@@ 34,6 34,9 @@ provisioning = /etc/grafana/provisioning
# Protocol (http, https, h2, socket)
;protocol = http
+# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.2, TLS1.3. If nothing is set TLS1.2 would be taken
+;min_tls_version = ""
+
# The ip address to bind to, empty will bind to all interfaces
http_addr = 127.0.0.1
@@ 381,6 384,9 @@ strict_transport_security = true
# The CSRF check will be executed even if the request has no login cookie.
;csrf_always_check = false
+# Comma-separated list of plugins ids that won't be loaded inside the frontend sandbox
+;disable_frontend_sandbox_for_plugins =
+
[security.encryption]
# Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
# Please note that small values may cause performance issues due to a high frequency decryption operations.
@@ 433,7 439,7 @@ allow_sign_up = false
# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
;auto_assign_org_id = 1
-# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
+# Default role new users will be automatically assigned
;auto_assign_org_role = Viewer
# Require email validation before sign up completes
@@ 589,7 595,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
;auto_login = false
;client_id = some_id
;client_secret = some_secret
-;scopes = api
+;scopes = openid email profile
;auth_url = https://gitlab.com/oauth/authorize
;token_url = https://gitlab.com/oauth/token
;api_url = https://gitlab.com/api/v4
@@ 599,6 605,11 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
;role_attribute_strict = false
;allow_assign_grafana_admin = false
;skip_org_role_sync = false
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+;use_pkce = true
#################################### Google Auth ##########################
[auth.google]
@@ 609,13 620,14 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
;auto_login = false
;client_id = some_client_id
;client_secret = some_client_secret
-;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-;auth_url = https://accounts.google.com/o/oauth2/auth
-;token_url = https://accounts.google.com/o/oauth2/token
-;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;scopes = openid email profile
+;auth_url = https://accounts.google.com/o/oauth2/v2/auth
+;token_url = https://oauth2.googleapis.com/token
+;api_url = https://openidconnect.googleapis.com/v1/userinfo
;allowed_domains =
;hosted_domain =
;skip_org_role_sync = false
+;use_pkce = true
#################################### Grafana.com Auth ####################
[auth.grafana_com]
@@ 647,6 659,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
;allowed_organizations =
;role_attribute_strict = false
;allow_assign_grafana_admin = false
+;use_pkce = true
# prevent synchronizing users organization roles
;skip_org_role_sync = false
@@ 668,6 681,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
;role_attribute_strict = false
;allow_assign_grafana_admin = false
;skip_org_role_sync = false
+;use_pkce = true
#################################### Generic OAuth ##########################
[auth.generic_oauth]
@@ 761,6 775,12 @@ role_attribute_strict = true
# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
; assume_role_enabled = true
+# Specify max no of pages to be returned by the ListMetricPages API
+; list_metrics_page_limit = 500
+
+# Experimental, for use in Grafana Cloud only. Please do not set.
+; external_id =
+
#################################### Azure ###############################
[azure]
# Azure cloud environment where Grafana is hosted
@@ 777,6 797,23 @@ role_attribute_strict = true
# Should be set for user-assigned identity and should be empty for system-assigned identity
;managed_identity_client_id =
+# Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources
+# that support it (requires AAD authentication)
+# Disabled by default, needs to be explicitly enabled
+;user_identity_enabled = false
+
+# Override token URL for Azure Active Directory
+# By default is the same as token URL configured for AAD authentication settings
+;user_identity_token_url =
+
+# Override ADD application ID which would be used to exchange users token to an access token for the datasource
+# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
+;user_identity_client_id =
+
+# Override the AAD application client secret
+# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
+;user_identity_client_secret =
+
#################################### Role-based Access Control ###########
[rbac]
;permission_cache = true
@@ 819,6 856,9 @@ role_attribute_strict = true
# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
;filters =
+# Set the default error message shown to users. This message is displayed instead of sensitive backend errors which should be obfuscated. Default is the same as the sample value.
+;user_facing_default_error = "please inspect Grafana server log for details"
+
# For "console" mode only
[log.console]
;level =
@@ 865,20 905,11 @@ role_attribute_strict = true
;tag =
[log.frontend]
-# Should Sentry javascript agent be initialized
+# Should Faro javascript agent be initialized
;enabled = false
-# Defines which provider to use, default is Sentry
-;provider = sentry
-
-# Sentry DSN if you want to send events to Sentry.
-;sentry_dsn =
-
-# Custom HTTP endpoint to send events captured by the Sentry agent to. Default will log the events to stdout.
-;custom_endpoint = /log
-
-# Rate of events to be reported between 0 (none) and 1 (all), float
-;sample_rate = 1.0
+# Custom HTTP endpoint to send events to. Default will log the events to stdout.
+;custom_endpoint = /log-grafana-javascript-agent
# Requests per second limit enforced an extended period, for Grafana backend log ingestion endpoint (/log).
;log_endpoint_requests_per_second_limit = 3
@@ 993,6 1024,11 @@ role_attribute_strict = true
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
;ha_peer_timeout = "15s"
+# The label is an optional string to include on each packet and stream.
+# It uniquely identifies the cluster and prevents cross-communication
+# issues when sending gossip messages in an enviromenet with multiple clusters.
+;ha_label =
+
# The interval between sending gossip messages. By lowering this value (more frequent) gossip messages are propagated
# across cluster more quickly at the expense of increased bandwidth usage.
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
@@ 1154,6 1190,16 @@ role_attribute_strict = true
# Enable the Profile section
;enabled = true
+#################################### News #############################
+[news]
+# Enable the news feed section
+; news_feed_enabled = true
+
+#################################### Query #############################
+[query]
+# Set the number of data source queries that can be executed concurrently in mixed queries. Default is the number of CPUs.
+;concurrent_query_limit =
+
#################################### Query History #############################
[query_history]
# Enable the Query history
@@ 1168,6 1214,8 @@ role_attribute_strict = true
;interval_seconds = 10
# Disable total stats (stat_totals_*) metrics to be generated
;disable_total_stats = false
+# The interval at which the total stats collector will update the stats. Default is 1800 seconds.
+;total_stats_collector_interval_seconds = 1800
#If both are set, basic auth will be required for the metrics endpoints.
; basic_auth_username =
@@ 1302,8 1350,11 @@ role_attribute_strict = true
;plugin_catalog_hidden_plugins =
# Log all backend requests for core and external plugins.
;log_backend_requests = false
-# Force download of public key for verifying plugin signature on startup.
-;enforce_public_key_download = false
+# Disable download of the public key for verifying plugin signature.
+; public_key_retrieval_disabled = false
+# Force download of the public key for verifying plugin signature on startup. If disabled, the public key will be retrieved every 10 days.
+# Requires public_key_retrieval_disabled to be false to have any effect.
+; public_key_retrieval_on_startup = false
#################################### Grafana Live ##########################################
[live]
@@ 1450,13 1501,13 @@ role_attribute_strict = true
# Move an app plugin referenced by its id (including all its pages) to a specific navigation section
[navigation.app_sections]
-# The following will move an app plugin with the id of `my-app-id` under the `starred` section
-# my-app-id = admin
+# The following will move an app plugin with the id of `my-app-id` under the `cfg` section
+# my-app-id = cfg
# Move a specific app plugin page (referenced by its `path` field) to a specific navigation section
[navigation.app_standalone_pages]
-# The following will move the page with the path "/a/my-app-id/starred-content" from `my-app-id` to the `starred` section
-# /a/my-app-id/starred-content = starred
+# The following will move the page with the path "/a/my-app-id/my-page" from `my-app-id` to the `cfg` section
+# /a/my-app-id/my-page = cfg
#################################### Secure Socks5 Datasource Proxy #####################################
[secure_socks_datasource_proxy]
@@ 1467,5 1518,11 @@ role_attribute_strict = true
; server_name =
# The address of the socks5 proxy datasources should connect to
; proxy_address =
+; show_ui = true
+
+################################## Feature Management ##############################################
+[feature_management]
+hidden_toggles =
+read_only_toggles =
# vi: ft=dosini