[Security] Grafana v10.4.2 (22809dea50) x Postgresql: Why does Grafana query the pg_authid system catalog?

[3BK]

What happened?

Why does Grafana query the pg_authid system catalog?

This catalog is not publicly readable by design because it contains passwords.

Grafana sent this to PostgreSQL:

SELECT oid, rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolconnlimit, rolpassword, rolvaliduntil, rolreplication, rolbypassrls, pg_catalog.shobj_description(oid, 'pg_authid') as rolcomment, rolname = current_user AS is_current_user FROM pg_authid WHERE rolname !~ '^pg_' ORDER BY 2

By design, Grafana should have sent this to PostgreSQL:

SELECT oid, rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolconnlimit, rolpassword, rolvaliduntil, rolreplication, rolbypassrls, pg_catalog.shobj_description(oid, 'pg_roles') as rolcomment, rolname = current_user AS is_current_user FROM pg_roles WHERE rolname !~ '^pg_' ORDER BY 2

What did you expect to happen?

I expected Graphana to query pg_roles instead of pg_authid .

Did this work before?

Don't know.

How do we reproduce it?

1. Spin up grafana latest + postgresql latest
2. Connect Grafana to postgresql
3. Boom

Is the bug inside a dashboard panel?

The bug is in tsdb.postgresql

Environment (with versions)?

Grafana: Grafana v10.4.2 (22809de)
OS: *NIX
Browser: Chrome (latest)
Postgresql: 16.2

Grafana platform?

A package manager (APT, YUM, BREW, etc.)

Datasource(s)?

tsdb.postgresql

Tasks

Beta Give feedback

No tasks being tracked yet.

[3BK]

What's even more interesting is that the Grafana repository doesn't appear to contain any obvious references to pg_authid .

[3BK]

@tonypowa Is this within your purview? To wit. Why does Grafana need to inventory all database passwords on connection?

[3BK]

Adding @yesoreyeram and @gabor as a second set of eyes.

[gabor]

hi @3BK , i cannot reproduce this with the postgres datasource. i tried with the commit you mentioned, and no such query was sent to the database by the datasource plugin.

are you using the postgres datasource, or are you using postgres as the database that grafana uses to run( i mean the https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#database setting)?

[3BK]

Background I set up postgresql as a datasource on a system at work but was unable get grafana to connect. Investigation I read all applicable internet solutions and related issue notes. I read all the subject matter applicable git code. I spun up a test bed and executed all high probability mutations, perms, and combs on the seqeunce of events and configuration for connecting grafana to postgresql. Same barriers and errors. Testbed activities After several debugging sessions, I found evidence that grafana connection attempt (using the read only account) triggered attempts to query the privileged catalog. Hence the case / issue. Last night Suddenly the same high probability of success sequences and configurations which formerly failed or triggered the security issue worked -without any findings. Nothing else had changed aside from one maybe two OS patches. As an aside, I have been using a paswword manager, etc. (It almost seemed like some underlying component had drifted/shifted on the test bed. ) Next steps I will retest the same sequences and config at work and advise if i can correlate / reproduce / narrow down or eliminate the security warning / finding. [edit by @gabor : this contained the whole github-notification-email quoted, i removed that part]