Secure grafana with prometheus datasource all over LDAP


I have a problem securing the prometheus datasource for grafana.

When I started I thought that the datasource plugin for grafana has a backend component that forwards requests to the prometheus server.

What I actually see is that the client (browser) directly contacts the prometheus resource. This is a big problem in my configuration because

  1. I have to serve a public interface to the prometheus datasource.
  2. I only have the chance to use basic auth with a technical user.

So my questions are:

  1. Is there a way to hide the prometheus datasource from the public (via grafana backend?)?
  2. Is there a way to use the grafana LDAP-user with the prometheus datasource (the datasource could be protected by nginx or whatever)?

This could be a main reason to use a completely different monitoring stack.


Solution

  • Is there a way to hide the prometheus datasource from public (via grafana backend?)?

    Select Proxy mode rather than Direct when configuring the data source.

  • Is there a way to use the grafana LDAP-user with the prometheus datasource?

    Grafana only supports basic auth for this. I would imagine that monitoring systems that support LDAP for authorization are rare, so would advise working with this.
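
The Proxy-mode setup from the answer, written as a Grafana datasource provisioning file. This is an added example, not part of the original answer. It assumes file-based provisioning is in use; the host name `prometheus.internal`, the user `grafana-ro` and the environment variable name are placeholders.

```yaml
# Placeholder path: provisioning/datasources/prometheus.yaml
apiVersion: 1

datasources:
  - name: Prometheus
    type: prometheus

    # proxy  = the Grafana backend sends the queries, so the browser never
    #          talks to Prometheus and no public Prometheus endpoint is needed.
    # direct = the browser calls Prometheus itself, which is the behaviour
    #          described in the question.
    access: proxy

    # Internal address, reachable from the Grafana server only (placeholder).
    url: http://prometheus.internal:9090

    # Basic auth with a technical user, checked by whatever fronts Prometheus
    # (for example nginx). In proxy mode the credentials stay on the server.
    basicAuth: true
    basicAuthUser: grafana-ro
    secureJsonData:
      # Expanded from the environment when Grafana loads the file, so the
      # password is not stored in this file.
      basicAuthPassword: ${PROM_BASIC_AUTH_PASSWORD}

    # Keep users from switching the access mode or URL in the UI.
    editable: false
```

With this in place, users log in to Grafana through LDAP, and only the Grafana server needs network access and credentials for Prometheus.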