Hi
I would like to embed a Grafana panel in a website, but I am wondering how to add security. All the blogs I read have not had any solution to this.
The only way I have implemented so far is to enable Grafana anonymous mode for an organisation, put an Apache reverse proxy between Grafana and the web site, and verify in Apache that the server URL is from my site.
But is there a better way? I tried to add authentication headers for Apache to the iframe using JavaScript but had no success with that.
Hi
I am not happy using Grafana in anonymous mode for security reasons, as it only supports one organisation to my knowledge. We have many customers and want to embed a different panel for each customer, and we then have to use Grafana on a public URL even with a reverse proxy for the iframe content.
Putting a reverse proxy in place and just verifying the source URL: this URL can be hacked, I think.
So, Grafana does not seem suited to putting a Grafana panel into a third-party web site with really good security? We authenticate users but do not want them cutting/pasting the URL inside the frame and potentially sharing it, or hacking the panel ID to see another customer.
Perhaps some type of snapshot sharing solution would work, although it involves a lot of extra work on our side to manage this: limited access, timeout, etc. We want to host our own snapshots for privacy reasons.
This is incorrect. Grafana has multi-tenant support (you can create multiple organizations that do not have access to other organizations' dashboards).
I see that I can use the snapshot feature to deploy the grafana dashboard/panel to Raintank, which has anonymous access.
And then on the raintank grafana dashboard, I can share that to get an iframe to embed somewhere else, that anyone can view without logging in.
But then when I embed that iframe on Confluence, I get CORS issues, such as
"Access to fetch at 'https://snapshot.raintank.io/img/online.svg' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
Has anything changed here, as I have a need to embed a Grafana iframe into SharePoint? Of course it works (using anonymous access), but only if you want the entire internet to have access to your Grafana instance. Surely there must be a Grafana solution to this problem???
We've recently published a blog with a lot of details about iFrame embedding and security issues associated with various Grafana settings, in part to address this thread and others like it. Please refer to it (including @mauriceatkinson ) for the best available answers and security guidance.