config)
 }
 
@@ -245,23 +298,14 @@ type httpContextFunc func(ctx context.Context, req *http.Request) context.Contex
 // ExtractGrafanaInfoFromHeaders is a HTTPContextFunc that extracts Grafana configuration from HTTP request headers.
 // It reads X-Grafana-URL and X-Grafana-API-Key headers, falling back to environment variables if headers are not present.
 var ExtractGrafanaInfoFromHeaders httpContextFunc = func(ctx context.Context, req *http.Request) context.Context {
-	u, apiKey := urlAndAPIKeyFromHeaders(req)
-	uEnv, apiKeyEnv := urlAndAPIKeyFromEnv()
-	if u == "" {
-		u = uEnv
-	}
-	if u == "" {
-		u = defaultGrafanaURL
-	}
-	if apiKey == "" {
-		apiKey = apiKeyEnv
-	}
+	u, apiKey, basicAuth := extractKeyGrafanaInfoFromReq(req)
 
 	// Get existing config or create a new one.
 	// This will respect the existing debug flag, if set.
 	config := GrafanaConfigFromContext(ctx)
 	config.URL = u
 	config.APIKey = apiKey
+	config.BasicAuth = basicAuth
 	return WithGrafanaConfig(ctx, config)
 }
 
@@ -295,7 +339,7 @@ func makeBasePath(path string) string {
 
 // NewGrafanaClient creates a Grafana client with the provided URL and API key.
 // The client is automatically configured with the correct HTTP scheme, debug settings from context, custom TLS configuration if present, and OpenTelemetry instrumentation for distributed tracing.
-func NewGrafanaClient(ctx context.Context, grafanaURL, apiKey string) *client.GrafanaHTTPAPI {
+func NewGrafanaClient(ctx context.Context, grafanaURL, apiKey string, auth *url.Userinfo) *client.GrafanaHTTPAPI {
 	cfg := client.DefaultTransportConfig()
 
 	var parsedURL *url.URL
@@ -322,6 +366,10 @@ func NewGrafanaClient(ctx context.Context, grafanaURL, apiKey string) *client.Gr
 		cfg.APIKey = apiKey
 	}
 
+	if auth != nil {
+		cfg.BasicAuth = auth
+	}
+
 	config := GrafanaConfigFromContext(ctx)
 	cfg.Debug = config.Debug
 
@@ -338,7 +386,7 @@ func NewGrafanaClient(ctx context.Context, grafanaURL, apiKey string) *client.Gr
 			"skip_verify", tlsConfig.SkipVerify)
 	}
 
-	slog.Debug("Creating Grafana client", "url", parsedURL.Redacted(), "api_key_set", apiKey != "")
+	slog.Debug("Creating Grafana client", "url", parsedURL.Redacted(), "api_key_set", apiKey != "", "basic_auth_set", config.BasicAuth != nil)
 	grafanaClient := client.NewHTTPClientWithConfig(strfmt.Default, cfg)
 
 	// Always enable HTTP tracing for context propagation (no-op when no exporter configured)
@@ -364,36 +412,27 @@ func NewGrafanaClient(ctx context.Context, grafanaURL, apiKey string) *client.Gr
 }
 
 // ExtractGrafanaClientFromEnv is a StdioContextFunc that creates and injects a Grafana client into the context.
-// It uses configuration from GRAFANA_URL and GRAFANA_API_KEY environment variables to initialize the client with proper authentication.
+// It uses configuration from GRAFANA_URL, GRAFANA_API_KEY, GRAFANA_USERNAME/PASSWORD environment variables to initialize
+// the client with proper authentication.
 var ExtractGrafanaClientFromEnv server.StdioContextFunc = func(ctx context.Context) context.Context {
 	// Extract transport config from env vars
 	grafanaURL, ok := os.LookupEnv(grafanaURLEnvVar)
 	if !ok {
 		grafanaURL = defaultGrafanaURL
 	}
 	apiKey := os.Getenv(grafanaAPIEnvVar)
-
-	grafanaClient := NewGrafanaClient(ctx, grafanaURL, apiKey)
+	auth := userAndPassFromEnv()
+	grafanaClient := NewGrafanaClient(ctx, grafanaURL, apiKey, auth)
 	return context.WithValue(ctx, grafanaClientKey{}, grafanaClient)
 }
 
 // ExtractGrafanaClientFromHeaders is a HTTPContextFunc that creates and injects a Grafana client into the context.
 // It prioritizes configuration from HTTP headers (X-Grafana-URL, X-Grafana-API-Key) over environment variables for multi-tenant scenarios.
 var ExtractGrafanaClientFromHeaders httpContextFunc = func(ctx context.Context, req *http.Request) context.Context {
 	// Extract transport config from request headers, and set it on the context.
-	u, apiKey := urlAndAPIKeyFromHeaders(req)
-	uEnv, apiKeyEnv := urlAndAPIKeyFromEnv()
-	if u == "" {
-		u = uEnv
-	}
-	if u == "" {
-		u = defaultGrafanaURL
-	}
-	if apiKey == "" {
-		apiKey = apiKeyEnv
-	}
+	u, apiKey, basicAuth := extractKeyGrafanaInfoFromReq(req)
 
-	grafanaClient := NewGrafanaClient(ctx, u, apiKey)
+	grafanaClient := NewGrafanaClient(ctx, u, apiKey, basicAuth)
 	return WithGrafanaClient(ctx, grafanaClient)
 }
 
@@ -453,17 +492,7 @@ var ExtractIncidentClientFromEnv server.StdioContextFunc = func(ctx context.Cont
 // ExtractIncidentClientFromHeaders is a HTTPContextFunc that creates and injects a Grafana Incident client into the context.
 // It uses HTTP headers for configuration with environment variable fallbacks, enabling per-request incident management configuration.
 var ExtractIncidentClientFromHeaders httpContextFunc = func(ctx context.Context, req *http.Request) context.Context {
-	grafanaURL, apiKey := urlAndAPIKeyFromHeaders(req)
-	grafanaURLEnv, apiKeyEnv := urlAndAPIKeyFromEnv()
-	if grafanaURL == "" {
-		grafanaURL = grafanaURLEnv
-	}
-	if grafanaURL == "" {
-		grafanaURL = defaultGrafanaURL
-	}
-	if apiKey == "" {
-		apiKey = apiKeyEnv
-	}
+	grafanaURL, apiKey, _ := extractKeyGrafanaInfoFromReq(req)
 	incidentURL := fmt.Sprintf("%s/api/plugins/grafana-irm-app/resources/api/v1/", grafanaURL)
 	client := incident.NewClient(incidentURL, apiKey)
 

mcpgrafana_test.go

@@ -87,6 +87,7 @@ func TestExtractGrafanaInfoFromHeaders(t *testing.T) {
 		config := GrafanaConfigFromContext(ctx)
 		assert.Equal(t, defaultGrafanaURL, config.URL)
 		assert.Equal(t, "", config.APIKey)
+		assert.Nil(t, config.BasicAuth)
 	})
 
 	t.Run("no headers, with env", func(t *testing.T) {
@@ -126,6 +127,44 @@ func TestExtractGrafanaInfoFromHeaders(t *testing.T) {
 		assert.Equal(t, "http://my-test-url.grafana.com", config.URL)
 		assert.Equal(t, "my-test-api-key", config.APIKey)
 	})
+
+	t.Run("no headers, with env", func(t *testing.T) {
+		t.Setenv("GRAFANA_USERNAME", "foo")
+		t.Setenv("GRAFANA_PASSWORD", "bar")
+
+		req, err := http.NewRequest("GET", "http://example.com", nil)
+		require.NoError(t, err)
+		ctx := ExtractGrafanaInfoFromHeaders(context.Background(), req)
+		config := GrafanaConfigFromContext(ctx)
+		assert.Equal(t, "foo", config.BasicAuth.Username())
+		password, _ := config.BasicAuth.Password()
+		assert.Equal(t, "bar", password)
+	})
+
+	t.Run("user auth with headers, no env", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "http://example.com", nil)
+		req.SetBasicAuth("foo", "bar")
+		require.NoError(t, err)
+		ctx := ExtractGrafanaInfoFromHeaders(context.Background(), req)
+		config := GrafanaConfigFromContext(ctx)
+		assert.Equal(t, "foo", config.BasicAuth.Username())
+		password, _ := config.BasicAuth.Password()
+		assert.Equal(t, "bar", password)
+	})
+
+	t.Run("user auth with headers, with env", func(t *testing.T) {
+		t.Setenv("GRAFANA_USERNAME", "will-not-be-used")
+		t.Setenv("GRAFANA_PASSWORD", "will-not-be-used")
+
+		req, err := http.NewRequest("GET", "http://example.com", nil)
+		req.SetBasicAuth("foo", "bar")
+		require.NoError(t, err)
+		ctx := ExtractGrafanaInfoFromHeaders(context.Background(), req)
+		config := GrafanaConfigFromContext(ctx)
+		assert.Equal(t, "foo", config.BasicAuth.Username())
+		password, _ := config.BasicAuth.Password()
+		assert.Equal(t, "bar", password)
+	})
 }
 
 func TestExtractGrafanaClientPath(t *testing.T) {
@@ -522,7 +561,7 @@ func TestHTTPTracingConfiguration(t *testing.T) {
 		ctx := WithGrafanaConfig(context.Background(), config)
 
 		// Create Grafana client
-		client := NewGrafanaClient(ctx, "http://localhost:3000", "test-api-key")
+		client := NewGrafanaClient(ctx, "http://localhost:3000", "test-api-key", nil)
 		require.NotNil(t, client)
 
 		// Verify the client was created successfully (should not panic)
@@ -537,7 +576,7 @@ func TestHTTPTracingConfiguration(t *testing.T) {
 		ctx := WithGrafanaConfig(context.Background(), config)
 
 		// Create Grafana client (should not panic even without OTEL configured)
-		client := NewGrafanaClient(ctx, "http://localhost:3000", "test-api-key")
+		client := NewGrafanaClient(ctx, "http://localhost:3000", "test-api-key", nil)
 		require.NotNil(t, client)
 
 		// Verify the client was created successfully

tests/conftest.py

@@ -2,6 +2,7 @@
 import os
 import asyncio
 import gc
+import base64
 from dotenv import load_dotenv
 from mcp.client.sse import sse_client
 from mcp.client.stdio import stdio_client
@@ -47,6 +48,9 @@ def grafana_env():
     env = {"GRAFANA_URL": os.environ.get("GRAFANA_URL", DEFAULT_GRAFANA_URL)}
     if key := os.environ.get("GRAFANA_API_KEY"):
         env["GRAFANA_API_KEY"] = key
+    elif (username := os.environ.get("GRAFANA_USERNAME")) and (password := os.environ.get("GRAFANA_USERNAME")):
+        env["GRAFANA_USERNAME"] = username
+        env["GRAFANA_PASSWORD"] = password
     return env
 
 
@@ -57,6 +61,9 @@ def grafana_headers():
     }
     if key := os.environ.get("GRAFANA_API_KEY"):
         headers["X-Grafana-API-Key"] = key
+    elif (username := os.environ.get("GRAFANA_USERNAME")) and (password := os.environ.get("GRAFANA_PASSWORD")):
+        credentials = f"{username}:{password}"
+        headers["Authorization"] = "Basic " + base64.b64encode(credentials.encode("utf-8")).decode()
     return headers