I’m running Grafana 7.0.3 with Grafana Image Renderer 2.0.0 installed as a plugin. I have a single instance of Grafana running behind an NGINX reverse proxy. I do Basic Authentication in NGINX, pass the credentials to Grafana, which authenticates against LDAP.
[auth.basic] enabled = true [auth.ldap] enabled = true
I am using the Prometheus Data Source. Prometheus is running on a separate server. Prometheus is also behind an NGINX reverse proxy, and also requires basic authentication. I have the Prometheus Data Source configured as shown below.
With the With Credentials option selected, Grafana passes the logged in user’s credentials to Prometheus, and everything works well.
When I try and render an image from a graph (Share -> Direct link rendered image), I get an incomplete graph, as shown below.
From the Grafana log file, when trying to render the image, it looks like Grafana Image Renderer does not pass the user’s credentials to Prometheus, and thus I see “401 (Unauthorized)” in the log files.
t=2020-06-18T14:37:38+0300 lvl=eror msg="Browser console error" logger=plugins.backend pluginId=grafana-image-renderer msg="Failed to load resource: the server responded with a status of 401 (Unauthorized)" url="http://127.0.0.1:3000/api/datasources/proxy/1/api/v1/query_range?query=irate(node_context_switches_total%7Binstance%3D~%22vtzkwlussd01%22%7D%5B5m%5D)&start=1592307120&end=1592479920&step=240"
From the NGINX log file, I can also see that the user’s credentials are not passed through to Prometheus, as indicated by the second dash below.
172.18.69.152 - - [18/Jun/2020:14:41:54 +0300] "prometheus.my.domain" "GET /api/v1/query_range?query=irate(node_context_switches_total%7Binstance%3D~%22vtzkwlussd01%22%7D%5B5m%5D)&start=1592307120&end=1592479920&step=240 HTTP/1.1" 401 172 "https://grafana.my.domain/" "Grafana/7.0.3"
Is it possible to configure Grafana/Image Renderer to pass the logged in user’s credentials through to Prometheus, as it would normally do? Or is this not supported?