AuthZ: add headers for IP range AC checks for cloud data sources (#80208)

* add feature toggle

* add a middleware that appends headers for IP range AC

* sort imports

* sign IP range header and only append it if the request is going to allow listed data sources

* sign a random generated string instead of IP, also change the name of the middleware to make it more generic

* remove the DS IP range AC options from the config file; remove unwanted change

* add test

* sanitize the URLs when comparing

* cleanup and fixes

* check if X-Real-Ip is present, and set the internal request header if it is not present

* use split string function from the util package
Ieva
2024-01-31 17:09:24 +00:00
committed by GitHub
parent e00aba0ce5
commit c310a20966
4 changed files with 284 additions and 0 deletions


@ -348,6 +348,11 @@ type Cfg struct {
// Number of queries to be executed concurrently. Only for the datasource supports concurrency.
ConcurrentQueryCount int
// IP range access control
IPRangeACEnabled bool
IPRangeACAllowedURLs []string
IPRangeACSecretKey string
// SQL Data sources
SqlDatasourceMaxOpenConnsDefault int
SqlDatasourceMaxIdleConnsDefault int
@ -1200,6 +1205,7 @@ func (cfg *Cfg) parseINIFile(iniFile *ini.File) error {
}
cfg.readDataSourcesSettings()
cfg.readDataSourceSecuritySettings()
cfg.readSqlDataSourceSettings()
cfg.Storage = readStorageSettings(iniFile)
@ -1938,6 +1944,14 @@ func (cfg *Cfg) readDataSourcesSettings() {
cfg.ConcurrentQueryCount = datasources.Key("concurrent_query_count").MustInt(10)
}
func (cfg *Cfg) readDataSourceSecuritySettings() {
datasources := cfg.Raw.Section("datasources.ip_range_security")
cfg.IPRangeACEnabled = datasources.Key("enabled").MustBool(false)
cfg.IPRangeACSecretKey = datasources.Key("secret_key").MustString("")
allowedURLString := datasources.Key("allow_list").MustString("")
cfg.IPRangeACAllowedURLs = util.SplitString(allowedURLString)
}
func (cfg *Cfg) readSqlDataSourceSettings() {
sqlDatasources := cfg.Raw.Section("sql_datasources")
cfg.SqlDatasourceMaxOpenConnsDefault = sqlDatasources.Key("max_open_conns_default").MustInt(100)
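Review bot: `readDataSourceSecuritySettings` accepts `enabled = true` together with the default empty `secret_key`, so the feature can be switched on with no key material; if the middleware (not shown in this file section) keys its signature on `IPRangeACSecretKey`, the resulting header would be reproducible by anyone and gives the data source no assurance. I would have the function return an error that `parseINIFile` propagates, e.g. `if cfg.IPRangeACEnabled && cfg.IPRangeACSecretKey == "" { return errors.New("datasources.ip_range_security: secret_key is required when enabled") }`. The `allow_list` entries are also stored as raw strings here, so an empty or malformed entry is caught, if at all, only at comparison time; rejecting them at load would make a misconfigured allow list visible at startup. A doc comment on the new function stating that `secret_key` is sensitive and must stay out of logs and settings dumps would help the next maintainer.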