I’m sorry for the dumb question I’m about to ask, but consider that I’m very new to Grafana and I want to know if it fits my use case.
I’m looking forward to building custom dashboards for each user registered on a system which uses Elasticsearch for storing data.
The system does not have an API from which you can fetch the data. It just stores the data in Elasticsearch.
My goal is to present a custom dashboard for each user registered in the system.
However, since the user would NOT be allowed to interact with the Elasticsearch datasource itself (so not be able to run any query by tampering with the dashboard) I am looking for a component which can provide a layer for handling this kind of situation.
Also, the user would NOT be allowed to modify the dashboard view itself.
So, my (dumb) question is: is the open source version of Grafana only a “front-end” dashboard that communicates with Elasticsearch by directly running queries to fetch the data it needs, or is there also some kind of “back-end” that handles the requests?
Not a dumb question at all! I do not personally use Elasticsearch, but I believe it’s just like any other datasource (Prometheus, SQL, InfluxDB, etc.). Grafana OSS (or Grafana Cloud) is used as a “front end” to run the queries of that datasource.
I still don’t understand a thing.
You said that “Grafana OSS (or Grafana Cloud) is used as a “front end” to run the queries of that datasource”.
So, considering it’s the front end (the dashboard) that builds the queries to send to the datasource (in this case Elasticsearch), how is it possible that the user won’t be able to tamper with the dashboard and launch a query by himself to send to Elasticsearch?
If the control of the queries is in the front end itself, shouldn’t the user be able to tamper with them?
Hi @ginoliuz. For each Grafana user, there is a View Only setting that would restrict the person from being able to edit the query. All they could do is use the time selector or select a variable if you put it in there. So each View Only user could not tamper with the data source or the query being run. Does that make sense?
And what if the user tampers directly with the request being sent by the browser?
Like by going to Chrome developer tools, intercepting the request, analysing it and editing the request being sent to the Elasticsearch API?
Would that be feasible for a skilled enough user?
P.S. I’m not questioning the validity of your answers. I just want to understand and be 100% sure the user CANNOT interact with the db in any scenario whatsoever, even if he/she is skilled enough to tamper with the requests being sent to the Elasticsearch API.
@ginoliuz I have never considered the security of traffic being sent by the browser to the data source (e.g. using Chrome developer tools, etc.). Maybe someone else on the forum with more experience in that area can comment.
I think the important point here is that the browser asks Grafana to display a
particular dashboard - the dashboard panels then tell Grafana what queries to
make against the back-end data store/s in order to produce that dashboard.
Provided your data source access mode is “Server” (which is the only possible
choice for Elasticsearch), the browser neither sees nor has access to the
actual queries between Grafana and ES.
So, the browser does not specify the queries, nor does it talk to the back-end
data store/s. All it could do differently is ask Grafana for another dashboard
(which for that user would also be view-only / read-only).