Datasource for organization not protected?

Hi,

we’ve tested by creating a separate datasource for each organisation. We then manipulated the headers on the msearch queries on the client and forged a different index name in the query. We were not pleased to see that it was passed nicely to Elasticsearch by Grafana and we accessed data meant for a different organisation.

I was under the impression that Grafana does protect the datasource of an org, but obviously this is not the case?

We’re running 4.6.3.

Could you verify this please?

Hi,

In general Grafana doesn’t do any authorization of datasources, that is, protecting certain indices from being used, only authentication (if enabled). If you have different datasources in different organizations, Grafana will protect against accessing datasource D from organization O if you don’t belong to organization O.

Most of the datasource plugins right now are implemented so they’re running solely in the frontend, Elasticsearch included. This makes it very hard to protect them with authorization, since that would have to be implemented in the frontend. And as you just showed, frontend code can easily be manipulated.

We have plans for implementing support for backend plugins that will allow much greater control over authentication and authorization. You can subscribe/upvote the issue here if you’re interested.

Marcus
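Until such backend authorization exists, the check the reply describes as missing can be placed in a proxy between Grafana and Elasticsearch. The following is an added example, not Grafana's own code: it assumes the proxy knows the index pattern configured for each datasource (here a constructed `org-a-*`) and inspects every header line of an `_msearch` body, rejecting the request when any header names an index outside that pattern.

```python
import json
import fnmatch

# Constructed sample: one legitimate _msearch request for the org's own index,
# followed by a forged header line that names another organisation's index.
SAMPLE_BODY = (
    '{"index":"org-a-logs-2018.01","ignore_unavailable":true}\n'
    '{"size":0,"query":{"match_all":{}}}\n'
    '{"index":"org-b-logs-*","ignore_unavailable":true}\n'
    '{"size":0,"query":{"match_all":{}}}\n'
)

def parse_msearch(body):
    """Split an _msearch NDJSON body into (header, query) pairs."""
    lines = [ln for ln in body.split("\n") if ln.strip()]
    if len(lines) % 2:
        raise ValueError("msearch body must be header/query line pairs")
    return [(json.loads(lines[i]), json.loads(lines[i + 1]))
            for i in range(0, len(lines), 2)]

def header_indices(header):
    """Indices named by a header: 'index' may be a string, a comma list, a JSON list, or absent."""
    idx = header.get("index")
    if idx is None:
        return []
    if isinstance(idx, str):
        return [p.strip() for p in idx.split(",")]
    return [str(p) for p in idx]

def index_allowed(name, allowed_patterns):
    """Plain names must match a permitted pattern; a requested wildcard is only accepted verbatim."""
    if name in ("", "_all") or name.startswith("-"):
        return False
    if any(ch in name for ch in "*?<"):   # Elasticsearch would expand these itself
        return name in allowed_patterns
    return any(fnmatch.fnmatchcase(name, pat) for pat in allowed_patterns)

def check_msearch(body, allowed_patterns):
    """Return (ok, rejected): ok is False when any header names an index outside the datasource's pattern."""
    rejected = []
    for header, _query in parse_msearch(body):
        names = header_indices(header)
        if not names:          # no index at all would search every index
            rejected.append("<all indices>")
        rejected.extend(n for n in names if not index_allowed(n, allowed_patterns))
    return (not rejected, rejected)

if __name__ == "__main__":
    print(check_msearch(SAMPLE_BODY, ["org-a-*"]))   # (False, ['org-b-logs-*'])
```

A rejected result should be logged with the Grafana user and datasource id from the proxied request, since a forged index name is a clear signal of a tampered client.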