In order for the Grafana Riak TS Datasource plugin to communicate with Riak TS via the HTTP interface, cross-origin resource sharing (CORS) comes into play (*), so should be opened.
To allow customers to specify the allowable origins within their environment, the allowable_origins should be configurable. That said, the add-on and others that may come are optional so should be configured in advanced.config.
CORS provides for a wildcard match for all origins "*". While this may be used, we should provide ample reason why this should not be used in documentation for the feature.
While Grafana is mentioned here several times, this feature opens Riak TS to other such trusted add-ons where the trust is configured by the customer.
An alternative to providing CORS support is to force the customer to set up a reverse proxy, i.e. nginx which intentionally disregards CORS. This option IMHO should be left as an option to the customer, not forced upon the customer, especially since such a reverse proxy provides a tunnel that can be abused by malicious services which the reverse proxy did not intend to grant such access to.
*) Grafana plugins are JavaScript and generally make direct calls to the underlying web services. Grafana does allow for proxying, but even then the Grafana service proxying respects CORS so passes Origin and Referer headers, i.e. the following simplified curl request yanked from the net tab:
Riak TS HTTP in ^^ is listening on 10018. Grafana is listening on 3000.
[Created in JIRA by James Gorlick]
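An added example, not part of the original issue and not Riak TS code: a Python sketch of the server-side decision a configurable origin allowlist implies, contrasted with the `"*"` wildcard. The function names, the `ALLOWED` list and the `localhost` host name are assumptions made for illustration; only port 3000 comes from the issue.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Parse a serialized origin into (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An origin is scheme://host[:port] only: no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)

def serialize_origin(origin):
    """Canonical form a browser sends: default ports omitted, IPv6 bracketed."""
    scheme, host, port = origin
    host = f"[{host}]" if ":" in host else host
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"

def cors_headers(request_origin, allowed_origins):
    """CORS response headers for one request, given the configured allowlist."""
    if request_origin is None:
        return {}  # no Origin header: not a cross-origin browser request
    if "*" in allowed_origins:
        # Wildcard: a script on any site the user visits may read the response.
        return {"Access-Control-Allow-Origin": "*"}
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}  # no CORS headers: the browser withholds the response from the script
    # Echo the canonical origin (never the raw header) and keep caches per-origin.
    return {"Access-Control-Allow-Origin": serialize_origin(origin), "Vary": "Origin"}

# Constructed sample: Grafana on port 3000 as in the issue; the host name is assumed.
ALLOWED = ["http://localhost:3000"]

if __name__ == "__main__":
    for sent in ("http://localhost:3000", "http://localhost:3000.other.example",
                 "https://localhost:3000", "null"):
        print(f"{sent!r:40} -> {cors_headers(sent, ALLOWED)}")
    print(f"{'wildcard':40} -> {cors_headers('http://other.example', ['*'])}")
```

Matching on the parsed (scheme, host, port) tuple rather than on a string prefix is what rejects look-alike origins such as the second sample.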