## Summary
Implements configurable query execution timeout controls to prevent
poorly optimized or excessive queries from consuming excessive server
resources, causing performance degradation, or crashing the Zabbix
server.
Fixes: https://github.com/grafana/oss-big-tent-squad/issues/127
## Problem
Previously, the plugin only had an HTTP connection timeout (`timeout`)
that controlled individual API request timeouts. However, a complete
query execution could involve multiple API calls and run indefinitely if
not properly controlled, potentially causing resource exhaustion.
## Solution
Added a new `queryTimeout` setting that enforces a maximum execution
time for entire database queries initiated by the plugin. Queries
exceeding this limit are automatically terminated with proper error
handling and logging.
## Testing
1. Configure a datasource with `queryTimeout` set to a low value (e.g.,
   5 seconds)
2. Execute a query that would normally take longer than the timeout
3. Verify that:
   - Query is terminated after the timeout period
   - Error message indicates timeout occurred
   - Logs contain timeout warning with query details
   - Other queries in the same request continue to execute
## Notes
- `queryTimeout` is separate from `timeout` (HTTP connection timeout)
- `queryTimeout` applies to the entire query execution, which may
involve multiple API calls
- Default value of 60 seconds ensures reasonable protection while
allowing normal queries to complete
- Timeout errors are logged with query refId, queryType, timeout
duration, and datasourceId for troubleshooting
## Summary
Implements query guardrails in the backend to prevent execution of
expensive or malformed queries that could impact customer environments.
Part of https://github.com/grafana/oss-big-tent-squad/issues/127
## Changes
### New guardrails added:
1. **Item ID validation** (`queryItemIdData`)
   - Validates that item IDs are non-empty
   - Validates that item IDs contain only numeric values
2. **Time range validation** (`QueryData`)
   - Validates that `From` timestamp is before `To` timestamp
3. **API method allowlist** (`ZabbixAPIHandler`)
   - Only allows Zabbix API methods defined in the frontend type
     `zabbixMethodName`
   - Blocks any write/delete/update operations not in the allowlist
### New files:
- `pkg/datasource/guardrails.go` - Validation functions and error
definitions
- `pkg/datasource/guardrails_test.go` - Unit tests for all validation
functions
### Modified files:
- `pkg/datasource/datasource.go` - Added time range validation
- `pkg/datasource/zabbix.go` - Added item ID validation
- `pkg/datasource/resource_handler.go` - Added API method validation
## Reasoning
- Allowed functions might be unnecessary as we've already prevented using
  those in
  [types.ts](https://github.com/grafana/grafana-zabbix/blob/main/src/datasource/zabbix/types.ts#L1-L23)
  but it's nice to be cautious.
- itemid and time validation is just for sanity.
- Time range validation will be necessary in the future to warn the user
  against running expensive queries.
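
The three guardrails listed above, as an added Go example rather than the plugin's own `guardrails.go`: the function names, error values, the `[]string` input shape and the allowlist contents are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)
// Hypothetical sentinel errors; the plugin's own definitions are not shown on the page.
var (
	ErrEmptyItemIDs     = errors.New("no item IDs supplied")
	ErrNonNumericItemID = errors.New("item ID is not numeric")
	ErrInvalidTimeRange = errors.New("from must be before to")
	ErrMethodNotAllowed = errors.New("zabbix API method not in allowlist")
)
// Constructed allowlist: an assumed subset of read-only Zabbix API methods.
var allowedMethods = map[string]bool{
	"host.get": true, "item.get": true, "history.get": true, "trend.get": true,
}

// ValidateItemIDs rejects an empty list and any ID that is not a base-10 unsigned
// integer. ParseUint refuses signs, spaces and empty strings, so "-5" or "1 OR 1" fail.
func ValidateItemIDs(ids []string) error {
	if len(ids) == 0 {
		return ErrEmptyItemIDs
	}
	for _, id := range ids {
		if _, err := strconv.ParseUint(id, 10, 64); err != nil {
			return fmt.Errorf("%w: %q", ErrNonNumericItemID, id)
		}
	}
	return nil
}

// ValidateTimeRange requires From strictly before To; equal or inverted ranges fail.
func ValidateTimeRange(from, to time.Time) error {
	if !from.Before(to) {
		return ErrInvalidTimeRange
	}
	return nil
}

// ValidateAPIMethod is default-deny: anything absent from the allowlist is blocked.
func ValidateAPIMethod(method string) error {
	if !allowedMethods[method] {
		return fmt.Errorf("%w: %q", ErrMethodNotAllowed, method)
	}
	return nil
}
func main() { fmt.Println(ValidateItemIDs([]string{"10084", "x"}), ValidateAPIMethod("host.delete")) }
```

Wrapping the sentinel errors with `%w` lets callers branch on `errors.Is` while the log line still carries the offending value.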
This PR moves the health check to backend only, leaving in the frontend
the functionality to test the dbconnector datasource.
Leaving the `dbconnector.testDataSource` should be fine since the
datasource types we allow for db connection with Zabbix already are
backend datasources, and so their health requests would go through the
backend.
Verified:
Clicking test and seeing a `health` request go out.
IMPORTANT: While testing this in the UI, I found a bug with the config
editor - whenever a change is made in the UI and tested, the changes
don't take effect (i.e. disabling trends keeps `trends` set to `true`,
enabling db connection keeps `dbConnectionEnabled` set to `false`, and so
on). Created a separate
[issue](https://github.com/orgs/grafana/projects/457/views/40?pane=issue&itemId=3627315751&issue=grafana%7Coss-big-tent-squad%7C132)
to fix this.
Fixes https://github.com/grafana/oss-big-tent-squad/issues/124
Fixes https://github.com/grafana/grafana-zabbix/issues/2004
Fixes #1986
Fixes #1994
- Updated .gitignore to include SSL certificate files.
- Introduced new GitHub Actions workflows for testing compatibility with
Zabbix versions 5.0, 6.0, 7.0, and 7.2.
- Added integration tests for Zabbix API for each version, ensuring
proper authentication and API version handling.
- Updated Docker Compose files to support SSL configuration for Zabbix
web services.
- Removed deprecated default Docker Compose and bootstrap files.
- Removed devenv for version 6.2.