Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
N
nexpie-grafana-theme
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Registry
Registry
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kornkitt Poolsup
nexpie-grafana-theme
Commits
f20ee6b4
Commit
f20ee6b4
authored
Jan 07, 2016
by
bergquist
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'improbable-io-ssl-for-mysql'
parents
5792a162
6c8d0846
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
94 additions
and
2 deletions
+94
-2
conf/defaults.ini
+7
-1
docs/sources/installation/configuration.md
+18
-1
pkg/services/sqlstore/sqlstore.go
+28
-0
pkg/services/sqlstore/tls_mysql.go
+41
-0
No files found.
conf/defaults.ini
View file @
f20ee6b4
...
@@ -63,9 +63,15 @@ name = grafana
...
@@ -63,9 +63,15 @@ name = grafana
user
=
root
user
=
root
password
=
password
=
# For "postgres" only, either "disable", "require" or "verify-full"
# For "postgres", use either "disable", "require" or "verify-full"
# For "mysql", use either "true", "false", or "skip-verify".
ssl_mode
=
disable
ssl_mode
=
disable
ca_cert_path
=
client_key_path
=
client_cert_path
=
server_cert_name
=
# For "sqlite3" only, path relative to data_path setting
# For "sqlite3" only, path relative to data_path setting
path
=
grafana.db
path
=
grafana.db
...
...
docs/sources/installation/configuration.md
View file @
f20ee6b4
...
@@ -156,7 +156,24 @@ The database user's password (not applicable for `sqlite3`).
...
@@ -156,7 +156,24 @@ The database user's password (not applicable for `sqlite3`).
### ssl_mode
### ssl_mode
For
`postgres`
only, either
`disable`
,
`require`
or
`verify-full`
.
For Postgres, use either
`disable`
,
`require`
or
`verify-full`
.
For MySQL, use either
`true`
,
`false`
, or
`skip-verify`
.
### ca_cert_path
(MySQL only) The path to the CA certificate to use. On many linux systems, certs can be found in
`/etc/ssl/certs`
.
### client_key_path
(MySQL only) The path to the client key. Only if server requires client authentication.
### client_cert_path
(MySQL only) The path to the client cert. Only if server requires client authentication.
### server_cert_name
(MySQL only) The common name field of the certificate used by the
`mysql`
server. Not necessary if
`ssl_mode`
is set to
`skip-verify`
.
<hr
/>
<hr
/>
...
...
pkg/services/sqlstore/sqlstore.go
View file @
f20ee6b4
...
@@ -14,12 +14,21 @@ import (
...
@@ -14,12 +14,21 @@ import (
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/setting"
"github.com/go-sql-driver/mysql"
_
"github.com/go-sql-driver/mysql"
_
"github.com/go-sql-driver/mysql"
"github.com/go-xorm/xorm"
"github.com/go-xorm/xorm"
_
"github.com/lib/pq"
_
"github.com/lib/pq"
_
"github.com/mattn/go-sqlite3"
_
"github.com/mattn/go-sqlite3"
)
)
type
MySQLConfig
struct
{
SslMode
string
CaCertPath
string
ClientKeyPath
string
ClientCertPath
string
ServerCertName
string
}
var
(
var
(
x
*
xorm
.
Engine
x
*
xorm
.
Engine
dialect
migrator
.
Dialect
dialect
migrator
.
Dialect
...
@@ -30,6 +39,8 @@ var (
...
@@ -30,6 +39,8 @@ var (
Type
,
Host
,
Name
,
User
,
Pwd
,
Path
,
SslMode
string
Type
,
Host
,
Name
,
User
,
Pwd
,
Path
,
SslMode
string
}
}
mysqlConfig
MySQLConfig
UseSQLite3
bool
UseSQLite3
bool
)
)
...
@@ -120,6 +131,15 @@ func getEngine() (*xorm.Engine, error) {
...
@@ -120,6 +131,15 @@ func getEngine() (*xorm.Engine, error) {
cnnstr
=
fmt
.
Sprintf
(
"%s:%s@%s(%s)/%s?charset=utf8"
,
cnnstr
=
fmt
.
Sprintf
(
"%s:%s@%s(%s)/%s?charset=utf8"
,
DbCfg
.
User
,
DbCfg
.
Pwd
,
protocol
,
DbCfg
.
Host
,
DbCfg
.
Name
)
DbCfg
.
User
,
DbCfg
.
Pwd
,
protocol
,
DbCfg
.
Host
,
DbCfg
.
Name
)
if
mysqlConfig
.
SslMode
==
"true"
||
mysqlConfig
.
SslMode
==
"skip-verify"
{
tlsCert
,
err
:=
makeCert
(
"custom"
,
mysqlConfig
)
if
err
!=
nil
{
return
nil
,
err
}
mysql
.
RegisterTLSConfig
(
"custom"
,
tlsCert
)
cnnstr
+=
"&tls=custom"
}
case
"postgres"
:
case
"postgres"
:
var
host
,
port
=
"127.0.0.1"
,
"5432"
var
host
,
port
=
"127.0.0.1"
,
"5432"
fields
:=
strings
.
Split
(
DbCfg
.
Host
,
":"
)
fields
:=
strings
.
Split
(
DbCfg
.
Host
,
":"
)
...
@@ -161,4 +181,12 @@ func LoadConfig() {
...
@@ -161,4 +181,12 @@ func LoadConfig() {
}
}
DbCfg
.
SslMode
=
sec
.
Key
(
"ssl_mode"
)
.
String
()
DbCfg
.
SslMode
=
sec
.
Key
(
"ssl_mode"
)
.
String
()
DbCfg
.
Path
=
sec
.
Key
(
"path"
)
.
MustString
(
"data/grafana.db"
)
DbCfg
.
Path
=
sec
.
Key
(
"path"
)
.
MustString
(
"data/grafana.db"
)
if
DbCfg
.
Type
==
"mysql"
{
mysqlConfig
.
SslMode
=
DbCfg
.
SslMode
mysqlConfig
.
CaCertPath
=
sec
.
Key
(
"ca_cert_path"
)
.
String
()
mysqlConfig
.
ClientKeyPath
=
sec
.
Key
(
"client_key_path"
)
.
String
()
mysqlConfig
.
ClientCertPath
=
sec
.
Key
(
"client_cert_path"
)
.
String
()
mysqlConfig
.
ServerCertName
=
sec
.
Key
(
"server_cert_name"
)
.
String
()
}
}
}
pkg/services/sqlstore/tls_mysql.go
0 → 100644
View file @
f20ee6b4
package
sqlstore
import
(
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
)
func
makeCert
(
tlsPoolName
string
,
config
MySQLConfig
)
(
*
tls
.
Config
,
error
)
{
rootCertPool
:=
x509
.
NewCertPool
()
pem
,
err
:=
ioutil
.
ReadFile
(
config
.
CaCertPath
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"Could not read DB CA Cert path: %v"
,
config
.
CaCertPath
)
}
if
ok
:=
rootCertPool
.
AppendCertsFromPEM
(
pem
);
!
ok
{
return
nil
,
err
}
clientCert
:=
make
([]
tls
.
Certificate
,
0
,
1
)
if
config
.
ClientCertPath
!=
""
&&
config
.
ClientKeyPath
!=
""
{
certs
,
err
:=
tls
.
LoadX509KeyPair
(
config
.
ClientCertPath
,
config
.
ClientKeyPath
)
if
err
!=
nil
{
return
nil
,
err
}
clientCert
=
append
(
clientCert
,
certs
)
}
tlsConfig
:=
&
tls
.
Config
{
RootCAs
:
rootCertPool
,
Certificates
:
clientCert
,
}
tlsConfig
.
ServerName
=
config
.
ServerCertName
if
config
.
SslMode
==
"skip-verify"
{
tlsConfig
.
InsecureSkipVerify
=
true
}
// Return more meaningful error before it is too late
if
config
.
ServerCertName
==
""
&&
!
tlsConfig
.
InsecureSkipVerify
{
return
nil
,
fmt
.
Errorf
(
"server_cert_name is missing. Consider using ssl_mode = skip-verify."
)
}
return
tlsConfig
,
nil
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment