Update security.md #20981
@@ -12,29 +12,27 @@ weight = 2 | |||
|
|||
# Security | |||
|
|||
## Data source proxy and protecting internal services | |||
If you run non-Grafana web services on your Grafana server or within its local network, then they might be vulnerable to exploitation through the Grafana data source proxy. |
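Review bot: the intro sentence under `## Data source proxy and protecting internal services` names the risk (non-Grafana services on the host or its local network being reachable through Grafana) but attributes it only to the data source proxy, while the Viewer query permission discussed in this PR applies to backend data source queries as well; either widen the sentence to cover both request paths or split the proxy material and the permission material into separate H2 sections, and say in the same paragraph which permission or setting mitigates the exposure rather than leaving the section with the risk statement alone.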
"Data source proxy and protecting internal services" and "Viewer query permissions" are explaining two different things, though to some extent related, but Viewer query permissions applies to both data source proxy requests and backend data source queries.

Data source proxy calls: https://grafana.com/docs/grafana/latest/http_api/data_source/#data-source-proxy-calls

Data source backend query seems to be lacking from HTTP API, but should be /api/tsdb/query.

With your changes all sections are in H2 with intro text only referring to "exploitation through the Grafana data source proxy" which seems incorrect to me. I would consider having them in two different H2 headers or re-writing the intro text.

Thoughts?
I found that endpoint mentioned here: https://grafana.com/docs/grafana/v6.2/plugins/developing/backend-plugins-guide/#request-format
If something needs to be added to the API section, please put in a PR, even if it is sparse.
I am unclear on what relating to the tsdb query API that you cite should be added here.
I rewrote the introduction, please review and let me know if you have additional suggestions.
Co-Authored-By: Dan Cech <dcech@grafana.com>
… into docs-edit-security
Do we need any other changes, or is this ready to merge?

This pull request has been automatically marked as stale because it has not had activity in the last 2 weeks. It will be closed in 30 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

Hey guys, anything else, or is this good to go?
* origin/master: (43 commits)
  Docs: Use https scheme for Grafana playground links (#21360)
  fix docs links (#21359)
  AddDatasourcePage: Refactoring & more Phantom plugins (#21261)
  Chore: Remove empty flot.pie file (#21356)
  Docs: Fix link (#21358)
  Docs: Fix InfluxDB templated dashboard link (#21343)
  Rendering: Fix panel PNG rendering when using sub url & serve_from_sub_path = true (#21306)
  NewsPanel: update default feed url (#21342)
  docs: fix influxdb templated dashboard link (#21336)
  Docs: Update Windows.md (#21333)
  Arrow: don't export arrow... breaking phantomjs e2e test (#21331)
  DataFrame: round trip metadata to arrow Table (#21277)
  Prometheus: user metrics metadata to inform query hints (#21304)
  Panel: disable edit/duplicate/delete entry for repeat panel (#21257)
  Prometheus: Disable suggestions at beginning of value (#21302)
  grafana/ui: Do not build in strict mode as grafana/ui depends on non-strict libs (#21319)
  Docs: Update security.md (#20981)
  @grafana/data: use timeZone parameter rather than isUtc (#21276)
  Units: support dynamic count and currency units (#21279)
  Docs: Added sudo and removed $ where inconsistent. (#21314)
  ...
What this PR does / why we need it: Improve the security guidelines in Grafana documentation.
Special notes for your reviewer: Please refer to questions in the comments.