MySQL: Add option to allow cleartext passwords (#63232)

* Add "Allow Cleartext Passwords" checkbox to MySQL connection settings

* Fix lint issues

* Add docs

* Add line break and bold text

---------

Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com>
enginecan 2023-05-26 03:33:55 -07:00 committed by GitHub
parent 7f7b03d794
commit 6758fd4888
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 65 additions and 36 deletions


@ -36,7 +36,7 @@ Administrators can also [configure the data source via YAML]({{< relref "#provis
1. Set the data source's basic configuration options.
| Name | Description |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Name** | The data source name. This is how you refer to the data source in panels and queries. |
| **Default** | Default data source means that it will be pre-selected for new panels. |
| **Host** | The IP address/hostname and optional port of your MySQL instance. |
@ -47,6 +47,7 @@ Administrators can also [configure the data source via YAML]({{< relref "#provis
| **Max open** | The maximum number of open connections to the database, default `100` (Grafana v5.4+). |
| **Max idle** | The maximum number of connections in the idle connection pool, default `100` (Grafana v5.4+). |
| **Auto (max idle)** | If set will set the maximum number of idle connections to the number of maximum open connections (Grafana v9.5.1+). Default is `true`. |
| **Allow cleartext passwords** | Allows using the [cleartext client side plugin](https://dev.mysql.com/doc/en/cleartext-pluggable-authentication.html) if required by an account, such as one defined with the [PAM authentication plugin](http://dev.mysql.com/doc/en/pam-authentication-plugin.html). <br />**Sending passwords in clear text may be a security problem in some configurations**. To avoid problems if there is any possibility that the password would be intercepted, clients should connect to MySQL Server using a method that protects the password. Possibilities include [TLS / SSL](https://github.com/go-sql-driver/mysql#tls), IPsec, or a private network. Default is `false`. |
| **Max lifetime** | The maximum amount of time in seconds a connection may be reused, default `14400`/4 hours. This should always be lower than configured [wait_timeout](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_wait_timeout) in MySQL (Grafana v5.4+). |
### Min time interval


@ -55,6 +55,7 @@ func newInstanceSettings(cfg *setting.Cfg, httpClientProvider httpclient.Provide
MaxIdleConns: cfg.SqlDatasourceMaxIdleConnsDefault,
ConnMaxLifetime: cfg.SqlDatasourceMaxConnLifetimeDefault,
SecureDSProxy: false,
AllowCleartextPasswords: false,
}
err := json.Unmarshal(settings.JSONData, &jsonData)
@ -101,6 +102,10 @@ func newInstanceSettings(cfg *setting.Cfg, httpClientProvider httpclient.Provide
characterEscape(dsInfo.Database, "?"),
)
if dsInfo.JsonData.AllowCleartextPasswords {
cnnstr += "&allowCleartextPasswords=true"
}
opts, err := settings.HTTPClientOptions()
if err != nil {
return nil, err
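Review bot: The new `if dsInfo.JsonData.AllowCleartextPasswords` branch appends `&allowCleartextPasswords=true` to `cnnstr` without checking whether the connection will be encrypted, so a data source saved with the switch on and no TLS settings sends the MySQL password in clear text whenever the server asks for the cleartext plugin. TLS setup is not visible here (newInstanceSettings starts before this hunk and continues after it), so I assume it happens after `settings.HTTPClientOptions()`; once the TLS state is known, consider logging a warning when the option is enabled without TLS or with certificate verification skipped. At minimum add a comment above the branch, e.g. `// Cleartext auth sends the password unencrypted on the wire; only safe over verified TLS, IPsec or a private network.`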


@ -71,6 +71,7 @@ type JsonData struct {
TimeInterval string `json:"timeInterval"`
Database string `json:"database"`
SecureDSProxy bool `json:"enableSecureSocksProxy"`
AllowCleartextPasswords bool `json:"allowCleartextPasswords"`
}
type DataSourceInfo struct {


@ -48,7 +48,7 @@ export const ConfigurationEditor = (props: DataSourcePluginOptionsEditorProps<My
};
const WIDTH_SHORT = 15;
const WIDTH_MEDIUM = 22;
const WIDTH_MEDIUM = 25;
const WIDTH_LONG = 40;
return (
@ -150,6 +150,26 @@ export const ConfigurationEditor = (props: DataSourcePluginOptionsEditorProps<My
value={jsonData.tlsSkipVerify || false}
></InlineSwitch>
</InlineField>
<InlineField
labelWidth={WIDTH_MEDIUM}
tooltip={
<span>
Allows using the cleartext client side plugin if required by an account, such as one defined with the PAM
authentication plugin. Sending passwords in clear text may be a security problem in some configurations.
To avoid problems if there is any possibility that the password would be intercepted, clients should
connect to MySQL Server using a method that protects the password. Possibilities include TLS / SSL, IPsec,
or a private network.
</span>
}
htmlFor="allowCleartextPasswords"
label="Allow Cleartext Passwords"
>
<InlineSwitch
id="allowCleartextPasswords"
onChange={onSwitchChanged('allowCleartextPasswords')}
value={jsonData.allowCleartextPasswords || false}
></InlineSwitch>
</InlineField>
</FieldSet>
{config.secureSocksDSProxyEnabled && (
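Review bot: The tooltip on the new `allowCleartextPasswords` switch names TLS / SSL as a protection, but the switch sits directly below the `tlsSkipVerify` switch and nothing in the added JSX tells the user that TLS without certificate verification does not authenticate the server that receives the password. I would add a sentence to the tooltip such as `TLS only protects the password if certificate verification is left enabled.` and mirror it in the docs table row. As a style point, `value={jsonData.allowCleartextPasswords || false}` could be `value={jsonData.allowCleartextPasswords ?? false}`, though the `||` form matches the neighbouring `tlsSkipVerify` line. ConfigurationEditor begins before this hunk and continues after it.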


@ -1,5 +1,7 @@
import { SQLOptions, SQLQuery } from 'app/features/plugins/sql/types';
export interface MySQLOptions extends SQLOptions {}
export interface MySQLOptions extends SQLOptions {
allowCleartextPasswords?: boolean;
}
export interface MySQLQuery extends SQLQuery {}