Merge ~verterok/charm-grafana/+git/grafana-charm:support-auth-proxy-default-config into ~prometheus-charmers/charm-grafana:master

Proposed by Guillermo Gonzalez
Status: Merged
Approved by: Tom Haddon
Approved revision: a5cdfd9dc1ad77b080fdbf36c98201b7f6e434bf
Merged at revision: 9d50a6994000b82c76fe44a786630c35aa61601a
Proposed branch: ~verterok/charm-grafana/+git/grafana-charm:support-auth-proxy-default-config
Merge into: ~prometheus-charmers/charm-grafana:master
Diff against target: 72 lines (+35/-0)
3 files modified
README.md (+24/-0)
config.yaml (+4/-0)
templates/grafana.ini.j2 (+7/-0)
Reviewer / Review Type / Date Requested / Status
Tom Haddon: Approve
Canonical IS Reviewers: Pending
Review via email: mp+369507@code.launchpad.net

This proposal supersedes a proposal from 2019-06-28.

Commit message

Add auth-proxy config and use it to render an active default config for auth.proxy

Description of the change

Add an option to enable the default auth.proxy config; this is to use apache+apache-openid as the auth proxy.

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : Posted in a previous version of this proposal

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Tom Haddon (mthaddon) wrote : Posted in a previous version of this proposal

Hi Guillermo,

Does auto_sign_up mean anyone will get access, or does that just mean if apache is configured to restrict to an SSO team that any member of that team will be able to create an account? What rights will users have that are created in this way?

review: Needs Information
Tom Haddon (mthaddon) wrote : Posted in a previous version of this proposal

Also, what happens if you have auth-proxy configured as well as anonymous set to True? Should we make a note (and update code) to say that anonymous=True is ignored if you've set auth-proxy=True?

Guillermo Gonzalez (verterok) wrote : Posted in a previous version of this proposal

> Hi Guillermo,
>
> Does auto_sign_up mean anyone will get access, or does that just mean if
> apache is configured to restrict to an SSO team that any member of that team
> will be able to create an account? What rights will users have that are
> created in this way?
Right, this is to be used with something like apache-openid, so anyone allowed in the apache-openid config (team, list of openids, etc.) can access it and a user will be created, using the openid URL as the username (name and email can later be updated by the user, as apache-openid doesn't expose that information).

Regarding the rights users will have, as per the charm templates/grafana.ini.j2, users will get Viewer permissions (lines 125-129).

Guillermo Gonzalez (verterok) wrote : Posted in a previous version of this proposal

> Also, what happens if you have auth-proxy configured as well as anonymous set
> to True? Should we make a note (and update code) to say that anonymous=True is
> ignored if you've set auth-proxy=True?

AFAIK, anonymous will not be ignored; it will not be used as long as apache or another FE provides the X-WEBTEAM-USER header. If no header is present it will fall back to anonymous, if it's enabled. It will also be used for any URL path not covered by openid, if you have any (e.g. an API endpoint you don't want behind openid). For these cases it would be better to have anonymous=False, which makes it mandatory to get an API key to access the API.

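The interaction described in the comment above (proxy header wins, anonymous fills in for missing headers and unproxied paths) can be checked on a rendered grafana.ini. This is an added example, not code from the charm; the sample ini is constructed to match what templates/grafana.ini.j2 would produce with anonymous=true and auth-proxy=true.

```python
import configparser

# Constructed sample of the relevant sections of a rendered grafana.ini
# (assumed output of the charm template with anonymous=true, auth-proxy=true).
RENDERED_INI = """
[auth.anonymous]
enabled = true
org_role = Viewer

#################################### Auth Proxy ##########################
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

[auth.basic]
enabled = true
"""


def _flag(cfg, section, key, default="false"):
    """Read a Grafana boolean; a missing section/key means Grafana's default."""
    return cfg.get(section, key, fallback=default).strip().lower() == "true"


def audit_auth(ini_text):
    """Return findings about how [auth.proxy] and [auth.anonymous] combine."""
    # Grafana comments out settings with ';', which configparser treats as comments.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    proxy = _flag(cfg, "auth.proxy", "enabled")
    anon = _flag(cfg, "auth.anonymous", "enabled")
    if proxy:
        header = cfg.get("auth.proxy", "header_name", fallback="X-WEBAUTH-USER")
        findings.append(
            f"auth.proxy trusts the {header} header: Grafana must only be "
            "reachable through the reverse proxy that sets it")
        if _flag(cfg, "auth.proxy", "auto_sign_up", default="true"):
            findings.append("auto_sign_up: proxied users are created on first "
                            "request with the default org role (Viewer)")
    if proxy and anon:
        role = cfg.get("auth.anonymous", "org_role", fallback="Viewer")
        findings.append(f"anonymous ({role}) still applies to requests without "
                        "the header, i.e. paths the proxy does not protect; "
                        "set anonymous=false to require an API key there")
    return findings


if __name__ == "__main__":
    for line in audit_auth(RENDERED_INI):
        print("-", line)
```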
Tom Haddon (mthaddon) wrote : Posted in a previous version of this proposal

After some discussions on IRC, there's a little more testing/changes needed to figure out how to deal with admin rights. Marking as Needs Fixing pending those updates. Please "Resubmit" when ready for a follow up review.

review: Needs Fixing
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Tom Haddon (mthaddon) wrote :

A few comments inline.

Guillermo Gonzalez (verterok) wrote :

> A few comments inline.
Thanks, fixed and pushed

Tom Haddon (mthaddon) wrote :

LGTM, thanks!

review: Approve
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 9d50a6994000b82c76fe44a786630c35aa61601a

Preview Diff

1diff --git a/README.md b/README.md
2index c8b1234..8591ce1 100644
3--- a/README.md
4+++ b/README.md
5@@ -68,6 +68,30 @@ To delete a user, you simply run:
6
7 $ juju run-action --wait grafana/0 delete-user login=john
8
9+
10+#Auth proxy
11+
12+If deployed behind a reverse proxy, you can configure Grafana to let
13+it handle authentication by enabled auth-proxy.
14+
15+ $ juju config grafana auth-proxy=true
16+
17+Check grafana [documentation](https://grafana.com/docs/auth/auth-proxy/#auth-proxy-authentication)
18+on how to configure apache as the reverse proxy.
19+
20+Users will be created/signup automatically with "Viewer" permissions.
21+To change the default permissions of a user, use the change-user-role
22+action passing the openID identifier or the email if the user updated it
23+as the "login":
24+
25+ $ juju run-action --wait grafana/0 change-user-role \
26+ login="user@company.com" new-role="Admin"
27+
28+If not all URL paths are behind the reverse proxy auth,
29+and `anonymous=true` is set, those paths will be accessible (view only) to
30+non-authenticated users.
31+
32+
33 #Development
34
35 Explicitly set `JUJU_REPOSITORY`:
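Review bot: "by enabled auth-proxy" in the new README paragraph should read "by enabling auth-proxy". The section should also spell out the precondition from the linked Grafana docs: once auth.proxy is enabled Grafana trusts whatever X-WEBAUTH-USER value arrives, so the unit must be reachable only through the reverse proxy, and the proxy must set that header itself rather than pass a client-supplied one through; otherwise the login name is chosen by the client. A one-line note next to the `juju config grafana auth-proxy=true` example would cover it.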
36diff --git a/config.yaml b/config.yaml
37index 5db3f1a..5456de8 100644
38--- a/config.yaml
39+++ b/config.yaml
40@@ -115,6 +115,10 @@ options:
41 default: 'Viewer'
42 type: string
43 description: The role given to anonymous users if enabled.
44+ auth-proxy:
45+ default: False
46+ type: boolean
47+ description: Whether to enable default auth.proxy config, defaults to False.
48 datasources:
49 default: ""
50 type: string
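Review bot: the description "Whether to enable default auth.proxy config, defaults to False." repeats the `default:` field and does not say what enabling changes. Suggest describing the effect, e.g. "Enable Grafana's auth.proxy: trust the X-WEBAUTH-USER header set by a reverse proxy in front of this unit and auto-create users with the Viewer role. Only enable when such a proxy is in place." so operators see the trust implication from `juju config` alone.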
51diff --git a/templates/grafana.ini.j2 b/templates/grafana.ini.j2
52index dbc9d86..06278fc 100644
53--- a/templates/grafana.ini.j2
54+++ b/templates/grafana.ini.j2
55@@ -172,10 +172,17 @@ org_role = {{ config['anonymous_role'] }}
56
57 #################################### Auth Proxy ##########################
58 [auth.proxy]
59+{% if config['auth-proxy'] -%}
60+enabled = true
61+header_name = X-WEBAUTH-USER
62+header_property = username
63+auto_sign_up = true
64+{% else -%}
65 ;enabled = false
66 ;header_name = X-WEBAUTH-USER
67 ;header_property = username
68 ;auto_sign_up = true
69+{% endif %}
70
71 #################################### Basic Auth ##########################
72 [auth.basic]
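Review bot: the new branch reads the option as `config['auth-proxy']` with a hyphen, while the neighbouring setting a few lines up is read as `config['anonymous_role']` with an underscore. Please confirm the template context exposes this option under the hyphenated key (or that the charm normalises option names); with Jinja2's default undefined handling a wrong key would not error but silently fall through to the `{% else -%}` branch and leave the proxy disabled. The commented-out defaults kept in the else branch match upstream's, which is fine.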
