Commit fd5fa402 by Leonard Gram Committed by GitHub

Docs: request security (#30937)

* Docs: request security

* Docs: lists the section in all examples

* typo

* Update docs/sources/enterprise/_index.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* whats new

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

* Update docs/sources/whatsnew/whats-new-in-v7-4.md

Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

* final edits

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
parent 7fe9ac3b
...@@ -50,6 +50,7 @@ With Grafana Enterprise, you get access to new features, including: ...@@ -50,6 +50,7 @@ With Grafana Enterprise, you get access to new features, including:
- [Usage insights]({{< relref "usage-insights/_index.md" >}}) to understand how your Grafana instance is used. - [Usage insights]({{< relref "usage-insights/_index.md" >}}) to understand how your Grafana instance is used.
- [Vault integration]({{< relref "vault.md" >}}) to manage your configuration or provisioning secrets with Vault. - [Vault integration]({{< relref "vault.md" >}}) to manage your configuration or provisioning secrets with Vault.
- [Auditing]({{< relref "auditing.md" >}}) tracks important changes to your Grafana instance to help you manage and mitigate suspicious activity and meet compliance requirements. - [Auditing]({{< relref "auditing.md" >}}) tracks important changes to your Grafana instance to help you manage and mitigate suspicious activity and meet compliance requirements.
- [Request security]({{< relref "request-security.md" >}}) makes it possible to restrict outgoing requests from the Grafana server.
## Enterprise plugins ## Enterprise plugins
...@@ -70,4 +71,3 @@ With a Grafana Enterprise license, you get access to premium plugins, including: ...@@ -70,4 +71,3 @@ With a Grafana Enterprise license, you get access to premium plugins, including:
To purchase or obtain a trial license contact the Grafana Labs [Sales Team](https://grafana.com/contact?about=support&topic=Grafana%20Enterprise). To purchase or obtain a trial license contact the Grafana Labs [Sales Team](https://grafana.com/contact?about=support&topic=Grafana%20Enterprise).
...@@ -304,3 +304,25 @@ Time until expiration for tokens which are renewed. Should have a value higher t ...@@ -304,3 +304,25 @@ Time until expiration for tokens which are renewed. Should have a value higher t
### lease_renewal_increment ### lease_renewal_increment
New duration for renewed tokens. Vault may be configured to ignore this value and impose a stricter limit. New duration for renewed tokens. Vault may be configured to ignore this value and impose a stricter limit.
## [security.egress]
> **Note:** Available in Grafana Enterprise v7.4 and later versions.
Security egress makes it possible to control outgoing traffic from the Grafana server.
### host_deny_list
A list of hostnames or IP addresses separated by spaces for which requests are blocked.
### host_allow_list
A list of hostnames or IP addresses separated by spaces for which requests are allowed. All other requests are blocked.
### header_drop_list
A list of headers that are stripped from the outgoing data source and alerting requests.
### cookie_drop_list
A list of cookies that are stripped from the outgoing data source and alerting requests.
+++
title = "Request security"
description = "Grafana Enterprise request security"
keywords = ["grafana", "security", "enterprise"]
weight = 110
+++
# Request security
> **Note:** Available in Grafana Enterprise v7.4 and later versions.
Request security makes it possible to limit requests from the Grafana server, and it targets requests that are generated by users.
For example:
- Data source metric queries
- Alert notifications
This can be used to limit access to internal systems that the server Grafana runs on can access but that users of Grafana should not be able to access. This feature does not affect traffic from the Grafana users browser.
> **Note:** Although request security works with backend plugins, you can create a backend plugin that bypasses this security.
## IP and hostname blocking
You can limit requests based on a hostname, an IP address, or both.
### Deny list
Grafana blocks any request to a hostname or IP address on the deny list.
### Allow list
If there is at least one entry on the list, then any request to a hostname or IP address not on the list is denied.
For example:
```toml
[security.egress]
# A list of hostnames or IP addresses separated by spaces for which requests are blocked.
host_deny_list = supersecret.internal 192.168.1.10
# a list of hostnames or IP addresses separated by spaces for which requests will be allowed, all other requests will be blocked
host_allow_list = prometheus.internal
```
## Drop headers and cookies
You can set a list of cookies or headers that are to be dropped from outgoing requests.
Example:
```toml
[security.egress]
# a list of headers that will be stripped from outgoing datasource and alerting requests
header_drop_list = user
# a list of cookies that will be stripped from outgoing datasource requests (case sensitive)
cookie_drop_list = session_id
```
...@@ -214,6 +214,12 @@ You can now select a font, other than the default, for Unicode-based scripts. As ...@@ -214,6 +214,12 @@ You can now select a font, other than the default, for Unicode-based scripts. As
[Reporting]({{< relref "../enterprise/reporting.md#rendering-configuration" >}}) was updated as a result of this change. [Reporting]({{< relref "../enterprise/reporting.md#rendering-configuration" >}}) was updated as a result of this change.
### Request security
Request security introduces ways to limit requests from the Grafana server, and it targets requests that are generated by users.
For more information, refer to [Request security]({{< relref "../enterprise/request-security.md" >}}).
## Breaking changes ## Breaking changes
The following Grafana 7.4 changes might break previous functionality. The following Grafana 7.4 changes might break previous functionality.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment