Commit ff72521

Merge remote-tracking branch 'grafana/master' into jwt
* grafana/master:
    docs: suggested changes
    docs: fix header
    fixed handling of alert urls with true flags, fixes grafana#15454
    Fixed dashboard navbar buttons being visible in fullscreen, fixes grafana#15450
    Added missing strict type checking options to grafana/ui and fixed type errors
    Extracted common code for diff calculation
    fix spelling error
    whats new: rename security section
    Fix percent_diff calculation when points are nulls
    docs: move alerting above session
    docs: mention samesite setting
    docs: adds note about new login cookie name
    docs: improve removal of session storage for what's new in v6.0
    docs: add upgrade notes for v6.0
    docs: add note regarding auth proxy and user session requirement
    docs: fix typo
2 parents 057e472 + 1adc1a6 commit ff72521

20 files changed

+256
-131
lines changed
Diff for: docs/sources/auth/overview.md

+1-1
@@ -38,7 +38,7 @@ provider (listed above). There is also options for allowing self sign up.
3838

3939
### Login and short-lived tokens
4040

41-
> The followung applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.
41+
> The following applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.
4242
4343
Grafana are using short-lived tokens as a mechanism for verifying authenticated users.
4444
These short-lived tokens are rotated each `token_rotation_interval_minutes` for an active authenticated user.
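Review bot: the context lines right after the typo fix still carry two wording problems in the same paragraph: "Grafana are using short-lived tokens" should be "Grafana uses short-lived tokens", and "rotated each `token_rotation_interval_minutes`" reads as if the setting were a count; since this hunk already touches the paragraph, change it to "rotated every `token_rotation_interval_minutes` minutes for an active authenticated user".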

Diff for: docs/sources/guides/whats-new-in-v6-0.md

+26-9
@@ -27,6 +27,7 @@ The main highlights are:
2727
- [Azure Monitor]({{< relref "#azure-monitor-datasource" >}}) plugin is ported from being an external plugin to being a core datasource
2828
- [React Plugin]({{< relref "#react-panels-query-editors" >}}) support enables an easier way to build plugins.
2929
- [Named Colors]({{< relref "#named-colors" >}}) in our new improved color picker.
30+
- [Removal of user session storage]({{< relref "#easier-to-deploy-improved-security" >}}) makes Grafana easier to deploy & improves security.
3031

3132
## Explore
3233

@@ -113,30 +114,42 @@ will be shared closer to or just after release.
113114
{{< docs-imagebox img="/img/docs/v60/react_panels.png" max-width="600px" caption="React Panel" >}}
114115
<br />
115116

116-
### Google Stackdriver Datasource
117+
## Google Stackdriver Datasource
117118

118119
Built-in support for [Google Stackdriver](https://cloud.google.com/stackdriver/) is officially released in Grafana 6.0. Beta support was added in Grafana 5.3 and we have added lots of improvements since then.
119120

120121
To get started read the guide: [Using Google Stackdriver in Grafana](/features/datasources/stackdriver/).
121122

122-
### Azure Monitor Datasource
123+
## Azure Monitor Datasource
123124

124125
One of the goals of the Grafana v6.0 release is to add support for the three major clouds. Amazon Cloudwatch has been a core datasource for years and Google Stackdriver is also now supported. We developed an external plugin for Azure Monitor last year and for this release the [plugin](https://grafana.com/plugins/grafana-azure-monitor-datasource) is being moved into Grafana to be one of the built-in datasources. For users of the external plugin, Grafana will automatically start using the built-in version. As a core datasource, the Azure Monitor datasource will get alerting support for the official 6.0 release.
125126

126127
The Azure Monitor datasource integrates four Azure services with Grafana - Azure Monitor, Azure Log Analytics, Azure Application Insights and Azure Application Insights Analytics.
127128

128-
### Provisioning support for alert notifiers
129+
## Provisioning support for alert notifiers
129130

130131
Grafana now added support for provisioning alert notifiers from configuration files. Allowing operators to provision notifiers without using the UI or the API. A new field called `uid` has been introduced which is a string identifier that the administrator can set themselves. Same kind of identifier used for dashboards since v5.0. This feature makes it possible to use the same notifier configuration in multiple environments and refer to notifiers in dashboard json by a string identifier instead of the numeric id which depends on insert order and how many notifiers that exists in the instance.
131132

132-
### Auth and session token improvements
133+
## Easier to deploy & improved security
133134

134-
The previous session storage implementation in Grafana was causing problems in larger HA setups due to too many write requests to the database. The remember me token also have several security issues which is why we decided to rewrite auth middleware in Grafana and remove the session storage since most operations using the session storage could be rewritten to use cookies or data already made available earlier in the request.
135-
If you are using `Auth proxy` for authentication the session storage will still be used but our goal is to remove this ASAP as well.
135+
Grafana 6.0 removes the need of configuring and setup of additional storage for [user sessions](/tutorials/ha_setup/#user-sessions). This should make it easier to deploy and operate Grafana in a
136+
high availability setup and/or if you're using a stateless user session storage like Redis, Memcache, Postgres or MySQL.
136137

137-
This release will force all users to log in again since their previous token is not valid anymore.
138+
Instead of user sessions a solution based on short-lived tokens that are rotated frequently have been implemented. This also replaces the old "remember me cookie"
139+
solution, which allowed a user to be logged in between browser sessions, and which have been subject to several security holes throughout the years.
140+
Read more about the short-lived token solution and how to configure it [here](/auth/overview/#login-and-short-lived-tokens).
138141

139-
### Named Colors
142+
> Please note that due to these changes, all users will be required to login upon next visit after upgrade.
143+
144+
Besides these changes we have also made security improvements regarding Cross-Site Request Forgery (CSRF) and Cross-site Scripting (XSS) vulnerabilities:
145+
146+
* Cookies are per default using the [SameSite](/installation/configuration/#cookie-samesite) attribute to protect against CSRF attacks
147+
* Script tags in text panels are per default [disabled](/installation/configuration/#disable-sanitize-html) to protect against XSS attacks
148+
149+
> If you're using [Auth Proxy Authentication](/auth/auth-proxy/) you still need to have user sessions setup and configured
150+
but our goal is to remove this requirements in a near future.
151+
152+
## Named Colors
140153

141154
{{< docs-imagebox img="/img/docs/v60/named_colors.png" max-width="400px" class="docs-image--right" caption="Named Colors" >}}
142155

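Review bot: the new paragraph calls Redis, Memcache, Postgres and MySQL "stateless user session storage", which is the opposite of what they are in an HA setup: they are the shared (external) session stores that were needed precisely because locally held session state is not shared between servers, so write "shared session storage" instead. The two new security bullets would also help readers more if they were concrete: the SameSite bullet should state which SameSite value is the default, and the XSS bullet should name the `disable_sanitize_html` setting its link points at, so an operator knows which key to look for. Grammar in the added lines: "removes the need of configuring and setup of additional storage" → "removes the need to configure additional storage", "have been implemented" → "has been implemented", "which have been subject to" → "which has been subject to", "required to login" → "required to log in", and "remove this requirements" → "remove this requirement".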
@@ -148,12 +161,16 @@ Named colors also enables Grafana to adapt colors to the current theme.
148161

149162
<div class="clearfix"></div>
150163

151-
### Other features
164+
## Other features
152165

153166
- The ElasticSearch datasource now supports [bucket script pipeline aggregations](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-bucket-script-aggregation.html). This gives the ability to do per bucket computations like the difference or ratio between two metrics.
154167
- Support for Google Hangouts Chat alert notifications
155168
- New built in template variables for the current time range in `$__from` and `$__to`
156169

170+
## Upgrading
171+
172+
See [upgrade notes](/installation/upgrading/#upgrading-to-v6-0).
173+
157174
## Changelog
158175

159176
Checkout the [CHANGELOG.md](https://github.com/grafana/grafana/blob/master/CHANGELOG.md) file for a complete list of new features, changes, and bug fixes.
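Review bot: the context line "Checkout the [CHANGELOG.md](...) file" should read "Check out"; since this hunk already edits the lines immediately above it, fix it here rather than in a follow-up.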

Diff for: docs/sources/installation/configuration.md

+1-1
@@ -594,7 +594,7 @@ Default setting for new alert rules. Defaults to categorize error and timeouts a
594594
595595
Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
596596

597-
# concurrent_render_limit
597+
### concurrent_render_limit
598598

599599
> Available in 5.3 and above
600600

Diff for: docs/sources/installation/upgrading.md

+31
@@ -117,3 +117,34 @@ One of the database migrations included in this release will update all annotati
117117
We've got one report where using systemd, PostgreSQL and a large amount of annotations (table size 1645mb) took 8-20 minutes for the database migration to complete. However, the grafana-server process was killed after 90 seconds by systemd. Any database migration queries in progress when systemd kills the grafana-server process continues to execute in database until finished.
118118

119119
If you're using systemd and have a large amount of annotations consider temporary adjusting the systemd `TimeoutStartSec` setting to something high like `30m` before upgrading.
120+
121+
## Upgrading to v6.0
122+
123+
If you have text panels with script tags they will no longer work due to a new setting that per default disallow unsanitzied HTML.
124+
Read more [here](/installation/configuration/#disable-sanitize-html) about this new setting.
125+
126+
### Authentication and security
127+
128+
If your using Grafana's builtin, LDAP (without Auth Proxy) or OAuth authentication all users will be required to login upon the next visit after the upgrade.
129+
130+
If you have `cookie_secure` set to `true` in the `session` section you probably want to change the `cookie_secure` to `true` in the `security` section as well. Ending up with a configuration like this:
131+
132+
```ini
133+
[session]
134+
cookie_secure = true
135+
136+
[security]
137+
cookie_secure = true
138+
```
139+
140+
The `login_remember_days`, `cookie_username` and `cookie_remember_name` settings in the `security` section are no longer being used so they're safe to remove.
141+
142+
If you have `login_remember_days` configured to 0 (zero) you should change your configuration to this to accomplish similar behavior, i.e. a logged in user will maximum be logged in for 1 day until being forced to login again:
143+
144+
```ini
145+
[auth]
146+
login_maximum_inactive_lifetime_days = 1
147+
login_maximum_lifetime_days = 1
148+
```
149+
150+
The default cookie name for storing the auth token is `grafana_session`. you can configure this with `login_cookie_name` in `[auth]` settings.
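Review bot: the `cookie_secure` paragraph ends in a sentence fragment ("...in the `security` section as well. Ending up with a configuration like this:"); join it as "...in the `security` section as well, ending up with a configuration like this:", and say explicitly that it is the `[security]` key that marks the new auth token cookie as Secure, which is what the recommendation implies but never states, so an operator who only has `[session] cookie_secure = true` understands why the second key matters after the upgrade. Typos and grammar in the added lines: "unsanitzied" → "unsanitized", "a new setting that per default disallow" → "a new setting that by default disallows", "If your using Grafana's builtin" → "If you're using Grafana's built-in", "will maximum be logged in for 1 day" → "will stay logged in for at most 1 day", and "`grafana_session`. you can configure" needs a capital "You".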

Diff for: docs/sources/tutorials/ha_setup.md

+7-3
@@ -15,7 +15,7 @@ Setting up Grafana for high availability is fairly simple. It comes down to two
1515
2. Decide how to store session data.
1616

1717
<div class="text-center">
18-
<img src="/img/docs/tutorials/grafana-high-availability.png" max-width= "800px" class="center"></img>
18+
<img src="/img/docs/tutorials/grafana-high-availability.png" max-width= "800px" class="center" />
1919
</div>
2020

2121
## Configure multiple servers to use the same database
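Review bot: `max-width= "800px"` on the `<img>` is not an HTML attribute (and has a stray space before the value), so browsers ignore it and the image is not actually capped at 800px; while the tag is being rewritten as self-closing, move the constraint into `style="max-width: 800px"` (or use `width="800"`) and add an `alt` attribute for the diagram.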
@@ -24,8 +24,14 @@ First, you need to do is to setup MySQL or Postgres on another server and config
2424
You can find the configuration for doing that in the [[database]]({{< relref "configuration.md" >}}#database) section in the grafana config.
2525
Grafana will now persist all long term data in the database. How to configure the database for high availability is out of scope for this guide. We recommend finding an expert on for the database you're using.
2626

27+
## Alerting
28+
29+
Currently alerting supports a limited form of high availability. Since v4.2.0, alert notifications are deduped when running multiple servers. This means all alerts are executed on every server but alert notifications are only sent once per alert. Grafana does not support load distribution between servers.
30+
2731
## User sessions
2832

33+
> Beginning with Grafana v6.0 and above the following only applies when using [Auth Proxy Authentication](/auth/auth-proxy/).
34+
2935
The second thing to consider is how to deal with user sessions and how to configure your load balancer in front of Grafana.
3036
Grafana supports two ways of storing session data: locally on disk or in a database/cache-server.
3137
If you want to store sessions on disk you can use `sticky sessions` in your load balancer. If you prefer to store session data in a database/cache-server
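Review bot: the moved Alerting paragraph changed its last sentence from "does not support distributing the alert rule execution between servers" (the removed version further down) to "does not support load distribution between servers"; the old wording is the more precise one, since every server still evaluates every rule and only the notifications are deduplicated, so keep it. In the new note, "Beginning with Grafana v6.0 and above" is redundant; "Beginning with Grafana v6.0, the following only applies when using ..." reads cleaner. The context line "finding an expert on for the database you're using" also has a stray "on".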
@@ -41,6 +47,4 @@ If you use MySQL/Postgres for session storage, you first need a table to store t
4147

4248
For Grafana itself it doesn't really matter if you store the session data on disk or database/redis/memcache. But we recommend using a database/redis/memcache since it makes it easier manage the grafana servers.
4349

44-
## Alerting
4550

46-
Currently alerting supports a limited form of high availability. Since v4.2.0, alert notifications are deduped when running multiple servers. This means all alerts are executed on every server but alert notifications are only sent once per alert. Grafana does not support distributing the alert rule execution between servers. That might be added in the future but right now prefer to keep it simple.
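Review bot: the context line "it makes it easier manage the grafana servers" is missing "to" and should capitalise "Grafana"; since this hunk deletes the paragraph directly below it, fold that fix in here.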

Diff for: packages/grafana-ui/src/components/Graph/Graph.tsx

+1-1
@@ -22,7 +22,7 @@ export class Graph extends PureComponent<GraphProps> {
2222
showBars: false,
2323
};
2424

25-
element: HTMLElement | null;
25+
element: HTMLElement | null = null;
2626

2727
componentDidUpdate() {
2828
this.draw();
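Review bot: initialising `element` to `null` satisfies `strictPropertyInitialization`, but it also means every use of `this.element` must now narrow away `null` instead of dereferencing it; `draw()` is called from `componentDidUpdate()` here and is not visible in this hunk, so confirm it returns early (or guards) when the ref has not been attached yet.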

Diff for: packages/grafana-ui/src/themes/index.ts

+1-1
@@ -6,7 +6,7 @@ let themeMock: ((name?: string) => GrafanaTheme) | null;
66

77
export let getTheme = (name?: string) => (themeMock && themeMock(name)) || (name === 'light' ? lightTheme : darkTheme);
88

9-
export const mockTheme = (mock: (name: string) => GrafanaTheme) => {
9+
export const mockTheme = (mock: (name?: string) => GrafanaTheme) => {
1010
themeMock = mock;
1111
return () => {
1212
themeMock = null;
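Review bot: widening the mock's parameter to `name?: string` makes it match `themeMock`'s declared type on line 6, so `themeMock = mock` type-checks under strict mode. One consequence worth checking: a caller that passes a mock typed `(name: string) => GrafanaTheme` will no longer type-check under `strictFunctionTypes` (the parameter is compared contravariantly), so review the tests that call `mockTheme` with a named parameter.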

Diff for: (file name not present on the page)
@@ -1,20 +1,20 @@
1-
import { toFixed } from './valueFormats';
1+
import { toFixed, DecimalCount } from './valueFormats';
22

3-
export function toPercent(size: number, decimals: number) {
3+
export function toPercent(size: number, decimals: DecimalCount) {
44
if (size === null) {
55
return '';
66
}
77
return toFixed(size, decimals) + '%';
88
}
99

10-
export function toPercentUnit(size: number, decimals: number) {
10+
export function toPercentUnit(size: number, decimals: DecimalCount) {
1111
if (size === null) {
1212
return '';
1313
}
1414
return toFixed(100 * size, decimals) + '%';
1515
}
1616

17-
export function toHex0x(value: number, decimals: number) {
17+
export function toHex0x(value: number, decimals: DecimalCount) {
1818
if (value == null) {
1919
return '';
2020
}
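Review bot: `toPercent` and `toPercentUnit` test `size === null` while `size` is declared as `number`; under `strictNullChecks` that comparison is either flagged as always false or callers are passing `null` in through an untyped path. Since this hunk already retypes the signatures, declare `size: number | null` (and `value: number | null` in `toHex0x`) and use `== null` consistently, as `toHex0x` already does, so `undefined` is handled the same way in all of these formatters.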
@@ -25,7 +25,7 @@ export function toHex0x(value: number, decimals: number) {
2525
return '0x' + hexString;
2626
}
2727

28-
export function toHex(value: number, decimals: number) {
28+
export function toHex(value: number, decimals: DecimalCount) {
2929
if (value == null) {
3030
return '';
3131
}
@@ -34,9 +34,9 @@ export function toHex(value: number, decimals: number) {
3434
.toUpperCase();
3535
}
3636

37-
export function sci(value: number, decimals: number) {
37+
export function sci(value: number, decimals: DecimalCount) {
3838
if (value == null) {
3939
return '';
4040
}
41-
return value.toExponential(decimals);
41+
return value.toExponential(decimals as number);
4242
}
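Review bot: `value.toExponential(decimals as number)` hides the non-number case rather than handling it: if `DecimalCount` admits `null`, `toExponential(null)` coerces `null` to `0` and silently formats with zero fraction digits, whereas passing `undefined` lets JavaScript choose the digit count. Replace the cast with an explicit branch, e.g. `return decimals == null ? value.toExponential() : value.toExponential(decimals);`.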
