Menu should not be displayed to unauthenticated users #203
Comments
This is a Grafana issue. But what do you want to achieve by making the menu accessible? It contains only configuration pages.
I would like the opposite, the menu to not be accessible. Are you talking about the Zabbix menu item or the entire menu itself? I would love to be able to display a dashboard without a menu at all (the entire top bar) for the public, but have not seen a way to do that. The particular thing I'm talking about here however is that since the menu (top bar) is visible, if you click the Grafana icon, one of the items is a Zabbix menu item. For non-authenticated users, this should not show up at all. Here are screenshots to show what I am referring to... The Zabbix menu item should not display in the second case.
I see. This is Grafana's default behavior. You can open an issue in the Grafana repo.
Ok great, thanks for the help and the awesome plugin!!
Created the issue here: grafana/grafana#4784 ... if you're interested.
Ok, will track it.
Hey @alexanderzobnin, it looks like we need to add a role to the two menu items that are at the top level so that they will not be shown unless a user is logged in. When I add these however the main menu doesn't completely disappear but the sub menus do. Also, when logged in the sub menus do not appear any longer when following the suggestions of @torkelo. Any thoughts?
@phutchins The Zabbix plugin has two bundled dashboards that are linked to from the menu, so it should be shown to anonymous users. Why do you want to hide the links to these dashboards?
It should definitely not be shown to anonymous users (in my case) unless I choose. I do not want unauthenticated users to even know that I run Zabbix as the more that an attacker knows, the more attack vectors there are. I'm trying to expose a single dashboard to the public and nothing more. Ideally, the top bar would not even display in my case.
@phutchins Not sure Grafana is built for your case. If you expose one dashboard you expose the Zabbix data source, so anyone with HTTP knowledge could inspect the HTTP requests and issue any metric query. Don't think Zabbix has any "per metric" security, and Grafana data proxy does not add any "per metric" security, it will proxy any request to the Zabbix API.
@torkelo ah. I'd assumed that when in proxy mode, the back end was only querying Zabbix for stats on the current dashboard. The Zabbix user that I'm using is read-only but that's still scary that any request could be proxied. I may have to take a different approach or look into contributing. Any idea how much effort it would take to check proxied requests on the back end against what the dashboard should be querying?
@torkelo Is there any detailed information on how the proxy setting works for datasource connections? Does it not keep the connection only on the back end then send the data to the client? The client should not be able to sniff any credentials or connection info to the data source if this is set, correct?
Also, @alexanderzobnin might you have any time to look into updating the roles as mentioned above?
@phutchins it depends; for some data sources like InfluxDB the authentication (InfluxDB password) is hidden and never seen over the wire to the browser. Basic auth username and password is also never transferred to the browser. But besides those all HTTP traffic is just proxied so anyone with HTTP skills can do anything against the time series backend.
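A sketch of the back-end check asked about in the comments above, added here as an example (it is not Grafana's or the plugin's code): a filter that something sitting in front of the Zabbix API could apply to each proxied JSON-RPC body. The allowed methods and item ids are constructed values for a hypothetical public dashboard, and `check_proxied_request` is a hypothetical helper name.

```python
import json

# Assumed policy for one public dashboard (constructed values, not from the
# thread): the only Zabbix API methods and item ids its panels need.
ALLOWED_METHODS = {"history.get", "trend.get"}
ALLOWED_ITEMIDS = {"23296", "23297"}


def check_proxied_request(raw_body):
    """Return (allowed, reason) for one JSON-RPC body headed to the Zabbix API."""
    try:
        req = json.loads(raw_body)
    except ValueError:  # covers invalid JSON and undecodable bytes
        return False, "body is not valid JSON"
    # JSON-RPC permits batches (a list of calls); refuse instead of half-checking.
    if not isinstance(req, dict):
        return False, "not a single JSON-RPC object"
    method = req.get("method")
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        return False, "method not allowed"
    params = req.get("params")
    if not isinstance(params, dict):
        return False, "params must be an object"
    itemids = params.get("itemids")
    # The API accepts one id or a list of ids; normalise to a list.
    if isinstance(itemids, (str, int)) and not isinstance(itemids, bool):
        itemids = [itemids]
    if not isinstance(itemids, list) or not itemids:
        return False, "itemids missing, query would be unbounded"
    outside = sorted({str(i) for i in itemids} - ALLOWED_ITEMIDS)
    if outside:
        return False, "itemids outside the dashboard: " + ", ".join(outside)
    return True, "ok"


# Constructed sample bodies, as a browser could send them through the proxy.
SAMPLES = {
    "panel query": b'{"jsonrpc":"2.0","method":"history.get",'
                   b'"params":{"itemids":["23296"],"time_from":1460000000},"id":1}',
    "other item": b'{"jsonrpc":"2.0","method":"history.get",'
                  b'"params":{"itemids":["23296","99999"]},"id":2}',
    "other method": b'{"jsonrpc":"2.0","method":"user.get",'
                    b'"params":{"output":"extend"},"id":3}',
    "no item filter": b'{"jsonrpc":"2.0","method":"history.get",'
                      b'"params":{"history":0,"limit":100},"id":4}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_proxied_request(body))
```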
@alexanderzobnin are you still working on this?
@alexanderzobnin Thanks for reopening this issue. If you need a tester, let me know.
When sharing a dashboard in grafana, an unauthenticated user can click the grafana menu button in the top left and will see a Zabbix menu item. It says permission denied when it is clicked but it should not be displayed.
I'd be glad to submit a PR if you can give me some guidance as to where the code that handles this is and any helpful insight.