I’ve read all the posts and through my personal experience, this feature doesn’t seem to be currently supported in Grafana Cloud but is supported in self-hosted… For completeness purposes, we have a web application where users are authenticated using external auth and also have IDs in Grafana (so no anonymous access). We want to embed an iframe in the app. Is there any offering Grafana Cloud offers to make this available before we go down the self-hosted route?
Hi @billdatacotton, great question. Embedding dashboard panels is indeed a popular use case and there are some major differences in how this feature functions between the Grafana open source software license and Grafana Cloud.
As of July 2023, the allow_embed configuration setting is disabled by default in Grafana Cloud as it usually requires disabling cookie_samesite in order to be a useful feature. Embedded panels requiring users to log in to view visualizations is often a poor user experience. We do have an open feature request to support this; however, cross-site request forgery attacks (CSRF) prevent us from offering this in our managed environment at this time. This is a security concern for self-managed environments as well, which is why we caution against using embedded panels with anonymous access viewers. See Implications of enabling anonymous access to dashboards for more details.
If your specific use case does not require disabling cookie_samesite then the Support team can enable allow_embed for your hosted Grafana instance. Open a ticket from your account portal so they can further discuss this with you for your organization.
The relatively new Public Dashboards feature might be an alternative approach, however this is still in public preview status and under active development. Check out the limitations and supported data sources and visualization types to see if this might be a suitable solution. Once this feature is generally available, we might be able to support embedding public dashboard panels however this is not yet confirmed.
Note for future readers, this policy is subject to change over time as the security landscape is dynamic and Grafana Cloud must adhere to industry-standard security technologies and procedures. Self-managed Grafana environments provide more customization options as individual organization risk tolerance can allow for more flexibility than managed platforms. If this feature is required for your environment then I recommend the self-managed offerings (Grafana OSS or Grafana Enterprise). To review Grafana Cloud security and compliance details, visit our portal at trust.grafana.com.
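An added example, not part of the original posts and not Grafana's own code: a small audit of a self-managed grafana.ini for the combination of settings discussed above. It assumes the thread's allow_embed corresponds to the `allow_embedding` key in the `[security]` section; the sample config and the `audit_embedding` function name are constructed for illustration.

```python
import configparser

# Constructed sample of a self-managed grafana.ini (not taken from the thread).
SAMPLE_INI = """
[security]
allow_embedding = true
cookie_samesite = disabled
cookie_secure = false

[auth.anonymous]
enabled = true
org_role = Viewer
"""

def audit_embedding(ini_text):
    """Return a list of findings for the embedding-related settings."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may carry keys before the first section header; a dummy
    # section keeps configparser from rejecting such files.
    cfg.read_string("[_top]\n" + ini_text)

    def get(section, key, default):
        return cfg.get(section, key, fallback=default).strip().lower()

    embed = get("security", "allow_embedding", "false") == "true"
    samesite = get("security", "cookie_samesite", "lax")
    secure = get("security", "cookie_secure", "false") == "true"
    anonymous = get("auth.anonymous", "enabled", "false") == "true"

    findings = []
    if not embed:
        return findings  # X-Frame-Options: deny stays in place, nothing to flag
    findings.append("allow_embedding=true: Grafana may be rendered inside frames")
    if samesite in ("none", "disabled"):
        findings.append("cookie_samesite=%s: Grafana no longer sets a restrictive "
                        "SameSite attribute on its cookies (CSRF exposure)" % samesite)
        if samesite == "none" and not secure:
            findings.append("cookie_samesite=none without cookie_secure=true: "
                            "modern browsers reject SameSite=None cookies lacking Secure")
    if anonymous:
        findings.append("auth.anonymous enabled with embedding: "
                        "panels are viewable without login")
    return findings

if __name__ == "__main__":
    for finding in audit_embedding(SAMPLE_INI):
        print("-", finding)
```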
@Melody's answer is already awesome and complete, but I wanted to add some things here because I’ve taken an interest in this space myself. Wanted to share a few extra tidbits and ask a question or two.
Specifically the thing that’s hard about this request is (in my opinion) satisfying all of the following requirements:
- Embedded in an app, with app auth
- With a private Grafana dashboard
- Without any wiring of the auth for the app to the auth for Grafana
Melody’s answer and other posts talk about how we can do it with public dashboards (violating requirement 2) or we can do it with auth via Grafana (violating requirement 1), but the real missing piece that usually doesn’t get discussed in these threads is point 3.
From my perspective, this conflict between 2 & 3 is the core of why – well, it’s not that this is hard, (much can be accomplished with some gumption and JS code) but it’s hard to do safely, and why there might be some wisdom in considering a different path.
So, questions back to you @billdatacotton
- How does auth for your current app work?
- How does auth for your Grafana work? (Do you integrate with an auth provider? Built-in?)
- How do you imagine the security flow to work such that requirements 2 & 3 are both satisfied?
- What have you tried?
I’m not trying to challenge or push back but genuinely trying to learn. You aren’t the only person who has had this question and if there’s a good answer I’d love to write it up for the Grafana blog, because I think it would help a lot of people.
I think this is best answered by someone with deep security knowledge. Iframes inherently can be a huge security risk, unless it is an on-prem web server hosting both Grafana and the host app. Usually people will embed tokens etc. in the landing HTML page that has the iframe. Nice and easy when it is all in-house, but even this is a risky approach. I am challenging and pushing back on this.
This is an interesting read
Hi all, just wanted to share this engineering blog post as it is relevant for this topic: