Commit 1f0e1b33 by Ryan Committed by GitHub

Postgres: Add SSL support for datasource (#21341)

* Add SSL certificate/key fields to Postgres data source configuration

Co-authored-by: Edwin Cordeiro <edwin@scordeiro.net>
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
parent 94f2a3eb
...@@ -160,6 +160,9 @@ Since not all datasources have the same configuration settings we only have the ...@@ -160,6 +160,9 @@ Since not all datasources have the same configuration settings we only have the
| tsdbVersion | string | OpenTSDB | Version | | tsdbVersion | string | OpenTSDB | Version |
| tsdbResolution | string | OpenTSDB | Resolution | | tsdbResolution | string | OpenTSDB | Resolution |
| sslmode | string | PostgreSQL | SSLmode. 'disable', 'require', 'verify-ca' or 'verify-full' | | sslmode | string | PostgreSQL | SSLmode. 'disable', 'require', 'verify-ca' or 'verify-full' |
| sslRootCertFile | string | PostgreSQL | SSL server root certificate file, must be readable by the Grafana user |
| sslCertFile | string | PostgreSQL | SSL client certificate file, must be readable by the Grafana user |
| sslKeyFile | string | PostgreSQL | SSL client key file, must be readable by *only* the Grafana user |
| encrypt | string | MSSQL | Connection SSL encryption handling. 'disable', 'false' or 'true' | | encrypt | string | MSSQL | Connection SSL encryption handling. 'disable', 'false' or 'true' |
| postgresVersion | number | PostgreSQL | Postgres version as a number (903/904/905/906/1000) meaning v9.3, v9.4, ..., v10 | | postgresVersion | number | PostgreSQL | Postgres version as a number (903/904/905/906/1000) meaning v9.3, v9.4, ..., v10 |
| timescaledb | boolean | PostgreSQL | Enable usage of TimescaleDB extension | | timescaledb | boolean | PostgreSQL | Enable usage of TimescaleDB extension |
......
...@@ -2,8 +2,10 @@ package postgres ...@@ -2,8 +2,10 @@ package postgres
import ( import (
"database/sql" "database/sql"
"fmt"
"net/url" "net/url"
"strconv" "strconv"
"strings"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
...@@ -20,8 +22,13 @@ func init() { ...@@ -20,8 +22,13 @@ func init() {
func newPostgresQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndpoint, error) { func newPostgresQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndpoint, error) {
logger := log.New("tsdb.postgres") logger := log.New("tsdb.postgres")
logger.Debug("Creating Postgres query endpoint")
cnnstr, err := generateConnectionString(datasource, logger)
if err != nil {
return nil, err
}
cnnstr := generateConnectionString(datasource)
if setting.Env == setting.DEV { if setting.Env == setting.DEV {
logger.Debug("getEngine", "connection", cnnstr) logger.Debug("getEngine", "connection", cnnstr)
} }
...@@ -39,19 +46,51 @@ func newPostgresQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndp ...@@ -39,19 +46,51 @@ func newPostgresQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndp
timescaledb := datasource.JsonData.Get("timescaledb").MustBool(false) timescaledb := datasource.JsonData.Get("timescaledb").MustBool(false)
return sqleng.NewSqlQueryEndpoint(&config, &queryResultTransformer, newPostgresMacroEngine(timescaledb), logger) endpoint, err := sqleng.NewSqlQueryEndpoint(&config, &queryResultTransformer, newPostgresMacroEngine(timescaledb), logger)
if err == nil {
logger.Debug("Successfully connected to Postgres")
} else {
logger.Debug("Failed connecting to Postgres", "err", err)
}
return endpoint, err
} }
func generateConnectionString(datasource *models.DataSource) string { func generateConnectionString(datasource *models.DataSource, logger log.Logger) (string, error) {
sslmode := datasource.JsonData.Get("sslmode").MustString("verify-full") sslMode := strings.TrimSpace(strings.ToLower(datasource.JsonData.Get("sslmode").MustString("verify-full")))
isSSLDisabled := sslMode == "disable"
// Always pass SSL mode
sslOpts := fmt.Sprintf("sslmode=%s", url.QueryEscape(sslMode))
if isSSLDisabled {
logger.Debug("Postgres SSL is disabled")
} else {
logger.Debug("Postgres SSL is enabled", "sslMode", sslMode)
// Attach root certificate if provided
if sslRootCert := datasource.JsonData.Get("sslRootCertFile").MustString(""); sslRootCert != "" {
logger.Debug("Setting server root certificate", "sslRootCert", sslRootCert)
sslOpts = fmt.Sprintf("%s&sslrootcert=%s", sslOpts, url.QueryEscape(sslRootCert))
}
// Attach client certificate and key if both are provided
sslCert := datasource.JsonData.Get("sslCertFile").MustString("")
sslKey := datasource.JsonData.Get("sslKeyFile").MustString("")
if sslCert != "" && sslKey != "" {
logger.Debug("Setting SSL client auth", "sslCert", sslCert, "sslKey", sslKey)
sslOpts = fmt.Sprintf("%s&sslcert=%s&sslkey=%s", sslOpts, url.QueryEscape(sslCert), url.QueryEscape(sslKey))
} else if sslCert != "" || sslKey != "" {
return "", fmt.Errorf("SSL client certificate and key must both be specified")
}
}
u := &url.URL{ u := &url.URL{
Scheme: "postgres", Scheme: "postgres",
User: url.UserPassword(datasource.User, datasource.DecryptedPassword()), User: url.UserPassword(datasource.User, datasource.DecryptedPassword()),
Host: datasource.Url, Path: datasource.Database, Host: datasource.Url, Path: datasource.Database,
RawQuery: "sslmode=" + url.QueryEscape(sslmode), RawQuery: sslOpts,
} }
return u.String() return u.String(), nil
} }
type postgresQueryResultTransformer struct { type postgresQueryResultTransformer struct {
......
...@@ -3,18 +3,18 @@ ...@@ -3,18 +3,18 @@
<div class="gf-form-group"> <div class="gf-form-group">
<div class="gf-form max-width-30"> <div class="gf-form max-width-30">
<span class="gf-form-label width-7">Host</span> <span class="gf-form-label width-10">Host</span>
<input type="text" class="gf-form-input" ng-model='ctrl.current.url' placeholder="localhost:5432" bs-typeahead="{{['localhost:5432', 'localhost:5433']}}" required></input> <input type="text" class="gf-form-input" ng-model='ctrl.current.url' placeholder="localhost:5432" bs-typeahead="{{['localhost:5432', 'localhost:5433']}}" required></input>
</div> </div>
<div class="gf-form max-width-30"> <div class="gf-form max-width-30">
<span class="gf-form-label width-7">Database</span> <span class="gf-form-label width-10">Database</span>
<input type="text" class="gf-form-input" ng-model='ctrl.current.database' placeholder="database name" required></input> <input type="text" class="gf-form-input" ng-model='ctrl.current.database' placeholder="database name" required></input>
</div> </div>
<div class="gf-form-inline"> <div class="gf-form-inline">
<div class="gf-form max-width-15"> <div class="gf-form max-width-15">
<span class="gf-form-label width-7">User</span> <span class="gf-form-label width-10">User</span>
<input type="text" class="gf-form-input" ng-model='ctrl.current.user' placeholder="user"></input> <input type="text" class="gf-form-input" ng-model='ctrl.current.user' placeholder="user"></input>
</div> </div>
<div class="gf-form"> <div class="gf-form">
...@@ -27,16 +27,39 @@ ...@@ -27,16 +27,39 @@
/> />
</div> </div>
</div> </div>
<div class="gf-form"> <div class="gf-form">
<label class="gf-form-label width-7">SSL Mode</label> <label class="gf-form-label width-10">SSL Mode</label>
<div class="gf-form-select-wrapper max-width-15 gf-form-select-wrapper--has-help-icon"> <div class="gf-form-select-wrapper max-width-15 gf-form-select-wrapper--has-help-icon">
<select class="gf-form-input" ng-model="ctrl.current.jsonData.sslmode" ng-options="mode for mode in ['disable', 'require', 'verify-ca', 'verify-full']" ng-init="ctrl.current.jsonData.sslmode"></select> <select class="gf-form-input" ng-model="ctrl.current.jsonData.sslmode" ng-options="mode for mode in ['disable', 'require', 'verify-ca', 'verify-full']" ng-init="ctrl.current.jsonData.sslmode"></select>
<info-popover mode="right-absolute"> <info-popover mode="right-absolute">
This option determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. This option determines whether or with what priority a secure SSL (TLS) TCP/IP connection will be negotiated with the server.
</info-popover> </info-popover>
</div> </div>
</div> </div>
<div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<span class="gf-form-label width-10">SSL Root Certificate</span>
<input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslRootCertFile' placeholder="SSL/TLS root cert file"></input>
<info-popover mode="right-absolute">
If the selected SSL mode requires a server root certificate, provide the path to the file here.
Be sure that the file is readable by the user executing the grafana process.
</info-popover>
</div>
<div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<span class="gf-form-label width-10">SSL Client Certificate</span>
<input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslCertFile' placeholder="SSL/TLS client cert file"></input>
<info-popover mode="right-absolute">
To authenticate with an SSL/TLS client certificate, provide the path to the file here.
Be sure that the file is readable by the user executing the grafana process.
</info-popover>
</div>
<div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<span class="gf-form-label width-10">SSL Client Key</span>
<input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslKeyFile' placeholder="SSL/TLS client key file"></input>
<info-popover mode="right-absolute">
To authenticate with a client SSL/TLS certificate, provide the path to the corresponding key file here.
Be sure that the file is <i>only</i> readable by the user executing the grafana process.
</info-popover>
</div>
</div> </div>
<b>Connection limits</b> <b>Connection limits</b>
...@@ -132,4 +155,3 @@ ...@@ -132,4 +155,3 @@
</p> </p>
</div> </div>
</div> </div>
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment