Public sharing and security

I’m using Grafana with InfluxDB and have built a couple of dashboards for private use. I must say I love the ease of use and flexibility that Grafana offers. I currently have Grafana behind a firewall and access it through an SSH tunnel (port forwarding).

For my latest Grafana project I have built visualizations/dashboards for trading-related data. I really like the insights they provide and I would like to share them with the world. So I would like to offer public anonymous access to several of these dashboards. However, I need to do it in a safe way. Initially I thought that generating snapshots would be the best and safest option, because I could just generate the snapshots and then serve them from another web server. However, this will not work well for two reasons: Firstly, I need to update these snapshots frequently (several times per minute). This will take up too many CPU resources and it will also increase bandwidth. Secondly, my users will lose the ability to interact with the charts, and I think that is important in this case.

So the best option would be to allow public access to the dashboards. Anonymous access would be a big bonus. So I have been reading about the Authproxy. The ability to auto sign-up users and assign them a role with limited permissions sounds really promising. I have Apache installed and could use that as a reverse proxy as suggested in the article. I don’t understand all the technical aspects of the proxy approach but I hope I can get it working. One big question remains: Is it safe to give public access this way, or will it for example be easy for an attacker to delete InfluxDB data or gain access to the server? It is not that the information in Grafana or InfluxDB is sensitive in any way, but security on the server is quite important to me and I don’t want to provide an attacker an easy way in.

It depends on how you expose your InfluxDB. When you add a data source to InfluxDB via the proxy mode you give all your InfluxDB users full access to InfluxDB (with the InfluxDB user you used, so all the permissions you have given that user in InfluxDB). So if you use an InfluxDB user with admin permissions, then yes, any user could do some destructive things.

The main thing to think about is that even if you expose just one dashboard, the InfluxDB is going to be accessible, so any user who knows HTTP can issue any query, as Grafana's data source proxy will allow the requests if the user can authenticate with Grafana.

Yes, I see what you mean. So I have set up authentication for InfluxDB and created separate InfluxDB users with different permissions. For Grafana I have created a special InfluxDB user that only has read access to one database. Thank you for pointing me in the right direction!
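
A check for the setup described in the last post, added here as an example and not code from the thread: it reads the JSON that InfluxDB returns for `SHOW USERS` and `SHOW GRANTS FOR <user>` and reports anything beyond READ on a single database for the account Grafana's data source uses. InfluxDB 1.x is assumed; the user names, the database name and the sample responses are constructed.

```python
import json

# Constructed sample responses, in the JSON shape returned by the InfluxDB 1.x
# /query endpoint (assumed version). User and database names are hypothetical.
SHOW_USERS = json.loads("""{"results":[{"statement_id":0,"series":[{
  "columns":["user","admin"],
  "values":[["admin",true],["grafana_ro",false],["grafana_old",true]]}]}]}""")
SHOW_GRANTS = {
    "grafana_ro": json.loads("""{"results":[{"statement_id":0,"series":[{
      "columns":["database","privilege"],"values":[["trading","READ"]]}]}]}"""),
    "grafana_old": json.loads("""{"results":[{"statement_id":0,"series":[{
      "columns":["database","privilege"],
      "values":[["trading","ALL PRIVILEGES"],["_internal","READ"]]}]}]}"""),
}


def rows(response):
    """Flatten a /query response into a list of {column: value} dicts."""
    out = []
    for result in response.get("results", []):
        if "error" in result:
            raise ValueError(result["error"])
        for series in result.get("series", []):
            out.extend(dict(zip(series["columns"], v)) for v in series.get("values", []))
    return out


def audit(user, users_resp, grants_resp, allowed_db):
    """Return findings for `user`; an empty list means READ on allowed_db only."""
    admins = {r["user"]: r["admin"] for r in rows(users_resp)}
    if user not in admins:
        return [f"{user}: no such user"]
    findings = []
    if admins[user]:
        findings.append(f"{user}: admin user, can drop data and manage users")
    for g in rows(grants_resp):
        if g["database"] != allowed_db:
            findings.append(f"{user}: {g['privilege']} on unexpected database {g['database']}")
        elif g["privilege"] != "READ":
            findings.append(f"{user}: {g['privilege']} on {allowed_db}, expected READ")
    return findings


if __name__ == "__main__":
    for name, grants in SHOW_GRANTS.items():
        print(name, audit(name, SHOW_USERS, grants, "trading") or "OK")
```

Run it against the account configured in the Grafana data source whenever grants change; any non-empty result means queries sent through the data source proxy can do more than read the one database.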