Hi Grafana community,
I’m building a custom monitoring dashboard with the following architecture and would appreciate your guidance on the most secure implementation approach:
Current Setup:
- Python/Flask backend application
- Custom frontend (HTML/JavaScript)
- Grafana instance for visualization
- Authentik (OAuth/OIDC) handling all authentication
- Users should never see Grafana’s native login
Requirements:
- All Grafana requests must flow through my Python backend (no direct frontend-to-Grafana communication)
- Single sign-on via Authentik for the entire application
- Secure dashboard embedding without exposing Grafana credentials
- Role-based access control managed by my backend
Questions:
- Auth Proxy vs API approach: Should I use Grafana’s auth proxy feature with nginx, or implement everything through Grafana’s HTTP API? What are the security trade-offs?
- Session handling: How do you recommend handling user sessions between my application and Grafana? Currently considering:
  - Service account tokens for backend-to-Grafana communication
  - Auth proxy headers based on my application’s authenticated user
  - API key rotation strategies
- Dashboard embedding: For secure iframe embedding of dashboards, should I:
  - Proxy all dashboard requests through my backend
  - Use Grafana’s snapshot functionality
  - Generate temporary access tokens for each user session
- Best practices: Are there established patterns for this type of integration? I want to ensure I’m not reinventing the wheel or introducing security vulnerabilities.
Current Considerations: I’m leaning toward auth proxy configuration where my Python backend validates sessions and forwards appropriate headers to Grafana, but I’m concerned about session synchronization and potential security gaps.
Has anyone implemented a similar architecture? What pitfalls should I watch out for, especially regarding cookie handling and cross-origin requests in embedded scenarios?
Any insights or references to documentation would be greatly appreciated.
Thanks in advance!
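One way to wire up the auth-proxy approach described above, as an added example that is not part of the original post and not Grafana's or Authentik's own code. It assumes Grafana runs on an address only the backend can reach, is configured with `[auth.proxy]` (the settings are listed in the module docstring, and how Grafana consumes the group header is assumed to be set up separately), and that the backend has already completed the Authentik OIDC flow and stores the verified identity in its own server-side session. The names `build_upstream_headers`, `ROLE_TO_GRAFANA_GROUP` and the Flask route are hypothetical; the security point is that the auth-proxy headers are the entire trust boundary, so the backend must overwrite them from its own session and never pass through whatever the browser sent:

```python
"""Header handling for a Flask backend sitting in front of Grafana's auth proxy.

Added example, not code from the original post. Assumed Grafana configuration:

    [server]
    root_url = https://app.example/grafana/   ; assumed public path
    serve_from_sub_path = true

    [auth.proxy]
    enabled = true
    header_name = X-WEBAUTH-USER
    header_property = username
    headers = Groups:X-WEBAUTH-GROUPS
    whitelist = 10.0.0.5                      ; assumed backend address
    enable_login_token = false                ; re-authenticate every request
"""
from __future__ import annotations

import re
from typing import Mapping

# Grafana trusts these headers unconditionally, so only the backend may set them.
AUTH_PROXY_HEADERS = ("X-WEBAUTH-USER", "X-WEBAUTH-GROUPS", "X-WEBAUTH-NAME", "X-WEBAUTH-EMAIL")

# Hop-by-hop headers are not forwarded by a proxy (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

# Backend-managed roles mapped to the group names Grafana will receive (assumed names).
ROLE_TO_GRAFANA_GROUP = {"admin": "grafana-admin", "editor": "grafana-editor", "viewer": "grafana-viewer"}

# Logins are restricted to a conservative charset so no CR/LF or separators can be smuggled.
_LOGIN_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_upstream_headers(client_headers: Mapping[str, str], user: Mapping[str, object]) -> dict[str, str]:
    """Return the headers the backend sends to Grafana for an authenticated user.

    Identity comes only from `user` (the backend's verified session data), never from
    the incoming request. Raises ValueError for an unusable login and PermissionError
    when the user holds no role that maps to a Grafana group (deny by default).
    """
    login = str(user.get("login", ""))
    if not _LOGIN_RE.fullmatch(login):
        raise ValueError(f"refusing to proxy for invalid login {login!r}")

    roles = user.get("roles", ())
    groups = sorted({ROLE_TO_GRAFANA_GROUP[r] for r in roles if r in ROLE_TO_GRAFANA_GROUP})
    if not groups:
        raise PermissionError(f"user {login!r} has no role that grants Grafana access")

    # Drop anything the browser could use to impersonate or to confuse the upstream:
    # spoofed auth-proxy headers, client-supplied Authorization, hop-by-hop headers,
    # and Host (the HTTP client sets the correct upstream Host itself).
    blocked = {h.lower() for h in AUTH_PROXY_HEADERS} | HOP_BY_HOP | {"authorization", "host"}
    headers = {name: value for name, value in client_headers.items() if name.lower() not in blocked}
    headers["X-WEBAUTH-USER"] = login
    headers["X-WEBAUTH-GROUPS"] = ",".join(groups)
    return headers


if __name__ == "__main__":
    # Minimal Flask wiring (assumed): everything under /grafana/ is forwarded to the
    # internal Grafana instance with the headers built above.
    from flask import Flask, Response, abort, request, session
    import requests

    GRAFANA_URL = "http://grafana:3000"  # assumed internal-only address
    app = Flask(__name__)
    app.secret_key = "change-me"  # assumed placeholder; load from secret storage in production

    @app.route("/grafana/", defaults={"path": ""}, methods=["GET", "POST", "PUT", "DELETE"])
    @app.route("/grafana/<path:path>", methods=["GET", "POST", "PUT", "DELETE"])
    def grafana_proxy(path: str) -> Response:
        user = session.get("user")  # populated by the Authentik OIDC callback (not shown)
        if user is None:
            abort(401)
        try:
            headers = build_upstream_headers(request.headers, user)
        except (ValueError, PermissionError):
            abort(403)
        upstream = requests.request(request.method, f"{GRAFANA_URL}/{path}", params=request.args,
                                    headers=headers, data=request.get_data(),
                                    allow_redirects=False, timeout=10)
        skip = {"content-encoding", "transfer-encoding", "connection"}
        return Response(upstream.content, upstream.status_code,
                        [(k, v) for k, v in upstream.headers.items() if k.lower() not in skip])

    app.run(port=8080)
```

Because Grafana's whitelist only admits the backend and every request is re-authenticated from the headers, there is no second session to keep in sync: revoking the backend session immediately cuts off Grafana access, and the browser never holds a Grafana credential that could be replayed outside the iframe.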