
Enable CAS authentication for Grafana
Closed, Resolved · Public

Description

Grafana should also use CAS for authentication. Unfortunately Grafana follows an open core approach, with several required features restricted to the Enterprise version, which isn't free software and is incompatible with our FLOSS policy. @fgiunchedi and I investigated a number of potential options, summarised below:

  1. There is native SAML support, but limited to Grafana Enterprise (https://grafana.com/docs/grafana/latest/auth/saml/)
  2. This leaves two alternatives: a) use the internal auth_proxy support in combination with mod_auth_cas: https://grafana.com/docs/grafana/latest/auth/auth-proxy/ or b) use the built-in OAuth support in Grafana: https://grafana.com/docs/grafana/latest/auth/generic-oauth/

We mostly use mod_cas for other services and the CAS protocol is more powerful in comparison, so, comparing the two options, mod_cas is preferable for management and consistency (otherwise we'd need to specifically care for features like SLO in Grafana when using OAuth, while the mod_cas integration is fully puppetised and a config change is reflected everywhere).

There's however another "Open core catch": Internally, Grafana maintains two additional roles: "editors" are able to modify dashboards and "admins" can also modify internal settings such as data sources etc. However, the feature necessary to map user groups to Grafana roles is also restricted to the Enterprise version: https://grafana.com/docs/grafana/latest/auth/team-sync/#enable-synchronization-for-a-team

There's an open task to allow limited group/role mapping to the auth proxy, but it's not seeing action: https://github.com/grafana/grafana/issues/8816

Since we don't have built-in login support (as we would have with the SAML feature), we need to operate with two separate vhosts:

  • grafana.wikimedia.org would be readonly as the current status quo
  • grafana-rw.wikimedia.org would require CAS authentication (to make edits in dashboards (for "editors") and changes to Grafana settings (for "admins"))

This leaves the issue of syncing roles/permissions: the role data is stored in Grafana's internal database and the authoritative source of users eligible to be editors/admins is LDAP (cn=wmf, cn=nda for "editors", cn=ops, cn=grafanaadmin for "admins"). We can set up a daily systemd timer which updates the editors/admins in the Grafana DB based on LDAP data.

So when someone logs into

  • grafana.w.o no access is checked as before and everyone is using the visitors role
  • grafana-rw.w.o they need to authenticate against CAS and eventually access Grafana with the role predetermined by the daily sync
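The daily LDAP-to-Grafana role sync sketched in the description, written out as an added example. This is not Wikimedia's puppetised script; it assumes that the login Grafana sees through the auth proxy header is the LDAP uid, that the sync talks to Grafana's HTTP API as an org admin over basic auth (GET /api/org/users to read current roles, PATCH /api/org/users/<id> to change one), and that the group-to-role mapping is exactly the one listed above, with admin groups taking precedence. Two points worth keeping in mind with this design: Grafana only creates a user on that user's first login through the proxy, so a freshly added LDAP member gets Viewer until the next run after they have logged in, and a user removed from every group is demoted rather than deleted, which is how revocation actually reaches Grafana. Separately from the sync, the public read-only vhost must never forward the auth proxy header, and Grafana's auth.proxy section should whitelist only the proxy's address, otherwise anyone who can reach Grafana directly can name any login they like. The LDAP and Grafana data below are constructed for the example.

```python
"""Plan and apply Grafana org-role changes from LDAP group membership.

Added example, not Wikimedia's production sync. Assumes the Grafana login
equals the LDAP uid (the value exported to the auth proxy header) and that
the Grafana HTTP API is reachable with an org-admin basic-auth account.
"""
import base64
import json
import urllib.request

# LDAP group CNs named in the task. Admin membership wins over Editor.
ADMIN_GROUPS = frozenset({"ops", "grafanaadmin"})
EDITOR_GROUPS = frozenset({"wmf", "nda"})


def desired_role(groups):
    """Grafana org role for a user who is a member of the given LDAP group CNs."""
    groups = set(groups)
    if groups & ADMIN_GROUPS:
        return "Admin"
    if groups & EDITOR_GROUPS:
        return "Editor"
    return "Viewer"


def desired_roles(ldap_groups):
    """ldap_groups: {group_cn: {uid, ...}} as collected from LDAP.

    Returns {uid: role} for every uid seen in at least one listed group.
    """
    membership = {}
    for cn, uids in ldap_groups.items():
        for uid in uids:
            membership.setdefault(uid, set()).add(cn)
    return {uid: desired_role(cns) for uid, cns in membership.items()}


def plan_changes(grafana_users, ldap_groups):
    """Diff Grafana's current org users against LDAP and return the changes to make.

    grafana_users: list of {"userId": int, "login": str, "role": str} in the shape
    returned by GET /api/org/users. Logins unknown to Grafana are skipped: the user
    record only appears after the first auth-proxy login. Logins present in Grafana
    but in none of the LDAP groups are demoted to Viewer. The local 'admin' account
    is left alone so the sync cannot lock out the break-glass login (assumption:
    that account is named 'admin').
    """
    wanted = desired_roles(ldap_groups)
    changes = []
    for user in grafana_users:
        login = user["login"]
        if login == "admin":
            continue
        target = wanted.get(login, "Viewer")
        if user["role"] != target:
            changes.append({"userId": user["userId"], "login": login,
                            "from": user["role"], "to": target})
    return changes


def apply_changes(changes, base_url, admin_user, admin_password):
    """Apply a plan via PATCH /api/org/users/<userId> with {"role": ...}."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    for change in changes:
        body = json.dumps({"role": change["to"]}).encode()
        req = urllib.request.Request(
            f"{base_url}/api/org/users/{change['userId']}", data=body, method="PATCH",
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            resp.read()


# Constructed sample data; not real LDAP or Grafana contents.
SAMPLE_LDAP = {
    "ops": {"alice"},
    "grafanaadmin": {"bob"},
    "wmf": {"carol", "alice"},
    "nda": {"dave"},
}
SAMPLE_GRAFANA = [
    {"userId": 1, "login": "admin", "role": "Admin"},   # local account, untouched
    {"userId": 2, "login": "alice", "role": "Editor"},  # in cn=ops: becomes Admin
    {"userId": 3, "login": "carol", "role": "Viewer"},  # in cn=wmf: becomes Editor
    {"userId": 4, "login": "erin", "role": "Editor"},   # in no group: demoted
    {"userId": 5, "login": "bob", "role": "Admin"},     # already correct
]

if __name__ == "__main__":
    for c in plan_changes(SAMPLE_GRAFANA, SAMPLE_LDAP):
        print(f"{c['login']}: {c['from']} -> {c['to']}")
```

Run from a systemd timer, the script would replace SAMPLE_LDAP with the result of an ldapsearch over the four groups and SAMPLE_GRAFANA with the GET /api/org/users response, then call apply_changes on the plan; dave is in LDAP but absent from Grafana, so nothing is done for him until he has logged in once through grafana-rw.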

Event Timeline

Restricted Application added a subscriber: Aklapper. Sep 10 2020, 7:11 AM

https://grafana.com/docs/grafana/latest/auth/auth-proxy/

We export the CN and UID of the user logging in via CAS (this is already used for Superset), so depending on what Grafana uses to track users we can export either of them.

Our Grafana setup is currently public, with the option to log in for editing dashboards; this would mean two separate vhosts, like grafana-public/grafana or grafana/grafana-admin.

mod_cas is what we use for the majority of deployments currently.

I would say go this route if possible, as it's rather well tested with other services.

MoritzMuehlenhoff triaged this task as Medium priority.Sep 10 2020, 10:54 AM
MoritzMuehlenhoff updated the task description. (Show Details)

Change 626627 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add CAS-enabled vhost for editors/admins (WIP)

https://gerrit.wikimedia.org/r/626627

Change 626639 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add IDP service registration for grafana

https://gerrit.wikimedia.org/r/626639

Change 626639 merged by Muehlenhoff:
[operations/puppet@production] Add IDP service registration for grafana

https://gerrit.wikimedia.org/r/626639

fgiunchedi moved this task from Backlog to Up next on the User-fgiunchedi board.
herron moved this task from Inbox to In progress on the observability board.Sep 15 2020, 4:06 PM

Change 626627 merged by Muehlenhoff:
[operations/puppet@production] Add CAS-enabled vhost for editors/admins

https://gerrit.wikimedia.org/r/626627

Change 627769 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/dns@master] Add grafana-rw for CAS-enabled vhost for editors/admins

https://gerrit.wikimedia.org/r/627769

Change 627772 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add grafana-rw to cache config

https://gerrit.wikimedia.org/r/627772

Change 627769 merged by Muehlenhoff:
[operations/dns@master] Add grafana-rw for CAS-enabled vhost for editors/admins

https://gerrit.wikimedia.org/r/627769

Change 628096 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] grafana.discovery.wmnet.crt: Add grafana-rw.wikimedia.org

https://gerrit.wikimedia.org/r/628096

Change 628096 merged by Muehlenhoff:
[operations/puppet@production] grafana.discovery.wmnet.crt: Add grafana-rw.wikimedia.org

https://gerrit.wikimedia.org/r/628096

Change 627772 merged by Muehlenhoff:
[operations/puppet@production] Add grafana-rw to cache config

https://gerrit.wikimedia.org/r/627772

Change 629122 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Grafana config changes for CAS-enabled grafana-rw.w.o vhost

https://gerrit.wikimedia.org/r/629122

Change 629122 merged by Filippo Giunchedi:
[operations/puppet@production] Grafana config changes for CAS-enabled grafana-rw.w.o vhost

https://gerrit.wikimedia.org/r/629122

Change 636885 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Also enable cn=grafana-admin for grafana-rw.w.o

https://gerrit.wikimedia.org/r/636885

Change 636907 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Hide the "Sign out" menu option when using CAS

https://gerrit.wikimedia.org/r/636907

Change 636907 merged by Muehlenhoff:
[operations/puppet@production] Hide the "Sign out" menu option when using CAS

https://gerrit.wikimedia.org/r/636907

Change 636885 merged by Muehlenhoff:
[operations/puppet@production] Also enable cn=grafana-admin for grafana-rw.w.o

https://gerrit.wikimedia.org/r/636885

fgiunchedi moved this task from Up next to Doing on the User-fgiunchedi board.Nov 3 2020, 10:06 AM

Mentioned in SAL (#wikimedia-operations) [2020-11-05T10:16:17Z] <godog> grafana-rw.wikimedia.org active and sso-enabled - T262512

Change 639533 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] profile: redirect grafana login to rw host with SSO enabled

https://gerrit.wikimedia.org/r/639533

Change 639533 merged by Filippo Giunchedi:
[operations/puppet@production] profile: redirect grafana login to rw host with SSO enabled

https://gerrit.wikimedia.org/r/639533

There's now:

  • A separate vhost grafana-rw.wikimedia.org using CAS to be used for editing dashboards and internal settings
  • grafana.wikimedia.org remains as-is, but the "Sign in" button now redirects to grafana-rw.wikimedia.org
  • There's a daily sync of editor/admin permissions, based on what's stored in LDAP groups, into the internal Grafana SQLite database.
MoritzMuehlenhoff closed this task as Resolved.Nov 9 2020, 8:04 AM
MoritzMuehlenhoff claimed this task.

Change 640158 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] profile: redirect to grafana-rw with referer

https://gerrit.wikimedia.org/r/640158

Change 640158 merged by Filippo Giunchedi:
[operations/puppet@production] profile: redirect to grafana-rw with referer

https://gerrit.wikimedia.org/r/640158