Checkmk / grafana-checkmk-datasource

CheckMK data source for Grafana

Access from grafana to CheckMK over Grafana-Server

KSJakobsen opened this issue · comments

Hi,

It would be nice if the CheckMK Datasource would use the Grafana-Server as a proxy for accessing checkmk (e.g. like the ElasticSearch Datasource Plugin).

Hi,

I think that's a big security issue, because the Grafana user can see in the browser debugger the username/password which is used to access the checkmk server:

Request URL: http://checkmk.com/prod/check_mk/webapi.py?_username=grafana&_secret=kdkdkeichhee&output_format=json&action=get_graph
Referrer Policy: no-referrer-when-downgrade

I support this issue because of the security issue, and it would also enable server-side caching for specific queries to decrease the load on the cmk instance when multiple users are accessing the same dashboard in Grafana with a lot of complex graphs (e.g. cache every query for 10/20/30 seconds).

Proxy routes used for plugin authentication are only available with Grafana 7.
We are currently rewriting the data source connector to use these features. This will of course imply a break in backwards compatibility with older Grafana versions. The new release of the connector will come in a version matching checkmk 2.0.

Other Grafana plugins let users choose between DIRECT and PROXY mode for the datasource. I think that this plugin should simply not allow DIRECT mode, because unauthenticated access to checkmk does not seem possible.

This is indeed a security issue.

(Additionally, it seems to me like an issue that the username and password must be passed as a GET parameter. GET parameters tend to be logged by intermediate proxies. Basic auth should be used to do this.)
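The logging concern raised above can be checked on the defender's side. The following is an added example, not part of the thread or of the plugin's code: it scans access-log lines for credentials carried in the query string and redacts them. Only `_secret` comes from the request quoted in the thread; the other parameter names, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "_secret" is the parameter visible in the request quoted in the thread;
# the other names are assumptions covering common credential parameters.
SENSITIVE = {"_secret", "password", "passwd", "token", "api_key"}

# Request line of a common/combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (redacted_target, sorted list of leaked parameter names)."""
    parts = urlsplit(target)
    leaked = set()
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE and value:
            leaked.add(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not leaked:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(leaked)


def scan(lines):
    """Return (line_number, leaked_names, redacted_line) for each leaking line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, leaked = redact_target(match.group("target"))
        if leaked:
            start, end = match.span("target")
            findings.append((number, leaked, line[:start] + redacted + line[end:]))
    return findings


# Constructed sample log lines (not from the thread), with a placeholder secret.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2022:10:00:00 +0000] "GET /prod/check_mk/webapi.py?_username=grafana&_secret=EXAMPLE&output_format=json&action=get_graph HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2022:10:00:05 +0000] "GET /prod/check_mk/index.py HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, leaked, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(leaked)} in query string -> {redacted}")
```

Any secret that such a scan finds in stored logs should be treated as exposed and rotated, since redaction only cleans the copy being processed.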

So roughly 8 months have passed since cmk 2.0 - any updates?

Okay, I started working on a datasource that does support variables and backend proxying for advanced security and DMZ scenarios. Once it's at a bare minimum I'll link it here so people can follow up.

I'm rewriting this plugin on the rewrite branch. You can have a look at it too.

Oh, there was no hint to that other than the branch, obviously - good to know. afaik the stuff I did already is pretty much what you did already :)... gonna have a look and submit PRs if those are welcome.

The main reason for this is ofc security, and the proxy method is mainly needed because from the user's browser there is no direct route to the cmk server itself.

Today the new connector enters its beta phase. It is released, compatible with checkmk's development nightly builds, and soon a reduced-compatibility backport will arrive for checkmk 2.0.0p20.

Connecting to checkmk happens over the backend server on this release.