Observed that some passwords for mysql user running Grafana are not accepted when accessed from the config file upon start up. But the same passwords work when manually logging into mysql as the user. Appears to be issues with how Grafana processes certain password upon starting. Particularly, passwords with special characters like # cause problems.
Hi @wkneewalden ,
I know this is a security issue, but could you share your datasource config file on startup and an example of a password that’s not working in the config, but works manually. Make any security edits needed. And do you mean that manually entering credentials in Grafana’s datasource setup UI will make it work, or are you referring to a more direct method of manually accessing the db, like using curl or a local login?
Also:
what are you deploying to?
what grafana version?
what mysql version/any unusual configs?
is the mysql instance remote? Any reverse proxy/services in front of it?
Thanks for the response. This was observed during a deployment in Oct 2020, and now going back to investigate. Might have to retest with latest Grafana version to see if issue still occurs.
At the time the version of Grafana was 7.1.5. The mysql version was 5.7.12. In terms of configuration, nothing unusual with mysql. The endpoint is an RDS server for Grafana hosted on AWS, hence for Grafana the config file grafana.ini includes the following (with generic values here):
[database]
type = mysql
host = RDS_ENDPOINT:DB_PORT
name = DB_NAME
user = DB_USER
password = rds_pass
The password attempted that did not work was rds_pass=7yX4reG#zXW8Bk. What is observed is that when this password is put in the grafana.ini and Grafana server attempts to start, the user cannot login to mysql of the RDS with the password. However, by using mysql in the terminal of the instance running the server and manually logging into the user, the password works.
The work around going forward has been to test all password formats in the testing environment first to see if they work with grafana.ini before using one in production. But understanding what in the format caused the issue would be helpful.
My immediate impression on seeing that password is that the # character has
been interpreted as the start of a comment, and therefore Grafana thinks the
password is 7yX4reG.
Antony.
2 Likes
Ok, thanks. If I see any other passwords through testing that give same result, I will post some output from Grafana log. Unfortunately, I don’t have the log from this first password example since it happened a while ago. But fairly certain the log gave a message indicating user cannot log into mysql server. Other special characters have not caused issues. That would fit with the above comment.
Providing some update on this related issue. It was discovered that having ‘#’ inside Grafana admin user passwords can cause similar problems when attempting Grafana API commands with curl. Seems best to just avoid the character # in passwords with Grafana.
1 Like
Hello,
I use provisioning/datasources/default.yaml to create new data sources.
I have the same problem as wkneewalden with password = Pwd1.
However the GUI shows “configured” in the pwd field.
I have to click on field and then enter for it to work.
Could you help me please ?
Thanks a lot.
Grafana V.8.3.4
Here is my default.yaml file :
apiVersion: 1
datasources:
- name: SessionName1
type: mysql
url: 192.168.1.1
database: SessionName1
user: user
password: Pwd1
isDefault: false
jsonData: {"connMaxLifetime":7200,"maxIdleConns":6,"maxOpenConns":10,"timeInterval":"2m"}
secureJsonData:
password: true
version: 1
editable: true