Security: Store datasource passwords encrypted in secureJsonData #16175
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aocenas
changed the title
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
commented
Mar 23, 2019
aocenas
added
area/plugins
area/security
area/backend/config
pr/early-feedback
daniellee
changed the title
torkelo
changed the title
marefr
reviewed
Apr 3, 2019
aocenas
force-pushed
the
encrypt-passwords
branch
from
4b233ce
to
aad532b
Compare
aocenas
removed
pr/early-feedback
aocenas
commented
Apr 9, 2019
aocenas
commented
Apr 9, 2019
| @@ -184,8 +188,8 @@ Secure json data is a map of settings that will be encrypted with [secret key](/ | |||
| | tlsCACert | string | *All* |CA cert for out going requests | | |||
| | tlsClientCert | string | *All* |TLS Client cert for outgoing requests | | |||
| | tlsClientKey | string | *All* |TLS Client key for outgoing requests | | |||
| | password | string | PostgreSQL | password | | |||
| | user | string | PostgreSQL | user | | |||
There was a problem hiding this comment.
Seems like this was an error. User is taken from user field not from secureJsonData
aocenas
commented
Apr 9, 2019
| @@ -135,6 +137,12 @@ func (cfg *DatasourcesAsConfigV1) mapToDatasourceFromConfig(apiVersion int64) *D | |||
| Editable: ds.Editable, | |||
| Version: ds.Version, | |||
| }) | |||
| if ds.Password != "" { | |||
There was a problem hiding this comment.
Added warnings here, thought not sure if there won't be too much of them if somebody has a lots of datasources.
aocenas
commented
Apr 9, 2019
| @@ -178,6 +178,10 @@ func UpdateDataSource(cmd *m.UpdateDataSourceCommand) error { | |||
| sess.UseBool("basic_auth") | |||
| sess.UseBool("with_credentials") | |||
| sess.UseBool("read_only") | |||
| // Make sure password are zeroed out if empty. We do this as we want to migrate passwords from | |||
| // plain text fields to SecureJsonData. | |||
| sess.MustCols("password") | |||
There was a problem hiding this comment.
Interestingly at the moment it is not actually possible to remove values from config. I needed to add these to be able to do that for plain text password, but otherwise no other value can be removed. Probably not a big issue but wondered how to properly handle such things. Should there be something like fieldSet bool when serialising the request? Right now we send the whole object to the API so this should not be an issue, but this won't support a partial PUT requests.
aocenas
commented
Apr 9, 2019
| onPasswordChange: ReturnType<typeof createChangeHandler>; | ||
|
|
||
| constructor() { | ||
| this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password); |
There was a problem hiding this comment.
Wanted to reuse the handler logic as it is the same everywhere but my Angular is rusty so this patter was the best I come up with.
bergquist
reviewed
Apr 12, 2019
ryantxu
added a commit
to ryantxu/grafana
that referenced
this pull request
Apr 15, 2019
* grafana/master: Docs: minor docs update for old urls Chore: Add more explicit typing (grafana#16594) Chore: Lowered implicit anys limit to 5977 Chore: Adds typings to lodash (grafana#16590) PanelEditor: Change Queries heading to Query (grafana#16536) Security: Store datasource passwords encrypted in secureJsonData (grafana#16175) More development dashboards (grafana#16550) build: upgrades to golang 1.12.4 (grafana#16545) Use package libfontconfig1, instead of libfontconfig (grafana#16548) Adjust Send on all alerts to default label (grafana#16554) Chore: Lower limit of implicit anys to 6676
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #10827
This got a bit wide in the sense that it needs to touch much more parts than expected. Because of that I would welcome some early feedback if the approach still makes sense.
For data sources we store passwords either in non encrypted columns or in secureJsonData which is encrypted. MSSql and Postgres already store them encrypted other datasources store them plain text. What this PR is doing. Some caveats:
What this PR does so far:
Adds migration that will move passwords from plaintext fields to secureJsonData for core datasources.When core datasource is provisioned, both password or secureJsonData.password can be used and both will save the password in secureJsonData so the format stays the same but the behaviour changes.After talking to other people it will make more sense to not complicate the code with migration and provisioning changes and instead users with existing datasources can migrate by resaving their datasources or altering their provisioned files. New datasources will be created with encrypted passwords by default.
TODO: