Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backend plugins: Unsigned external plugins should not be loaded by default #24027

Closed
bergquist opened this issue Apr 29, 2020 · 13 comments · Fixed by #24075
Closed

Backend plugins: Unsigned external plugins should not be loaded by default #24027

bergquist opened this issue Apr 29, 2020 · 13 comments · Fixed by #24075
Assignees
@aknuds1
Labels
area/backend/plugins area/backend/security area/backend
Projects
Backend Platform Squad
Milestone
7.0.0-beta2

Comments

@bergquist
Copy link
Contributor

bergquist commented Apr 29, 2020
edited by aknuds1

Unsigned external plugins should not be loaded by default since it can be considered a security issue. Grafana should provide a setting to override this behavior for specified plugins.

External plugins means plugins installed into the plugins directory (configured via paths.plugins).

EX

[plugins]
allow_loading_unsigned_plugins = "plugin1, plugin2, plugin3"

Note by Arve:
According to @ryantxu we should only validate the signatures of back-end plugins for now.
@bergquist bergquist added this to the 7.0 milestone Apr 29, 2020
@aknuds1 aknuds1 self-assigned this Apr 29, 2020
@aknuds1 aknuds1 added this to In progress in Backend Platform Squad Apr 29, 2020
@aknuds1 aknuds1 changed the title Backend plugins: Unsigned plugins should not be loaded by default Backend plugins: Unsigned external plugins should not be loaded by default Apr 30, 2020
@aknuds1 aknuds1 mentioned this issue Apr 30, 2020
Merged
@aknuds1 aknuds1 moved this from In progress to Under review in Backend Platform Squad Apr 30, 2020
@aknuds1 aknuds1 mentioned this issue Apr 30, 2020
Merged
Backend Platform Squad automation moved this from Under review to Done May 4, 2020
@Shannanigans
Copy link

@bergquist As I am quite new to Grafana I am unsure, but it would seem that the backend plugin tutorial does not account for this recent update.

https://grafana.com/tutorials/build-a-data-source-backend-plugin/#3

Which I believe is now the cause of:

t=2020-05-21T16:04:21+0000 lvl=eror msg="Failed to load plugin" logger=plugins error="plugin \"myorg-my-backend-data-source-plugin\" is unsigned" pluginPath=/var/lib/grafana/plugins/my-backend-data-source-plugin/dist

@aknuds1
Copy link
Contributor

aknuds1 commented May 21, 2020

@Shannanigans thanks for reporting that, it does look as if it needs to be updated. Would you mind creating an issue for updating the tutorial?

@Shannanigans
Copy link

@aknuds1 Am I correct in assuming that the issue should be created in the tutorials repo?

@aknuds1
Copy link
Contributor

aknuds1 commented May 21, 2020

@Shannanigans That looks correct to me. BTW you can use the setting plugins.allow_loading_unsigned_plugins to allow loading your plugin without having signed it first (we don't have support for signing community plugins yet).

@Shannanigans Shannanigans mentioned this issue May 21, 2020
Closed
@Shannanigans
Copy link

In case anyone lands here with a similar issue and is using docker you can add you plugin to the unsigned whitelist like so:

docker run -d \
-p 3000:3000 \
-v "$(pwd)"/grafana-plugins:/var/lib/grafana/plugins \
--name=grafana \
-e "GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS=myorg-my-backend-data-source-plugin" \
grafana/grafana

Plugin config docs
Configuration via env vars

@CapChrisCap CapChrisCap mentioned this issue Jun 16, 2020
Closed
@ronaldoedy ronaldoedy mentioned this issue Aug 27, 2020
Closed
@iamlauriano
Copy link

None of the above options work, whoever has this problem will have to add the environment variables like this:
<-e "GF_INSTALL_PLUGINS = alexanderzobnin-zabbix-app" -e "GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS = alexanderzobnin-zabbix-datasource">

@jadbaz
Copy link

jadbaz commented Aug 28, 2020

@LaurianoElmiroDuarte you're a lifesaver
It just so happens I'm actually looking for this exact plugin
Thanks a million!

@iamlauriano
Copy link

iamlauriano commented Aug 28, 2020 via email
edited

@jfelpel
Copy link

jfelpel commented Aug 31, 2020

@LaurianoElmiroDuarte How would I add those environment variables when running grafana installed on centos8?

I am running into the same issue with it not loading the zabbix plugin, and like you, nothing I have tried from these forums has worked...

Thoughts? Ideas?

-JF

@iamlauriano
Copy link

iamlauriano commented Aug 31, 2020 via email

@jczinger
Copy link

jczinger commented Sep 4, 2020

adding the following to /var/grafana/grafana.ini in the [plugins] section is how I did it on a non-docker install.
allow_loading_unsigned_plugins=NAME_OF_PLUGIN

Here is my log entry before making the change:

sudo cat /var/log/grafana/grafana.log | grep zabbix
t=2020-09-04T15:31:38-0600 lvl=eror msg="Failed to load plugin" logger=plugins error="plugin \"alexanderzobnin-zabbix-datasource\" is unsigned" pluginPath=/var/lib/grafana/plugins/dist/alexanderzobnin-zabbix-app/datasource-zabbix
t=2020-09-04T15:31:38-0600 lvl=warn msg="Some plugins failed to load" logger=plugins errors="[plugin \"alexanderzobnin-zabbix-datasource\" is unsigned]"

And after:

sudo cat /var/log/grafana/grafana.log | grep zabbix
t=2020-09-04T15:33:46-0600 lvl=warn msg="Running an unsigned backend plugin" logger=plugins pluginID=alexanderzobnin-zabbix-datasource pluginDir=/var/lib/grafana/plugins/dist/alexanderzobnin-zabbix-app/datasource-zabbix
t=2020-09-04T15:33:47-0600 lvl=info msg=Profiler logger=plugins.backend pluginId=alexanderzobnin-zabbix-datasource enabled=false

The datasource showed up after this.

@vschettino vschettino mentioned this issue Sep 15, 2020
Merged
@derrickoswald derrickoswald mentioned this issue Oct 9, 2020
Closed
@dlopes7
Copy link

dlopes7 commented Nov 1, 2020

Any news about allowing the community to sign plugins?

@etichy etichy mentioned this issue Nov 14, 2020
Closed
@starkblaze01 starkblaze01 mentioned this issue Apr 26, 2021
Open
@MohdRashid01
Copy link

How to pass this command <-e "GF_INSTALL_PLUGINS = grafana-kubernetes-app" -e "GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS = grafana-kubernetes-app"> in Kubernetes grafana.yaml file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aknuds1 aknuds1

Labels
area/backend/plugins area/backend/security area/backend
Projects
No open projects
Backend Platform Squad
  
Done
Milestone
7.0.0-beta2
Development

Successfully merging a pull request may close this issue.

Plugins: Require signing of external back-end plugins grafana/grafana
9 participants
@aknuds1 @bergquist @MohdRashid01 @dlopes7 @jadbaz @Shannanigans @iamlauriano @jczinger @jfelpel