From f468977d9127c0d98151ad5cfe8873625b4ec163 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 20 Feb 2024 20:03:37 -0600 Subject: [PATCH] grafana: Enable send_user_header option I discovered today that if anonymous Grafana users have Viewer permission, they can use the Datasource API to make arbitrary queries to any backend, even if they cannot access the Explore page directly. This is documented ([issue #48313][0]) as expected behavior. I don't really mind giving anonymous access to the Victoria Metrics datasource, but I definitely don't want anonymous users to be able to make Loki queries and view log data. Since Grafana Datasource Permissions is limited to Grafana Enterprise and not available in the open source version of Grafana, the official recommendation from upstream is to use a separate Organization for the Loki datasource. Unfortunately, this would preclude having dashboards that have graphs from both data sources. Although I don't have any of those right now, I like the idea and may build some eventually. Fortunately, I discovered the `send_user_header` Grafana configuration option. With this enabled, Grafana will send an `X-Grafana-User` header with the username of the user on whose behalf it is making a request to the backend. If the user is not logged in, it does not send the header. Thus, we can detect the presence of this header on the backend and refuse to serve query requests if it is missing. [0]: https://github.com/grafana/grafana/issues/48313 --- grafana/grafana.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/grafana/grafana.ini b/grafana/grafana.ini index c819dce..af259ef 100644 --- a/grafana/grafana.ini +++ b/grafana/grafana.ini @@ -149,7 +149,7 @@ max_idle_connections = 100 idle_conn_timeout_seconds = 90 # If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request. -send_user_header = false +send_user_header = true #################################### Analytics ########################### [analytics]