I am a bit confused about having a HA setup for Grafana.
I’d like to use a Keycloak instance to authenticate to Grafana and have a set of users with roles and permissions defined. Let’s say I want to have 3 Grafana server instances behind a load balancer. For handling user sessions, do I need an external shared database for my 3 Grafana server instances? Or can I rely only on Keycloak (and its database)?
Thanks in advance.
Yes, you do. How can you replicate state, e.g. a manually configured role, between instances?
What do you mean by replicate state? I saw a lot of people having issues when running multiple Grafana server instances behind a LB without a shared database. Most of the answers were pointing out the management of user sessions. This is why I wondered whether, when using Keycloak to manage users, it was enough for dealing with user sessions or we still need an external database so the Grafana servers can sync between each other.
Yes, you do. Keycloak doesn’t manage app session.
@jangaraj so in short, as soon as I have more than one Grafana server instance I need a shared database, is this right?
Also, check the documentation for High Availability:
I have been contemplating setting up a high-availability (HA) configuration for Grafana, but I’m a bit confused about the best approach when it comes to user sessions and authentication. My goal is to use a Keycloak instance for authenticating users to Grafana, with defined roles and permissions. Specifically, I plan to have three Grafana server instances behind a load balancer to ensure redundancy and scalability. Now, my question is regarding chic.ae user sessions. Do I need an external shared database for the three Grafana server instances to handle user sessions? Or can I rely solely on Keycloak and its database for this purpose?
@noastradinguae I was wondering exactly the same! I also read the doc for setting up a HA Grafana. According to the answers above we need the external shared database. @usman.ahmad could we have more details about that? According to the answer above Keycloak “doesn’t manage app session”. Does that mean there is a session on Grafana side?
Do I need an external shared database for the three Grafana server instances to handle user sessions?
Does that mean there is a session on Grafana side?
Yes. Either the instances need to have their own hostname or a shared database. Like @jangaraj said, Keycloak doesn’t manage the app session. The cookie-based session management is done entirely by Grafana.
Since Grafana needs a session for most of its calls, you’d need to either provide a session for each of the instances (separated by different auth.login_cookie_name) or have the load balancer ensure that the same client always talks to the same upstream instance as long as everything is healthy (then the user would have to re-authenticate when that instance goes down). And that’s ignoring other features that won’t work properly without a synchronized database, which includes essentially any updates done through the API or UI and most background jobs that expect some kind of synchronization.
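The shared-database setup discussed in this thread, as an added example that is not part of the original posts or of Grafana's documentation: a grafana.ini fragment deployed identically on each instance behind the load balancer. All hostnames, the database name, the credentials and the Keycloak realm URL are constructed placeholders.

```ini
# Added example: same file on every Grafana instance behind the load balancer.
# Hostnames, names and secrets below are constructed placeholders.

[server]
# Public URL of the load balancer, not of an individual instance.
# The OAuth redirect back from Keycloak is built from this value.
root_url = https://grafana.example.internal/

[database]
# Shared external database. It holds users, org roles, dashboards and the
# session tokens behind the login cookie, so any instance can serve a request.
# The default (sqlite3, one local file per instance) is what fails behind a
# load balancer: a cookie issued by one instance is unknown to the others.
type = postgres
host = grafana-db.example.internal:5432
name = grafana
user = grafana
password = CHANGE_ME
ssl_mode = require

[auth]
# With a shared database, keep the same cookie name on all instances.
# Distinct names per instance only apply to the no-shared-database workaround.
login_cookie_name = grafana_session

[auth.generic_oauth]
# Keycloak authenticates the user. Grafana still issues and validates
# its own session cookie after the login completes.
enabled = true
name = Keycloak
client_id = grafana
client_secret = CHANGE_ME
scopes = openid email profile
auth_url = https://keycloak.example.internal/realms/example/protocol/openid-connect/auth
token_url = https://keycloak.example.internal/realms/example/protocol/openid-connect/token
api_url = https://keycloak.example.internal/realms/example/protocol/openid-connect/userinfo
```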