Prevent user giving a template value?


I’ve only recently discovered that even if I give a custom template list or even one based on a query, the user can type whatever in the template box and that would be a valid variable.

Is there no way of limiting the user to only the custom values or query result values that I design?

Thanks again


What data source are you using? If you’re not using adhoc variables you shouldn’t be able to insert whatever value in variable drop downs. Could you give some more details of your problem, maybe screenshot.




It’s not datasource related. I’ve tested with mysql and elastic. In both cases the value inserted to the template variable search box (plus enter) will result in a query with the template variable set to anything I type in the search box.I’ve tested with custom template variable and query variable. Same result. User can bypass the given list by typing to search box and pressing enter.

I’ll try to send a screenshot later on but trust me, it works.

Yes, this is a feature that was added on purpose in Grafana 2.1:

I hope you are not depending on this as a form of security. Grafana does not provide any fine-grained security for querying data sources (and probably never will as that should be done in the database). If a user belongs to an organization then they can query the data source.


not really from a security aspect in the purest sense, but it would have prevented friendly users from accessing information that is not intended for them. I’ve already seen the issues with the client based data plugins and you are correct that grafana offers nothing in the form of data source protection. Proxies or database security is needed to prevent accessing unauthorized data.

I have wondered why there is not a separate “free text” template variable that would have been used for this purpose but this “feature” explains that a bit.

Maybe a checkbox that would prevent friendly users from doing things outside of what the dashboard designer intended would have been nice…?