Support Basic auth for backend requests

[dbuconn]

I recently upgraded from Grafana 6.5.2 and plugin 3.12.4 to Grafana 7.1.5 and plugin 4.0.1, and when testing the datasource I'm getting a 401 error in Apache.

Before upgrade (IP and user anonymized)
xx.xx.xx.xx - apiuser [04/Sep/2020:08:50:10 -0400] "POST /api/api_jsonrpc.php HTTP/1.1" 200 41 "-" "Grafana/6.5.2"

After upgrading Grafana:
xx.xx.xx.xx - apiuser [04/Sep/2020:08:55:16 -0400] "POST /api/api_jsonrpc.php HTTP/1.1" 200 68 "-" "Grafana/7.1.5"

After upgrading plugin:
xx.xx.xx.xx - - [04/Sep/2020:08:59:55 -0400] "POST /api/api_jsonrpc.php HTTP/1.1" 401 381 "-" "Grafana/grafana-zabbix"

For some reason it's getting the 401 381 error - is it not passing the API user? I also tested credentials using curl and did not get the 401 error (unless I deliberately entered a wrong password of course)

Is there a config I need to change or is this a bug?

RHEL 7.8, Apache 2.4.6, Zabbix 4.4.6.

[alexanderzobnin]

Hi! Could you show the plugin config? Also, you can enable debug logging in grafana and show logs from the grafana-server when you press save and test button. In this case plugin sends apiinfo.version query first which is not required auth, so we can try to figure out is it API credentials issue or not.

[dbuconn]

Hi Alex,

I believe it's failing at the htaccess level I believe, and that config hasn't changed. Relevant (anonymized) info posted:

Grafana log with debug:

t=2020-09-14T08:19:45-0400 lvl=dbug msg="Zabbix API request" logger=plugins.backend pluginId=alexanderzobnin-zabbix-datasource datasource=Zabbix method=apiinfo.version
t=2020-09-14T08:19:45-0400 lvl=eror msg="Zabbix API request error" logger=plugins.backend pluginId=alexanderzobnin-zabbix-datasource error="request failed, status: 401 Unauthorized"

Apache log on the web server:
xx.xx.xx.xx - - [14/Sep/2020:08:19:45 -0400] "POST /api/api_jsonrpc.php HTTP/1.1" 401 381 "-" "Grafana/grafana-zabbix"

Curl output from grafana to the web server, not giving the same 401 error:

curl -v -su 'apiuser' https://zabbixweb/api/api_jsonrpc.php

Enter host password for user 'apiuser':

• About to connect() to zabbixweb port 443 (#0)
• Trying xx.xx.xx.xx...
• Connected to zabbixweb (xx.xx.xx.xx) port 443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
• SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• Server certificate:
• subject: CN=xxx
• start date: Dec 06 00:00:00 2018 GMT
• expire date: Dec 05 23:59:59 2020 GMT
• common name: xxx
  issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
• Server auth using Basic with user 'apiuser'

GET /api/api_jsonrpc.php HTTP/1.1
Authorization: Basic xxx
User-Agent: curl/7.29.0
Host: zabbixweb
Accept: /

• HTTP 1.0, assume close after body
  < HTTP/1.0 412 Precondition Failed
  < Date: Mon, 14 Sep 2020 12:26:57 GMT
  < Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/5.4.16
  < X-Powered-By: PHP/5.4.16
  < Access-Control-Allow-Origin: *
  < Access-Control-Allow-Headers: Content-Type
  < Access-Control-Allow-Methods: POST
  < Access-Control-Max-Age: 1000
  < Content-Length: 0
  < Connection: close
  < Content-Type: text/html; charset=UTF-8

[alexanderzobnin]

So you're using Basic auth, right? It looks like it's not implemented in plugin.

[hluaces]

So you're using Basic auth, right? It looks like it's not implemented in plugin.

Could you please clarify why this used to work and now doesn't? Do you have any idea?

[moudsen]

I'm experiencing the same issue and will patiently wait for 4.0.2. Any release date known at this point?

[alexanderzobnin]

@hluaces Previously plugin had only frontend part and all queries were sent by Grafana backend. Now plugin has it's own backend which invokes requests, so this requires basic auth to be implemented in the plugin (or in the grafana plugin SDK, but it doesn't have this feature now).

[hluaces]

@alexanderzobnin thanks for taking the time to answer me and for your work.

[alexanderzobnin]

Fixed in d2e9c2b