Apache Proxy & Kerberos Auth Proxy

Hello,

how can I configure Grafana to work with Apache Auth?
I read this blog but I could not get it work: https://grafana.com/blog/2015/12/07/grafana-authproxy-have-it-your-way/

I use XAMPP Apache in a development environment.
Which module do I need for Kerberos SSO ticket negotiation?

Please help me!
Thanks!

Did you get this working? (Don’t know the answer to your question but it would be great if you solved it and could write a short description).

If you didn’t get it working - could you describe the steps you have taken and the errors you are getting.

I did not get it working.
Until now I use ldap against MS AD (by the way: it would be nice if it would be impossible for the users to edit the username).

I tried everything to get SSO working - without success.
Please help me!

You can control this by setting this to false: http://docs.grafana.org/installation/configuration/#allow-sign-up-1

Should look like this if the user tries to change their username:

Could you describe the steps you have taken and the errors you are getting. Thanks.

Hello,
Please read my short article about this. I hope it will help you.
https://laszlo.co.hu/node/4

Hi laszlolaszlo

Cant get to your link, is this where you described about how to access Kerberized cluster using Grafana or something similar. Please provide the link again

Thanks

Hello,

Yes, I moved here:

Thank you laszlolaszlo

So I am new to the SSO, Apache2 and the Kerberized concepts. Does your article also describe a way to access a kerberized cluster from Grafana?

You’re welcome venkata. I just made that scenario for my fun. I didn’t go production. Grafana don’t support Kerberos authentication. So I decided to do a little trick. I installed an Apache2 which support Kerberos authentication well. I set up a FreeIPA authentication and authorization server too. I set up the Apache2 to run as a reverse proxy for Grafana with Kerberos auth. So, on my terminal I can run kinit user@domain, enter my password and I transparently log in Grafana without type my user and password again on Grafanas login page. I hope I was clear. If not please let me know.

Okay thank makes sense laszlolaszlo :). Thanks for detailing.

in fact, what i am looking in is, I have a Druid data source behind a kerberized env. I am trying to access the data source from grafana and Grafana does not allow me to use a Kerberized login to the datasource.

like you said, if Grafana does not support kerberization, then I cant make my thing happen right? Please provide any insights, alternatives etc.

Thanks

I see venkata what you like to do. So if I’m right you want to connect with/from Grafana to a datasource which need Kerberos authentication. I found some links:
http://druid.io/docs/latest/development/extensions-core/druid-kerberos.html
And Druid datasource plugin:


I think the Druid datasource plugin isn’t do Kerberos auth. I suggest to you to contact with this plugins developer: https://github.com/grafana/grafana-plugins/tree/master/datasources/druid

Hi laszlolaszlo,

We have almost the same problem as ventaka but with a different data source. We use OSIsoft PI data sources. In order to implement data level security, we need to use Kerberos authentication which does not appear to be currently supported in Grafana.

Are you able to provide me with any alternatives or insights, as our eventual aim is to implement a SSO solution in which users are defined and authenticated in Active Directory and are not required to log into Grafana.

In fact, we used the Knox gateway to connect Grafana to Druid and it worked :slight_smile:

@venkata could you provide more information, how you configured the Knox gateway to get it working? Would be great! Thanks