Where does Grafana construct queries?


We are currently using a Grafana dashboard to visualize data from Sentry. We would like to add more people to the organization with view privileges, meaning they should only be able to see the data queried in the dashboard. While reading this post, we came across this:

Grafana, by default, constructs queries on the frontend before sending them to your data source. This means those queries could be modified in the browser.

Our question is, will dashboards that are not public construct queries on the frontend? Would view-only members of the organization be able to modify these queries? In that case, would they be able to access any data from the data source?

Thank you in advance!

Yes. Yes. Yes. Maybe not in the UI directly, but a few clicks in standard dev tools and any data from the datasource can be queried. For example, check your browser console and you can edit and resend any query to the datasource:

So it is really bad practice to have authorization on the query level.

Thank you for the clarification!

The post mentioned in our previous question also includes the following line:

With public dashboards, we only use the queries stored in the database from the original dashboard and execute them on the backend. This prevents malicious users outside your Grafana instance from running arbitrary queries against your data source.

If I understand this correctly, queries from original dashboards are stored in a database and then public dashboards use those from the backend, making it impossible to edit and resend from the browser. This would mean public and private dashboards behave differently, one using queries from the database in the backend and the other constructing them in the frontend. Is that correct?

If so, is there any way to get the original private dashboard to behave like a public one, meaning a view-only user would not be able to edit and resend queries to the datasource?

Thanks again for the help.

I would say no. Unless you want to code that functionality on your own.


I see, thank you for the help!
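
One shape that "coding that functionality on your own" could take, as an added example that is not from the thread or from Grafana: a check, placed in a reverse proxy in front of Grafana's `/api/ds/query` endpoint, that rejects any query not identical to a target saved in the dashboard. The dashboard model, request bodies, datasource fields and the list of ignored fields are constructed assumptions.

```python
import json

# Per-request fields the frontend adds to each query (assumed list); ignored when comparing.
VOLATILE = {"intervalMs", "maxDataPoints", "datasourceId"}

def canonical(query):
    """Stable string form of a query with the volatile fields removed."""
    kept = {k: v for k, v in query.items() if k not in VOLATILE}
    return json.dumps(kept, sort_keys=True, separators=(",", ":"))

def allowed_queries(dashboard):
    """Canonical form of every target saved in the dashboard, including row panels."""
    allowed = set()
    for panel in dashboard.get("panels", []):
        allowed.update(canonical(t) for t in panel.get("targets", []))
        allowed |= allowed_queries(panel)  # collapsed rows nest their panels
    return allowed

def rejected_refids(body, allowed):
    """refIds in a query request body that match no saved target (empty list = pass)."""
    queries = body.get("queries")
    if not isinstance(queries, list) or not queries:
        return ["<no queries>"]
    bad = []
    for q in queries:
        if not isinstance(q, dict):
            bad.append("<malformed>")
        elif canonical(q) not in allowed:
            bad.append(str(q.get("refId", "?")))
    return bad

# Constructed sample data: a saved dashboard and two request bodies.
DS = {"type": "example-datasource", "uid": "ds1"}
STORED = {"panels": [{"id": 1, "targets": [
    {"refId": "A", "datasource": DS, "query": "is:unresolved project:web"}]}]}
AS_SAVED = {"from": "now-6h", "to": "now", "queries": [
    {"refId": "A", "datasource": DS, "query": "is:unresolved project:web",
     "intervalMs": 60000, "maxDataPoints": 500}]}
EDITED = {"from": "now-6h", "to": "now", "queries": [
    {"refId": "A", "datasource": DS, "query": "is:unresolved"}]}

if __name__ == "__main__":
    allowed = allowed_queries(STORED)
    print(rejected_refids(AS_SAVED, allowed))  # []
    print(rejected_refids(EDITED, allowed))    # ['A']
```

The comparison is strict, so it assumes saved queries without template variables (the frontend interpolates those before sending), and the `from`/`to` range remains client-controlled.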