How to use data source proxy properly?

Hi all,
I cannot wrap my head around data source authentication/authorization and hope to get some ideas where I went wrong or whether I misunderstood the way Grafana works in that regard. Anyways, I need some directions.

  • What Grafana version and what operating system are you using?
    version=9.5.2, running in docker on ubuntu host

  • What are you trying to achieve?
    I want to consume a JSON API data source (via marcusolsson-json-datasource) that requests OAuth authentication/authorization (using client_credentials).

  • How are you trying to achieve it?
    After reading the Grafana documentation, I supposed that I could use the data source proxy to add a route. I went to the plugin directory and modified plugin.json to contain a “routes” attribute.

  • What happened?
    If I modify the plugin.json file, then the plugin is not loaded at all. The following messages show up in the logs:

    • plugin file checksum does not match signature checksum
    • Skipping loading plugin due to problem with signature
  • What did you expect to happen?
    I expected the plugin to load properly and to route my request via the data source proxy to retrieve an OAuth token before accessing the API.

  • Can you copy/paste the configuration(s) that you are having problems with?
    modified plugin.json in the plugins/marcusolsson-json-datasource directory like this:

"routes": [
  {
    "path": "api",
    "url": "https://api.example.com/v1",
    "tokenAuth": {
      "url": "https://api.example.com/v1/oauth/token",
      "params": {
        "grant_type": "client_credentials",
        "client_id": "my_client_id",
        "client_secret": "my_client_secret"
      }
    }
  }
]
  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

    • plugin file checksum does not match signature checksum
    • Skipping loading plugin due to problem with signature
  • Did you follow any online instructions? If so, what is the URL?
    Add authentication for data source plugins | Grafana documentation

Thanks a lot!

Hi @garthako, in general terms, unless you are a developer doing a contribution to the plugin code, you should not modify any of the plugin code. The error you are getting is Grafana making sure that the code the plugin runs is the code we reviewed and accepted.

The plugin you are using is not suitable for authentication as you want it and is more meant to be used with public JSON APIs. You can try other data source plugins that come with configuration options for secure APIs. Examples: Infinity plugin for Grafana | Grafana Labs or JSON Fetcher plugin for Grafana | Grafana Labs

In the case of the marcusolsson-json-datasource, you could (and I strongly recommend against it) add authentication via headers.

I really have to repeat that it is a bad idea to add auth headers in the marcusolsson-json-datasource, because by using the headers option you are leaving the password or token or auth means in plain sight and not securely stored. Anyone can go inspect your panel and get the password right away. Just sharing this panel with someone could make the password public.

Best of luck!

2 Likes
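
Why the edit in the question is rejected, as an added example that is not part of the original thread and not Grafana's own code: a signed plugin ships a `MANIFEST.txt` with a SHA-256 per file, so any change to `plugin.json` stops matching it. The manifest layout used here (a PGP clearsigned JSON body with a `files` map) is an assumption, the plugin id and file contents are constructed, and the PGP signature itself is not verified.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def manifest_json(text: str) -> dict:
    """Extract the JSON body of a clearsigned MANIFEST.txt (signature NOT verified)."""
    body = text.split("-----BEGIN PGP SIGNATURE-----")[0]
    return json.loads(body[body.index("{"):])

def changed_files(plugin_dir: Path) -> list[str]:
    """Return manifest entries whose file is missing or whose SHA-256 differs."""
    manifest = manifest_json((plugin_dir / "MANIFEST.txt").read_text())
    bad = []
    for rel, expected in manifest["files"].items():
        f = plugin_dir / rel
        actual = hashlib.sha256(f.read_bytes()).hexdigest() if f.is_file() else None
        if actual != expected:
            bad.append(rel)
    return sorted(bad)

def demo() -> tuple[list[str], list[str]]:
    """Build a constructed plugin directory, then edit plugin.json as in the question."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        original = json.dumps({"id": "example-json-datasource", "type": "datasource"})
        (d / "plugin.json").write_text(original)
        (d / "module.js").write_text("/* constructed */")
        # Hash the files as shipped; this stands in for the publisher's signing step.
        files = {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in d.iterdir()}
        manifest = json.dumps({"plugin": "example-json-datasource", "files": files}, indent=2)
        (d / "MANIFEST.txt").write_text(
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + manifest
            + "\n-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
            + "-----END PGP SIGNATURE-----\n")
        before = changed_files(d)  # untouched plugin: nothing differs
        edited = json.loads(original)
        edited["routes"] = [{"path": "api", "url": "https://api.example.com/v1"}]
        (d / "plugin.json").write_text(json.dumps(edited))
        return before, changed_files(d)  # after the edit: plugin.json differs

if __name__ == "__main__":
    print(demo())
```

Pointing `changed_files` at an installed plugin directory shows which files have drifted from what was signed, which is a quick integrity check when a plugin suddenly stops loading.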

Thank you @academo, I reviewed the Infinity plugin and it has all of the necessary features (besides JsonAta, but I can work around that). Thank you so much, especially referring to the security part, which would otherwise have been a nightmare upon discovery :slight_smile:

Cheers mate!

1 Like

@garthako - Infinity has support for JSONata. I suggest using the backend parser with Infinity, which will give more options and secure options. Let me know how this goes and if you have any struggles with Infinity.

Note: I am the author of the Infinity plugin.

1 Like