Page MenuHomePhabricator
Create Task
Maniphest T262512

Enable CAS authentication for Grafana
Closed, ResolvedPublic
Actions

Description

Grafana should also use CAS for authentication. Unfortunately Grafana follows an open core approach, with several required features restricted to the Enterprise version, which isn't free software and incompatible with our FLOSS policy. @fgiunchedi and myself investigated a number of potential options, summarised below:

  1. There is native SAML support, but limited to Grafana Enterprise (https://grafana.com/docs/grafana/latest/auth/saml/)
  1. This leaves two alternatives: a) use the internal auth_proxy support in combination with mod_auth_cas: https://grafana.com/docs/grafana/latest/auth/auth-proxy/ or use the built-in Oauth support in Grafana: https://grafana.com/docs/grafana/latest/auth/generic-oauth/

We mostly use mod_cas for other services and the CAS protocol is more powerful in comparison, so comparing the two options, mod_cas is preferable for management and consistency (otherwise we'd need to specifically care for features like SLO in Grafana when using OAuth, while the mod_cas integration is fully puppetised and a config change is reflected everywhere)

There's however another "Open core catch": Internally, Grafana maintains two additional roles: "editors" are able to modify dashboards and "admins" can also modify internal settings such as data sources etc. However, the feature necessary to map user groups to Grafana roles is also restricted to the Enterprise version: https://grafana.com/docs/grafana/latest/auth/team-sync/#enable-synchronization-for-a-team

There's an open task to allow limited group/role mapping to the auth proxy, but it's not seeing action: https://github.com/grafana/grafana/issues/8816

Since we don't have built-in login support (as we would have with the SAML feature), we need to operate with two separate vhosts:

  • grafana.wikimedia.org would be readonly as the current status quo
  • grafana-rw.wikimedia.org would require CAS authentication (to make edits in dashboards (for "editors") and changes to Grafana settings (for "admins")

This leaves the issue of syncing role/permissions: The role data is stored in Grafana's internal database and the authoritative source of users eligible to be editors/admins is LDAP (cn=wmf, cn=nda for "editors", cn=ops, cn=grafanaadmin for "admins"). We can setup a daily systemd timer which updates the editors/admins in the Grafana DB based on LDAP data.

So when someone logs into

  • grafana.w.o no access is checked as before and everyone is using the visitors role
  • grafana-rw.w.o they need to authenticate against CAS and eventually access Grafana with the role predetermined by the daily sync

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+11 -2profile: redirect to grafana-rw with referer
operations/puppetproduction+6 -1profile: redirect grafana login to rw host with SSO enabled
operations/puppetproduction+1 -0Also enable cn=grafana-admin for grafana-rw.w.o
operations/puppetproduction+2 -0Hide the "Sign out" menu option when using CAS
operations/puppetproduction+18 -0Grafana config changes for CAS-enabled grafana-rw.w.o vhost
operations/puppetproduction+5 -0Add grafana-rw to cache config
operations/puppetproduction+21 -20grafana.discovery.wmnet.crt: Add grafana-rw.wikimedia.org
operations/dnsmaster+1 -0Add grafana-rw for CAS-enabled vhost for editors/admins
operations/puppetproduction+33 -2Add CAS-enabled vhost for editors/admins
operations/puppetproduction+15 -0Add IDP service registration for grafana
Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Sep 10 2020, 7:11 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 10 2020, 7:11 AM
jbond added a comment.Sep 10 2020, 10:24 AM

https://grafana.com/docs/grafana/latest/auth/auth-proxy/

We export the CN and UID of the user logging in in CAS (this is already used for Superset), so depending on what Grafana uses to track user we can export either of them.

Our Grafana setup is currently public with the option to login for editing dashboards, this would mean two separate vhosts like grafana-public/grafana or grafana/grafana-admin

mod_cas is what we use for the majority of deployments currently.

I would say go this route if possible as its rather well tested with other services

MoritzMuehlenhoff triaged this task as Medium priority.Sep 10 2020, 10:54 AM
MoritzMuehlenhoff updated the task description. (Show Details)
gerritbot added a comment.Sep 11 2020, 9:35 AM

Change 626627 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add CAS-enabled vhost for editors/admins (WIP)

https://gerrit.wikimedia.org/r/626627

gerritbot added a project: Patch-For-Review.Sep 11 2020, 9:35 AM
gerritbot added a comment.Sep 11 2020, 10:40 AM

Change 626639 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add IDP service registration for grafana

https://gerrit.wikimedia.org/r/626639

gerritbot added a comment.Sep 14 2020, 10:22 AM

Change 626639 merged by Muehlenhoff:
[operations/puppet@production] Add IDP service registration for grafana

https://gerrit.wikimedia.org/r/626639

fgiunchedi added a project: User-fgiunchedi.Sep 14 2020, 3:23 PM
fgiunchedi moved this task from Backlog to Up next on the User-fgiunchedi board.
herron moved this task from Inbox to In progress on the observability board.Sep 15 2020, 4:06 PM
gerritbot added a comment.Sep 16 2020, 7:38 AM

Change 626627 merged by Muehlenhoff:
[operations/puppet@production] Add CAS-enabled vhost for editors/admins

https://gerrit.wikimedia.org/r/626627

gerritbot added a comment.Sep 16 2020, 9:29 AM

Change 627769 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/dns@master] Add grafana-rw for CAS-enabled vhost for editors/admins

https://gerrit.wikimedia.org/r/627769

gerritbot added a comment.Sep 16 2020, 9:32 AM

Change 627772 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Add grafana-rw to cache config

https://gerrit.wikimedia.org/r/627772

gerritbot added a comment.Sep 16 2020, 9:56 AM

Change 627769 merged by Muehlenhoff:
[operations/dns@master] Add grafana-rw for CAS-enabled vhost for editors/admins

https://gerrit.wikimedia.org/r/627769

gerritbot added a comment.Sep 17 2020, 2:13 PM

Change 628096 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] grafana.discovery.wmnet.crt: Add grafana-rw.wikimedia.org

https://gerrit.wikimedia.org/r/628096

gerritbot added a comment.Sep 17 2020, 2:40 PM

Change 628096 merged by Muehlenhoff:
[operations/puppet@production] grafana.discovery.wmnet.crt: Add grafana-rw.wikimedia.org

https://gerrit.wikimedia.org/r/628096

gerritbot added a comment.Sep 21 2020, 9:22 AM

Change 627772 merged by Muehlenhoff:
[operations/puppet@production] Add grafana-rw to cache config

https://gerrit.wikimedia.org/r/627772

gerritbot added a comment.Sep 22 2020, 2:01 PM

Change 629122 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Grafana config changes for CAS-enabled grafana-rw.w.o vhost

https://gerrit.wikimedia.org/r/629122

gerritbot added a comment.Oct 28 2020, 10:05 AM

Change 629122 merged by Filippo Giunchedi:
[operations/puppet@production] Grafana config changes for CAS-enabled grafana-rw.w.o vhost

https://gerrit.wikimedia.org/r/629122

gerritbot added a comment.Oct 28 2020, 10:09 AM

Change 636885 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Also enable cn=grafana-admin for grafana-rw.w.o

https://gerrit.wikimedia.org/r/636885

gerritbot added a comment.Oct 28 2020, 11:24 AM

Change 636907 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Hide the "Sign out" menu option when using CAS

https://gerrit.wikimedia.org/r/636907

gerritbot added a comment.Oct 28 2020, 11:47 AM

Change 636907 merged by Muehlenhoff:
[operations/puppet@production] Hide the "Sign out" menu option when using CAS

https://gerrit.wikimedia.org/r/636907

gerritbot added a comment.Oct 29 2020, 8:09 AM

Change 636885 merged by Muehlenhoff:
[operations/puppet@production] Also enable cn=grafana-admin for grafana-rw.w.o

https://gerrit.wikimedia.org/r/636885

fgiunchedi moved this task from Up next to Doing on the User-fgiunchedi board.Nov 3 2020, 10:06 AM
Stashbot added a comment.Nov 5 2020, 10:16 AM

Mentioned in SAL (#wikimedia-operations) [2020-11-05T10:16:17Z] <godog> grafana-rw.wikimedia.org active and sso-enabled - T262512

fgiunchedi closed subtask T265712: Sync users and permissions from LDAP to Grafana as Resolved.Nov 5 2020, 1:17 PM
gerritbot added a comment.Nov 5 2020, 2:17 PM

Change 639533 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] profile: redirect grafana login to rw host with SSO enabled

https://gerrit.wikimedia.org/r/639533

gerritbot added a comment.Nov 5 2020, 2:31 PM

Change 639533 merged by Filippo Giunchedi:
[operations/puppet@production] profile: redirect grafana login to rw host with SSO enabled

https://gerrit.wikimedia.org/r/639533

MoritzMuehlenhoff added a comment.Nov 6 2020, 8:25 AM

There's now:

  • A separate vhost grafana-rw.wikimedia.org using CAS to be used for editing dashboards and internal settings
  • grafana.wikimedia.org remains as-is, but the "Sign in" button now redirects to grafana-rw.wikimedia.org
  • There's a daily sync of editor/admin permissions based on what's stored in LDAP groups into the internal Grafana sqlite database.
MoritzMuehlenhoff closed this task as Resolved.Nov 9 2020, 8:04 AM
MoritzMuehlenhoff claimed this task.
gerritbot added a comment.Nov 9 2020, 2:23 PM

Change 640158 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] profile: redirect to grafana-rw with referer

https://gerrit.wikimedia.org/r/640158

gerritbot added a comment.Nov 10 2020, 10:42 AM

Change 640158 merged by Filippo Giunchedi:
[operations/puppet@production] profile: redirect to grafana-rw with referer

https://gerrit.wikimedia.org/r/640158

fgiunchedi closed subtask T267645: Wrong redirect when logging into grafana-rw from a grafana.w.o dashboard as Resolved.Nov 17 2020, 1:17 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL