Page MenuHomePhabricator
Create Task
Maniphest T379043

Login through Grafana using the login link do not work
Closed, ResolvedPublic
Actions

Description

Hi, have something changed with the login for Grafana? In my default browser Safari I get "You don't have permission to access this resource." I tried with Chrome and Firefox too and get the same. I cleared the browser cache too but no luck.

Screenshot 2024-11-05 at 08.30.24.png (244×868 px, 23 KB)

when I click on the login button from https://grafana.wikimedia.org/ and it goes to the page https://grafana.wikimedia.org/login that returns the error,

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
grafana: Fix login redirection to preserve dashboard contextoperations/puppetproduction+3 -3
grafana: Allow HTTP access from the deployment-hostsoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Peter created this task.Nov 5 2024, 7:34 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2024, 7:34 AM
kostajh subscribed.Nov 5 2024, 7:57 AM
Peter updated the task description. (Show Details)Nov 5 2024, 8:30 AM
Peter added a project: Grafana.Nov 5 2024, 2:40 PM
lmata subscribed.Nov 5 2024, 3:07 PM

hi, @Peter, thanks for the report; we're investigating; meanwhile, please try https://grafana-rw.wikimedia.org instead while we address this issue.

andrea.denisse subscribed.Nov 5 2024, 3:08 PM

Hi @Peter , this is a known issue. We'll work on a fix for it, in the meantime, could you please try using https://grafana-rw.wikimedia.org/ to login?

Krinkle awarded a token.Nov 5 2024, 3:49 PM
Krinkle subscribed.
andrea.denisse changed the task status from Open to In Progress.Nov 5 2024, 5:30 PM
andrea.denisse claimed this task.
Peter added a comment.Nov 5 2024, 7:05 PM

Thanks that worked for me.

andrea.denisse added a comment.Nov 7 2024, 9:38 PM

There are two distinct behaviors when users access the Grafana login page at https://grafana.wikimedia.org/login, depending on the route they take to get there.

  1. Accessing via Grafana UI: If users reach the login page from within the Grafana UI, they encounter a message stating, "You don't have permission to access this resource."
  1. Direct Access: If users access the login page directly (without first interacting with the Grafana UI), they are successfully redirected to the IDP login page.

These behaviors are the result of rewrite rules in the Apache configuration for the Grafana hosts.

For behavior 1 (from the Grafana UI), the following lines in the Apache config are triggered:

RewriteCond "%{REQUEST_URI}" "^/login"
RewriteCond "%{HTTP_REFERER}" "^https://<%= @domain %>/d/(.*)"
RewriteRule "^" "https://<%= @domainrw %>/d/%1&forceLogin=true" [R=302,L,NE]

For behavior 2 (direct access), the following lines in the Apache config are triggered:

RewriteCond "%{REQUEST_URI}" "^/login"
RewriteRule "^" "https://<%= @domainrw %>" [R=302,L]

The HTTP_REFERER variable is used to redirect users back to the dashboard they were viewing after logging in to the grafana-rw host. This explains why the issue only occurs when accessing the login page via the Grafana UI, as it relies on the referring URL to handle redirection.

Peter renamed this task from Grafana login gives forbidden to Login through Grafana using the login link do not work.Nov 8 2024, 3:00 PM
gerritbot added a comment.Nov 8 2024, 6:55 PM

Change #1088611 had a related patch set uploaded (by Andrea Denisse; author: Andrea Denisse):

[operations/puppet@production] grafana: Fix login redirection to preserve dashboard context

https://gerrit.wikimedia.org/r/1088611

gerritbot added a project: Patch-For-Review.Nov 8 2024, 6:55 PM
gerritbot added a comment.Nov 8 2024, 7:39 PM

Change #1088616 had a related patch set uploaded (by Andrea Denisse; author: Andrea Denisse):

[operations/puppet@production] grafana: Allow HTTP access from the deployment-hosts

https://gerrit.wikimedia.org/r/1088616

gerritbot added a comment.Nov 8 2024, 7:43 PM

Change #1088616 merged by Andrea Denisse:

[operations/puppet@production] grafana: Allow HTTP access from the deployment-hosts

https://gerrit.wikimedia.org/r/1088616

Stashbot added a comment.Nov 8 2024, 9:18 PM

Mentioned in SAL (#wikimedia-operations) [2024-11-08T21:18:07Z] <denisse> disabling Puppet on grafana2001 - T379043

gerritbot added a comment.Nov 12 2024, 4:09 PM

Change #1088611 merged by Andrea Denisse:

[operations/puppet@production] grafana: Fix login redirection to preserve dashboard context

https://gerrit.wikimedia.org/r/1088611

andrea.denisse closed this task as Resolved.Nov 12 2024, 4:15 PM

The fix is deployed in production.

andrea.denisse added a project: SRE Observability (FY2024/2025-Q2).Nov 12 2024, 4:16 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 12 2024, 4:30 PM
andrea.denisse mentioned this in T350108: Grafana login fails to redirect back from an alert page.Jan 13 2025, 9:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits