The Data Manipulation panel can request (GET) and update (DELETE, PATCH, POST, PUT) data and configuration using a REST API.
We recommend running Grafana behind an NGINX reverse proxy for an additional security layer. The reverse proxy also allows us to expose additional API endpoints and static files in the same domain, which makes it CORS-ready.
The Data Manipulation panel may be blocked by CORS policy from accessing the API Server. You can look for a rejection error in your browser's Console window.
Unfortunately, Grafana will not be explicit: nothing will notify you about a CORS restriction error.
Same-Origin is a policy allowing interaction with resources ONLY from the same domain, host and port. For instance, abc.com can retrieve data from abc.com/page1, but is not permitted to access
Cross-Origin Resource Sharing (CORS) policy is more flexible. It was created to allow different domains to interact. If CORS restrictions are off, any domain is allowed to request data. If CORS restrictions are ON, only whitelisted domains are permitted.
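What "only whitelisted domains are permitted" looks like on the API Server side, as an added example for a Node.js `http` handler (not code from the original page or from the panel's project). The origin `https://grafana.example.com` and the names `corsDecision` and `withCors` are assumptions made for illustration.

```javascript
// Added example, not the project's code. The origin below is a constructed placeholder.
const ALLOWED_ORIGINS = new Set(["https://grafana.example.com"]);
// Methods the Data Manipulation panel sends, per the first paragraph of this page.
const ALLOWED_METHODS = ["GET", "DELETE", "PATCH", "POST", "PUT"];

// Decide the CORS outcome for one request.
// status === null means "continue to the real handler"; otherwise reply with it.
function corsDecision(method, origin, requestedMethod) {
  const headers = { Vary: "Origin" }; // caches must not reuse a reply across origins
  // No Origin header: same-origin or non-browser client, so CORS does not apply.
  if (!origin) return { status: null, headers };
  // Exact string match only: no "*", no suffix or regex match, no reflecting Origin.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };
  // Preflight: the browser asks first before DELETE, PATCH, PUT or a JSON POST.
  if (method === "OPTIONS" && requestedMethod) {
    if (!ALLOWED_METHODS.includes(requestedMethod)) return { status: 403, headers };
    return {
      status: 204,
      headers: {
        ...headers,
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Access-Control-Max-Age": "600",
      },
    };
  }
  // Actual request from an allowed origin: let the browser read the response.
  headers["Access-Control-Allow-Origin"] = origin;
  return { status: null, headers };
}

// Wrap a Node.js http request handler, e.g. http.createServer(withCors(handler)).
function withCors(handler) {
  return (req, res) => {
    const { status, headers } = corsDecision(
      req.method, req.headers.origin, req.headers["access-control-request-method"]);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (status === null) return handler(req, res);
    res.statusCode = status;
    res.end();
  };
}
```

CORS only governs which browser origins may read responses, so the API Server still needs its own authentication for the state-changing methods.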
Connect to API Server
We understand the risk of data manipulation and take security concerns seriously. This blog post explores three secure ways to connect the Data Manipulation panel to the API Server.