mirror of
https://github.com/grafana/grafana.git
synced 2025-07-30 10:02:13 +08:00
7eb17bccca
* Set every page to have defaults of 'Enterprise' and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration pages to have of 'Cloud', 'Enterprise', and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/enterprise-licensing pages to have 'Enterprise' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/organization-management pages to have 'Enterprise' and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/provisioning pages to have 'Enterprise' and 'Open source' labels Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/recorded-queries pages to have labels cloud,enterprise * Set administration/roles-and-permissions/access-control pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set administration/stats-and-license pages to have labels cloud,enterprise * Set alerting pages to have labels cloud,enterprise,oss * Set breaking-changes pages to have labels cloud,enterprise,oss * Set dashboards pages to have labels cloud,enterprise,oss * Set datasources pages to have labels cloud,enterprise,oss * Set explore pages to have labels cloud,enterprise,oss * Set fundamentals pages to have labels cloud,enterprise,oss * Set introduction/grafana-cloud pages to have labels cloud Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix introduction pages products Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set panels-visualizations pages to have labels cloud,enterprise,oss * Set release-notes pages to have labels cloud,enterprise,oss * Set search pages to have labels cloud,enterprise,oss * Set setup-grafana/configure-security/audit-grafana pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set setup-grafana/configure-security/configure-authentication pages to have labels cloud,enterprise,oss * Set setup-grafana/configure-security/configure-authentication/enhanced-ldap pages to have labels cloud,enterprise * Set setup-grafana/configure-security/configure-authentication/saml pages to have labels cloud,enterprise * Set setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault pages to have labels cloud,enterprise * Set setup-grafana/configure-security/configure-request-security pages to have labels cloud,enterprise,oss Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set setup-grafana/configure-security/configure-team-sync pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set setup-grafana/configure-security/export-logs pages to have labels cloud,enterprise Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Set troubleshooting pages to have labels cloud,enterprise,oss * Set whatsnew pages to have labels cloud,enterprise,oss * Apply updated labels from review Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com> Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com> --------- Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com> Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
60 lines
3.5 KiB
Markdown
60 lines
3.5 KiB
Markdown
---
|
|
aliases:
|
|
- ../administration/security/
|
|
- ../installation/security/
|
|
description: Learn how to make Grafana secure.
|
|
labels:
|
|
products:
|
|
- enterprise
|
|
- oss
|
|
title: Configure security
|
|
weight: 600
|
|
---
|
|
|
|
# Configure security
|
|
|
|
If you run non-Grafana web services on your Grafana server or within its local network, then they might be vulnerable to exploitation through the Grafana data source proxy or other methods.
|
|
|
|
To prevent this type of exploitation from happening, we recommend that you apply one or more of the precautions listed below.
|
|
|
|
## Limit IP addresses/hostnames for data source URL
|
|
|
|
You can configure Grafana to only allow certain IP addresses or hostnames to be used as data source URLs and proxied through the Grafana data source proxy. Refer to [data_source_proxy_whitelist]({{< relref "../configure-grafana#data_source_proxy_whitelist" >}}) for usage instructions.
|
|
|
|
## Request security
|
|
|
|
The request security configuration option allows users to limit requests from the Grafana server. It targets requests that are generated by users. For more information, refer to [Request security]({{< relref "./configure-request-security" >}}).
|
|
|
|
{{% admonition type="note" %}}
|
|
Request security is available in Grafana Enterprise v7.4 and later versions.
|
|
{{% /admonition %}}
|
|
|
|
## Firewall rules
|
|
|
|
Configure a firewall to restrict Grafana from making network requests to sensitive internal web services.
|
|
|
|
There are many firewall tools available, refer to the documentation for your specific security tool. For example, Linux users can use [iptables](https://en.wikipedia.org/wiki/Iptables).
|
|
|
|
## Proxy server
|
|
|
|
Require all network requests being made by Grafana to go through a proxy server.
|
|
|
|
## Limit Viewer query permissions
|
|
|
|
Users with the Viewer role can enter _any possible query_ in _any_ of the data sources available in the **organization**, not just the queries that are defined on the dashboards for which the user has Viewer permissions.
|
|
|
|
**For example:** In a Grafana instance with one data source, one dashboard, and one panel that has one query defined, you might assume that a Viewer can only see the result of the query defined in that panel. Actually, the Viewer has access to send any query to the data source. With a command-line tool like curl (there are lots of tools for this), the Viewer can make their own query to the data source and potentially access sensitive data.
|
|
|
|
To address this vulnerability, you can restrict data source query access in the following ways:
|
|
|
|
- Create multiple data sources with some restrictions added in data source configuration that restrict access (like database name or credentials). Then use the [Data Source Permissions]({{< relref "../../administration/data-source-management#data-source-permissions" >}}) Enterprise feature to restrict user access to the data source in Grafana.
|
|
- Create a separate Grafana organization, and in that organization, create a separate data source. Make sure the data source has some option/user/credentials setting that limits access to a subset of the data. Not all data sources have an option to limit access.
|
|
|
|
## Implications of enabling anonymous access to dashboards
|
|
|
|
When you enable anonymous access to a dashboard, it is publicly available. This section lists the security implications of enabling Anonymous access.
|
|
|
|
- Anyone with the URL can access the dashboard.
|
|
- Anyone can make view calls to the API and list all folders, dashboards, and data sources.
|
|
- Anyone can make arbitrary queries to any data source that the Grafana instance is configured with.
|