Page MenuHomePhabricator

Restrict edit rights in grafana / enable dashboard deletion
Closed, ResolvedPublic

Description

It seems that anonymous users can actually save and modify dashboards in grafana. Should we limit the save / deletion functionality in some way, perhaps the same way graphite is limited? So far vandalism has not been an issue, but it seems that it would be a matter of time.

Somewhat related, dashboard deletion is currently disabled by blocking the 'delete' verb in the Apache proxy in front of ElasticSearch. If we locked down editing, we might be able to open that up to authenticated users so that dashboard deletion in grafana would work as expected.

Event Timeline

GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description. (Show Details)
GWicke added subscribers: GWicke, yuvipanda, ori.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 24 2015, 1:22 AM
GWicke set Security to None.Mar 24 2015, 1:22 AM
GWicke added a subscriber: Eevans.
GWicke updated the task description. (Show Details)Mar 24 2015, 5:24 PM
GWicke added a subscriber: bd808.
GWicke renamed this task from Restrict edit rights in grafana? to Restrict edit rights in grafana / enable dashboard deletion.Mar 24 2015, 5:26 PM
GWicke updated the task description. (Show Details)Mar 24 2015, 5:30 PM
This comment was removed by Eevans.
GWicke added a comment.EditedMar 24 2015, 7:46 PM

@Eevans, it might make sense to add your comment to T88585 / T78514 or create a new task for pre-generating the JSON definition for the grafana dashboards of a class of services.

fgiunchedi triaged this task as Medium priority.Apr 2 2015, 9:44 AM
fgiunchedi added a subscriber: fgiunchedi.
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 2 2015, 12:10 AM
GWicke updated the task description. (Show Details)Sep 10 2015, 6:16 PM
Gilles added a subscriber: Gilles.Sep 15 2015, 11:10 AM

Hasn't this been implemented now? Yesterday I was using grafana and it only prompted me for credentials when I tried to save a dashboard.

Thanks :) @GWicke are all your wishes granted, then? Can we close this?

Dzahn closed this task as Resolved.Sep 16 2015, 12:32 AM
Dzahn claimed this task.
Dzahn added a subscriber: Dzahn.

Claiming it's resolved per "<Limit POST PUT DELETE>" in the second linked patch. @GWicke ok?

@Dzahn, yes indeed. Thanks, @ori!