Menu

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Enterprise Grafana Cloud Open source

Plugin management

You can enhance your Grafana experience with plugins, extensions to Grafana beyond the wide range of visualizations and data sources that are built-in.

This guide shows you how to install plugins that are built by Grafana Labs, commercial partners, our community, or plugins that you have built yourself.

Types of plugins

Grafana supports three types of plugins:

  • Panels - These plugins make it easy to create and add any kind of panel, to show your data, or improve your favorite dashboards.
  • Data sources - These plugins allow you to pull data from various data sources such as databases, APIs, log files, and so on, and display it in the form of graphs, charts, and dashboards in Grafana.
  • Apps - These plugins enable the bundling of data sources, panels, dashboards, and Grafana pages into a cohesive experience.

Panel plugins

Add new visualizations to your dashboard with panel plugins, such as the Clock, Mosaic and Variable panels.

Use panel plugins when you want to:

  • Visualize data returned by data source queries.
  • Navigate between dashboards.
  • Control external systems, such as smart home devices.

Data source plugins

Data source plugins add support for new databases, such as Google BigQuery.

Data source plugins communicate with external sources of data and return the data in a format that Grafana understands. By adding a data source plugin, you can immediately use the data in any of your existing dashboards.

Use data source plugins when you want to query data from external or third-party systems.

App plugins

Applications, or app plugins, bundle data sources and panels to provide a cohesive experience, such as the Zabbix app.

Apps can also add custom pages for things like control panels.

Use app plugins when you want an out-of-the-box monitoring experience.

Managing access for app plugins

Customize access to app plugins with RBAC.

By default, the Viewer, Editor and Admin roles have access to all app plugins that their Organization role allows them to access. Access is granted by the fixed:plugins.app:reader role.

Note

To prevent users from seeing an app plugin, refer to these permissions scenarios.

Plugin catalog

The Grafana plugin catalog allows you to browse and manage plugins from within Grafana. Only Grafana server administrators and Organization administrators can access and use the plugin catalog. For more information about Grafana roles and permissions, refer to Roles and permissions.

The following access rules apply depending on the user role:

  • If you are an Org Admin, you can configure app plugins, but you can’t install, uninstall, or update them.
  • If you are a Server Admin, you can’t configure app plugins, but you can install, uninstall, or update them.
  • If you are both Org Admin and Server Admin, you can configure app plugins and also install, uninstall, or update them.

Note

The Grafana plugin catalog is designed to work with a single Grafana server instance only. Support for Grafana clusters is planned for future Grafana releases.

Video shows the Plugin catalog in a previous version of Grafana.

Note

If required, the Grafana plugin catalog can be disabled using the plugin_admin_enabled flag in the configuration file.

Browse plugins

To browse for available plugins:

  1. While logged into Grafana as an administrator, click Administration > Plugins and data > Plugins in the side menu to view installed and available plugins.
  2. Use the search to filter based on name, keywords, organization and other metadata.
  3. Click the Data sources, Panels, or Applications buttons to filter by plugin type.

Install a plugin

The most common way to install a plugin is through the Grafana UI, but alternative methods are also available.

  1. In Grafana, click Administration > Plugins and data > Plugins in the side navigation menu to view all plugins.
  2. Browse and find a plugin.
  3. Click the plugin’s logo.
  4. Click Install.

There are also additional ways to install plugins depending on your setup.

Install a plugin using Grafana CLI

Grafana CLI allows you to install, upgrade, and manage your Grafana plugins using a command line. For more information about Grafana CLI plugin commands, refer to Plugin commands.

Install a plugin from a ZIP file

This method is typically used for plugins not available in the Plugin Catalog or in environments without internet access.

Download the archive containing the plugin assets, and install it by extracting the archive into the plugin directory. For example:

bash
unzip my-plugin-0.2.0.zip -d YOUR_PLUGIN_DIR/my-plugin

The path to the plugin directory is defined in the configuration file. For more information, refer to Configuration.

Install a plugin in air-gapped environment

Plugin installation usually requires an internet connection. You can check which endpoints are used during the installation on your instance and add them to your instance’s allowlist.

If this is not possible you can go via installing a plugin using Grafana CLI or as a ZIP file.

You can fetch any plugin from Grafana.com API following the download link referenced in the API. Here is an example based on grafana-lokiexplore-app plugins.

  1. Open https://grafana.com/api/plugins/grafana-lokiexplore-app and look for links section
  2. Find a download url which looks something like https://grafana.com/api/plugins/grafana-lokiexplore-app/versions/1.0.2/download
  3. Use this URL to download the plugin ZIP file, which you can then install as described above.

Install plugins using the Grafana Helm chart

With the Grafana Helm chart, add the plugins you want to install as a list using the plugins field in the your values file. For more information about the configuration, refer to the Helm chart configuration reference.

The following YAML snippet installs v1.9.0 of the Grafana OnCall App plugin and the Redis data source plugin. You must incorporate this snippet within your Helm values file.

yaml
plugins:
  - https://grafana.com/api/plugins/grafana-oncall-app/versions/v1.9.0/download;grafana-oncall-app
  - redis-datasource

When the update is complete, a confirmation message will indicate the installation was successful.

Update a plugin

To update a plugin:

  1. In Grafana, click Administration > Plugins and data > Plugins in the side navigation menu to view all plugins.
  2. Click the Installed filter to show only installed plugins.
  3. Click the plugin’s logo.
  4. Click Update.

When the update is complete, a confirmation message will indicate the installation was successful.

Uninstall a plugin

To uninstall a plugin:

  1. In Grafana, click Administration > Plugins and data > Plugins in the side navigation menu to view all plugins.
  2. Click the plugin’s logo.
  3. Click the Installed filter to show only installed plugins.
  4. Click Uninstall.

When the update is complete, a confirmation message will indicate the installation was successful.

Plugin signatures

Plugin signature verification, also known as signing, is a security measure to make sure plugins haven’t been tampered with. Upon loading, Grafana checks to see if a plugin is signed or unsigned when inspecting and verifying its digital signature.

At startup, Grafana verifies the signatures of every plugin in the plugin directory. If a plugin is unsigned, then Grafana neither loads nor starts it. To see the result of this verification for each plugin, navigate to Configuration -> Plugins.

Grafana also writes an error message to the server log:

bash
WARN[05-26|12:00:00] Some plugin scanning errors were found   errors="plugin '<plugin id>' is unsigned, plugin '<plugin id>' has an invalid signature"

If you are a plugin developer and want to know how to sign your plugin, refer to Sign a plugin.

Signature statusDescription
CoreCore plugin built into Grafana.
Invalid signatureThe plugin has an invalid signature.
Modified signatureThe plugin has changed since it was signed. This may indicate malicious intent.
UnsignedThe plugin is not signed.
SignedThe plugin signature was successfully verified.

Plugin signature levels

All plugins are signed under a signature level. The signature level determines how the plugin can be distributed.

Plugin LevelDescription
Private

Private plugins are for use on your own Grafana. They may not be distributed to the Grafana community, and are not published in the Grafana catalog.

Community

Community plugins have dependent technologies that are open source and not for profit.

Community plugins are published in the official Grafana catalog, and are available to the Grafana community.

Commercial

Commercial plugins have dependent technologies that are closed source or commercially backed.

Commercial plugins are published on the official Grafana catalog, and are available to the Grafana community.

Allow unsigned plugins

Note

Unsigned plugins are not supported in Grafana Cloud.

We strongly recommend that you don’t run unsigned plugins in your Grafana instance. However, if you’re aware of the risks and you still want to load an unsigned plugin, refer to Configuration.

If you’ve allowed loading of an unsigned plugin, then Grafana writes a warning message to the server log:

bash
WARN[06-01|16:45:59] Running an unsigned plugin   pluginID=<plugin id>

Note

If you’re developing a plugin, then you can enable development mode to allow all unsigned plugins.

Plugin Frontend Sandbox

Caution

Plugin Frontend Sandbox is currently in public preview. Grafana Labs offers limited support, and breaking changes might occur prior to the feature being made generally available.

The Plugin Frontend Sandbox is a security feature that isolates plugin frontend code from the main Grafana application. When enabled, plugins run in a separate JavaScript context, which provides several security benefits:

  • Prevents plugins from modifying parts of the Grafana interface outside their designated areas
  • Stops plugins from interfering with other plugins functionality
  • Protects core Grafana features from being altered by plugins
  • Prevents plugins from modifying global browser objects and behaviors

Plugins running inside the Frontend Sandbox should continue to work normally without any noticeable changes in their intended functionality.

Enable Frontend Sandbox

The Frontend Sandbox feature is currently behind the pluginsFrontendSandbox feature flag. To enable it, you’ll need to:

  1. Enable the feature flag in your Grafana configuration. For more information about enabling feature flags, refer to Configure feature toggles.

  2. For self-hosted Grafana installations, add the plugin IDs you want to sandbox in the security section using the enable_frontend_sandbox_for_plugins configuration option.

For Grafana Cloud users, you can simply use the toggle switch in the plugin catalog page to enable or disable the sandbox for each plugin. By default, the sandbox is disabled for all plugins.

Note

Enabling the Frontend Sandbox might impact the performance of certain plugins. Only disable the sandbox if you fully trust the plugin and understand the security implications.

Compatibility

The Frontend Sandbox is available in public preview in Grafana >=11.4. It is compatible with all types of plugins including app plugins, panel plugins, and data source plugins. Angular-based plugins are not supported. Plugins developed and signed by Grafana Labs are excluded and cannot be sandboxed.

When to Use Frontend Sandbox

We strongly recommend enabling the Frontend Sandbox for plugins that allow users to write custom JavaScript code for data visualization or manipulation. These plugins, while powerful, can potentially execute arbitrary JavaScript code in your Grafana instance. The sandbox provides an additional layer of security by restricting what this code can access and modify.

Examples of plugins where the sandbox is particularly important include:

  • Panel plugins that allow users to write custom JavaScript code
  • Plugins from untrusted sources

Troubleshooting

If a plugin isn’t functioning correctly with the Frontend Sandbox enabled:

  1. Temporarily disable the sandbox for that specific plugin
  2. Test if the plugin works correctly without the sandbox
  3. If the plugin only works with the sandbox disabled, ensure you trust the plugin source before continuing to use it without sandbox protection
  4. Report any sandbox-related issues to the plugin developer

Learn more