Draft | Prototype | Call UI Ingress from Grafana #407
Conversation
## [4.8.0](v4.7.1...v4.8.0) (2025-09-10) ### Features * **Assets:** Get locations in assets query builder ([#402](#402)) ([8668651](8668651))
priya-ni
requested review from
hemkumarrao-ni,
ushakanagaraj-ni,
rajsite,
m-akinc and
cameronwaterman
as code owners
| 4. To use UI ingress | ||
| 1. Fill in the **URL** field with the UI URL of the Stratus environment you want to use (e.g. https://test.lifecyclesolutions.ni.com). | ||
| 2. Login to the url in the browser and copy the value of the cookie from the **Network Tab** | ||
| 2. For authentication, enable **With Credentials** toggle, click the **Add header** button and add a custom header | ||
| with the name `cookie` and value set to browser cookie |
There was a problem hiding this comment.
The PR description states:
calling /user/create-api-session, which is available only in the web server [endpoint and not api endpoint]
So this workflow of copying a Cookie out of the browser to add to the configuration for local development seems like a workaround for that.
My questions are:
- Is it expected that the
/user/create-api-sessionendpoints didn't work with the api endpoints and we need this workaround? - Is it an SLE security issue that this workflow works (copying a Cookie out of the browser to another frontend client, shouldn't there be origin validation on frontend CORS requests)?
- How does this compare to our Angular clients that are using the
user/create-api-sessionendpoints?
Talking to @m-akinc and @darrenbiel using the provisioning/example.yaml for managing the Cookie secret if we need to use that approach seems reasonable.
There was a problem hiding this comment.
Is it an SLE security issue that this workflow works (copying a Cookie out of the browser to another frontend client, shouldn't there be origin validation on frontend CORS requests)?
@JD-Robertson out of band it was suggested you may have input on if this is expected behavior? My concern on using it in a dev workflow is that it's actually an issue that when resolved would break the dev workflow. But maybe things are behaving as expected or there are limitations (dev / test have different validation / CORS restrictions or something).
There was a problem hiding this comment.
We don't really try to protect the user from misusing their own data. If you copy the value of a protected cookie into another app, it's not going to be secure anymore. And if the browser doesn't properly protect the cookie, there's not much we can do to protect anything.
And it's not a cross-origin request if you are directly connecting from a different client.
If you're suggesting the cookie itself should somehow validate the client, that's a thought but I've not encountered anything that does that today. This cookie comes from express-session and its contents are currently configured by that library.
I do wonder why all this manual setup. We setup automatic proxies for the back-end with the Web UI projects and the Web Server project. But I know there's been a lot of discussion around this and I don't know where things ended up. @chris468 was involved and might have more insight.
There was a problem hiding this comment.
Is it expected that the /user/create-api-session endpoints didn't work with the api endpoints and we need this workaround?
@rajsite Yes, from the local Grafana setup, we cannot access routes from the web server. If I try to access the above route, I will get a 404 error.
How does this compare to our Angular clients that are using the user/create-api-session endpoints?
In Angular apps, the proxy setup is different, and all the routes go through a web server. But for Grafana, we can configure the setup using YAML or the configuration page.
| // Create session key | ||
| const apiSession = await this.createSessionKey(); | ||
|
|
There was a problem hiding this comment.
This PR shows that creating a session key is possible. But I'm curious about the lifecycle of the keys and if this PR is trying to reflect that. Talking to @darrenbiel we suspect that the session key should be cached in some way for requests. It would be useful to look at what our Angular clients do and reflect that / document if the behaviors will differ.
There was a problem hiding this comment.
@rajsite The /user/create-api-session which intern uses /niauth/v1/session-keys and the key is valid for 1 hour.
As far now with Grafana is concerned, caching is possible within the data source, which we have done in the past using shared folders. We can implement the same caching here as well.
How the Angular clients do it is similar to this pattern, but the session keys will be deleted when a component is destroyed. In React, it can only detect component destruction of query editors, not data sources. So, we can delete the session key either once the queries are completed or leave it as per 1-hour expiry. Please share your thoughts.
Example of bypassing the web server from the Data Spaces app:
1. caller of queryDecimatedData
2. caller of createApiSession
3. api-session.service.ts
There was a problem hiding this comment.
So, we can delete the session key either once the queries are completed or leave it as per 1-hour expiry. Please share your thoughts.
This discussion is continuing in the Azdo HLD
| # url and your API key. | ||
|
|
||
| apiVersion: 1 | ||
|
|
There was a problem hiding this comment.
@priya-ni we gave some initial feedback on the Draft PR. Please let us know if that was the type of feedback you were looking for when creating the draft or if you have questions that were not addressed.
Pull Request
🤨 Rationale
Context
Our Grafana plugin currently routes all requests through the web server middleware. We have a requirement to call the API ingress for better performance.
The bypassing logic contains 2 steps
/user/create-api-session, which is available only in the web server/nidataframe/v1/tables/${id}/query-data)This PR introduces a prototype implementation to test bypassing the web server and directly calling the API ingress, which works in both development & production.
The below PR has needed changes for BE and Terraform configurations.
Pull Request 1056561: Draft | Prototype | Update cors_origins & whitelisted headers with x-grafana-device-id
Task 3260522: Investigate Bypassing webserver
HLD Thread conversation
👩💻 Implementation
Provisioning File Updates:
Bypassing API Implementation:
🧪 Testing
Locally tested
✅ Checklist