Update security.md #20981

Merged
merged 7 commits into from
Jan 2, 2020

Conversation

oddlittlebird
Contributor

What this PR does / why we need it: Improve the security guidelines in Grafana documentation.

Special notes for your reviewer: Please refer to questions in the comments.

@@ -12,29 +12,27 @@ weight = 2

# Security

## Data source proxy and protecting internal services
If you run non-Grafana web services on your Grafana server or within its local network, then they might be vulnerable to exploitation through the Grafana data source proxy.
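Review bot: the intro sentence of this section names only the data source proxy as the path by which non-Grafana services on the Grafana host or its local network become reachable, yet the review comment below points out that backend data source queries (/api/tsdb/query) reach the same services, so a reader would conclude that hardening the proxy alone is sufficient. Either split the material into two H2 headers (one for the data source proxy, one for Viewer query permissions) or widen the sentence, e.g. "...they might be vulnerable to exploitation through Grafana data source requests, whether sent via the data source proxy or as backend data source queries."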
Member

"Data source proxy and protecting internal services" and "Viewer query permissions" explain two different things, though they are to some extent related; Viewer query permissions apply to both data source proxy requests and backend data source queries.

Data source proxy calls: https://grafana.com/docs/grafana/latest/http_api/data_source/#data-source-proxy-calls
Data source backend query seems to be lacking from HTTP API, but should be /api/tsdb/query.

With your changes all sections are in H2, with intro text only referring to "exploitation through the Grafana data source proxy", which seems incorrect to me. I would consider having them under two different H2 headers or rewriting the intro text.

Thoughts?

Contributor Author

I found that endpoint mentioned here: https://grafana.com/docs/grafana/v6.2/plugins/developing/backend-plugins-guide/#request-format

If something needs to be added to the API section, please put in a PR, even if it is sparse.

I am unclear on what relating to the tsdb query API that you cite should be added here.

I rewrote the introduction; please review and let me know if you have additional suggestions.

@oddlittlebird
Contributor Author

Do we need any other changes, or is this ready to merge?

@stale

stale bot commented Jan 2, 2020

This pull request has been automatically marked as stale because it has not had activity in the last 2 weeks. It will be closed in 30 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@stale stale bot added the "stale" (Issue with no recent activity) label Jan 2, 2020
@oddlittlebird
Contributor Author

Hey guys, anything else, or is this good to go?

@stale stale bot removed the "stale" (Issue with no recent activity) label Jan 2, 2020
@oddlittlebird oddlittlebird merged commit 534e343 into master Jan 2, 2020
@oddlittlebird oddlittlebird deleted the docs-edit-security branch January 2, 2020 21:51
ryantxu added a commit that referenced this pull request Jan 6, 2020
* origin/master: (43 commits)
  Docs: Use https scheme for Grafana playground links (#21360)
  fix docs links (#21359)
  AddDatasourcePage: Refactoring & more Phantom plugins (#21261)
  Chore: Remove empty flot.pie file (#21356)
  Docs: Fix link (#21358)
  Docs: Fix InfluxDB templated dashboard link (#21343)
  Rendering: Fix panel PNG rendering when using sub url & serve_from_sub_path = true (#21306)
  NewsPanel: update default feed url (#21342)
  docs: fix influxdb templated dashboard link (#21336)
  Docs: Update Windows.md (#21333)
  Arrow: don't export arrow... breaking phantomjs e2e test (#21331)
  DataFrame: round trip metadata to arrow Table (#21277)
  Prometheus: user metrics metadata to inform query hints (#21304)
  Panel: disable edit/duplicate/delete entry for repeat panel (#21257)
  Prometheus: Disable suggestions at beginning of value (#21302)
  grafana/ui: Do not build in strict mode as grafana/ui depends on non-strict libs (#21319)
  Docs: Update security.md (#20981)
  @grafana/data: use timeZone parameter rather than isUtc (#21276)
  Units: support dynamic count and currency units (#21279)
  Docs: Added sudo and removed $ where inconsistent. (#21314)
  ...

6 participants