Limit access to Grafana datasources per team.
When you're using Grafana datasource proxy feature (Access: Server (default) in datasource settings),
free version of Grafana does not implements any ACLs for that, and any user can query every datasource and
get metrics directly from it, even with Viewer rights.
Here is related issue.
Grafana Enterprise although implements this permissions.
This project implements simple reverse proxy, that should be installed to handle api/datasources/proxy.
Here how it works:
- Check that requested path actually contains
api/datasources/proxyto avoid proxying everything else; - Check that there is
grafana_sessionauthentication cookie present; - Get list of user's teams by authentication cookie;
- Check that at least on of the user's team have access to requested datasource;
- If everything is OK pass request to Grafana
Project is not production-ready and was build as an experiment. Use on your own risk.
Project supports only MySQL Grafana database backend (PR's welcome!)
Project was only tested againts Prometheus data sources
Project was only tested against Grafana 7
Project doest not supports non-standard Grafana auth cookie name (PR's welcome!)
There are multiple ways of installing grafana-datasource-auth-proxy.
helm repo add grafana-datasource-auth-proxy https://dmitryshaburov.github.io/grafana-datasource-auth-proxy/
helm repo update
helm install [RELEASE_NAME] grafana-datasource-auth-proxy/grafana-datasource-auth-proxydshaburov/grafana-datasource-auth-proxy
docker run -p 9608:9608 -v /etc/grafana-datasource-auth-proxy/config.yaml:/etc/grafana-datasource-auth-proxy/config.yaml dshaburov/grafana-datasource-auth-proxy:latestPrecompiled binaries for released versions are available in the Releases section.
You can checkout the source code and build manually:
git clone https://github.com/DmitryShaburov/grafana-datasource-auth-proxy.git
cd grafana-datasource-auth-proxy
go build .
./grafana-datasource-auth-proxy -config=config.yaml| Flag | Environment Variable | Default Value | Description |
|---|---|---|---|
| config | CONFIG_FILE | /etc/grafana-datasource-auth-proxy/config.yaml | Path to configuration file |
| listen-address | LISTEN_ADDRESS | :3000 | The address to listen on for HTTP requests |
| grafana-url | GF_SERVER_DOMAIN | grafana | Grafana remote origin host |
| grafana-secret | GF_SECURITY_SECRET_KEY | SW2YcwTIb9zpOOhoPsMm | Grafana encryption secret |
| db-database | GF_DATABASE_NAME | grafana | Grafana database name |
| db-host | GF_DATABASE_HOST | 127.0.0.1:3306 | Grafana database host and port |
| db-user | GF_DATABASE_USER | Grafana database user | |
| db-pass | GF_DATABASE_PASSWORD | Grafana database password | |
| log-format | LOG_FORMAT | txt | Log format, valid options are txt and json |
| log-level | LOG_LEVEL | info | Log level, valid options are trace, debug, info, warn, error, fatal and panic |
See config.yaml for example configuration file.
See values.yaml for full list of available Helm chart values and their default configuration.
PRs on Feature Requests, Bug fixes are welcome. Feel free to open an issue and have a discussion first. Contributions on more alert scenarios, more metrics are also welcome and encouraged.