Viewer permission and possible security breach

fredduwez · March 12, 2018, 9:58pm

Hi,

I am very happy with the new permission feature, but I am a bit puzzled by the following statement I found in the documentation:

Permissions on dashboards and folders do not include permissions on data sources. A user with Viewer role can still issue any possible query to a data source, not just those queries that exist on dashboards he/she has access to.

How a viewer could possibly issue such a request ? Could you illustrate the security breach with an example ?

Regards

n3k232 · March 22, 2018, 12:30pm

If you use a InfluxDB Datasource, a Viewer can see every Query Grafana is Sending to the Backend via Browser Development Tools and if he can see these Queries the viewer can manipulate and send them again.

fredduwez · March 26, 2018, 1:24pm

Is there no encryption of the query ?

n3k232 · March 26, 2018, 4:26pm

Nope, i tried it by my Self and ist hope this will be fixed soon

Topic		Replies	Views
Grafana viewer permission on datasource MSSQL mssql	3	511	June 5, 2020
Hide folders/dashboards from specific users Grafana Cloud	4	5276	February 12, 2021
Security Risk: viewers can edit dashboards, but not save Grafana permissions , dashboard	2	82	July 30, 2024
Cannot view dashboards with viewer permission Configuration	1	2081	September 2, 2019
Manage dashboard permissions Dashboards permissions , dashboard	1	342	July 13, 2023

Viewer permission and possible security breach

Related topics