From 6758fd4888dc6b3672de7033c24e8c4ac7a9aad1 Mon Sep 17 00:00:00 2001 From: enginecan <124947731+enginecan@users.noreply.github.com> Date: Fri, 26 May 2023 03:33:55 -0700 Subject: [PATCH] MySQL: Add option to allow cleartext passwords (#63232) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add "Allow Cleartext Passwords" checkbox to MySQL connection settings * Fix lint issues * Add docs * Add line break and bold text --------- Co-authored-by: Zoltán Bedi --- docs/sources/datasources/mysql/_index.md | 27 +++++++------- pkg/tsdb/mysql/mysql.go | 13 ++++--- pkg/tsdb/sqleng/sql_engine.go | 35 ++++++++++--------- .../configuration/ConfigurationEditor.tsx | 22 +++++++++++- public/app/plugins/datasource/mysql/types.ts | 4 ++- 5 files changed, 65 insertions(+), 36 deletions(-) diff --git a/docs/sources/datasources/mysql/_index.md b/docs/sources/datasources/mysql/_index.md index 7318d2c561a..e6916e44b01 100644 --- a/docs/sources/datasources/mysql/_index.md +++ b/docs/sources/datasources/mysql/_index.md 
@@ -35,19 +35,20 @@ Administrators can also [configure the data source via YAML]({{< relref "#provis 1. Set the data source's basic configuration options. -| Name | Description | -| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Name** | The data source name. This is how you refer to the data source in panels and queries. | -| **Default** | Default data source means that it will be pre-selected for new panels. | -| **Host** | The IP address/hostname and optional port of your MySQL instance. | -| **Database** | Name of your MySQL database. | -| **User** | Database user's login/username | -| **Password** | Database user's password | -| **Session Timezone** | Specify the time zone used in the database session, such as `Europe/Berlin` or `+02:00`. This is necessary, if the timezone of the database (or the host of the database) is set to something other than UTC. Set the value used in the session with `SET time_zone='...'`. If you leave this field empty, then the time zone is not updated. For more information, refer to the [MySQL documentation](https://dev.mysql.com/doc/refman/8.0/en/time-zone-support.html). | -| **Max open** | The maximum number of open connections to the database, default `100` (Grafana v5.4+). | -| **Max idle** | The maximum number of connections in the idle connection pool, default `100` (Grafana v5.4+). | -| **Auto (max idle)** | If set will set the maximum number of idle connections to the number of maximum open connections (Grafana v9.5.1+). Default is `true`. 
| -| **Max lifetime** | The maximum amount of time in seconds a connection may be reused, default `14400`/4 hours. This should always be lower than configured [wait_timeout](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_wait_timeout) in MySQL (Grafana v5.4+). | +| Name | Description | +| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Name** | The data source name. This is how you refer to the data source in panels and queries. | +| **Default** | Default data source means that it will be pre-selected for new panels. | +| **Host** | The IP address/hostname and optional port of your MySQL instance. | +| **Database** | Name of your MySQL database. | +| **User** | Database user's login/username | +| **Password** | Database user's password | +| **Session Timezone** | Specify the time zone used in the database session, such as `Europe/Berlin` or `+02:00`. This is necessary, if the timezone of the database (or the host of the database) is set to something other than UTC. Set the value used in the session with `SET time_zone='...'`. If you leave this field empty, then the time zone is not updated. For more information, refer to the [MySQL documentation](https://dev.mysql.com/doc/refman/8.0/en/time-zone-support.html). 
| +| **Max open** | The maximum number of open connections to the database, default `100` (Grafana v5.4+). | +| **Max idle** | The maximum number of connections in the idle connection pool, default `100` (Grafana v5.4+). | +| **Auto (max idle)** | If set will set the maximum number of idle connections to the number of maximum open connections (Grafana v9.5.1+). Default is `true`. | +| **Allow cleartext passwords** | Allows using the [cleartext client side plugin](https://dev.mysql.com/doc/en/cleartext-pluggable-authentication.html) if required by an account, such as one defined with the [PAM authentication plugin](http://dev.mysql.com/doc/en/pam-authentication-plugin.html).
**Sending passwords in clear text may be a security problem in some configurations**. To avoid problems if there is any possibility that the password would be intercepted, clients should connect to MySQL Server using a method that protects the password. Possibilities include [TLS / SSL](https://github.com/go-sql-driver/mysql#tls), IPsec, or a private network. Default is `false`. | +| **Max lifetime** | The maximum amount of time in seconds a connection may be reused, default `14400`/4 hours. This should always be lower than configured [wait_timeout](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_wait_timeout) in MySQL (Grafana v5.4+). | ### Min time interval diff --git a/pkg/tsdb/mysql/mysql.go b/pkg/tsdb/mysql/mysql.go index b1070b71f10..031c5cab1cd 100644 --- a/pkg/tsdb/mysql/mysql.go +++ b/pkg/tsdb/mysql/mysql.go @@ -51,10 +51,11 @@ func ProvideService(cfg *setting.Cfg, httpClientProvider httpclient.Provider) *S func newInstanceSettings(cfg *setting.Cfg, httpClientProvider httpclient.Provider) datasource.InstanceFactoryFunc { return func(settings backend.DataSourceInstanceSettings) (instancemgmt.Instance, error) { jsonData := sqleng.JsonData{ - MaxOpenConns: cfg.SqlDatasourceMaxOpenConnsDefault, - MaxIdleConns: cfg.SqlDatasourceMaxIdleConnsDefault, - ConnMaxLifetime: cfg.SqlDatasourceMaxConnLifetimeDefault, - SecureDSProxy: false, + MaxOpenConns: cfg.SqlDatasourceMaxOpenConnsDefault, + MaxIdleConns: cfg.SqlDatasourceMaxIdleConnsDefault, + ConnMaxLifetime: cfg.SqlDatasourceMaxConnLifetimeDefault, + SecureDSProxy: false, + AllowCleartextPasswords: false, } err := json.Unmarshal(settings.JSONData, &jsonData) @@ -101,6 +102,10 @@ func newInstanceSettings(cfg *setting.Cfg, httpClientProvider httpclient.Provide characterEscape(dsInfo.Database, "?"), ) + if dsInfo.JsonData.AllowCleartextPasswords { + cnnstr += "&allowCleartextPasswords=true" + } + opts, err := settings.HTTPClientOptions() if err != nil { return nil, err 
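Review bot: The `cnnstr += "&allowCleartextPasswords=true"` branch is gated only on the per-datasource JSON flag and has no relationship to the connection's TLS settings (handled elsewhere in newInstanceSettings, outside this hunk), so once a datasource editor ticks the box the MySQL password leaves Grafana in clear text on any non-TLS connection; the docs describe that risk but the backend neither warns nor refuses. At minimum emit a warning when the instance is built, with whatever logger the file already has, e.g. `logger.Warn("allowCleartextPasswords enabled; MySQL password is sent unencrypted unless TLS is configured", "datasource", settings.Name)`, and if the TLS configuration is resolved before this point consider refusing the combination of cleartext auth and no TLS. A one-line comment on the branch, `// Enables go-sql-driver's cleartext auth plugin (needed for PAM accounts); relies on the DSN above already carrying a '?' query section`, would also make the `&` prefix's assumption explicit, since the format string it extends is not visible here. newInstanceSettings starts before this hunk and the returned closure continues past it.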
diff --git a/pkg/tsdb/sqleng/sql_engine.go b/pkg/tsdb/sqleng/sql_engine.go
index 5d086f1a0d8..6a9afa42c56 100644
--- a/pkg/tsdb/sqleng/sql_engine.go
+++ b/pkg/tsdb/sqleng/sql_engine.go
@@ -54,23 +54,24 @@ var NewXormEngine = func(driverName string, connectionString string) (*xorm.Engi
 }
 
 type JsonData struct {
- MaxOpenConns int `json:"maxOpenConns"`
- MaxIdleConns int `json:"maxIdleConns"`
- ConnMaxLifetime int `json:"connMaxLifetime"`
- ConnectionTimeout int `json:"connectionTimeout"`
- Timescaledb bool `json:"timescaledb"`
- Mode string `json:"sslmode"`
- ConfigurationMethod string `json:"tlsConfigurationMethod"`
- TlsSkipVerify bool `json:"tlsSkipVerify"`
- RootCertFile string `json:"sslRootCertFile"`
- CertFile string `json:"sslCertFile"`
- CertKeyFile string `json:"sslKeyFile"`
- Timezone string `json:"timezone"`
- Encrypt string `json:"encrypt"`
- Servername string `json:"servername"`
- TimeInterval string `json:"timeInterval"`
- Database string `json:"database"`
- SecureDSProxy bool `json:"enableSecureSocksProxy"`
+ MaxOpenConns int `json:"maxOpenConns"`
+ MaxIdleConns int `json:"maxIdleConns"`
+ ConnMaxLifetime int `json:"connMaxLifetime"`
+ ConnectionTimeout int `json:"connectionTimeout"`
+ Timescaledb bool `json:"timescaledb"`
+ Mode string `json:"sslmode"`
+ ConfigurationMethod string `json:"tlsConfigurationMethod"`
+ TlsSkipVerify bool `json:"tlsSkipVerify"`
+ RootCertFile string `json:"sslRootCertFile"`
+ CertFile string `json:"sslCertFile"`
+ CertKeyFile string `json:"sslKeyFile"`
+ Timezone string `json:"timezone"`
+ Encrypt string `json:"encrypt"`
+ Servername string `json:"servername"`
+ TimeInterval string `json:"timeInterval"`
+ Database string `json:"database"`
+ SecureDSProxy bool `json:"enableSecureSocksProxy"`
+ AllowCleartextPasswords bool `json:"allowCleartextPasswords"`
 }
 
 type DataSourceInfo struct {
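Review bot: `AllowCleartextPasswords` is added to `sqleng.JsonData`, which judging by the package name and the mix of `timescaledb`, `sslmode` and `encrypt` fields is shared by several SQL data sources, yet nothing records that only the mysql driver reads it; a maintainer of the postgres or mssql side could reasonably assume the flag is honored there too and ship a setting that silently does nothing. Add a field comment such as `// AllowCleartextPasswords enables go-sql-driver's cleartext auth plugin (needed for PAM-backed accounts); read only by the mysql data source and only safe over TLS or a private network.` The same hazard applies to any other driver-specific field in this struct, but that is outside this change. JsonData is fully visible in the hunk; DataSourceInfo continues past it.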
diff --git a/public/app/plugins/datasource/mysql/configuration/ConfigurationEditor.tsx b/public/app/plugins/datasource/mysql/configuration/ConfigurationEditor.tsx index 2c351fd51ac..a83cd73436f 100644 --- a/public/app/plugins/datasource/mysql/configuration/ConfigurationEditor.tsx +++ b/public/app/plugins/datasource/mysql/configuration/ConfigurationEditor.tsx @@ -48,7 +48,7 @@ export const ConfigurationEditor = (props: DataSourcePluginOptionsEditorProps + + Allows using the cleartext client side plugin if required by an account, such as one defined with the PAM + authentication plugin. Sending passwords in clear text may be a security problem in some configurations. + To avoid problems if there is any possibility that the password would be intercepted, clients should + connect to MySQL Server using a method that protects the password. Possibilities include TLS / SSL, IPsec, + or a private network. + + } + htmlFor="allowCleartextPasswords" + label="Allow Cleartext Passwords" + > + + {config.secureSocksDSProxyEnabled && ( diff --git a/public/app/plugins/datasource/mysql/types.ts b/public/app/plugins/datasource/mysql/types.ts index 36554df5a0b..e142f35891a 100644 --- a/public/app/plugins/datasource/mysql/types.ts +++ b/public/app/plugins/datasource/mysql/types.ts @@ -1,5 +1,7 @@ import { SQLOptions, SQLQuery } from 'app/features/plugins/sql/types'; -export interface MySQLOptions extends SQLOptions {} +export interface MySQLOptions extends SQLOptions { + allowCleartextPasswords?: boolean; +} export interface MySQLQuery extends SQLQuery {}
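Review bot: The only cue a user gets that enabling `Allow Cleartext Passwords` sends the database password unencrypted is the tooltip text, which is hidden until hovered; the switch control and its `onChange` are not visible in the hunk as rendered here, and the hunk looks truncated. A setting with that consequence deserves a persistent warning: render an `Alert` with `severity="warning"` under the field whenever the option is on, using whatever name the component binds `options.jsonData` to (`props: DataSourcePluginOptionsEditorProps` is visible, the destructuring is not), and keep the tooltip for the PAM rationale. ConfigurationEditor starts before this hunk and continues past it.
```typescript
{/* … unchanged: Allow Cleartext Passwords InlineField … */}
{options.jsonData.allowCleartextPasswords && (
  <Alert severity="warning" title="Cleartext passwords enabled">
    The database password is sent to the MySQL server unencrypted unless TLS is configured on this data source.
  </Alert>
)}
{config.secureSocksDSProxyEnabled && (
```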
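Review bot: `allowCleartextPasswords?: boolean` on `MySQLOptions` carries no documentation, although it is the one option in this interface whose default-off state is a security boundary. Add a TSDoc comment above the field, `/** Enable the MySQL cleartext auth plugin (required for e.g. PAM accounts). The password is sent unencrypted unless TLS is configured; mirrors the backend's `allowCleartextPasswords` JSON key. */`, so readers of the type do not have to find the tooltip or the Go struct to learn that. MySQLQuery below is unchanged by the hunk.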