Page MenuHomePhabricator

Make it easier to ban misbehaving dashboards from graphite
Open, MediumPublic


Related Gerrit Patches:
operations/puppet : productiongraphite: add http referer ban capability

Event Timeline

fgiunchedi claimed this task.
fgiunchedi raised the priority of this task from to Medium.
fgiunchedi updated the task description. (Show Details)
fgiunchedi added projects: Operations, Graphite.
fgiunchedi added a subscriber: fgiunchedi.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2015, 3:47 PM

the idea being that in the event of a misbehaving/badly configured dashboard it should be quick/simple to blacklist it. we'll have to do this on the graphite side since grafana clients with dashboards already loaded might or might not pick up the change

e.g. in apache using mod_rewrite (adapted from

RewriteMap  grafana_bans "txt:/etc/apache2/FIXME"

RewriteCond "%{HTTP_REFERER}" !=""
RewriteCond "${grafana_bans:%{HTTP_REFERER}}" =-
RewriteRule "^"  "%{HTTP_REFERER}" [F]

with grafana_bans containing e.g -

Change 255695 had a related patch set uploaded (by Filippo Giunchedi):
graphite: add http referer ban capability

moreover, it should be possible to entirely ban grafana (i.e. POST /render) so that for example check_graphite isn't affected

Change 255695 abandoned by Filippo Giunchedi:
graphite: add http referer ban capability

this is part of the action items from including other measures like enforcing minimum refresh periods in grafana ( Fair enough though, I agree it isn't the right approach, abandoning for now

Krinkle moved this task from Inbox to graphite-web on the Graphite board.Nov 18 2016, 6:29 PM