-
Notifications
You must be signed in to change notification settings - Fork 11.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Store datasource passwords encrypted in secureJsonData #16175
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have left a few comments. Think this is a good start. Haven't tested it yet though.
4b233ce
to
aad532b
Compare
@@ -184,8 +188,8 @@ Secure json data is a map of settings that will be encrypted with [secret key](/ | |||
| tlsCACert | string | *All* |CA cert for out going requests | | |||
| tlsClientCert | string | *All* |TLS Client cert for outgoing requests | | |||
| tlsClientKey | string | *All* |TLS Client key for outgoing requests | | |||
| password | string | PostgreSQL | password | | |||
| user | string | PostgreSQL | user | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like this was an error. User is taken from user field not from secureJsonData
@@ -135,6 +137,12 @@ func (cfg *DatasourcesAsConfigV1) mapToDatasourceFromConfig(apiVersion int64) *D | |||
Editable: ds.Editable, | |||
Version: ds.Version, | |||
}) | |||
if ds.Password != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added warnings here, thought not sure if there won't be too much of them if somebody has a lots of datasources.
@@ -178,6 +178,10 @@ func UpdateDataSource(cmd *m.UpdateDataSourceCommand) error { | |||
sess.UseBool("basic_auth") | |||
sess.UseBool("with_credentials") | |||
sess.UseBool("read_only") | |||
// Make sure password are zeroed out if empty. We do this as we want to migrate passwords from | |||
// plain text fields to SecureJsonData. | |||
sess.MustCols("password") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interestingly at the moment it is not actually possible to remove values from config. I needed to add these to be able to do that for plain text password, but otherwise no other value can be removed. Probably not a big issue but wondered how to properly handle such things. Should there be something like fieldSet
bool when serialising the request? Right now we send the whole object to the API so this should not be an issue, but this won't support a partial PUT requests.
onPasswordChange: ReturnType<typeof createChangeHandler>; | ||
|
||
constructor() { | ||
this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wanted to reuse the handler logic as it is the same everywhere but my Angular is rusty so this patter was the best I come up with.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
* grafana/master: Docs: minor docs update for old urls Chore: Add more explicit typing (grafana#16594) Chore: Lowered implicit anys limit to 5977 Chore: Adds typings to lodash (grafana#16590) PanelEditor: Change Queries heading to Query (grafana#16536) Security: Store datasource passwords encrypted in secureJsonData (grafana#16175) More development dashboards (grafana#16550) build: upgrades to golang 1.12.4 (grafana#16545) Use package libfontconfig1, instead of libfontconfig (grafana#16548) Adjust Send on all alerts to default label (grafana#16554) Chore: Lower limit of implicit anys to 6676
Closes #10827
This got a bit wide in the sense that it needs to touch much more parts than expected. Because of that I would welcome some early feedback if the approach still makes sense.
For data sources we store passwords either in non encrypted columns or in secureJsonData which is encrypted. MSSql and Postgres already store them encrypted other datasources store them plain text. What this PR is doing. Some caveats:
What this PR does so far:
Adds migration that will move passwords from plaintext fields to secureJsonData for core datasources.When core datasource is provisioned, both password or secureJsonData.password can be used and both will save the password in secureJsonData so the format stays the same but the behaviour changes.After talking to other people it will make more sense to not complicate the code with migration and provisioning changes and instead users with existing datasources can migrate by resaving their datasources or altering their provisioned files. New datasources will be created with encrypted passwords by default.
TODO: