Data source security in Grafana: Best practices and what to avoid
Recently, an incorrect security report was published, claiming that there’s a SQL injection attack in Grafana. As we have communicated to the security researcher, this report is wrong. Authenticated users in Grafana have the same permissions as the user configured for the underlying data source. This is not a security issue, but is in fact the intended and documented behavior for authenticated users, and foundational to both Grafana’s “big tent” strategy and the high performance of Grafana.
Since this has been a point of confusion for users, we wanted to create a public resource explaining how credentials and permissions in Grafana interact, and sharing best practices for data source security in Grafana.