Lovelace panel, grafana, panel links, 401: Unauthorized

I had something working some time (years possibly) ago, that no longer works.

I use a yaml lovelace UI, not a regular dashboard.

I have a bunch of panels and one is for my home energy dashboard. It looks like this:

- title: Energy
  path: energy
  panel: true
  cards:
    - type: iframe
      url: http://ha:3000/api/hassio_ingress/jBqQvdcUYZjviv-TvGbTV0H5_6hmZ2VBCLygoO0dFK0/d/tUE2_BuWk/home-energy?orgId=1

This works. Inside that dashboard I have a graph with a panel link, which is intended to link to a different graph. It looks like this:

http://ha:8123/api/hassio_ingress/jBqQvdcUYZjviv-TvGbTV0H5_6hmZ2VBCLygoO0dFK0/d/md_NyluWz/one-item?orgId=1&var-Circuit=Main

If I run that URL directly it works fine.

If I click on the panel link inside lovelace it says “401: Unauthorized”.

I’m stuck where to start looking. First – it used to work. But more to the point with that same browser it works in a separate new tab. It just won’t work in context from Lovelace.

I also get a 401 if I go to a new browser not connected to HA and enter the panel link URL. Which I think tells me that it is losing some kind of HA Context.

I have (and I think always did) anonymous enabled in grafana in the addon:

- name: GF_AUTH_ANONYMOUS_ENABLED
  value: "true"

Can someone give me an idea where to start? The Grafana documentation doesn’t seem to help, it seems to be a Lovelace issue of some sort?

And yes, I suspect somewhere in the recent years I missed a release note. These panel links are not something I use much at all, so by the time I noticed (i.e. last few days) it could have been years.

Linwood

One thing I noticed in follow-up which is kind of interesting.

If I select the panel link from lovelace, which is set to display in a separate tab, it gets the 401.

In that tab if I simply select the address bar and hit enter – no changes, same URL it just did a 401 for – it comes up fine.

It’s related to hassio supervisor: before you access /api/hassio_ingress/addon_url you must create an ingress session.
You can try using lovelylain/hass_ingress on GitHub (Home Assistant ingress feature, add additional ingress panels to your Home Assistant frontend) to achieve your goal.

configuration.yaml:

ingress:
  grafana:
    require_admin: true
    work_mode: hassio
    title: Grafana
    icon: mdi:chart-timeline
    url: a0d7b954_grafana

lovelace:

- type: iframe
  url: /api/ingress/grafana/d/md_NyluWz/one-item?orgId=1&var-Circuit=Main

However, this method cannot refresh the session validity period, which is only valid for 15 minutes. If you want a complete solution, you can deploy grafana with docker and then integrate it into the HA sidebar with ingress.
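The ingress session lifecycle described in the reply above, as an added example that is not part of the original posts: a request without a live session gets 401, and a session that is not refreshed within 15 minutes gets 401 again. The `supervisor/api` message shape, the `/ingress/session` and `/ingress/validate_session` endpoints and the `ingress_session` cookie name are assumptions based on Home Assistant's Supervisor ingress API, not taken from the thread; `FakeSupervisor` is a constructed stand-in so the flow runs offline.

```javascript
// Added example. Endpoints, message shape and cookie name are assumptions based on
// Home Assistant's Supervisor ingress API; they do not come from the thread.
const MIN = 60 * 1000, TTL_MS = 15 * MIN; // 15-minute session lifetime stated in the thread
const createMsg = () => ({ type: "supervisor/api", endpoint: "/ingress/session", method: "post" });
const validateMsg = (session) => ({ ...createMsg(), endpoint: "/ingress/validate_session", data: { session } });
// String a page would assign to document.cookie so ingress requests carry the session.
const ingressCookie = (session) => `ingress_session=${session};path=/api/hassio_ingress/;SameSite=Strict`;

// Constructed stand-in for the Supervisor so the flow runs offline.
class FakeSupervisor {
  constructor() { this.now = 0; this.seq = 0; this.sessions = new Map(); }
  live(session) { return (this.sessions.get(session) ?? -1) > this.now; }
  handle(msg) {
    if (msg.endpoint === "/ingress/session") {
      const session = `constructed-session-${++this.seq}`;
      this.sessions.set(session, this.now + TTL_MS);
      return { session };
    }
    if (msg.endpoint === "/ingress/validate_session") {
      if (!this.live(msg.data.session)) throw new Error("invalid session");
      this.sessions.set(msg.data.session, this.now + TTL_MS); // assumed: validating extends it
      return {};
    }
    throw new Error(`unknown endpoint ${msg.endpoint}`);
  }
  // Status the ingress proxy returns for a request with this cookie string.
  proxyStatus(cookie) {
    const m = /(?:^|;\s*)ingress_session=([^;]+)/.exec(cookie || "");
    return m && this.live(m[1]) ? 200 : 401;
  }
}

// Keep the session if it still validates, otherwise create a new one.
function refresh(sup, session) {
  try { sup.handle(validateMsg(session)); return session; }
  catch { return sup.handle(createMsg()).session; }
}

function simulate() {
  const sup = new FakeSupervisor();
  const out = { noCookie: sup.proxyStatus("") };        // URL opened with no session
  let s = sup.handle(createMsg()).session;
  out.fresh = sup.proxyStatus(ingressCookie(s));
  sup.now += 10 * MIN; s = refresh(sup, s);             // refreshed before expiry
  sup.now += 10 * MIN; out.refreshed = sup.proxyStatus(ingressCookie(s));
  sup.now += 16 * MIN; out.idle = sup.proxyStatus(ingressCookie(s)); // no refresh
  out.recreated = sup.proxyStatus(ingressCookie(refresh(sup, s)));
  return out;
}
```

In a browser the two messages would be sent over the authenticated Home Assistant WebSocket connection rather than to a local object.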

I have grafana there, and it’s in the side panel, but it’s the full thing and when you select it you get the various menus. The one invoked as a lovelace … tab? Is that the right word? … that can be invoked from the menu across the top, is a specific URL, and is a display only version I think (there’s no edit button on graphs for example).

While I myself am the main user, having it go straight to the URL is what I want, especially for displays like on a smart TV. It sounds like iFrame is basically not supported (or fully supported). I would love to understand a better approach, so my YAML lovelace display can put up and manipulate (e.g. panel links) graphs without hitting security issues. Is “And then integrate it into the HA Sidebar” a solution and if so, some kind of pointer perhaps?

You may try method one first. The problem of session expiration in 15 minutes can be solved through auto refresh.

Reading now.

Though I just stumbled across “Public dashboards”. That may be a simpler choice, just get out of Lovelace entirely. Experimenting now also.

Thank you for all the pointers. I have some homework to do.

There seems to be an easier way – enable anonymous access, and configure the URLs with 3000 instead of 8123.

That is likely not acceptable for some especially if anything is visible outside, but with anonymous set to view only, and with a separate guest wifi VLAN/SSID, I cannot see a downside.

At least so far – unless something is going to blow up. But so far in an evening of experimenting it all seems to work.

Am I missing something?

PS. Public views don’t work because of template variables.