Secure persistent storage for keystone credentials #5

Open
dhague opened this issue Aug 12, 2016 · 1 comment
Comments


dhague commented Aug 12, 2016

Currently the username & password entered by the user are stored in session variables so that a Keystone token can be requested after an old one expires.
If Grafana is scaled beyond one server, or if the server is restarted, then the session may no longer be available and the user doesn't get a clear indication of any problem.
One hypothetical solution would be to configure persistent session storage for Grafana, e.g. MySQL or memcached. However, this would present a major security issue in that plaintext usernames & passwords would be stored in the session persistence engine.
The solution I propose is to instead store the username & password in a session cookie. This would mean that they never exist on a machine outside of the user's control, and are never persisted to disk. Use of https for Grafana, and the correct "domain", "secure" and "httponly" cookie flags would mean they are securely held and transmitted.


dhague commented Aug 19, 2016

Almost finished the solution to this - PR should be along sometime early next week.

dhague added a commit to stefanhipfel/grafana_old that referenced this issue Sep 5, 2016
Configuration options:
cookie_credentials - set to true to use cookie instead of session for storing Keystone password
credential_aes_key - 32-char encryption key. If set, this key is used to encrypt/decrypt the stored Keystone password
dhague added a commit to stefanhipfel/grafana_old that referenced this issue Nov 21, 2016
dhague added a commit to stefanhipfel/grafana_old that referenced this issue Dec 2, 2016
dhague added a commit to stefanhipfel/grafana_old that referenced this issue Feb 2, 2017
dhague added a commit to stefanhipfel/grafana_old that referenced this issue Mar 14, 2017
Log the URL when calling a datasource from the proxy

Fixes twc-openstack#5

Configuration options:
cookie_credentials - set to true to use cookie instead of session for storing Keystone password
credential_aes_key - 32-char encryption key. If set, this key is used to encrypt/decrypt the stored Keystone password

Multi-domain login

Fix: allow users with cross-domain role assignments to log in

(cherry picked from commit 66316d7)

Case sensitive login fix

If the backend Keystone is case-insensitive (perhaps using AD for authentication)
then we could end up with several users in Grafana, one for each combination of
upper & lowercase chars in the username. This fix always uses the username returned
in the Keystone response as the username for Grafana, regardless of the case used
in the login screen.

(cherry picked from commit 1b8b6f9)

Fix bug in "Case sensitive login fix"

(cherry picked from commit 27a5f06)

Formatting updates - "go fmt" applied

Check length of ciphertext *before* decoding it

(cherry picked from commit 0e54407)
dougszumski pushed a commit to stackhpc/grafana that referenced this issue Dec 5, 2018
dougszumski pushed a commit to stackhpc/grafana that referenced this issue Dec 6, 2018
dougszumski pushed a commit to stackhpc/grafana that referenced this issue Dec 6, 2018
dougszumski pushed a commit to stackhpc/grafana that referenced this issue Dec 6, 2018
dougszumski pushed a commit to stackhpc/grafana that referenced this issue Dec 6, 2018
dougszumski pushed a commit to stackhpc/grafana that referenced this issue Dec 6, 2018
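Added example, not code from this issue or from any of the Grafana forks it references: a Go sketch (Grafana is written in Go) of the design in dhague's first comment, the credential_aes_key option from the commit message, and that message's "check length of ciphertext before decoding it" fix, all in one place. The commits say only "AES" and "32-char encryption key"; the choice of AES-256-GCM, the cookie layout nonce || ciphertext || tag, the names credCookieName, exampleKey, keystoneCreds, sealCredentials, openCredentials and credentialCookie, the hard-coded key and the alice/s3cret credentials are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Assumed names for this example; they are not the project's identifiers.
const credCookieName = "keystone_creds"

// Stand-in for a credential_aes_key value: exactly 32 bytes, so AES-256.
var exampleKey = []byte("0123456789abcdef0123456789abcdef")
var ErrCiphertextTooShort = errors.New("cookie value too short to hold nonce and tag")

// keystoneCreds is what the server needs to request a fresh Keystone token.
type keystoneCreds struct {
	Username string `json:"u"`
	Password string `json:"p"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // "32-char" in the config means 32 bytes here
		return nil, errors.New("credential key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredentials encrypts creds with AES-256-GCM and returns a base64url cookie
// value. The cookie name is bound in as associated data, so the value is
// rejected if it is ever presented under a different cookie name.
func sealCredentials(key []byte, creds keystoneCreds) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plaintext, err := json.Marshal(creds)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(credCookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openCredentials reverses sealCredentials. The length check runs on the encoded
// string, before any decoding, so a truncated or junk cookie never reaches the cipher.
func openCredentials(key []byte, encoded string) (keystoneCreds, error) {
	var creds keystoneCreds
	gcm, err := newGCM(key)
	if err != nil {
		return creds, err
	}
	minLen := base64.RawURLEncoding.EncodedLen(gcm.NonceSize() + gcm.Overhead())
	if len(encoded) < minLen {
		return creds, ErrCiphertextTooShort
	}
	sealed, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return creds, err
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(credCookieName))
	if err != nil {
		return creds, err // wrong key or modified value: the GCM tag does not verify
	}
	err = json.Unmarshal(plaintext, &creds)
	return creds, err
}

// credentialCookie applies the flags the issue asks for. With no MaxAge or Expires
// it is a session cookie; Secure keeps it off plain HTTP, HttpOnly away from scripts.
func credentialCookie(domain, value string) *http.Cookie {
	return &http.Cookie{
		Name: credCookieName, Value: value, Domain: domain, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	sealed, _ := sealCredentials(exampleKey, keystoneCreds{Username: "alice", Password: "s3cret"})
	fmt.Println("Set-Cookie:", credentialCookie("grafana.example.com", sealed).String())
}
```

Two caveats a deployment would want on top of this. Leaving Domain empty is tighter than setting it, because a Domain attribute also sends the cookie to subdomains of that host. And a cookie without Expires is only "never persisted" in the default case: browsers configured to restore the previous session write session cookies to disk, so the encryption key, not the cookie's lifetime, is what keeps the password off the client's disk in plaintext.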