How do I use functions without having to sign in? #17594

squeaktoy · 2024-05-05T15:59:45Z

squeaktoy
May 5, 2024

I'm running Netdata in my own local network, yet the web UI says the following on some tabs like Top:

Sign in to Netdata to use this function
Functions expose sensitive information about your systems and applications. To protect your privacy, Netdata exposes this information only to logged-in users and claimed agents. When viewing Functions directly on a Netdata Agent UI, this information is sent directly from the Netdata Agent to your web browser, without exposing it to any third parties.

I'm on my local network, so why is Netdata stopping me from viewing info about my own computer? How can I disable this requirement to sign in? I don't want to have an account on a third-party server just to view my own computer's information.

It also says something about "claimed agents". I tried the netdata-claim.sh script, but it says:

This agent was built with --disable-cloud and cannot be claimed

So how am I going to use Netdata functions now without Cloud support? I would rather not connect to third-party servers. Anyone have an idea what to do here?

ilyam8 · 2024-05-06T10:32:41Z

ilyam8
May 6, 2024
Collaborator

Hi, @squeaktoy. Not all functions require Cloud connection, see Available Functions (Require Cloud column).

It also says something about "claimed agents". I tried the netdata-claim.sh script, but it says:

What is your Netdata version? Can you show /usr/sbin/netdata -W buildinfo (or /opt/netdata/usr/sbin/netdata -W buildinfo depends on your install prefix).

There was a bug in a nightly version but it was fixed over a week ago.

7 replies

squeaktoy May 11, 2024
Author

After updating to 1..45.4, I still cannot use the netdata-claim.sh script

gurka May 15, 2024

Not all functions require Cloud connection, see Available Functions (Require Cloud column).

There it says:

Since these functions are able to execute routines on the node and due to the potential use cases that they can cover, our concern is to ensure no sensitive information or disruptive actions are exposed through the Agent's API.

I don't understand this. For example, both the Processes and Systemd-journal functions should be strictly read-only - so why is there a concern about "executing routines on the node"? Why doesn't other functions, like Block-devices or Mount-points, have this "problem"?

It feels like some functions are just arbitrary set to require Cloud, just to force people to create and connect their local nodes to a Cloud account...

Edit: additionally, "Processes", which requires Cloud, is handled by the plugin "apps". The documentation of "apps" even says:

Security

apps.plugin performs a hard-coded function of building the process tree in memory, iterating forever, collecting metrics for each running process and sending them to Netdata. This is a one-way communication, from apps.plugin to Netdata.

So, since apps.plugin cannot be instructed by Netdata for the actions it performs, we think it is pretty safe to allow it to have these increased privileges.

(https://github.com/netdata/netdata/tree/master/src/collectors/apps.plugin#security)

Ou7law007 Dec 21, 2024

Just like most open source services, if it was actually "for security purposes", they can literally make it possible to register a local account and solve the entire issue once and for all.

Ou7law007 Dec 21, 2024

Having to register your account ON THE CLOUD on its own is a big f*ck you to security.

MNLierman Feb 8, 2025

Having to register your account ON THE CLOUD on its own is a big f*ck you to security.

^^ This. Might seem blunt but how true it is, honestly. I emailed Netdata using their Contact Us option – a few reps on Reddit said invite people wanting to discuss plan options and figure out s solution that works for them to use the contact form. I did so, and gave my argument, including my willingness to agree to create a Netdata Cloud account and link up my devices, IF I could secure my account with additional layers or security and also be able to link up all of my local devices under their free plan. 2 weeks later, I have not received a reply.

They're milking home users who probably aren't even their big money makers, and all of this new required plan stuff wasn't a thing a few years ago. If I was making money off their products, sure, I'll pay for it then, but I don't. I barely make enough money to pay myself, and some months, I don't even have money to do that.

One of the reps, somewhere on Reddit, had stated sometime ago, that Netdata is open source and anyone can modify the code, and for that matter, I could create my own account service. Yeah, ok, because I have that level of programming experience to roll my own accounts solution.

ribtoks · 2025-06-08T11:40:38Z

ribtoks
Jun 8, 2025

Can we have any way (runtime is preferred, but compile time is also OK) to force-allow access to local functions like systemd-journald? This function can be disabled by default, but overridable with sudo rights.

0 replies

fuad00 · 2025-07-04T23:25:20Z

fuad00
Jul 4, 2025

any updates?

0 replies

Otmanraad · 2025-07-23T14:48:20Z

Otmanraad
Jul 23, 2025

for real like forcing us to use their cloud services, like i can just go use a different metric monitoring, well time to uninstall.

0 replies

bits-craft · 2025-09-03T20:15:36Z

bits-craft
Sep 3, 2025

Bump!

0 replies

lyc8503 · 2025-09-10T16:28:00Z

lyc8503
Sep 10, 2025

I've also been troubled by this issue and found a possible workaround.

You need to fork the netdata code, modify the src/database/rrdfunctions-inflight.c file, remove the relevant permission checks, and then compile it. Like this:

diff --git a/src/database/rrdfunctions-inflight.c b/src/database/rrdfunctions-inflight.c
index a14234bff431c5..885960b283d26c 100644
--- a/src/database/rrdfunctions-inflight.c
+++ b/src/database/rrdfunctions-inflight.c
@@ -438,48 +438,6 @@ int rrd_function_run(RRDHOST *host, BUFFER *result_wb, int timeout_s,
         return code;
     }
 
-    if(!http_access_user_has_enough_access_level_for_endpoint(user_access, rdcf->access)) {
-
-        if((rdcf->access & HTTP_ACCESS_SIGNED_ID) && !(user_access & HTTP_ACCESS_SIGNED_ID))
-            code = rrd_call_function_error(result_wb,
-                                           "You need to be authenticated via Netdata Cloud Single-Sign-On (SSO) "
-                                           "to access this feature. Sign-in on this dashboard, "
-                                           "or access your Netdata via https://app.netdata.cloud.",
-                                           HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access));
-
-        else if((rdcf->access & HTTP_ACCESS_SAME_SPACE) && !(user_access & HTTP_ACCESS_SAME_SPACE))
-            code = rrd_call_function_error(result_wb,
-                                           "You need to login to the Netdata Cloud space this agent is claimed to, "
-                                           "to access this feature.",
-                                           HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access));
-
-        else if((rdcf->access & HTTP_ACCESS_COMMERCIAL_SPACE) && !(user_access & HTTP_ACCESS_COMMERCIAL_SPACE))
-            code = rrd_call_function_error(result_wb,
-                                           "This feature is only available for commercial users and supporters "
-                                           "of Netdata. To use it, please upgrade your space. "
-                                           "Thank you for supporting Netdata.",
-                                           HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access));
-
-        else {
-            HTTP_ACCESS missing_access = (~user_access) & rdcf->access;
-            char perms_str[1024];
-            http_access2txt(perms_str, sizeof(perms_str), ", ", missing_access);
-
-            char msg[2048];
-            snprintfz(msg, sizeof(msg), "This feature requires additional permissions: %s.", perms_str);
-
-            code = rrd_call_function_error(result_wb, msg,
-                                           HTTP_ACCESS_PERMISSION_DENIED_HTTP_CODE(user_access));
-        }
-
-        dictionary_acquired_item_release(host->functions, host_function_acquired);
-
-        if(result_cb)
-            result_cb(result_wb, code, result_cb_data);
-
-        return code;
-    }
-
     if(timeout_s <= 0)
         timeout_s = rdcf->timeout;

Configuring a complete build and packaging environment is cumbersome, but the compilation process can be handled on GitHub Actions. Although the pipeline may fail due to the absence of an official GPG key, you can still download the compiled deb package, like: https://github.com/lyc8503/netdata/actions/runs/17618181095/job/50056891375

Two important points to note:

After removing permission checks, anyone can directly access features on the Dashboard. You must add password protection using a reverse proxy or employ methods like SSH forwarding to ensure only you can access the Dashboard.
The check for HTTP_ACCESS_COMMERCIAL_SPACE is also removed, which appears to bypass the paywall. However, in my brief testing, I found this does not actually do anything. The existing AI insights premium features remain online and still require payment to use. To put it another way, undoubtedly, users have the freedom to modify the Netdata Agent released under the GPL-3.0 license.
The only cause for concern is that the Netdata UI (dashboard frontend) is released under a non-free license, and it mentions This license allows you to use the Software only to interface with the licensor's other software components, such as Netdata Agents and Netdata Cloud. Any use with replacements for these components is not permitted.
The question is, does a Netdata Agent that has only had a few lines of code modified still qualify as a Netdata Agent? Personally, I believe it does. This is what open-source software is all about.

Regardless, I've been using Netdata on my HomeLab for over seven years now. Its diagnostic capabilities and detailed metrics help me quickly resolve complex issues. I really like it.

Though recent changes, including the tight coupling with Netdata Cloud and the removal of the open-source v1 dashboard, have left me somewhat disappointed. We hope Netdata will become more user-friendly for individual users in terms of its product and design, rather than rushing to promote Netdata Cloud and expensive subscription plans.

2 replies

fuad00 Sep 10, 2025

nice one! people certainly need a docker image of that!

lyc8503 Sep 11, 2025

nice one! people certainly need a docker image of that!

I found some metrics missing when running in docker (even after mounting all required files), so I install Netdata directly on host.

If you'd like to have a docker image, you can pull the Netdata repo, make the modification above and build it locally. It should be much easier to build locally with Docker. Dockerfile is located at packaging/docker/Dockerfile.

budius · 2025-10-03T12:43:11Z

budius
Oct 3, 2025

I'm happy I didn't install locally and just ran it as a docker container for testing.
Now I can just 'docker compose down' and go find a different solution.

Thanks for the reports and confirm it's not really possible.

0 replies

The1hauntedX · 2025-11-19T09:13:01Z

The1hauntedX
Nov 19, 2025

Good find, @lyc8503! It looks like a simpler change can instead be made to src/web/api/http_auth.h

diff --git a/src/web/api/http_auth.h b/src/web/api/http_auth.h
index 0b01fdb1e..6c6f67802 100644
--- a/src/web/api/http_auth.h
+++ b/src/web/api/http_auth.h
@@ -15,7 +15,7 @@ time_t bearer_create_token(nd_uuid_t *uuid, HTTP_USER_ROLE user_role, HTTP_ACCES
 bool web_client_bearer_token_auth(struct web_client *w, const char *v);
 
 static inline bool http_access_user_has_enough_access_level_for_endpoint(HTTP_ACCESS user, HTTP_ACCESS endpoint) {
-    return ((user & endpoint) == endpoint);
+    return true;
 }

This also unlocks the ability to mange collector configs from the UI as well.

0 replies

vhbui02 · 2026-01-14T06:38:51Z

vhbui02
Jan 14, 2026

I want to give thanks to both @The1hauntedX and @lyc8503 answers, and create an automated workflow for it:

First, fork the netdata/netdata repository.
Second, make changes to src/web/api/http_auth.h according to @The1hauntedX
Third, create a GitHub PAT with read-write permission on "Contents" and put it in the fork's repo secret via GitHub Web UI.
Fourth, add a GitHub Actions workflow file to automate fork syncing (make sure to add your name and email at step 1):

# Cre: https://github.com/orgs/community/discussions/153608#discussioncomment-12453674
name: Sync Fork with Upstream
on:
  schedule:
    - cron: "0 0 * * *" # Runs daily at midnight UTC
  workflow_dispatch: # Allows manual triggering

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Configure Git
        run: |
          git config --global user.email "insert your email here"
          git config --global user.name "insert your name here"

      - name: Checkout Forked Repository
        uses: actions/checkout@v6
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          fetch-depth: 0

      - name: Sync Upstream & Apply Patch
        run: |
          # 1. Fetch Upstream
          git remote add upstream https://github.com/netdata/netdata.git
          git fetch upstream master

          # 2. Hard Reset: Wipe local history to match Upstream exactly
          # This removes yesterday's patch commit so we don't get conflicts
          git checkout master
          git reset --hard upstream/master

          # 3. Apply the Hack (sed)
          echo "Applying auth bypass patch..."
          sed -i 's/return ((user & endpoint) == endpoint);/return true;/' src/web/api/http_auth.h

          # 4. Commit the changes
          git add src/web/api/http_auth.h
          git commit -m "feat: bypass Netdata Cloud sign-in which is required to access dashboard features"

          # 5. Force Push
          # We force push because we rewrote history (replaced yesterday's commit with today's)
          git push origin master --force

Fifth, commit the changes.
Sixth, copy this script into /usr/local/bin/netdata-custom-updater.sh and change $REPO_OWNER:

Note

If you're not using Ubuntu 24.04, refer to the artifact list at https://github.com/lyc8503/netdata/actions/runs/17618181095/ and change $ARTIFACT_NAME accordingly:

#!/usr/bin/env bash

set -euo pipefail

REPO_OWNER="vhbui02"
REPO_NAME="netdata"
ARTIFACT_NAME="ubuntu-24.04-amd64-packages"

# https://docs.github.com/en/rest/actions/artifacts?apiVersion=2022-11-28#list-artifacts-for-a-repository
ARTIFACT_URL=$(curl -fsL \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/artifacts?per_page=100&page=1&name=${ARTIFACT_NAME}" \
    | jq -r '.artifacts.[].archive_download_url')

if [ -z "${ARTIFACT_URL}" ] || [ "${ARTIFACT_URL}" == "null" ]; then
    echo "Error: Artifact not found!"
    exit 1
fi

curl -fsL \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    -o /tmp/netdata.zip "${ARTIFACT_URL}"

# -o: overwrite files without prompting
# -qq: quiet mode
unzip -o -qq /tmp/netdata.zip -d /tmp/netdata

# -o Dpkg::Options::="--force-confold" : Keep old config (default=N)
# -o Dpkg::Options::="--force-confdef" : Use default if no modified file exists
if ! (command -v netdata >/dev/null); then
    sudo apt-get install \
        -y \
        -o Dpkg::Options::="--force-confdef" \
        -o Dpkg::Options::="--force-confold" \
        /tmp/netdata/netdata*.deb
else
    sudo apt-get install \
        -y \
        -o Dpkg::Options::="--force-confdef" \
        -o Dpkg::Options::="--force-confold" \
        --only-upgrade \
        /tmp/netdata/netdata*.deb
fi

# Cleanup
rm -f /tmp/netdata.zip 
rm -rf /tmp/netdata

Seventh, mask the built-in systemd updater:

sudo systemctl mask --now netdata-updater.timer
sudo systemctl mask --now netdata-updater.service

Eighth, create your own systemd updater (remember to update GITHUB_TOKEN inside service file and set its permission to 600, or you can use EnvironmentFile= entry with hardened env file instead):

# /etc/systemd/system/netdata-custom-updater.timer
[Unit]
Description=Daily auto-updates for Netdata
RefuseManualStart=no
RefuseManualStop=no

[Timer]
Persistent=false
OnCalendar=daily
Unit=netdata-custom-updater.service

[Install]
WantedBy=timers.target

# /etc/systemd/system/netdata-custom-updater.service
[Unit]
Description=Daily auto-updates for Netdata
RefuseManualStart=no
RefuseManualStop=yes

[Service]
Type=oneshot
Environment="GITHUB_TOKEN=insert-your-token-here"
ExecStart=/usr/local/bin/netdata-custom-updater.sh

Ninth, enable the auto updater:

sudo systemctl enable --now netdata-custom-updater.timer

Tenth, trigger the auto updater manually for initial installation:

sudo systemctl start netdata-custom-updater.service

P/s: This 10-step workflows is my fight to vendor lock-in and attempt to try to make us stupid by saying cloud is necessary for basic auth.

EDIT: I've updated a better CI/CD job that can avoid conflicts even if src/web/api/http_auth.h changed in the future (which hasn't changed in the last 2 years).

3 replies

sashwathn Jan 16, 2026
Collaborator

@vhbui02 : Satya here and I head Product at Netdata.

Thanks for the discussion — and here's a response just to clear things up 🙂

What's being talked about here isn't a bug or something that can be "configured away". The functionality in question is part of the Netdata Cloud / Enterprise UI, which is covered by the Netdata Cloud UI license:
https://app.netdata.cloud/LICENSE.txt

That license doesn't allow bypassing or disabling licensing or access controls, so we can't support or recommend doing that.

It's also worth stressing that Netdata isn't "free or enterprise-only". We offer several options, depending on the use case:

Netdata Agent is still GPL and can always be used locally without Netdata Cloud
Netdata Cloud SaaS for a fully managed experience
Netdata Cloud On-Prem for self-hosted environments
Netdata Cloud HomeLab, which is intentionally very generous for personal/small setups, and currently costs $90/year

If you want the advanced UI features without limitations, one of the Netdata Cloud plans — especially HomeLab for non-commercial use — is the supported way to get them.

We're happy to help clarify what's included in each option or point you to a setup that fits your needs. Discussions or instructions about bypassing licensing, however, are out of scope and won't be supported here.

DDoSolitary Jan 16, 2026

Thanks, for clarifying that modifying GPL licensed code is "bypassing or disabling licensing or access controls". 🙂

sashwathn Jan 16, 2026
Collaborator

@DDoSolitary: There is a reason we have created multiple offerings - to try and fit in different requirements - Community, Homelab and Businesses.
The Netdata Dashboard and any access controls through it falls under a separate license.

I understand your perspective but we do not want to continue the discussion on this thread discussing about bypassing our access controls (hope you understand).

I am more than happy to get on a call and discuss the best way forward. We are in fact ideating an Enterprise Agent offering and it will be good to get some feedback from you. 😄

How do I use functions without having to sign in? #17594

Uh oh!

Uh oh!

Replies: 9 comments · 12 replies

Uh oh!

Uh oh!

ilyam8 May 6, 2024 Collaborator

Uh oh!

squeaktoy May 11, 2024 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sashwathn Jan 16, 2026 Collaborator

Uh oh!

Uh oh!

sashwathn Jan 16, 2026 Collaborator

Replies: 9 comments 12 replies

ilyam8
May 6, 2024
Collaborator

squeaktoy May 11, 2024
Author

sashwathn Jan 16, 2026
Collaborator

sashwathn Jan 16, 2026
Collaborator