backend: Feature - enable kerberos with forked go-mysql-driver

Dockerfile

@@ -39,7 +39,7 @@ ARG BINGO="true"
 
 # Install build dependencies
 RUN if grep -i -q alpine /etc/issue; then \
-      apk add --no-cache gcc g++ make git; \
+      apk add --no-cache gcc g++ make git krb5-libs krb5-dev; \
     fi
 
 WORKDIR /tmp/grafana
@@ -106,11 +106,15 @@ WORKDIR $GF_PATHS_HOME
 # Install dependencies
 RUN if grep -i -q alpine /etc/issue; then \
       apk add --no-cache ca-certificates bash curl tzdata musl-utils && \
+      apk add --no-cache openssl musl-utils libcrypto1.1>1.1.1t-r1 libssl1.1>1.1.1t-r1 && \
+      apk add --no-cache krb5-libs krb5 && \
+      ln -s /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so && \
       apk info -vv | sort; \
     elif grep -i -q ubuntu /etc/issue; then \
       DEBIAN_FRONTEND=noninteractive && \
       apt-get update && \
       apt-get install -y ca-certificates curl tzdata && \
+      apt-get install -y openssl krb5-libs krb5 && \
       apt-get autoremove -y && \
       rm -rf /var/lib/apt/lists/*; \
     else \

docs/sources/datasources/mysql/_index.md

@@ -49,6 +49,12 @@ Administrators can also [configure the data source via YAML]({{< relref "#provis
 | **Auto (max idle)**  | If set will set the maximum number of idle connections to the number of maximum open connections (Grafana v9.5.1+). Default is `true`.                                                                                                                                                                                                                                                                                                                                  |
 | **Max lifetime**     | The maximum amount of time in seconds a connection may be reused, default `14400`/4 hours. This should always be lower than configured [wait_timeout](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_wait_timeout) in MySQL (Grafana v5.4+).                                                                                                                                                                                               |
 
+### Kerberos Authentication
+
+It is also possible to use kerberos authentication when running MySQL Enterprise, and will require additional setup for Grafana.
+
+For details, see the [configuring MySQL with Kerberos documentation]({{< relref "./kerberos/" >}}).
+
 ### Min time interval
 
 The **Min time interval** setting defines a lower limit for the [`$__interval`]({{< relref "../../dashboards/variables/add-template-variables#__interval" >}}) and [`$__interval_ms`]({{< relref "../../dashboards/variables/add-template-variables#__interval_ms" >}}) variables.

docs/sources/datasources/mysql/kerberos/_index.md

@@ -0,0 +1,85 @@
+---
+aliases:
+  - ../../data-sources/mysql/kerberos/
+description: Using Kerberos Authentication with MySQL Enterprise in Grafana
+keywords:
+  - grafana
+  - MySQL
+  - SQL
+  - kerberos
+menuTitle: Kerberos Authentication
+title: MySQL Enterprise Kerberos Integration
+weight: 400
+---
+
+# Kerberos Authentication with MySQL Enterprise in Grafana
+
+A datasource (and Grafana itself) can use a kerberos-enabled MySQL Enterprise connection.
+
+There are three modes of operation, each are detailed below.
+
+## Environment Variables
+
+Configuring Grafana to use kerberos authentication is done using environment variables that are common to the krb5 go library, and one additional variable unique to this driver.
+
+- KRB5_CONFIG (defaults to `/etc/krb5.conf`)
+- KRB5_CLIENT_KTNAME (user keytab)
+- KRB5CCNAME
+- KRB5_CC_LOOKUP_FILE
+
+### Keytab
+
+This is the typical setup where the user is running under a kerberos authenticated environment, and has a keytab and corresponding credential cache that is updated as needed.
+
+### Global Credential Cache
+
+This setup allows a specific credential cache to be used as a fallback where there isn't a keytab, and where there isn't a match in the lookup file.
+
+The credential cache (generated by `kinit`), can be specified with the environment variable:
+
+`KRB5CCNAME`
+
+### Per-Connection Credential Cache
+
+This provides a lookup file that maps a connection to a specific credential cache. This allows connection to multiple databases with different users using the appropriate authentication.
+
+`KRB5_CC_LOOKUP_FILE`
+
+```JSON
+[
+ {
+   "user": "usera",
+   "database": "dbone",
+   "address": "mysql1.mydomain.com:3306",
+   "credentialCache": "/tmp/krb5cc_1000"
+ },
+ {
+   "user": "userb",
+   "database": "dbtwo",
+   "address": "mysql2.mydomain.com:3306",
+   "credentialCache": "/tmp/krb5cc_1001"
+ }
+]
+```
+
+# Configuring a Kerberos Enabled MySQL Datasource
+
+The configuration options remain the same, except for the hostname option which will include a simple connection string in the hostname field in the form:
+
+```TEXT
+mysql://kirbuser@emysql.grafana.com:3306/grafanacore
+```
+
+Authentication will use the environment variables/lookup methods as needed. The username/password fields shouldl remain empty.
+
+# Running Grafana with a Kerberos Enabled MySQL Database
+
+An example of running Grafana using this method:
+
+```SHELL
+export GF_DATABASE_URL=mysql://kirbuser@emysql.grafana.com:3306/grafanacore
+export GF_DATABASE_MAX_IDLE_CONN=10
+export KRB5CCNAME=/tmp/krb5cc_1000
+```
+
+In the above example, the user ID is `1000` and the `kinit` command would generate the `/tmp/krb5cc_1000` file for the user `kirbuser.`

go.mod

@@ -42,7 +42,7 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible
-	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-sql-driver/mysql v1.7.0
 	github.com/go-stack/stack v1.8.1
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
@@ -302,10 +302,16 @@ require (
 	github.com/gophercloud/gophercloud v1.0.0 // indirect
 	github.com/grafana/sqlds/v2 v2.3.10 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.2 // indirect
 	github.com/hashicorp/memberlist v0.5.0 // indirect
 	github.com/hetznercloud/hcloud-go v1.35.3 // indirect
 	github.com/invopop/yaml v0.1.0 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.0.0 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.2 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/linode/linodego v1.9.3 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -316,6 +322,7 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b // indirect
 	github.com/perimeterx/marshmallow v1.1.4 // indirect
 	github.com/rivo/uniseg v0.3.4 // indirect
 	github.com/rueian/rueidis v0.0.100-go1.18 // indirect
@@ -417,5 +424,6 @@ replace google.golang.org/grpc => google.golang.org/grpc v1.45.0
 
 replace google.golang.org/genproto => google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3
 
+replace github.com/go-sql-driver/mysql => github.com/grafana/mysql v1.6.8
 // Use 1.10.6 of pq to avoid a change in 1.10.7 that has certificate validation issues. https://github.com/grafana/grafana/issues/65816
 replace github.com/lib/pq => github.com/lib/pq v1.10.6

go.sum

@@ -1292,6 +1292,8 @@ github.com/grafana/grafana-plugin-sdk-go v0.160.0 h1:jELbsqee5kRz9vD1hZeP8+984xM
 github.com/grafana/grafana-plugin-sdk-go v0.160.0/go.mod h1:dPhljkVno3Bg/ZYafMrR/BfYjtCRJD2hU2719Nl3QzM=
 github.com/grafana/kindsys v0.0.0-20230427152021-bb328815be7a h1:i2YhC6eTyDp+7Ftv5c6VZDUQskmKX4oIPGf38qfiZiU=
 github.com/grafana/kindsys v0.0.0-20230427152021-bb328815be7a/go.mod h1:GNcfpy5+SY6RVbNGQW264gC0r336Dm+0zgQ5vt6+M8Y=
+github.com/grafana/mysql v1.6.8 h1:kyo38C4NgghJMqaPrkWPy4rifAcipQVF+dKttfpgTCs=
+github.com/grafana/mysql v1.6.8/go.mod h1:T5l1aVEbD1U8q+mfo87Xqeg/hR3IncgnDF/3fXPnLNE=
 github.com/grafana/phlare/api v0.1.4-0.20230426005640-f90edba05413 h1:bBzCezZNRyYlJpXTkyZdY4fpPxHZUdyeyRWzhtw/P6I=
 github.com/grafana/phlare/api v0.1.4-0.20230426005640-f90edba05413/go.mod h1:IvwuGG9xa/h96UH/exgvsfy3zE+ZpctkNT9o5aaGdrU=
 github.com/grafana/prometheus-alertmanager v0.25.1-0.20230508090422-7d5630522a53 h1:X3Jl4PBIGCtlPSMa6Uiu2+3FDNWmddSjivp+1DDznQs=
@@ -1516,11 +1518,16 @@ github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dv
 github.com/jaegertracing/jaeger v1.24.0/go.mod h1:mqdtFDA447va5j0UewDaAWyNlGreGQyhGxXVhbF58gQ=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8=
 github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
 github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.2 h1:6ZIM6b/JJN0X8UM43ZOM6Z4SJzla+a/u7scXFJzodkA=
 github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
@@ -1895,6 +1902,8 @@ github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mo
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
+github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b h1:it0YPE/evO6/m8t8wxis9KFI2F/aleOKsI6d9uz0cEk=
+github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b/go.mod h1:tNrEB5k8SI+g5kOlsCmL2ELASfpqEofI0+FLBgBdN08=
 github.com/opentracing-contrib/go-grpc v0.0.0-20180928155321-4b5a12d3ff02/go.mod h1:JNdpVEzCpXBgIiv4ds+TzhN1hrtxq6ClLrTlT9OQRSc=
 github.com/opentracing-contrib/go-grpc v0.0.0-20191001143057-db30781987df/go.mod h1:DYR5Eij8rJl8h7gblRrOZ8g0kW1umSpKqYIBTgeDtLo=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=

scripts/build/ci-build/Dockerfile

@@ -37,6 +37,9 @@ WORKDIR /tmp
 RUN apt-get update && \
     apt-get install -yq \
         clang patch libxml2-dev \
+        krb5-user       \
+        libkrb5-dev     \
+        libkrb5-3       \
         build-essential \
         ca-certificates \
         curl            \
@@ -133,7 +136,7 @@ RUN apt-get update && \
         gcc             \
         g++             \
         git             \
-	      jq		          \
+	jq              \
         make            \
         rpm             \
         xz-utils        \
@@ -143,7 +146,14 @@ RUN apt-get update && \
         ruby            \
         ruby-dev        \
         rubygems        \
-        unzip && \
+        unzip           \
+        krb5-user       \
+        libkrb5-dev     \
+        libkrb5-3       \
+        cpio            \
+        rpm2cpio        \
+        unzip           \
+        zstd &&         \
     gem install -N public_suffix -v 4.0.7 && \
     gem install --conservative -N fpm && \
     ln -s /usr/bin/llvm-dsymutil-6.0 /usr/bin/dsymutil && \
@@ -183,6 +193,28 @@ RUN cd /tmp && \
     tar xf x86_64-linux-musl-cross.tgz && \
     rm x86_64-linux-musl-cross.tgz
 
+# Add kerberos for x64 musl and arm v7/v8
+RUN cd /tmp && \
+    curl -fLO http://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/krb5-dev-1.20.1-r0.apk && \
+    tar xf krb5-dev-1.20.1-r0.apk && \
+    cp -r usr/include/* /tmp/x86_64-linux-musl-cross/x86_64-linux-musl/include/ && \
+    rm krb5-dev-1.20.1-r0.apk && \
+    rm -rf /tmp/usr && \
+    curl -fLO http://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/krb5-dev-1.20.1-r0.apk && \
+    tar xf krb5-dev-1.20.1-r0.apk && \
+    cp -r usr/include/* /tmp/aarch64-linux-musl-cross/aarch64-linux-musl/include/ && \
+    cp -r usr/include/* /tmp/arm-linux-musleabihf-cross/arm-linux-musleabihf/include/ && \
+    rm krb5-dev-1.20.1-r0.apk && \
+    rm -rf /tmp/usr && \
+    curl -fLO http://raspbian.raspberrypi.org/raspbian/pool/main/h/heimdal/heimdal-multidev_7.7.0+dfsg-2+deb11u3_armhf.deb && \
+    mkdir rpi-armv6 && \
+    cd rpi-armv6 && \
+    ar x ../heimdal-multidev_7.7.0+dfsg-2+deb11u3_armhf.deb && \
+    tar xvf data.tar.xz && \
+    cp -r /tmp/rpi-armv6/usr/include/heimdal/* /opt/rpi-tools/arm-bcm2708/arm-linux-gnueabihf/arm-linux-gnueabihf/include/ && \
+    cd .. && \
+    rm -rf rpi-armv6
+#
 RUN go install github.com/mgechev/revive@v1.0.2 && \
   mv ${GOPATH}/bin/revive /usr/local/bin/ && \
   go install github.com/google/go-jsonnet/cmd/jsonnetfmt@latest && \

scripts/build/ci-build/bootstrap.sh

@@ -3,3 +3,21 @@
 cd /tmp || exit 1
 tar xfJ x86_64-centos6-linux-gnu.tar.xz
 tar xfJ osxcross.tar.xz
+#
+# Add kerberos libs and headers, copy headers to expected path
+export PATH=$PATH:/tmp/osxcross/target/bin
+export MACOSX_DEPLOYMENT_TARGET=10.15
+export OSXCROSS_MACPORTS_MIRROR=packages.macports.org
+osxcross-macports install kerberos5
+osxcross-macports install heimdal
+mkdir -p /usr/local/opt/heimdal/include
+cp -r /tmp/osxcross/target/macports/pkgs/opt/local/libexec/heimdal/include/* /usr/local/opt/heimdal/include/
+
+# Kerberos for centos
+curl -flO http://mirror.centos.org/centos/7/os/x86_64/Packages/krb5-devel-1.15.1-50.el7.x86_64.rpm
+mkdir krb-rpm
+cd krb-rpm
+rpm2cpio ../krb5-devel-1.15.1-50.el7.x86_64.rpm | cpio -idmv
+cp -r usr/include/* /tmp/x86_64-centos6-linux-gnu/x86_64-centos6-linux-gnu/include/ && \
+cd ..
+rm -rf krb-rpm