This is a Grafana backend plugin to allow using an SQLite database as a data source. The SQLite database needs to be accessible to the filesystem of the device where Grafana itself is running.

Table of contents:

• Plugin Installation
• Security Considerations
• Support for Time Formatted Columns
• Macros
• Alerting
• Configuration
• Common Problems - FAQ
• Development and Contributing
• Supporting the Project
• Further Documentation and Links

The recommended way to install the plugin for most users is to use the grafana CLI:

1. Run this command: grafana-cli plugins install frser-sqlite-datasource
2. Restart the Grafana server.
3. To make sure the plugin was installed, check the list of installed data sources. Click the Plugins item in the main menu. Both core data sources and installed data sources will appear.

For other installation options (e.g. to install versions not yet released in the Grafana registry but in Github) see ./docs/installation.md.

A data source of the SQLite plugin specifies a specific SQLite location. But by using the attach feature this restriction can be circumvented.

A user with read only permissions on the database can use the attach feature in a query to connect to any database that the Grafana user has access to on the system.

To prevent such behavior the attach limit is set to 0 by default and can only be increased when setting the unsafe_allow_attach_limit_above_zero (see below for more information) at plugin level.

Grafana itself can run with an SQLite database as a data storage. Using this plugin the internal Grafana database file can be accessed.

There are no built-in restrictions preventing a user with permissions to edit the data source configuration from attaching to the SQLite database and accessing its contents.

This means that sensitive data, including secrets stored within the database, could potentially be exposed if appropriate access controls are not enforced at the Grafana level.

Recommendations to mitigate risks:

• By default any file with the name grafana.db cannot be opened. This can be disabled via setting unsafe_disable_grafana_internal_blocklist (see below for more information).
• Use the "block_list" option in the grafana.ini (see below for more information) to block access if the file has another name.
• Limit Data Source Editing Permissions: Restrict the ability to modify the data source configuration to only trusted administrators.
• Do not use SQLite as the data storage for Grafana but a database with more access controls (like Postgres).

SQLite has no native "time" format. It relies on strings and numbers for time and dates. Since especially for time series Grafana expects an actual time type, however, the plugin provides a way to infer a real timestamp. This can be set in the query editor by providing the name of the column, which should be reformatted to a timestamp.

The plugin supports two different inputs that can be converted to a "time" depending on the type of the value in the column, that should be formatted as "time":

1. A number input: It is assumed to be a unix timestamp / unix epoch. This represents time in the number of seconds (make sure your timestamp is not in milliseconds). More information is here: https://en.wikipedia.org/wiki/Unix_time

2. A string input: The value is expected to be formatted in accordance with RFC3339, e.g. "2006-01-02T15:04:05Z07:00". Edge cases might occur and the parsing library used is the source of truth here: https://golang.org/pkg/time/#pkg-constants.

Timestamps stored as unix epoch should work out of the box, but the string formatting might require adjusting your current format. The below example shows how to convert a "date" column to a parsable timestamp:

WITH converted AS (
   -- a row looks like this (value, date): 1.45, '2020-12-12'
   SELECT value,  date || 'T00:00:00Z' AS datetime FROM raw_table
)
SELECT datetime, value FROM converted ORDER BY datetime ASC

This plugins supports macros inspired by the built-in Grafana data sources (e.g. https://grafana.com/docs/grafana/latest/datasources/postgres/#macros).

However, as each macro needs to be re-implemented from scratch, only the following macros are supported. Other macros (that you might expect from other SQL databases) are not supported by the plugin (yet).

Example: $__unixEpochGroupSeconds("time", 10)

Will be replaced by an expression usable in GROUP BY clause. For example: cast(("time" / 10) as int) * 10

Example: $__unixEpochGroupSeconds(timestamp, 10, NULL)

This is the same as the above example but with a fill parameter so missing points in that series will be added for Grafana and NULL will be used as value.

In case multiple time columns are provided the first one is chosen as the column to determine the gap filling. "First" in this context means first in the SELECT statement. This column needs to have no NULL values and must be sorted in ascending order.

The plugins supports the Grafana alerting feature. Similar to the built in data sources alerting does not support variables as they are normally replaced in the frontend, which is not involved for the alerts. In order to allow time filtering this plugin supports the variables $__from and $__to. For more information about those variables see here: https://grafana.com/docs/grafana/latest/variables/variable-types/global-variables/#__from-and-__to. Formatting of those variables (e.g. ${__from:date:iso}) is not supported for alerts, however.

Most of the plugin configuration happens when adding a datasource via the Grafana frontend. All such configuration can also be provisioned (see the FAQ for more details).

Aside from that, the plugin supports the following configuration via the grafana.ini file. The following block shows the default values and gives an explanation of each field.

[plugin.frser-sqlite-datasource]
   ; this settings allows setting attach limits above 0.
   ; this enables any users with access to the plugin to attach any database that the Grafana users has access to
   ; this is also not controlled via the block_list.
   ; enabling this setting is not recommended for security reasons
   unsafe_allow_attach_limit_above_zero = false
   ; this is a comma separated list of strings that any part of the path of the SQLite database cannot contain.
   ; use this to prevent access (even for Grafana admin users) from certain files or paths
   ; the path check is case insensitive
   ; block_list = "grafana.db,private_folder,other.db"
   block_list = ""
   ; this setting prevents blocking security related path elements that are blocked by default
   ; the path check is case insensitive
   ; the blocked path elements are: .aws, .config/gcloud, .azure, .kube/config, .docker/config, .ssh, .gnupg, .pki, /etc/shadow, /etc/passwd, /etc/gshadow, /proc/, /sys/, .env, credentials, .git/config, .netrc, .npmrc, .pypirc, id_rsa, id_dsa, id_ecdsa, id_ed25519
   ; enabling this setting is not recommended for security reasons
   unsafe_disable_security_blocklist = false
   ; this setting prevents blocking grafana internal related path elements that are blocked by default
   ; the path check is case insensitive
   ; the blocked path elements are: grafana.db
   ; enabling this setting is not recommended for security reasons
   unsafe_disable_grafana_internal_blocklist = false
   ; by default the plugin adds "_pragma=query_only(1)" to the path options if no _pragma=query_only is already specified
   ; this setting prevents setting this default value.
   ; enabling this setting is not recommended for security reasons
   unsafe_disable_query_only_path_option = false

This is a list of common questions or problems. For the answers and more details see ./docs/faq.md.

• I have a "file not found" error for my database
• I have a "permission denied" error for my database
• ...

Some examples to help getting started with SQL and SQLite can be found in ./docs/examples.md.

These examples include things like:

• filtering by the time specified in the Grafana UI
• creating a time series mindful of gaps
• converting dates to timestamps
• ...

Any contribution is welcome. Some information regarding the local setup can be found in the DEVELOPMENT.md file.

This project was developed for free as an open source project. And it will stay that way.

If you like using this plugin, however, and would like to support the development go check out the Github sponsorship page. This allows sponsoring the project with monthly or one-time contributions.

• A changelog of the plugin can be found in the CHANGELOG.md.
• More documentation about the plugin can be found under the docs section in Github.
• The plugin can be found in the Grafana plugin registry.
• Questions or bugs about the plugin can be found and reported in Github or in the Grafana community.