Add database security monitoring dashboards #175

Merged (6 commits) on Sep 5, 2022

yota-p (Contributor) commented Aug 23, 2022

In this PR, I would like to add 2 dashboards for monitoring database security in Amazon Redshift.

Background

Currently Redshift users need to query system tables to monitor security features (e.g. user, schema, table, privileges) configured in Redshift. This requires querying multiple system tables and writing SQL.
By using this dashboard, users will be able to navigate this information in Redshift quickly without writing SQL.

Amazon Redshift Identities and Objects dashboard

This dashboard will visualize identity (user/role/group) and database objects (schema/table etc).


Amazon Redshift Privileges dashboard

This dashboard will visualize privileges (who has what access).


@yota-p yota-p requested a review from a team as a code owner August 23, 2022 12:06
@yota-p yota-p requested review from sunker and kevinwcyu and removed request for a team August 23, 2022 12:07

CLAassistant commented Aug 23, 2022

CLA assistant check
All committers have signed the CLA.


yota-p (Contributor, Author) commented Aug 24, 2022

Hi team,
There are workflows failing with Error: Input required and not supplied: token.
Would one of the code owners help me resolve this, or can we just ignore it?

Workflows are failing at:

token: ${{secrets.GH_BOT_ACCESS_TOKEN}}

token: ${{secrets.GH_BOT_ACCESS_TOKEN}}

As far as I searched, this error is happening because a PR from a forked repository cannot reference secrets.GH_BOT_ACCESS_TOKEN due to GitHub's security feature (same as #125).
There's a workaround like using pull_request_target described in this article, but I would like to hear your thoughts.
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
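
The failure reported in the comment above, and the risk that comes with the pull_request_target workaround, as an added example that is not part of this thread or the project's workflows: a heuristic check over workflow text. Both workflow samples are constructed, the action name `example-org/example-action` is hypothetical, and the finding labels are this example's own.

```python
import re

TRIGGER = re.compile(r"(?<![.\w'\"])(pull_request(?:_target)?)(?![.\w])")
SECRET = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
FORK_GUARD = re.compile(r"pull_request\.head\.repo\.(full_name|fork)")

# Constructed sample: same token line as quoted above, hypothetical action name.
FORK_PR_WORKFLOW = """\
on:
  pull_request:
jobs:
  bot:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@v1
        with:
          token: ${{secrets.GH_BOT_ACCESS_TOKEN}}
"""

# Constructed sample: the workaround applied without isolating the PR's code.
TARGET_WORKFLOW = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm test
        env:
          TOKEN: ${{ secrets.GH_BOT_ACCESS_TOKEN }}
"""

def audit_workflow(text):
    """Return (finding, secret names) pairs for one workflow file (line heuristics, no YAML parse)."""
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]  # drop comments
    body = "\n".join(lines)
    triggers = set(TRIGGER.findall(body))
    secrets = sorted(set(SECRET.findall(body)))
    findings = []
    # Fork PRs get empty secrets, so a required input fails as in the thread.
    if "pull_request" in triggers and secrets and not FORK_GUARD.search(body):
        findings.append(("fork-pr-secret-empty", secrets))
    # pull_request_target jobs hold secrets; any use of the PR head needs review.
    if "pull_request_target" in triggers and any(HEAD_REF.search(ln) for ln in lines):
        findings.append(("target-uses-pr-head", secrets))
    return findings
```

A step guarded with an `if:` on `github.event.pull_request.head.repo.full_name == github.repository` is skipped for fork PRs, which is why the first finding is suppressed when that expression is present.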

fridgepoet (Member) commented

Thanks for looking into that; I don't think you need to worry about those checks for now.

I think you'll need to add these dashboards to the plugin.json so they will be suggested on the Dashboards page. Like:

"includes": [
    {
      "type": "dashboard",
      "name": "Redshift Monitoring",
      "path": "dashboards/redshift-monitoring.json"
    },
    {
      "type": "dashboard",
      "name": "Redshift Privileges",
      "path": "dashboards/redshift-privileges.json"
    },
    {
      "type": "dashboard",
      "name": "Redshift Identities and Objects",
      "path": "dashboards/redshift-identities-and-objects.json"
    }
  ],

sunker (Collaborator) commented Aug 25, 2022

Thanks for contributing @yota-p!

When I test the dashboards, the query editors aren't loading properly.

To work around this, you may need to tick the option Export for sharing externally when exporting your dashboard.

yota-p (Contributor, Author) commented Aug 25, 2022

@fridgepoet @sunker Thank you for the response. I'll check plugin.json and dashboard definition file.
I need some time to build the plugin on my side and test it. Will let you know once ready.

yota-p (Contributor, Author) commented Aug 26, 2022

@fridgepoet
Updated plugin.json. I built the plugin locally and confirmed the dashboards can be imported & are working.

yota-p (Contributor, Author) commented Aug 26, 2022

@sunker
Interesting, I didn't see the same error. The dashboards were loading properly when I tested.
Would you try again with the latest commit?

I used the option Export for sharing externally. FYI, I also made changes to the JSON manually since the exported file still contains environment-specific info (e.g. datasource uid). I can still load the dashboard properly, so I think it's not the cause here. The changes I made are:

  • Removed __inputs, __elements, __requires, iteration
  • Replaced "datasource": {"type": xxx, "uid": xxx} with "datasource": "${ds}"
  • Replaced the values of templating.list[0].current.text and templating.list[0].current.value with default

kevinwcyu (Contributor) commented

Hi @yota-p, could you change the following in the dashboards

"datasource": "${ds}"

to the following

"datasource": {
  "type": "grafana-redshift-datasource",
  "uid": "${ds}"
},

I suspect that's what's causing @sunker to not be able to see the correct query editor. Just a bit of background: we changed the shape of the datasource some time in v8.3.x of Grafana, I believe. It used to be a string, but now it's an object with the type and uid properties. I think what's happening is that when we read the datasource property after importing the dashboard, it's setting the datasource to whatever is set as the default datasource for the Grafana instance.

I was seeing the same issue as @sunker when I changed my default datasource to a different plugin, but using the new format for the datasource property fixed it.
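
The manual clean-up steps listed earlier in the thread, combined with the object-form datasource requested above, as an added example that is not part of this thread or the plugin's code: a normalizer for an exported dashboard plus a check that reports any datasource still in string form. The sample export is constructed, the function names are this example's own, and it assumes every non-built-in datasource in the dashboard is the Redshift one.

```python
import copy

REDSHIFT = {"type": "grafana-redshift-datasource", "uid": "${ds}"}  # form from the thread
EXPORT_ONLY = ("__inputs", "__elements", "__requires", "iteration")

SAMPLE_EXPORT = {  # constructed sample export, not one of the PR's files
    "__inputs": [{"name": "DS_REDSHIFT", "type": "datasource"}],
    "iteration": 1661500000000,
    "annotations": {"list": [{"name": "Annotations", "datasource": "-- Grafana --"}]},
    "templating": {"list": [{"name": "ds", "type": "datasource", "current": {
        "selected": True, "text": "my-redshift", "value": "my-redshift"}}]},
    "panels": [
        {"title": "Users", "datasource": "${ds}",
         "targets": [{"datasource": "${ds}", "rawSQL": "select 1"}]},
        {"title": "Schemas", "datasource": {"type": REDSHIFT["type"], "uid": "abc123"}},
    ],
}


def find_datasources(node, path="$"):
    """Yield (path, dict) for every dict that carries a "datasource" key."""
    if isinstance(node, dict):
        if "datasource" in node:
            yield path, node
        for key, value in node.items():
            yield from find_datasources(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_datasources(item, f"{path}[{i}]")


def legacy_refs(dash):
    """Paths still using the string form; built-ins such as "-- Grafana --" are skipped."""
    return [p for p, n in find_datasources(dash)
            if isinstance(n["datasource"], str) and not n["datasource"].startswith("--")]


def normalize_dashboard(exported):
    dash = copy.deepcopy(exported)  # leave the caller's export untouched
    for key in EXPORT_ONLY:
        dash.pop(key, None)
    for _, node in list(find_datasources(dash)):
        ds = node["datasource"]
        uid = ds if isinstance(ds, str) else ds.get("uid", "") if isinstance(ds, dict) else None
        if uid is not None and not str(uid).startswith("--"):  # keep null and built-ins
            node["datasource"] = dict(REDSHIFT)
    for var in dash.get("templating", {}).get("list", [])[:1]:  # templating.list[0]
        var.setdefault("current", {}).update(text="default", value="default")
    return dash
```

Running `legacy_refs` over the shipped dashboard files in CI would catch a string-form datasource before it silently binds to the instance default.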

yota-p (Contributor, Author) commented Aug 30, 2022

@kevinwcyu Thank you for the suggestion. I changed the format for the datasource property and confirmed it's loading properly on my end (I'm using the latest v9.1.1). Would you review?

kevinwcyu (Contributor) left a comment

Thanks for the contribution @yota-p. It looks good from my end.

@sunker, could you check to see if the query editor is loading for you when you get a moment?

sunker (Collaborator) left a comment

Looks good! Thanks for contributing @yota-p.

@sunker sunker merged commit a1c650d into grafana:main Sep 5, 2022

yota-p (Contributor, Author) commented Sep 6, 2022

Great, thank you team!

yota-p (Contributor, Author) commented Sep 20, 2022

Hi @sunker @kevinwcyu ,
Do you have a plan when to release the next version?

This feature is merged but not released yet. If possible, I want this feature to be released by the end of September (not a hard limit tho).

sunker (Collaborator) commented Sep 22, 2022

Yes it was just released in 1.2.0. Thanks again for contributing!

yota-p (Contributor, Author) commented Sep 22, 2022

Looks good. Thank you!
