Add --disable-write flag to control write operations (#385)

tabletenniser · web-flow · commit 48a597950ca1 · 2025-11-07T10:15:09.000+02:00
* Add --disable-write flag to control write operations

* Address PR feedback: Add alerting tools, tests, and documentation

- Add create_alert_rule, update_alert_rule, and delete_alert_rule to --disable-write flag
- Add comprehensive Read-Only Mode section to README documenting all disabled write tools
- Add tests to verify --disable-write flag behavior works correctly

* Add annotation write tools to --disable-write flag

- Include create_annotation, create_graphite_annotation, update_annotation, and patch_annotation
- Update README to document annotation tools in Read-Only Mode section
- Update tests to verify annotation write tools are properly disabled/enabled
diff --git a/README.md b/README.md
@@ -240,6 +240,7 @@ The `mcp-grafana` binary supports various command-line flags for configuration:
 - `--disable-datasource`: Disable datasource tools
 - `--disable-incident`: Disable incident tools
 - `--disable-prometheus`: Disable prometheus tools
+- `--disable-write`: Disable write tools (create/update operations)
 - `--disable-loki`: Disable loki tools
 - `--disable-alerting`: Disable alerting tools
 - `--disable-dashboard`: Disable dashboard tools
@@ -250,6 +251,44 @@ The `mcp-grafana` binary supports various command-line flags for configuration:
 - `--disable-pyroscope`: Disable pyroscope tools
 - `--disable-navigation`: Disable navigation tools
 
+### Read-Only Mode
+
+The `--disable-write` flag provides a way to run the MCP server in read-only mode, preventing any write operations to your Grafana instance. This is useful for scenarios where you want to provide safe, read-only access such as:
+
+- Using service accounts with limited read-only permissions
+- Providing AI assistants with observability data without modification capabilities
+- Running in production environments where write access should be restricted
+- Testing and development scenarios where you want to prevent accidental modifications
+
+When `--disable-write` is enabled, the following write operations are disabled:
+
+**Dashboard Tools:**
+- `update_dashboard`
+
+**Folder Tools:**
+- `create_folder`
+
+**Incident Tools:**
+- `create_incident`
+- `add_activity_to_incident`
+
+**Alerting Tools:**
+- `create_alert_rule`
+- `update_alert_rule`
+- `delete_alert_rule`
+
+**Annotation Tools:**
+- `create_annotation`
+- `create_graphite_annotation`
+- `update_annotation`
+- `patch_annotation`
+
+**Sift Tools:**
+- `find_error_pattern_logs` (creates investigations)
+- `find_slow_requests` (creates investigations)
+
+All read operations remain available, allowing you to query dashboards, run PromQL/LogQL queries, list resources, and retrieve data.
+
 **Client TLS Configuration (for Grafana connections):**
 - `--tls-cert-file`: Path to TLS certificate file for client authentication
 - `--tls-key-file`: Path to TLS private key file for client authentication
diff --git a/cmd/mcp-grafana/main.go b/cmd/mcp-grafana/main.go
@@ -41,7 +41,7 @@ type disabledTools struct {
 	search, datasource, incident,
 	prometheus, loki, alerting,
 	dashboard, folder, oncall, asserts, sift, admin,
-	pyroscope, navigation, proxied, annotations bool
+	pyroscope, navigation, proxied, annotations, write bool
 }
 
 // Configuration for the Grafana client.
@@ -73,6 +73,7 @@ func (dt *disabledTools) addFlags() {
 	flag.BoolVar(&dt.pyroscope, "disable-pyroscope", false, "Disable pyroscope tools")
 	flag.BoolVar(&dt.navigation, "disable-navigation", false, "Disable navigation tools")
 	flag.BoolVar(&dt.proxied, "disable-proxied", false, "Disable proxied tools (tools from external MCP servers)")
+	flag.BoolVar(&dt.write, "disable-write", false, "Disable write tools (create/update operations)")
 	flag.BoolVar(&dt.annotations, "disable-annotations", false, "Disable annotation tools")
 }
 
@@ -88,21 +89,22 @@ func (gc *grafanaConfig) addFlags() {
 
 func (dt *disabledTools) addTools(s *server.MCPServer) {
 	enabledTools := strings.Split(dt.enabledTools, ",")
+	enableWriteTools := !dt.write
 	maybeAddTools(s, tools.AddSearchTools, enabledTools, dt.search, "search")
 	maybeAddTools(s, tools.AddDatasourceTools, enabledTools, dt.datasource, "datasource")
-	maybeAddTools(s, tools.AddIncidentTools, enabledTools, dt.incident, "incident")
+	maybeAddTools(s, func(mcp *server.MCPServer) { tools.AddIncidentTools(mcp, enableWriteTools) }, enabledTools, dt.incident, "incident")
 	maybeAddTools(s, tools.AddPrometheusTools, enabledTools, dt.prometheus, "prometheus")
 	maybeAddTools(s, tools.AddLokiTools, enabledTools, dt.loki, "loki")
-	maybeAddTools(s, tools.AddAlertingTools, enabledTools, dt.alerting, "alerting")
-	maybeAddTools(s, tools.AddDashboardTools, enabledTools, dt.dashboard, "dashboard")
-	maybeAddTools(s, tools.AddFolderTools, enabledTools, dt.folder, "folder")
+	maybeAddTools(s, func(mcp *server.MCPServer) { tools.AddAlertingTools(mcp, enableWriteTools) }, enabledTools, dt.alerting, "alerting")
+	maybeAddTools(s, func(mcp *server.MCPServer) { tools.AddDashboardTools(mcp, enableWriteTools) }, enabledTools, dt.dashboard, "dashboard")
+	maybeAddTools(s, func(mcp *server.MCPServer) { tools.AddFolderTools(mcp, enableWriteTools) }, enabledTools, dt.folder, "folder")
 	maybeAddTools(s, tools.AddOnCallTools, enabledTools, dt.oncall, "oncall")
 	maybeAddTools(s, tools.AddAssertsTools, enabledTools, dt.asserts, "asserts")
-	maybeAddTools(s, tools.AddSiftTools, enabledTools, dt.sift, "sift")
+	maybeAddTools(s, func(mcp *server.MCPServer) { tools.AddSiftTools(mcp, enableWriteTools) }, enabledTools, dt.sift, "sift")
 	maybeAddTools(s, tools.AddAdminTools, enabledTools, dt.admin, "admin")
 	maybeAddTools(s, tools.AddPyroscopeTools, enabledTools, dt.pyroscope, "pyroscope")
 	maybeAddTools(s, tools.AddNavigationTools, enabledTools, dt.navigation, "navigation")
-	maybeAddTools(s, tools.AddAnnotationTools, enabledTools, dt.annotations, "annotations")
+	maybeAddTools(s, func(mcp *server.MCPServer) { tools.AddAnnotationTools(mcp, enableWriteTools) }, enabledTools, dt.annotations, "annotations")
 }
 
 func newServer(transport string, dt disabledTools) (*server.MCPServer, *mcpgrafana.ToolManager) {
diff --git a/examples/tls_example.go b/examples/tls_example.go
@@ -157,7 +157,7 @@ func runServerWithTLS() {
 	// Add some basic tools
 	tools.AddSearchTools(s)
 	tools.AddDatasourceTools(s)
-	tools.AddDashboardTools(s)
+	tools.AddDashboardTools(s, false) // Read-only mode (no write tools)
 
 	// Create stdio server with TLS-enabled context function
 	srv := server.NewStdioServer(s)
diff --git a/tests/disable_write_test.py b/tests/disable_write_test.py
@@ -0,0 +1,122 @@
+import pytest
+import os
+from mcp.client.stdio import stdio_client
+from mcp import ClientSession, StdioServerParameters
+
+pytestmark = pytest.mark.anyio
+
+
+@pytest.fixture
+def grafana_env():
+    env = {"GRAFANA_URL": os.environ.get("GRAFANA_URL", "http://localhost:3000")}
+    # Check for the new service account token environment variable first
+    if key := os.environ.get("GRAFANA_SERVICE_ACCOUNT_TOKEN"):
+        env["GRAFANA_SERVICE_ACCOUNT_TOKEN"] = key
+    elif key := os.environ.get("GRAFANA_API_KEY"):
+        env["GRAFANA_API_KEY"] = key
+    return env
+
+
+async def test_disable_write_flag_disables_write_tools(grafana_env):
+    """Test that --disable-write flag disables write tools."""
+    params = StdioServerParameters(
+        command=os.environ.get("MCP_GRAFANA_PATH", "../dist/mcp-grafana"),
+        args=["--disable-write"],
+        env=grafana_env,
+    )
+    async with stdio_client(params) as (read, write):
+        async with ClientSession(read, write) as session:
+            await session.initialize()
+            
+            # List all available tools
+            tools_result = await session.list_tools()
+            tool_names = [tool.name for tool in tools_result.tools]
+            
+            # Verify write tools are NOT present
+            write_tools = [
+                "update_dashboard",
+                "create_folder",
+                "create_incident",
+                "add_activity_to_incident",
+                "create_alert_rule",
+                "update_alert_rule",
+                "delete_alert_rule",
+                "create_annotation",
+                "create_graphite_annotation",
+                "update_annotation",
+                "patch_annotation",
+                "find_error_pattern_logs",
+                "find_slow_requests",
+            ]
+            
+            for tool in write_tools:
+                assert tool not in tool_names, f"Write tool '{tool}' should not be available with --disable-write flag"
+            
+            # Verify read tools ARE still present
+            read_tools = [
+                "get_dashboard_by_uid",
+                "list_alert_rules",
+                "get_alert_rule_by_uid",
+                "list_contact_points",
+                "list_incidents",
+                "get_incident",
+                "get_sift_investigation",
+                "get_annotations",
+                "get_annotation_tags",
+            ]
+            
+            for tool in read_tools:
+                assert tool in tool_names, f"Read tool '{tool}' should still be available with --disable-write flag"
+
+
+async def test_without_disable_write_flag_enables_write_tools(grafana_env):
+    """Test that without --disable-write flag, write tools are enabled."""
+    params = StdioServerParameters(
+        command=os.environ.get("MCP_GRAFANA_PATH", "../dist/mcp-grafana"),
+        args=[],  # No --disable-write flag
+        env=grafana_env,
+    )
+    async with stdio_client(params) as (read, write):
+        async with ClientSession(read, write) as session:
+            await session.initialize()
+            
+            # List all available tools
+            tools_result = await session.list_tools()
+            tool_names = [tool.name for tool in tools_result.tools]
+            
+            # Verify write tools ARE present
+            write_tools = [
+                "update_dashboard",
+                "create_folder",
+                "create_incident",
+                "add_activity_to_incident",
+                "create_alert_rule",
+                "update_alert_rule",
+                "delete_alert_rule",
+                "create_annotation",
+                "create_graphite_annotation",
+                "update_annotation",
+                "patch_annotation",
+                "find_error_pattern_logs",
+                "find_slow_requests",
+            ]
+            
+            for tool in write_tools:
+                assert tool in tool_names, f"Write tool '{tool}' should be available without --disable-write flag"
+            
+            # Verify read tools are also present
+            read_tools = [
+                "get_dashboard_by_uid",
+                "list_alert_rules",
+                "get_alert_rule_by_uid",
+                "list_contact_points",
+                "list_incidents",
+                "get_incident",
+                "get_sift_investigation",
+                "get_annotations",
+                "get_annotation_tags",
+            ]
+            
+            for tool in read_tools:
+                assert tool in tool_names, f"Read tool '{tool}' should be available without --disable-write flag"
+
diff --git a/tools/alerting.go b/tools/alerting.go
@@ -638,11 +638,13 @@ var DeleteAlertRule = mcpgrafana.MustTool(
 	mcp.WithTitleAnnotation("Delete alert rule"),
 )
 
-func AddAlertingTools(mcp *server.MCPServer) {
+func AddAlertingTools(mcp *server.MCPServer, enableWriteTools bool) {
 	ListAlertRules.Register(mcp)
 	GetAlertRuleByUID.Register(mcp)
-	CreateAlertRule.Register(mcp)
-	UpdateAlertRule.Register(mcp)
-	DeleteAlertRule.Register(mcp)
+	if enableWriteTools {
+		CreateAlertRule.Register(mcp)
+		UpdateAlertRule.Register(mcp)
+		DeleteAlertRule.Register(mcp)
+	}
 	ListContactPoints.Register(mcp)
 }
diff --git a/tools/annotations.go b/tools/annotations.go
@@ -262,11 +262,13 @@ var GetAnnotationTagsTool = mcpgrafana.MustTool(
 	mcp.WithReadOnlyHintAnnotation(true),
 )
 
-func AddAnnotationTools(mcp *server.MCPServer) {
+func AddAnnotationTools(mcp *server.MCPServer, enableWriteTools bool) {
 	GetAnnotationsTool.Register(mcp)
-	CreateAnnotationTool.Register(mcp)
-	CreateGraphiteAnnotationTool.Register(mcp)
-	UpdateAnnotationTool.Register(mcp)
-	PatchAnnotationTool.Register(mcp)
+	if enableWriteTools {
+		CreateAnnotationTool.Register(mcp)
+		CreateGraphiteAnnotationTool.Register(mcp)
+		UpdateAnnotationTool.Register(mcp)
+		PatchAnnotationTool.Register(mcp)
+	}
 	GetAnnotationTagsTool.Register(mcp)
 }
diff --git a/tools/dashboard.go b/tools/dashboard.go
@@ -644,9 +644,11 @@ func extractVariableSummary(variable map[string]interface{}) VariableSummary {
 	}
 }
 
-func AddDashboardTools(mcp *server.MCPServer) {
+func AddDashboardTools(mcp *server.MCPServer, enableWriteTools bool) {
 	GetDashboardByUID.Register(mcp)
-	UpdateDashboard.Register(mcp)
+	if enableWriteTools {
+		UpdateDashboard.Register(mcp)
+	}
 	GetDashboardPanelQueries.Register(mcp)
 	GetDashboardProperty.Register(mcp)
 	GetDashboardSummary.Register(mcp)
diff --git a/tools/folder.go b/tools/folder.go
@@ -47,6 +47,8 @@ var CreateFolder = mcpgrafana.MustTool(
 	mcp.WithReadOnlyHintAnnotation(false),
 )
 
-func AddFolderTools(mcp *server.MCPServer) {
-	CreateFolder.Register(mcp)
+func AddFolderTools(mcp *server.MCPServer, enableWriteTools bool) {
+	if enableWriteTools {
+		CreateFolder.Register(mcp)
+	}
 }
diff --git a/tools/incident.go b/tools/incident.go
@@ -120,10 +120,12 @@ var AddActivityToIncident = mcpgrafana.MustTool(
 	mcp.WithTitleAnnotation("Add activity to incident"),
 )
 
-func AddIncidentTools(mcp *server.MCPServer) {
+func AddIncidentTools(mcp *server.MCPServer, enableWriteTools bool) {
 	ListIncidents.Register(mcp)
-	CreateIncident.Register(mcp)
-	AddActivityToIncident.Register(mcp)
+	if enableWriteTools {
+		CreateIncident.Register(mcp)
+		AddActivityToIncident.Register(mcp)
+	}
 	GetIncident.Register(mcp)
 }
 
diff --git a/tools/sift.go b/tools/sift.go
@@ -417,12 +417,14 @@ var FindSlowRequests = mcpgrafana.MustTool(
 )
 
 // AddSiftTools registers all Sift tools with the MCP server
-func AddSiftTools(mcp *server.MCPServer) {
+func AddSiftTools(mcp *server.MCPServer, enableWriteTools bool) {
 	GetSiftInvestigation.Register(mcp)
 	GetSiftAnalysis.Register(mcp)
 	ListSiftInvestigations.Register(mcp)
-	FindErrorPatternLogs.Register(mcp)
-	FindSlowRequests.Register(mcp)
+	if enableWriteTools {
+		FindErrorPatternLogs.Register(mcp)
+		FindSlowRequests.Register(mcp)
+	}
 }
 
 // makeRequest is a helper method to make HTTP requests and handle common response patterns

Original file line number	Diff line number	Diff line change
`@@ -644,9 +644,11 @@ func extractVariableSummary(variable map[string]interface{}) VariableSummary {`
`644`	`644`	`}`
`645`	`645`	`}`
`646`	`646`
`647`		`-func AddDashboardTools(mcp *server.MCPServer) {`
	`647`	`+func AddDashboardTools(mcp *server.MCPServer, enableWriteTools bool) {`
`648`	`648`	`GetDashboardByUID.Register(mcp)`
`649`		`- UpdateDashboard.Register(mcp)`
	`649`	`+ if enableWriteTools {`
	`650`	`+ UpdateDashboard.Register(mcp)`
	`651`	`+ }`
`650`	`652`	`GetDashboardPanelQueries.Register(mcp)`
`651`	`653`	`GetDashboardProperty.Register(mcp)`
`652`	`654`	`GetDashboardSummary.Register(mcp)`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,8 @@ var CreateFolder = mcpgrafana.MustTool(`
`47`	`47`	`mcp.WithReadOnlyHintAnnotation(false),`
`48`	`48`	`)`
`49`	`49`
`50`		`-func AddFolderTools(mcp *server.MCPServer) {`
`51`		`- CreateFolder.Register(mcp)`
	`50`	`+func AddFolderTools(mcp *server.MCPServer, enableWriteTools bool) {`
	`51`	`+ if enableWriteTools {`
	`52`	`+ CreateFolder.Register(mcp)`
	`53`	`+ }`
`52`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -120,10 +120,12 @@ var AddActivityToIncident = mcpgrafana.MustTool(`
`120`	`120`	`mcp.WithTitleAnnotation("Add activity to incident"),`
`121`	`121`	`)`
`122`	`122`
`123`		`-func AddIncidentTools(mcp *server.MCPServer) {`
	`123`	`+func AddIncidentTools(mcp *server.MCPServer, enableWriteTools bool) {`
`124`	`124`	`ListIncidents.Register(mcp)`
`125`		`- CreateIncident.Register(mcp)`
`126`		`- AddActivityToIncident.Register(mcp)`
	`125`	`+ if enableWriteTools {`
	`126`	`+ CreateIncident.Register(mcp)`
	`127`	`+ AddActivityToIncident.Register(mcp)`
	`128`	`+ }`
`127`	`129`	`GetIncident.Register(mcp)`
`128`	`130`	`}`
`129`	`131`