Use bearer token to scrape Prometheus

Since we are using Openshift and Grafana and Prometheus are in other namespaces, I need to authenticate using a token.
I tried the modified Grafana version from Mrsiano (GitHub - mrsiano/openshift-grafana: Grafana instance, which use OAuth token for OpenShift. 📊) but I'm not happy with that version because he uses Grafana 4.7pre1 and I want to implement the newest features of Grafana 5 like dashboard provisioning.

So I'm experimenting with the dockerhub official Grafana 5 container.
Since there is no token option in the datasource configuration,
I tried to provision my datasource with a yaml file in which I use the bearer info in the basicAuth key.
basicAuth: 'Bearer eyJhb…'

In the datasource.ts file (grafana/public/app/plugins/datasource/prometheus/datasource.ts) this should be injected in the header.options:

if (this.basicAuth) {
  options.headers = {
    Authorization: this.basicAuth,
  };
}

The way Mrsiano modified this file is pretty much the same, except he is adding a token variable, which he then checks for existence and adds to the header (openshift authorization capabilities. · mrsiano/grafana@67e352b · GitHub)

However, when I try to startup with this config, I get an error:

t=2018-04-12T06:54:30+0000 lvl=info msg="Starting plugin search" logger=plugins
t=2018-04-12T06:54:30+0000 lvl=dbug msg="Checking for updates"
t=2018-04-12T06:54:30+0000 lvl=eror msg="Startup failed" error="Failed to provision Grafana from config. error: yaml: unmarshal errors:\n line 16: cannot unmarshal !!str Bearer ... into bool"
t=2018-04-12T06:54:30+0000 lvl=info msg="Shutdown started" logger=server code=1 reason="startup error"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0xef1f56]

Can anyone help me on this one?

Anyone?
Could use some help

Hi br0mz,

Did you find a solution?
I have the same issue.

Regards

Hello,

we've been able to do token based authentication by using plugin routes, e.g.:

"routes": [
  {
    "path": "",
    "method": "GET",
    "url": "https://prometheus-openshift-metrics.apps.example.com",
    "headers": [
      {"name": "Authorization", "content": "Bearer [your-token-here]"}
    ]
  }
],

You need to add above stanza to:

/usr/share/grafana/public/app/plugins/datasource/prometheus/plugin.json

restart grafana and properly configure a prometheus datasource pointing to above url.

It is a bit suboptimal since I've not yet found a way to add this section programmatically but I'm a Grafana newbie.

Is there a way to add plugin routes programmatically or alternatively to create a Prometheus datasource with token based authentication via APIs?

Thanks for any insight,

-m
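
Added example (not part of the original thread and not Grafana's own code): one way to apply the stanza from the post above to plugin.json from a script, so the token can be rotated without hand-editing the file. It assumes the script runs as the same user Grafana runs as, because the rewritten file holds the token and is left mode 0600; `add_bearer_route` and `PROM_BEARER_TOKEN` are hypothetical names.

```python
import json
import os
import sys
import tempfile


def add_bearer_route(plugin_json_path, prometheus_url, token):
    """Add or replace the GET route that injects the bearer token.

    Returns the number of routes in the file after the update.
    """
    # Reject empty tokens and line breaks (header injection via CR/LF).
    if not token or any(c in token for c in "\r\n"):
        raise ValueError("token is empty or contains a line break")

    with open(plugin_json_path, encoding="utf-8") as fh:
        plugin = json.load(fh)

    key = ("", "GET", prometheus_url)
    # Drop an earlier copy of this route so a rerun after token rotation
    # replaces the old token instead of stacking a second route.
    routes = [r for r in plugin.get("routes", [])
              if (r.get("path"), r.get("method"), r.get("url")) != key]
    routes.append({
        "path": "",
        "method": "GET",
        "url": prometheus_url,
        "headers": [{"name": "Authorization", "content": "Bearer " + token}],
    })
    plugin["routes"] = routes

    # The file now holds a secret: write a 0600 temp file in the same
    # directory (mkstemp default mode) and atomically swap it in.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(plugin_json_path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(plugin, fh, indent=2)
        os.replace(tmp, plugin_json_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(routes)


if __name__ == "__main__":
    # PROM_BEARER_TOKEN is a hypothetical variable name; argv[1] is the
    # plugin.json path and argv[2] the Prometheus URL used in the route.
    add_bearer_route(sys.argv[1], sys.argv[2], os.environ["PROM_BEARER_TOKEN"])
```

Grafana still has to be restarted after the file changes, as the post above notes.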

hi,

Wow, thanks a lot!
I was stuck on it.

OK, I made the change and set my token into Content Bearer, but I am on version 5.2.4, and I receive HTTP forbidden from Grafana, whereas with a curl request all works fine.

Hey,

sorry but my comment got messed up with markup. You need to specify the bearer token inside the header (look now at [your-token-here]).

In addition you need to verify that the account corresponding to the token has the needed permissions.

My setup is on 5.2.4 too.

In case you may debug the header sent with tcpdump (changing destination URL to http), e.g.:

tcpdump -vvvs 1024 -l -A dst [your-prometheus-endpoint]

Forbidden could likely indicate a route mismatch.

HTH,

-m

thanks for your help

By doing tcpdump on the Grafana server and trying test datasource, I can see the connection to Prometheus initiated and also the answer coming from my endpoint.

and when I try with a curl command:

curl -vvv -k -H "Accept: application/json" -XGET "https://prometheus-openshift-metricsgreen.xxx" -H "Authorization: Bearer MYTOKEN" -H "X-CSRF-Token: 1"

< HTTP/1.1 302 Found
< Content-Length: 29
< Content-Type: text/html; charset=utf-8
< Date: Wed, 03 Oct 2018 16:12:26 GMT
< Gap-Auth: system@cluster.local
< Gap-Upstream-Address: localhost:9090
< Location: /graph
< Set-Cookie: f81241e3a913aa890fb02ba92a29f1be=1d4e79533473822bac3e04e699bce6fd; path=/; HttpOnly; Secure
<
<a href="/graph">Found</a>.

* Connection #0 to host prometheus-openshift-metricsgreen.xxx left intact
* Closing connection #0

It works right now. I didn't place the syntax in the right place in the JSON file; by following the Grafana doc, I understand my mistake.
Thanks a lot