IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-16 18:34:52 -06:00
Code Issues Packages Projects Releases Wiki Activity

Docs: Adds a new security section (#18508)

Browse Source 
Co-Authored-By: Leonard Gram <leo@xlson.com>
This commit is contained in:
Marcus Efraimsson 2019-08-12 13:23:20 +02:00 committed by GitHub
parent b3a75cee68
commit 5459e7c9af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
docs/sources/installation/security.md Normal file
View File

@ -0,0 +1,40 @@
+++
title = "Security"
description = "Security Docs"
keywords = ["grafana", "security", "documentation"]
type = "docs"
[menu.docs]
name = "Security"
identifier = "security"
parent = "admin"
weight = 2
+++
# Security
## Data source proxy and protecting internal services
If you have non-Grafana web services running on your Grafana server or within its local network, these may be vulnerable to exploitation via the Grafana data source proxy.
To prevent this type of exploitation from happening we explain a couple of different solutions below.
### Configure Grafana to only allow certain IP addresses/hostnames to be used as datasource url
You can configure Grafana to only allow certain IP addresses/hostnames to be used as data source url and by that proxied through the Grafana data source proxy. See [data_source_proxy_whitelist](/installation/configuration/#data-source-proxy-whitelist) for usage instructions.
### Firewall rules
You should be able to configure a firewall, for example using iptables, to restrict Grafana from making network requests to certain internal web services.
### Proxy server
You should be able to require all network requests being made by Grafana to go through a proxy server.
## Viewer query permissions
Important to understand that users with Viewer role can still issue any possible query to all data sources available in the **organization**. Not just the queries that are defined on the dashboards the user with Viewer role has permissions to view.
There are a couple of ways you can restrict data source query access:
- Create multiple data sources with some restrictions added in data source config that restrict access (like database name or credentials). Then use the [Data Source Permissions]({{< relref "permissions/datasource_permissions.md" >}}) Enterprise feature to restrict user access to the data source in Grafana.
- Create a separate Grafana organization and in that organization create a separate data source. Make sure the data source has some option/user/credentials setting that limits access to a subset of the data. Not all data sources have an option to limit access.