The Security Problem about Authentication Information

Grafana Plugin Development
1

Hi all
I‘m developing a datasource plugin, I need two fields(ak & sk) to compute a signature for authentication in http header. But if I put the two fields in front end, anyone will get them and access my database. So, I don’t hope others get my ak&sk. Is there any method to solve it?

2

Yes, there is. Here is a draft of some docs I’m writing for this:

Authentication for Datasource Plugins

Grafana has a proxy feature that proxies all data requests through the Grafana backend. Using the Grafana proxy has a couple of benefits (it adds CORS headers for example). A datasource plugin that proxies all requests via Grafana can also enable token authentication for a route.

The plugin config page should save the api key as encrypted and then the Grafana Proxy will decrypt the api key on the backend and carry out authentication and generate an oauth token. This means that users that access the datasource config page cannot access the API key after is saved the first time and that no secret keys are sent in plain text through the browser where they could be spied on. It does require an oauth endpoint or that the api accepts an auth header.

How Token Authentication Works

You can specify routes in your plugin.json file:

Then when you build your url in your datasource class, the url should start with the text specified in the path field for a route. The proxy will strip out the path text and replace it with the value in the url field.

For example, if my code makes a call to url azuremonitor/foo/bar with this code:

this.backendSrv
      .datasourceRequest({
        url: url,
        method: 'GET',
      })

then the Grafana proxy will transform it into “https://management.azure.com/foo/bar” and add CORS headers.

The token auth section in the plugin.json looks like this:

"tokenAuth": {
        "url": "https://login.microsoftonline.com/{{.JsonData.tenantId}}/oauth2/token",
        "params": {
          "grant_type":  "client_credentials",
          "client_id": "{{.JsonData.clientId}}",
          "client_secret": "{{.SecureJsonData.clientSecret}}",
          "resource": "https://management.azure.com/"
        }
      }

This interpolates in data from jsonData and secureJsonData. Grafana will automatically renew the token if it has expired.

You can also use an auth header:

    {
      "path": "appinsights",
      "method": "GET",
      "url": "https://api.applicationinsights.io",
      "headers": [
        {"name": "X-API-Key", "content": "{{.SecureJsonData.appInsightsApiKey}}"}
      ]
    }
4

hello daniellee,How can i get the auth result header ‘X-Subject-Token’ and insert into future request header ‘X-Auth-Token’?