We have identified some security concerns while using Grafana. After clicking Save & Test for a data source and backing out, Chrome attempts to save the password and allows viewers to see the password used for the connection. Is this issue known and, if so, what is the solution or workaround?
I suspect that the fact that the credentials are exposed in this specific manner may not be intentional. But, independent of the situation you describe, keep in mind that there are still a number of cases where a user would be able to view datasource credentials, specifically for datasources where Basic Auth credentials are stored unencrypted (InfluxDB, MySQL).
- An admin user - i.e. a user who can access the datasource config page - can simply pull the config, including plaintext credentials, via the data source API
- For datasources accessed in Browser mode, a user’s browser front end would be provided with the data source credentials, so a reasonably savvy user would be able to grab these
This I think has been a known issue and there have been efforts to improve on it - see https://github.com/grafana/grafana/issues/10827. Based on that github issue being closed, I think the situation may be better in the latest Grafana versions.
I’d also be curious to hear from someone that’s more deeply familiar with the latest changes, on how to best safeguard data source credentials.
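As an added example (not part of either post above, and not Grafana's own code), the following script audits the two exposure paths the answer lists: plaintext secrets returned by the data source API, and data sources configured in Browser ("direct") access mode. It assumes the field names Grafana's `/api/datasources` response uses (`password`, `basicAuthPassword`, `secureJsonFields`, `access`); those are stated as an assumption in the code and may differ between versions. The sample records are constructed inline so the audit runs offline; `fetch_datasources` is provided for running it against a live instance with an Admin-role API key but is not called in the demo.

```python
"""Audit Grafana data sources for credential exposure via /api/datasources.

Added example, not Grafana project code. Field names below are an assumption
about the data source API response shape and may differ across versions.
"""
import json
import urllib.request

# Fields that older Grafana versions return in the clear to any admin caller.
PLAINTEXT_SECRET_FIELDS = ("password", "basicAuthPassword")


def fetch_datasources(base_url, api_key):
    """GET /api/datasources with an Admin-role API key (not called offline)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/datasources",
        headers={"Authorization": "Bearer " + api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_datasource(ds):
    """Return a list of (severity, message) findings for one data source record."""
    findings = []
    name = ds.get("name", "?")

    # 1. Secret present as a plaintext field: anyone who can call the API reads it.
    for field in PLAINTEXT_SECRET_FIELDS:
        if ds.get(field):
            findings.append(("high", f"{name}: '{field}' is returned in plaintext by the API"))

    # 2. Secret held in secureJsonData: the API only returns a boolean marker.
    secure = ds.get("secureJsonFields") or {}
    for field in PLAINTEXT_SECRET_FIELDS:
        if secure.get(field) and not ds.get(field):
            findings.append(("info", f"{name}: '{field}' is stored encrypted (secureJsonFields)"))

    # 3. Browser access mode: the viewer's browser talks to the backend directly,
    #    so the connection details (and any credentials) are shipped to the client.
    if ds.get("access") == "direct":
        msg = f"{name}: access mode 'direct' (Browser) sends connection details to the browser"
        if ds.get("basicAuth") or ds.get("user"):
            msg += ", including the data source credentials"
        findings.append(("high", msg))

    return findings


def audit_datasources(datasources):
    """Run audit_datasource over every record and flatten the findings."""
    out = []
    for ds in datasources:
        out.extend(audit_datasource(ds))
    return out


def exposed_names(datasources):
    """Names of data sources with at least one high-severity finding."""
    return {m.split(":", 1)[0] for sev, m in audit_datasources(datasources) if sev == "high"}


# Constructed sample records (not captured from a real instance).
SAMPLE_DATASOURCES = [
    {   # Legacy-style record: Basic Auth password stored unencrypted, Browser mode.
        "id": 1, "name": "influx-legacy", "type": "influxdb", "access": "direct",
        "url": "http://influx:8086", "database": "metrics",
        "basicAuth": True, "basicAuthUser": "grafana", "basicAuthPassword": "s3cret",
        "jsonData": {}, "secureJsonFields": {},
    },
    {   # Record after moving the password into secureJsonData, proxied via Grafana.
        "id": 2, "name": "mysql-proxied", "type": "mysql", "access": "proxy",
        "url": "mysql:3306", "database": "app", "user": "grafana",
        "basicAuth": False, "jsonData": {},
        "secureJsonFields": {"password": True},
    },
]


if __name__ == "__main__":
    for severity, message in audit_datasources(SAMPLE_DATASOURCES):
        print(f"[{severity}] {message}")
```

To run it against a live instance, replace `SAMPLE_DATASOURCES` with `fetch_datasources("https://grafana.example", api_key)`; the call itself only works with an Admin-role key, which is exactly the point of the first bullet above. The fix for a `high` finding on a plaintext field is to re-save the data source so the secret lands in `secureJsonData`; the fix for `direct` access is to switch the data source to Server (proxy) access so the browser never receives the credentials.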