I’m sorry for asking a question which is probably going to sound dumb. I’m pretty new to Grafana having come from Datadog.
I’m trying to share a panel to a webpage without having the users log into Grafana. I can make the server an anonymous login but I’m worried about the security implications of that. We don’t want users to have the ability to change dashboards or panels. I was excited for a minute when I found the Snapshot option using snapshot.raintank.io but quickly found out that shared PNG will never update. In Datadog I was able to export a graph that would update using the iframe but I can’t seem to figure it out in Grafana. Any help or pointers would be appreciated.
Hi @mjohnston - you can use your own domain/storage instead of raintank if you have server-level access to edit the configuration file. Our documentation has instructions for storage providers that are S3 compatible - https://grafana.com/docs/grafana/latest/administration/configuration/#external_image_storages3
For making dashboards public you need to authenticate anonymous viewers: https://grafana.com/docs/grafana/latest/auth/overview/#anonymous-authentication
There’s also another permission to deny edit permissions to viewers here:
Thank you for the reply @samcoren. By authenticating anonymous views aren’t I opening up all my dashboards for modification by anyone? We have many dashboards that we don’t want public and setting anonymous that opens them all that up, correct? Sorry, as I said, I’m new to Grafana.
That’s what the
viewers_can_edit setting for the configuration file is for. People can shuffle the dates around but it doesn’t commit any changes to the actual dashboard. When a public viewer reloads it reverts back to how the original saved dashboard is set up. You can “play” around on play.grafana.com playground to see what I mean as an example. When you zoom in or out of time ranges it changes the url parameter to account for what time range was selected, but if a user closes out the window and comes back to that play.grafana.com url it won’t change how you set up the dashboard.
If you enable anonymous viewing for your org, yes every graph in there is potentially available to be viewed by everyone. As mentioned, they won’t be able to edit (as long as you don’t enable anonymous editing) but can view.
A couple options you could explore:
- Setup separate orgs and create one for all your anonymous graphs. Anonymous viewing is only for the one org you specify.
- You could look as folder permissions. I think you can deny anonymous viewing on folders. If this works (you would need to verify) it would be similar to the orgs approach but it’d keep everything in one org and segregate with folders.