# README
Grafana Datasource Auth Proxy
Limit access to Grafana datasources per team.
Table of Contents
About
Project topic
When you're using Grafana datasource proxy feature (Access: Server (default) in datasource settings),
free version of Grafana does not implements any ACLs for that, and any user can query every datasource and
get metrics directly from it, even with Viewer rights.
Here is related issue.
Grafana Enterprise although implements this permissions.
This project implements simple reverse proxy, that should be installed to handle api/datasources/proxy.
Here how it works:
- Check that requested path actually contains
api/datasources/proxyto avoid proxying everything else; - Check that there is
grafana_sessionauthentication cookie present; - Get list of user's teams by authentication cookie;
- Check that at least on of the user's team have access to requested datasource;
- If everything is OK pass request to Grafana
Limitations
Project is not production-ready and was build as an experiment. Use on your own risk.
Project supports only MySQL Grafana database backend (PR's welcome!)
Project was only tested againts Prometheus data sources
Project was only tested against Grafana 7
Project doest not supports non-standard Grafana auth cookie name (PR's welcome!)
Usage
Installation
There are multiple ways of installing grafana-datasource-auth-proxy.
Running from Helm chart
helm repo add grafana-datasource-auth-proxy https://dmitryshaburov.github.io/grafana-datasource-auth-proxy/
helm repo update
helm install [RELEASE_NAME] grafana-datasource-auth-proxy/grafana-datasource-auth-proxy
Running as Docker container
dshaburov/grafana-datasource-auth-proxy
docker run -p 9608:9608 -v /etc/grafana-datasource-auth-proxy/config.yaml:/etc/grafana-datasource-auth-proxy/config.yaml dshaburov/grafana-datasource-auth-proxy:latest
Precompiled binaries
Precompiled binaries for released versions are available in the Releases section.
Compiling the binary
You can checkout the source code and build manually:
git clone https://github.com/DmitryShaburov/grafana-datasource-auth-proxy.git
cd grafana-datasource-auth-proxy
go build .
./grafana-datasource-auth-proxy -config=config.yaml
Configuration
Flags
| Flag | Environment Variable | Default Value | Description |
|---|---|---|---|
| config | CONFIG_FILE | /etc/grafana-datasource-auth-proxy/config.yaml | Path to configuration file |
| listen-address | LISTEN_ADDRESS | :3000 | The address to listen on for HTTP requests |
| grafana-url | GF_SERVER_DOMAIN | grafana | Grafana remote origin host |
| grafana-secret | GF_SECURITY_SECRET_KEY | SW2YcwTIb9zpOOhoPsMm | Grafana encryption secret |
| db-database | GF_DATABASE_NAME | grafana | Grafana database name |
| db-host | GF_DATABASE_HOST | 127.0.0.1:3306 | Grafana database host and port |
| db-user | GF_DATABASE_USER | Grafana database user | |
| db-pass | GF_DATABASE_PASSWORD | Grafana database password | |
| log-format | LOG_FORMAT | txt | Log format, valid options are txt and json |
| log-level | LOG_LEVEL | info | Log level, valid options are trace, debug, info, warn, error, fatal and panic |
YAML config
See config.yaml for example configuration file.
Helm chart
See values.yaml for full list of available Helm chart values and their default configuration.
Contribution
PRs on Feature Requests, Bug fixes are welcome. Feel free to open an issue and have a discussion first. Contributions on more alert scenarios, more metrics are also welcome and encouraged.