We were planning to use Grafana to give external organisations access to some dashboards which would used SQL datasource but our brief investigation showed that it would be completely unsecure since apparently in case of SQL Grafana’s frontend just sends raw SQL query to backend so once a user is authenticated he can just issue any SQL query to the same backend to get any data from DB.
I might be wrong about it so I just wanted to confirm if this is indeed the case.
Normally, for secure solution, SQL would never leave backend (would be stored there) with frontend being able to only call predefined stored SQL but looks like it isn’t a case for Grafana.
Maybe the situation is different for other data sources but it seems that
SQL + muti-tenancy = unsecure solution at least for now if I am not mistaken.