Plugins
Plugins Policy
This document governs the offering of plugins for use with Grafana - whether such usage is in connection with open source Grafana, third-party managed Grafana, Grafana Enterprise or Grafana Cloud. For terms regarding the usage of a specific plugin, refer to the type of plugin and any applicable OSS license or commercial terms that may be associated thereto.
Context: Since the release of Grafana 7, Grafana has moved to a next generation plugin architecture, making it easier to develop and maintain plugins.
As a result, all plugins need to be cryptographically signed in order to be accessible by users. The purpose is to improve the security, quality, and reliability of the plugin ecosystem, while also helping Grafana Labs build a sustainable open source business around Grafana.
What are the different classifications of plugins?
- Private - Private plugins are created by an organization solely for its internal use. Private plugins may not be shared outside of that organization- if they are, other parties must run them unsigned.
- Community - Community plugins are non-commercial in nature and are not affiliated with any commercial endeavor.
- Commercial - Commercial plugins are offered in connection with a commercial offering, commercial dependencies or offered by a for-profit business.
- Enterprise - Enterprise plugins are built and offered exclusively by Grafana Labs. Use of Enterprise plugins is governed by the terms of our Master Services Agreement or other written, mutually agreed licensing terms between Grafana Labs and the end user.
How to get plugins signed?
Your ability and process for signing a plugin will depend on which classification of plugin
is in question.
| Signature Level | Paid Subscription Required to Sign? | Description |
|---|---|---|
| Private | No; Free of charge | Private plugins are for use on your own Grafana instance. They may not be shared to the Grafana community or to your customers, and are not published in the Grafana catalog. Private plugins are not compatible with Grafana Cloud. |
| Community | No; Free of charge | Community plugins contain dependent technologies that are open source and/or not for profit. Community plugins are published to the official Grafana catalog, and are available to the Grafana community for direct installation. Support is provided by the individual developer and/or community. Compatible with Grafana Cloud. Not commercial in nature and not affiliated with any commercial endeavor. |
| Commercial | Yes; Commercial Plugin Subscription required | Commercial plugins contain dependent technologies that are closed source or commercially backed (even if open source at their core). These plugins meet the commercial plugin criteria and are partner-developed. Commercial plugins are published to the official Grafana catalog, and are available to the Grafana community for direct installation. Support is provided by the Partner. Compatible with Grafana Cloud. |
Signing Requests
Private
- Request via grafana.com account
a. (must be a customer/user) - Follow the signing instructions in our documentation.
Community
Prerequisites: Technology must be available for testing. Plugin must already exist in a public Git repository. Plugin must meet above pre-requisites as determined by Grafana Labs.
- Request via grafana.com account
- A Grafana Labs team member will review to validate integrity,functionality, and that it meets the community designation. Grafana Labs may refuse any community plugin at its sole discretion.
- Feedback and advisory on any needed changes or updates.
- Finalize packaging, documentation, and catalog page.
- Sign and Publish.
Commercial and Grafana
- Contact: integrations@grafana.com
Restrictions
- Plugins may be denied signing and/or publishing for any of the following reasons:
a. Forking of an existing plugin or creating derivative works
b. Misuse of code (see plugin policy and guidelines)
c. Embedding multiple plugins into a single plugin
d. Duplication of an existing plugin - including Grafana Enterprise plugins
e. For any other reason at the sole discretion of Grafana Labs - Grafana Labs manages its plugin catalog. You may not create a separate public plugin catalog involving or relating to Grafana Labs or its offerings.
- Grafana Labs reserves the right to deny signing and/or publishing of a plugin due to non-compliance with plugin policy, community terms of service, or plugin guidelines.
Note: Distributed plugins that are not included in the catalog still require a signing subscription
Plugin Publishing and Signing Criteria
Grafana plugins must adhere to the following criteria when being reviewed for publishing and
signing.
Privacy and Security
Plugins cannot collect usage or user information. Violations of this include but are not limited to:
- Directly collecting installation and user statistics
- Sending data to 3rd parties for analytics purposes
- Embedding tracking code
Data at rest: Sensitive data, such as credentials and user information, must be encrypted using industry standards.
- Use secureJsonData to store data source credentials
- Secrets cannot be stored in panel options
Data transmission: secure methods that meet industry standard encryption levels should be used, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
Abuse: plugins should not perform actions beyond the scope of the intended use.
- Do not include hidden files
- Do not manipulate the underlying environment, privileges, or related processes
Right to Use and Proper Crediting
- Usage of 3rd party software or dependencies within the plugin must be licensed for the intended use. For example, use of open source dependencies must be clearly listed and properly credited, and you must have rights to use any embedded logos or trademarks.
Grafana Labs reserves the right to decline or remove any plugin at its discretion. Failure to comply with publishing and signing criteria may result in immediate removal from the Grafana plugin catalog.
To learn more, inquire by contacting us or email integrations@grafana.com.
Last updated 2023