Comments (10)
Hi @atod, thanks for the question. I looked up the JIRA REST API documentation on authentication. I think basic authentication would be the easiest to get working: https://developer.atlassian.com/jiradev/jira-apis/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-basic-authentication
This would require you to create an Authorization header for a specific user, and hard-code that header into the JSON Data Source options in the dashboard. You can use the built-in Encryption to prevent anyone from seeing the actual password.
This approach wouldn't use the credentials of the user viewing the dashboard however—the data would be accessible to anyone opening the Cyclotron dashboard, because of the hard-coded credentials. Not sure if this approach works for you or not, due to the potential risk of exposing a user's credentials. Ideally you could use a service account.
AFAIK it's not possible to get the credentials of the user viewing the dashboard, or their JIRA cookie (due to browser security). Again I'm unclear on the certificate authentication you mention, but potentially that could be integrated into the Cyclotron-svc backend somehow.
Finally one more suggestion: Instead of hardcoding the Authorization header into the dashboard, you could add a new REST endpoint to the cyclotron-svc code, which makes authenticated requests to JIRA (using a single user's credentials). Then the JSON Data Source could connect to that endpoint without authentication. As long as the cyclotron-svc backend is secure, this would avoid exposing any user credentials.
Hope this helps, let me know if there's anything I can clarify.
from cyclotron.
Hi @baumandm,
Thank you for providing detailed answer.
I would prefer to avoid hardcoding a user into the JSON Data Source options. Also, a service account is not an option for us.
I would like to check with you whether it is possible to use the credentials of the user viewing the dashboard by implementing/extending the Cyclotron front-end and back-end in the following way:
- When a dashboard user opens a dashboard, he/she is requested to provide their own credentials (user name and password) to the front-end. These credentials are stored only in the session (in memory).
- Then the dashboard runs a Data Source which calls the Cyclotron-svc back-end service, sending the credentials so that they can be used to gather the needed data from the respective system (like Jira).
In that way the credentials will not be hardcoded anywhere.
Thank you for your guidance in advance!
atod
Hi @atod, I understand what you're proposing and it is certainly possible to extend Cyclotron in this way. However, I don't believe this to be a security best practice, and it's not functionality we would want to provide out-of-the-box due to the inherent risk. That said, I'd be happy to help point you in the right direction if this is something you want to implement.
Hi @baumandm, as far as I understand the security vulnerability, I think it can be mitigated by ensuring that the code of local Cyclotron instances can be updated only if the new code change is submitted to a version control system (i.e. Git) and then synced and activated via automation (i.e. a Jenkins job) for which the change owner needs to be authenticated. Access to the hosts of local Cyclotron instances will be forbidden.
Thank you for offering to help with extending Cyclotron! Where is it best to continue the discussion? Should we use this Git issue, or can we connect via email, for example?
Hi @baumandm, reading my last comment now, it is hard even for me to understand what I tried to explain. :)
I wanted to say that access to the code of a productive Cyclotron instance can be forbidden, and in that way minimize the risk of the security vulnerability.
Do you see a chance to discuss the potential extension?
Hi @atod, sorry for the delay in addressing this. I've implemented it pretty much as you described above, but with the additional step of encrypting the value before caching it in the front-end. It uses the existing built-in encryption functionality, which only allows decryption when running a Data Source (and the decryption runs service-side, so the user never sees the password).
I've added a new configuration setting in the website's configService.js, cacheEncryptedPassword: true. It's false by default, so you'll need to change it to true.
Once enabled, you should be able to reference the credentials of the current logged-in user like this: ${Cyclotron.currentUsername} and ${Cyclotron.currentUserPassword}. This is the inline JavaScript notation, so you can use it in the Data Source properties.
For example, if you wanted to authenticate to a web service with the current user's credentials, using the JSON Data Source:
{
  "options": {
    "auth": {
      "pass": "${Cyclotron.currentUserPassword}",
      "user": "${Cyclotron.currentUsername}"
    },
    "followAllRedirects": "${true}"
  },
  "type": "json",
  "url": "...."
}
Please review and let me know if you have any feedback. It's currently on the branch feature/cacheEncryptedPassword, as I haven't merged this feature to the master branch yet.
Hi @baumandm,
I apologize for my late reply. I just realized that you implemented this feature. Which is awesome!
I will test it in my environment and return feedback.
Once again, thanks a lot!
Hi @baumandm,
I'm still working to validate the feature due to time constraints on my side. And once again, thank you for implementing it.
It took time for me to configure the LDAP authentication. Now it works successfully. I'm able to log in to my cyclotron instance with my user/password and define view/edit permissions per dashboard.
Currently I'm trying to fetch data from Jira with the json datasource. Here it is:
/* strings in <>, i.e. <JIRA_HOSTNAME>, are placeholders for the original strings */
{
  "name": "jira_logged_work",
  "options": {
    "auth": {
      "pass": "${Cyclotron.currentUserPassword}",
      "user": "${Cyclotron.currentUsername}"
    },
    "followAllRedirects": "${true}",
    "strictSSL": "${false}"
  },
  "postProcessor": "pp = function (data) {\n console.log( \"JSON Data: \" + JSON.stringify(data) );\n return data.issues;\n}",
  "queryParameters": {
    "jql": "project=<JIRA_PROJECT> and worklogDate>=\"-7d\"",
    "maxResults": "1",
    "startAt": "0"
  },
  "type": "json",
  "url": "https://<JIRA_HOSTNAME>/rest/api/2/search"
}
Unfortunately it fails with:
POST http://ui5delivery.mo.sap.corp:8077/proxy 500 (Internal Server Error)
and the proxyResponse object is undefined.
The first thing I noticed in the proxyRequest object was that user is not part of the auth object, as shown below. Even after hardcoding it (for testing purposes only) it still failed in the same way.
{
  "url": "https://<JIRA_HOSTNAME>/rest/api/2/search?jql=project%3D<JIRA_PROJECT>+and+worklogDate%3E%3D%22-7d%22&maxResults=1&startAt=0",
  "method": "GET",
  "json": true,
  "auth": { "pass": "<USER_PASSWORD>" },
  "followAllRedirects": true,
  "strictSSL": false
}
Any hints will be very much appreciated.
Thank you!
atod
Hi @atod, I think this is my mistake. I double-checked the code and my previous instructions were wrong. The correct username reference is "${Cyclotron.currentUser.name}". Can you try changing this to see if it resolves the issue?
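As an added illustration of the username reference mix-up and the proxyRequest shown earlier in the thread (example code, not Cyclotron's own): a simplified model of how inline ${...} references in Data Source options might be resolved against the page context, showing why a reference to a non-existent property such as Cyclotron.currentUsername silently drops the user field from the auth object, plus a pre-flight check that flags an incomplete auth object before the request goes to the proxy. The context property names and the dotted-path resolver are assumptions; Cyclotron's real inline JavaScript evaluation is not modelled.

```javascript
// Added example, not Cyclotron's own code: a simplified model of how inline
// "${...}" references in Data Source options get resolved against the page
// context, plus a pre-flight check on the resulting auth object.

// Constructed sample context for a logged-in LDAP user (no real values).
const context = { Cyclotron: { currentUser: { name: "jdoe", sAMAccountName: "JDOE" },
                               currentUserPassword: "placeholder-password" } };

// Resolve one "${expr}" value as a dotted path into the context (no eval).
// A path that does not exist yields undefined, exactly like a typo would.
function resolveInline(value, ctx) {
  const m = typeof value === "string" && value.match(/^\$\{(.+)\}$/);
  if (!m) return value;
  if (m[1] === "true") return true;
  if (m[1] === "false") return false;
  return m[1].split(".").reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// Recursively resolve every leaf of the options object.
function resolveOptions(options, ctx) {
  const out = {};
  for (const [k, v] of Object.entries(options)) {
    out[k] = v && typeof v === "object" ? resolveOptions(v, ctx) : resolveInline(v, ctx);
  }
  return out;
}

// Serialize for the proxy. JSON.stringify drops keys whose value is undefined,
// which is why a wrong reference leaves "user" missing from auth instead of
// producing a visible error on the client side.
function buildProxyRequest(options, ctx) {
  return JSON.parse(JSON.stringify(resolveOptions(options, ctx)));
}

// Pre-flight check: list the auth fields that are missing or empty so the
// request can be refused before it reaches the proxy.
function authProblems(req) {
  if (!req.auth) return [];
  return ["user", "pass"].filter((f) => typeof req.auth[f] !== "string" || req.auth[f] === "");
}

// The two option sets from the thread: the wrong reference and the corrected one.
const wrongOptions = { auth: { pass: "${Cyclotron.currentUserPassword}", user: "${Cyclotron.currentUsername}" },
                       followAllRedirects: "${true}" };
const fixedOptions = { auth: { pass: "${Cyclotron.currentUserPassword}", user: "${Cyclotron.currentUser.name}" },
                       followAllRedirects: "${true}" };
```

Running authProblems on the resolved request gives ["user"] for wrongOptions and an empty list for fixedOptions, which matches the auth object the proxyRequest above showed.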
Hi @baumandm,
this helped. Actually I had to use "${Cyclotron.currentUser.sAMAccountName}" for my use case. Now the user name is present in the proxyRequest. I still have an issue fetching data from Jira, but it is because of the local host proxy configuration. As soon as I manage to fix it, I will write back.
Thank you!