IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Plugins: Enforce signing for all plugins (#34364)

Browse Source 
* enforce non-backend plugin signing

* fix tests

* add tests

* add signatures

* apply PR feedback

* update upgrading docs
This commit is contained in:
Will Browne
2021-05-19 15:42:50 +02:00
committed by GitHub
parent b987237c9b
commit c1ec13035d
9 changed files with 183 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/sources/installation/upgrading.md
View File

@@ -243,7 +243,7 @@ A global minimum dashboard refresh interval is now enforced and defaults to 5 se
### Backend plugins
Grafana now requires backend plugins to be signed. If a backend plugin is not signed Grafana will not load/start it. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. All Grafana Labs authored backend plugins, including Enterprise plugins, are now signed. It's possible to allow unsigned plugins using a configuration setting, but is something we strongly advise against doing. For more information about this setting, refer to [allow loading unsigned plugins]({{< relref "../administration/#allow-loading-unsigned-plugins" >}}).
Grafana now requires backend plugins to be signed. If a backend plugin is not signed Grafana will not load/start it. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. All Grafana Labs authored backend plugins, including Enterprise plugins, are now signed. It's possible to allow unsigned plugins using a configuration setting, but is something we strongly advise against doing. For more information about this setting, refer to [allow loading unsigned plugins]({{< relref "../administration/#allow_loading_unsigned_plugins" >}}).
### Cookie path
@@ -320,3 +320,9 @@ The Grafana Docker images use the `root` group instead of the `grafana` group. T
The VictorOps alert notifier now accepts a `severity` tag, in a similar vein to the PagerDuty alert notifier. The possible values are outlined in the [VictorOps docs](https://help.victorops.com/knowledge-base/incident-fields-glossary/).
For example, if you want an alert to be `INFO`-level in VictorOps, create a tag `severity=info` (case-insensitive) in your alert.
## Upgrading to v8.0
### Plugins
Grafana now requires all plugins to be signed. If a plugin is not signed Grafana will not load/start it. This is an additional security measure to make sure plugin files and binaries haven't been tampered with. All Grafana Labs authored plugins, including Enterprise plugins, are now signed. It's possible to allow unsigned plugins using a configuration setting, but is something we strongly advise against doing. For more information about this setting, refer to [allow loading unsigned plugins]({{< relref "../administration/#allow_loading_unsigned_plugins" >}}).

2
docs/sources/plugins/plugin-signatures.md
View File

@@ -42,7 +42,7 @@ EROR[06-01|16:45:59] Failed to load plugin error=plugin <plugin id> is unsigne
## Allow unsigned plugins
We strongly recommend that you don't run unsigned plugins in your Grafana installation. If you're aware of the risks and you still want to load an unsigned plugin, refer to [Configuration]({{< relref "../administration/configuration.md#allow-loading-unsigned-plugins" >}}).
We strongly recommend that you don't run unsigned plugins in your Grafana installation. If you're aware of the risks and you still want to load an unsigned plugin, refer to [Configuration]({{< relref "../administration/configuration.md#allow_loading_unsigned_plugins" >}}).
If you've allowed loading of an unsigned backend plugin, then Grafana writes a warning message to the server log: