twc-openstack / grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB
http://grafana.org

Secure persistent storage for keystone credentials #5

Open dhague opened 8 years ago

dhague commented 8 years ago

Currently the username & password entered by the user are stored in session variables so that a Keystone token can be requested after an old one expires. If Grafana is scaled beyond one server, or if the server is restarted, then the session may no longer be available and the user doesn't get a clear indication of any problem. One hypothetical solution would be to configure persistent session storage for Grafana, e.g. MySQL or memcached. However, this would present a major security issue in that plaintext usernames & passwords would be stored in the session persistence engine. The solution I propose is to instead store the username & password in a session cookie. This would mean that they never exist on a machine outside of the user's control, and are never persisted to disk. Use of https for Grafana, and the correct "domain", "secure" and "httponly" cookie flags would mean they are securely held and transmitted.
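The cookie design proposed in the comment above, written out as an added Go example that is not code from this fork or from Grafana; the cookie name, error values and function names are assumptions. It shows both halves, setting a session cookie with the Domain, Secure and HttpOnly flags the comment lists and reading the credentials back on a later request, and it refuses to set the cookie on a request that did not arrive over TLS.

```go
package main

import (
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
)

// Assumed cookie name for this example; not the name used by Grafana or the fork.
const keystoneCookieName = "grafana_keystone_creds"
var errNotTLS = errors.New("refusing to set credential cookie on a non-TLS request")

// setKeystoneCredCookie keeps the Keystone username and password in a session
// cookie (no Expires/MaxAge, so the browser drops it on exit and never writes it
// to disk) with the Domain, Secure and HttpOnly flags from the issue. The value is
// base64, not encrypted: confidentiality rests on TLS, so plain HTTP is refused.
// Behind a TLS-terminating proxy r.TLS is nil; a trusted X-Forwarded-Proto check
// would be needed there instead (left out here).
func setKeystoneCredCookie(w http.ResponseWriter, r *http.Request, domain, user, pass string) error {
	if r.TLS == nil {
		return errNotTLS
	}
	// NUL separates the fields because a username may legitimately contain ':'.
	raw := []byte(user + "\x00" + pass)
	http.SetCookie(w, &http.Cookie{
		Name:     keystoneCookieName,
		Value:    base64.RawURLEncoding.EncodeToString(raw),
		Path:     "/",
		Domain:   domain,
		Secure:   true, // only transmitted over https
		HttpOnly: true, // unreadable from page JavaScript
		SameSite: http.SameSiteStrictMode,
	})
	return nil
}

// readKeystoneCredCookie recovers the credentials from a later request, so a
// fresh Keystone token can be obtained without any server-side session state.
func readKeystoneCredCookie(r *http.Request) (string, string, error) {
	c, err := r.Cookie(keystoneCookieName)
	if err != nil {
		return "", "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(c.Value)
	if err != nil {
		return "", "", err
	}
	user, pass, ok := strings.Cut(string(raw), "\x00")
	if !ok {
		return "", "", errors.New("malformed keystone credential cookie")
	}
	return user, pass, nil
}
```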

dhague commented 8 years ago

Almost finished the solution to this - PR should be along sometime early next week.