Making Grafana secure against query modification

Heya everyone,

I am trying to make a grafana-prometheus based graphing solution where our clients (We’re a server hosing company) would have access to graphs with data from their servers that we collect.

Issue is - We have only one central Prometheus instance with all the data of all the servers we manage. And currently, a skilled enough person can easily take the raw requests going off from the browser, modify them, and gain access to whatever Prometheus data they want from whatever server, even if their role is just a viewer, so long as they have an account.

That is too insecure for me to allow all of our customers access.

Is there a way to secure Grafana against such an attack? I was partially successful by making (frankly hackish) filter in Nginx that filters request to query and query_range endpoints, and only allows requests that contain a label variable “instance” with a value from a white list, but as with any other hack solutions, it is prone to fall apart with any update in the future.

Not to mention that this approach is no longer functional in Grafana 8.x, as the query parameters were moved to the body of the request, encoded in JSON.

What I need then is one of the following:
1 - Secure Grafana against request forgery / modification
2 - Make certain parameters non-modifiable even to editors – We pick specific server from our data via label parameters.

Is either of the two possible?

  • What Grafana version and what operating system are you using?
    Debian 10 Buster – Grafana 7.4.3
1 Like