Use bearer token to scrape Prometheus

Since we are using OpenShift, and Grafana and Prometheus are in other namespaces, I need to authenticate using a token.
I tried the modified Grafana version from Mrsiano (https://github.com/mrsiano/openshift-grafana), but I’m not happy with that version because he uses Grafana 4.7pre1 and I want to implement the newest features of Grafana 5, like dashboard provisioning.

So I’m experimenting with the official Grafana 5 container from Docker Hub.
Since there is no token option in the datasource configuration,
I tried to provision my datasource with a YAML file in which I use the bearer info in the basicAuth key:
basicAuth: 'Bearer eyJhb…'

In the datasource.ts file (grafana/public/app/plugins/datasource/prometheus/datasource.ts) this should be injected in the header.options:

if (this.basicAuth) {
  options.headers = {
    Authorization: this.basicAuth,
  };
}

The way Mrsiano modified this file is pretty much the same, except he is adding a token variable, which he then checks for existence and adds to the header (https://github.com/mrsiano/grafana/commit/67e352b8dac30bfc56a8af3eb0195f26dd26948d).

However, when I try to start up with this config, I get an error:

t=2018-04-12T06:54:30+0000 lvl=info msg="Starting plugin search" logger=plugins
t=2018-04-12T06:54:30+0000 lvl=dbug msg="Checking for updates"
t=2018-04-12T06:54:30+0000 lvl=eror msg="Startup failed" error="Failed to provision Grafana from config. error: yaml: unmarshal errors:\n line 16: cannot unmarshal !!str Bearer ... into bool"
t=2018-04-12T06:54:30+0000 lvl=info msg="Shutdown started" logger=server code=1 reason="startup error"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0xef1f56]

Can anyone help me on this one?

Anyone?
Could use some help

Hi br0mz,

Did you find a solution?
I have the same issue.

Regards

Hello,

We’ve been able to do token-based authentication by using plugin routes, e.g.:

"routes": [
  {
    "path": "",
    "method": "GET",
    "url": "https://prometheus-openshift-metrics.apps.example.com",
    "headers": [
      {"name": "Authorization", "content": "Bearer [your-token-here]"}
    ]
  }
],

You need to add the above stanza to:

/usr/share/grafana/public/app/plugins/datasource/prometheus/plugin.json

Restart Grafana and properly configure a Prometheus datasource pointing to the above URL.

It is a bit suboptimal since I’ve not yet found a way to add this section programmatically, but I’m a Grafana newbie.

Is there a way to add plugin routes programmatically, or alternatively to create a Prometheus datasource with token-based authentication via APIs?

Thanks for any insight,

-m

Hi,

Wow, thanks a lot!
I was stuck on it.

OK, I made the change and set my token into Content Bearer, but I am on version 5.2.4 and I receive HTTP forbidden from Grafana, whereas with a curl request all works fine.

Hey,

Sorry, but my comment got messed up with markup. You need to specify the bearer token inside the header (look now at [your-token-here]).

In addition, you need to verify that the account corresponding to the token has the needed permissions.

My setup is on 5.2.4 too.

In case, you may debug the header sent with tcpdump (changing the destination URL to http), e.g.:

tcpdump -vvvs 1024 -l -A dst [your-prometheus-endpoint]

Forbidden could likely indicate a route mismatch.

HTH,

-m

Thanks for your help.

By doing tcpdump on the Grafana server and trying "test datasource", I can see the connection to Prometheus initiated and also the answer coming from my endpoint.

And when I try with a curl command:

curl -vvv -k -H "Accept: application/json" -XGET "https://prometheus-openshift-metricsgreen.xxx" -H "Authorization: Bearer MYTOKEN" -H "X-CSRF-Token: 1"

< HTTP/1.1 302 Found
< Content-Length: 29
< Content-Type: text/html; charset=utf-8
< Date: Wed, 03 Oct 2018 16:12:26 GMT
< Gap-Auth: system@cluster.local
< Gap-Upstream-Address: localhost:9090
< Location: /graph
< Set-Cookie: f81241e3a913aa890fb02ba92a29f1be=1d4e79533473822bac3e04e699bce6fd; path=/; HttpOnly; Secure
<
<a href="/graph">Found</a>.

* Connection #0 to host prometheus-openshift-metricsgreen.xxx left intact
* Closing connection #0

It works right now. I didn’t place the syntax in the right place in the JSON file; by following the Grafana doc, I understand my mistake.
Thanks a lot.
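
On the two points raised in the thread, adding the routes stanza programmatically and putting it in the right place in the JSON file, here is an added sketch (not code from any poster or from the Grafana project) that inserts the stanza as a top-level "routes" key of plugin.json. The function names, the HTTPS check and the token-file argument are assumptions of this example.

```python
import json
import os
import sys
import tempfile

# Path quoted in the thread; adjust it for your image.
PLUGIN_JSON = "/usr/share/grafana/public/app/plugins/datasource/prometheus/plugin.json"


def set_bearer_route(plugin, url, token):
    """Return a copy of the manifest with one top-level GET route for `url`
    that sends 'Authorization: Bearer <token>' (hypothetical helper)."""
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    if not url.startswith("https://"):
        raise ValueError("refusing to attach a bearer token to a non-HTTPS URL")
    route = {
        "path": "",
        "method": "GET",
        "url": url,
        "headers": [{"name": "Authorization", "content": f"Bearer {token}"}],
    }
    # Drop an earlier route for the same path/method so re-runs do not stack up.
    kept = [r for r in plugin.get("routes", [])
            if (r.get("path"), r.get("method")) != ("", "GET")]
    updated = dict(plugin)
    updated["routes"] = kept + [route]
    return updated


def patch_file(path, url, token):
    """Rewrite the manifest at `path` atomically, keeping its permission bits."""
    with open(path, encoding="utf-8") as fh:
        plugin = json.load(fh)
    updated = set_bearer_route(plugin, url, token)
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
        fh.write("\n")
    os.chmod(tmp, mode)
    os.replace(tmp, path)  # readers never see a half-written file


if __name__ == "__main__":
    # Usage: patch_routes.py <prometheus-url> <file-containing-the-token>
    with open(sys.argv[2], encoding="utf-8") as token_file:
        patch_file(PLUGIN_JSON, sys.argv[1], token_file.read())
```

As in the post above, Grafana has to be restarted after plugin.json is changed.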