Grafana should also use CAS for authentication. Unfortunately Grafana follows an open core approach, with several required features restricted to the Enterprise version, which isn't free software and is incompatible with our FLOSS policy. @fgiunchedi and myself investigated a number of potential options, summarised below:
- There is native SAML support, but limited to Grafana Enterprise (https://grafana.com/docs/grafana/latest/auth/saml/)
- This leaves two alternatives: a) use the internal auth_proxy support in combination with mod_auth_cas: https://grafana.com/docs/grafana/latest/auth/auth-proxy/ or b) use the built-in OAuth support in Grafana: https://grafana.com/docs/grafana/latest/auth/generic-oauth/
We mostly use mod_cas for other services and the CAS protocol is more powerful in comparison, so comparing the two options, mod_cas is preferable for management and consistency (otherwise we'd need to specifically care for features like SLO in Grafana when using OAuth, while the mod_cas integration is fully puppetised and a config change is reflected everywhere).
There's however another "Open core catch": Internally, Grafana maintains two additional roles: "editors" are able to modify dashboards and "admins" can also modify internal settings such as data sources etc. However, the feature necessary to map user groups to Grafana roles is also restricted to the Enterprise version: https://grafana.com/docs/grafana/latest/auth/team-sync/#enable-synchronization-for-a-team
There's an open task to allow limited group/role mapping to the auth proxy, but it's not seeing action: https://github.com/grafana/grafana/issues/8816
Since we don't have built-in login support (as we would have with the SAML feature), we need to operate with two separate vhosts:
- grafana.wikimedia.org would be read-only, as is the current status quo
- grafana-rw.wikimedia.org would require CAS authentication (to make edits in dashboards (for "editors") and changes to Grafana settings (for "admins"))
This leaves the issue of syncing roles/permissions: the role data is stored in Grafana's internal database and the authoritative source of users eligible to be editors/admins is LDAP (cn=wmf, cn=nda for "editors"; cn=ops, cn=grafanaadmin for "admins"). We can set up a daily systemd timer which updates the editors/admins in the Grafana DB based on LDAP data.
So when someone logs into:
- grafana.w.o no access is checked as before and everyone is using the visitors role
- grafana-rw.w.o they need to authenticate against CAS and eventually access Grafana with the role predetermined by the daily sync
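The daily LDAP-to-Grafana role sync sketched above, as an added example (not the puppetised code from this task): it maps the LDAP group cns named in the comment to Grafana roles with admin groups taking precedence, diffs the result against Grafana's current org users, and demotes accounts no longer present in LDAP to Viewer. The LDAP membership and Grafana user data are constructed samples, and the push step assumes Grafana's `PATCH /api/org/users/<userId>` endpoint with a service-account bearer token.

```python
"""Assumed helper for the daily LDAP -> Grafana role sync (added example)."""
import json
import urllib.request
from typing import Dict, Iterable, List, Tuple

# Group -> role mapping from the task; admin groups win over editor groups.
ADMIN_GROUPS = {"ops", "grafanaadmin"}
EDITOR_GROUPS = {"wmf", "nda"}

# Constructed sample data: LDAP memberships and Grafana's current org roles.
SAMPLE_LDAP = {"alice": ["wmf", "ops"], "bob": ["nda"], "carol": ["wmf"]}
SAMPLE_GRAFANA = {"alice": "Editor", "bob": "Editor", "carol": "Viewer", "dave": "Admin"}


def desired_role(groups: Iterable[str]) -> str:
    """Highest Grafana role a user is eligible for, given their LDAP group cns."""
    gs = set(groups)
    if gs & ADMIN_GROUPS:
        return "Admin"
    if gs & EDITOR_GROUPS:
        return "Editor"
    return "Viewer"


def plan_changes(ldap_members: Dict[str, List[str]],
                 grafana_users: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (login, current_role, new_role) for every Grafana account that must change.
    Logins unknown to LDAP fall back to Viewer, so a removal in LDAP takes effect on the next run."""
    changes = []
    for login, current in sorted(grafana_users.items()):
        wanted = desired_role(ldap_members.get(login, []))
        if wanted != current:
            changes.append((login, current, wanted))
    return changes


def apply_changes(base_url: str, token: str, user_ids: Dict[str, int],
                  changes: List[Tuple[str, str, str]]) -> None:
    """Push each planned change via Grafana's org-users API (assumed endpoint, bearer auth)."""
    for login, _old, new in changes:
        req = urllib.request.Request(
            f"{base_url}/api/org/users/{user_ids[login]}",
            data=json.dumps({"role": new}).encode(), method="PATCH",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on non-2xx
            resp.read()


if __name__ == "__main__":
    for login, old, new in plan_changes(SAMPLE_LDAP, SAMPLE_GRAFANA):
        print(f"{login}: {old} -> {new}")
```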