Is Metabase safe to use for querying confidential data?

lunezmoon · January 28, 2021, 5:05am

Hello,

My team is considering using Metabase (We will self-host the Metabase app on our cloud environment using docker image) to query through data but we have to convince the tech lead and manager that Metabase is safe because we will be querying confidential data as well.
So i want to ask the below.

Is my understanding correct that users on Metabase cannot execute update, delete, insert statements using the SQL editor or modify the data from the UI? I am assuming users cannot modify data from Metabase but i want to confirm just in case.
Are there a significant number of clients who use Metabase to query their confidential data? If yes, can you tell me the brief number of clients who use Metabase to query their confidential data (If possible) so we can provide the statistics to our tech lead and manager?
Is there anything in particular we should be aware of if we are going to use Metabase to query confidential data? (The only thing i was worried about was that the http query request/response was not encrypted but we will make Metabase only accessible through VPN so there should be no problem)

flamber · January 28, 2021, 11:31am

Hi @lunezmoon

Metabase is a reporting tool - currently without any actionable functions.
You should always make sure that the database credentials you’re using only has the privileges that you want any app to have. So don’t give Metabase more privileges than what is needed - hence read-access and most likely ability to create temporary tables and set session variables.
There’s more than 20,000 companies using Metabase, and most are using Metabase to access confidential data. There’s a few listed on the main website: https://www.metabase.com/
Always use https - even within VPN.

lunezmoon · January 29, 2021, 1:01am

Hello @flamber

Thank you for your answer.
So is my below understanding for question 1. correct?

If the database credentials you provide to Metabase have write access you can indeed execute update, delete, insert statements from the SQL editor (I have tested this).
So if we want to prevent misoperation by users who want to analyze data we should do either or both of the following.

Provide database credentials with only read-access (Ideal)
Do not grant SQL editor permissions

Sorry i would also like to ask one last question.
My understanding is user passwords, database passwords etc are encrypted and stored by default.
By setting the MB_ENCRYPTION_SECRET_KEY env variable other database connection info like host name, service name etc will also be encrypted and stored as well.
Is my understanding correct?

flamber · January 29, 2021, 2:38pm

@lunezmoon Correct, you should do the same for any other app. I see way too many setups on MySQL, where every app is using the user root, which can do everything on the database - that’s a security nightmare.

All user passwords (core_user table) are always encrypted.
The envvar MB_ENCRYPTION_SECRET_KEY will encrypt everything in metabase_database.details and setting table. But if you apply it on existing instances, then the values are only encrypted once they are saved again.
https://www.metabase.com/docs/latest/operations-guide/encrypting-database-details-at-rest.html

lunezmoon · January 31, 2021, 10:46pm

@flamber
Got it. Thank you!