Docs: Minor edits to the README and several md files (#19238)
* Update README.md Capitalized the G and S in "Getting Started," and moved "guide" to match the section title in the docs. * Fixed sentence structure. Changed "download" to "grafana.com/get" and changed "get" to "download". * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111) * Docs: Replace "datasources" with "data sources" (#19111)
This commit is contained in:
Brenda Harjala
committed by
Marcus Olsson
Marcus Olsson
parent
b20a258b72
commit
c9e566b156
@@ -7,25 +7,25 @@ parent = "developing"
|
||||
weight = 3
|
||||
+++
|
||||
|
||||
# Authentication for Datasource Plugins
|
||||
# Authentication for data source plugins
|
||||
|
||||
Grafana has a proxy feature that proxies all data requests through the Grafana backend. This is very useful when your datasource plugin calls an external/thirdy-party API. The Grafana proxy adds CORS headers and can authenticate against the external API. This means that a datasource plugin that proxies all requests via Grafana can enable token authentication and the token will be renewed automatically for the user when it expires.
|
||||
Grafana has a proxy feature that proxies all data requests through the Grafana backend. This is very useful when your data source plugin calls an external/thirdy-party API. The Grafana proxy adds CORS headers and can authenticate against the external API. This means that a data source plugin that proxies all requests via Grafana can enable token authentication and the token will be renewed automatically for the user when it expires.
|
||||
|
||||
The plugin config page should save the API key/password to be encrypted (using the `secureJsonData` feature) and then when a request from the datasource is made, the Grafana Proxy will:
|
||||
The plugin config page should save the API key/password to be encrypted (using the `secureJsonData` feature) and then when a request from the data source is made, the Grafana Proxy will:
|
||||
|
||||
1. decrypt the API key/password on the backend.
|
||||
2. carry out authentication and generate an OAuth token that will be added as an `Authorization` HTTP header to all requests (or it will add a HTTP header with the API key).
|
||||
3. renew the token if it expires.
|
||||
|
||||
This means that users that access the datasource config page cannot access the API key or password after is saved the first time and that no secret keys are sent in plain text through the browser where they can be spied on.
|
||||
This means that users that access the data source config page cannot access the API key or password after is saved the first time and that no secret keys are sent in plain text through the browser where they can be spied on.
|
||||
|
||||
For backend authentication to work, the external/third-party API must either have an OAuth endpoint or that the API accepts an API key as a HTTP header for authentication.
|
||||
|
||||
## Plugin Routes
|
||||
|
||||
You can specify routes in the `plugin.json` file for your datasource plugin. [Here is an example](https://github.com/grafana/azure-monitor-datasource/blob/d74c82145c0a4af07a7e96cc8dde231bfd449bd9/src/plugin.json#L30-L95) with lots of routes (though most plugins will just have one route).
|
||||
You can specify routes in the `plugin.json` file for your data source plugin. [Here is an example](https://github.com/grafana/azure-monitor-datasource/blob/d74c82145c0a4af07a7e96cc8dde231bfd449bd9/src/plugin.json#L30-L95) with lots of routes (though most plugins will just have one route).
|
||||
|
||||
When you build your url to the third-party API in your datasource class, the url should start with the text specified in the path field for a route. The proxy will strip out the path text and replace it with the value in the url field.
|
||||
When you build your url to the third-party API in your data source class, the url should start with the text specified in the path field for a route. The proxy will strip out the path text and replace it with the value in the url field.
|
||||
|
||||
For example, if my code makes a call to url `azuremonitor/foo/bar` with this code:
|
||||
|
||||
@@ -53,7 +53,7 @@ The `method` parameter is optional. It can be set to any HTTP verb to provide mo
|
||||
|
||||
### Dynamic Routes
|
||||
|
||||
When using routes, you can also reference a variable stored in JsonData or SecureJsonData which will be interpolated when connecting to the datasource.
|
||||
When using routes, you can also reference a variable stored in JsonData or SecureJsonData which will be interpolated when connecting to the data source.
|
||||
|
||||
With JsonData:
|
||||
```json
|
||||
@@ -83,7 +83,7 @@ An app using this feature can be found [here](https://github.com/grafana/kentik-
|
||||
|
||||
## Encrypting Sensitive Data
|
||||
|
||||
When a user saves a password or secret with your datasource plugin's Config page, then you can save data to a column in the datasource table called `secureJsonData` that is an encrypted blob. Any data saved in the blob is encrypted by Grafana and can only be decrypted by the Grafana server on the backend. This means once a password is saved, no sensitive data is sent to the browser. If the password is saved in the `jsonData` blob or the `password` field then it is unencrypted and anyone with Admin access (with the help of Chrome Developer Tools) can read it.
|
||||
When a user saves a password or secret with your data source plugin's Config page, then you can save data to a column in the data source table called `secureJsonData` that is an encrypted blob. Any data saved in the blob is encrypted by Grafana and can only be decrypted by the Grafana server on the backend. This means once a password is saved, no sensitive data is sent to the browser. If the password is saved in the `jsonData` blob or the `password` field then it is unencrypted and anyone with Admin access (with the help of Chrome Developer Tools) can read it.
|
||||
|
||||
This is an example of using the `secureJsonData` blob to save a property called `password`:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user