Viewer permission and possible security breach

fredduwez · March 12, 2018, 9:58pm

Hi,

I am very happy with the new permission feature, but I am a bit puzzled by the following statement I found in the documentation:

Permissions on dashboards and folders do not include permissions on data sources. A user with Viewer role can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.

How a viewer could possibly issue such a request ? Could you illustrate the security breach with an example ?

Regards

n3k232 · March 22, 2018, 12:30pm

If you use a InfluxDB Datasource, a Viewer can see every Query Grafana is Sending to the Backend via Browser Development Tools and if he can see these Queries the viewer can manipulate and send them again.

fredduwez · March 26, 2018, 1:24pm

Is there no encryption of the query ?

n3k232 · March 26, 2018, 4:26pm

Nope, i tried it by my Self and ist hope this will be fixed soon