For implementing Grafana in Icinga we are using the iframe mode, because it is much faster and delivers more usability with zooming directly into the graphs and showing tooltips. But the fact that iframe mode still needs anonymous login activated in Grafana is a really big security issue, because everybody with the Viewer role is able to address queries to all configured datasources.
Expected Behavior
We would expect to be able to configure an API token to be used for iframe mode, or to use the credentials of the logged-in Icinga user to pass through to Grafana automatically.
Current Behavior
With anonymous access enabled, iframe mode works fine, but everybody else can also access the Grafana dashboards and send individual queries to all configured datasources, which is a real security issue.
With anonymous access disabled, Icinga users (authorized via LDAP, same as in Grafana) see the login mask in the iframe and have to log in again to view the graphs in Icinga Web 2.
Possible Solution
Passing through the logged-in user credentials into the iframe login, or using a predefined API token to fetch the graphs like in indirect proxy mode.
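As an added illustration (not part of the original issue or of the module's code), the two grafana.ini fragments below contrast the anonymous-access setting that iframe mode currently relies on with Grafana's built-in auth.proxy mode, which is one way to realise the "pass through the logged-in user" idea: a reverse proxy that has already authenticated the Icinga Web 2 user sets a trusted identity header, and Grafana signs that user in without a second login mask. The header name, the whitelisted proxy address and the org role are assumptions; the fragments are alternatives, not one file.

```ini
; ---- Fragment A: today's iframe setup ----
; Every visitor, authenticated or not, becomes a Viewer in the org and can
; run ad-hoc queries against every datasource that org can see.
[auth.anonymous]
enabled = true
org_name = Main Org.
org_role = Viewer

[security]
; required for Grafana to allow itself to be embedded in an iframe at all
allow_embedding = true

; ---- Fragment B: trust an identity header from an authenticating reverse proxy ----
; Nothing is served to unauthenticated visitors any more.
[auth.anonymous]
enabled = false

[auth.proxy]
enabled = true
; assumed header name; the proxy in front of Grafana sets it to the
; username of the user already logged in to Icinga Web 2
header_name = X-WEBAUTH-USER
header_property = username
; create the Grafana account on first visit (assumes the LDAP usernames match)
auto_sign_up = true
; Grafana trusts the header blindly, so only accept it from the proxy itself.
; Assumed address: the proxy runs on the same host.
whitelist = 127.0.0.1
; do not mint a separate Grafana session cookie from the header
enable_login_token = false

[security]
allow_embedding = true
```

Fragment B only holds if the proxy is the sole network path to Grafana, since any client that can reach Grafana directly could set the header itself. The signed-in user keeps the role assigned to their own Grafana account, so iframe viewers no longer share a blanket anonymous Viewer identity.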