文章出处:https://medium.com/@maiccaejfeng/grafana-user-%E7%9A%84%E8%BA%AB%E4%BB%BD%E8%AA%8D%E8%AD%89%E6%A9%9F%E5%88%B6-authentication-357d30b6b7fb
Grafana 有提供哪些 user 的身份認證機制呢?
Overview
Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions…
grafana.com
Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions and org memberships.
Grafana 提供許多種 user 身份認證機制。有些認證機制還可以同步 user 權限和 organization 成員身份。大致上可以分成以下四種:
- Grafana Auth
- OAuth Authentication
- Google OAuth2 Authentication
- GitHub OAuth2 Authentication
- GitLab OAuth2 Authentication
- Okta OAuth2 Authentication
- Bitbucket OAuth2 Authentication
- OneLogin OAuth2 Authentication
- Auth0 OAuth2 Authentication
- Azure Active Directory OAuth2 Authentication
- Centrify OAuth2 Authentication
- etc.
3. LDAP Authentication
- OpenLDAP
- ActiveDirectory
- etc.
4. Auth Proxy
1. Grafana Auth
Grafana of course has a built in user authentication system with password authentication enabled by default. You can disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth provider (listed above). There is also options for allowing self sign up.
Grafana 自己有內建的 user 身份認證機制,預設是啟用密碼認證。可以停用密碼認證來啟用匿名訪問。還可以隱藏 login 表單,僅允許通過上列 auth provider 的 login。也有允許自己註冊的選項。
1.1 登入和短期 token (Login and short-lived tokens)
The following applies when using Grafana’s built in user authentication, LDAP (without Auth proxy) or OAuth integration.
以下內容適用於使用 Grafana 內建 user 身份認證、LDAP (without Auth proxy) 或 OAuth integration 時。
Grafana are using short-lived tokens as a mechanism for verifying authenticated users. These short-lived tokens are rotated each token_rotation_interval_minutes for an active authenticated user.
Grafana 使用短期 token 做為驗證身份認證過的 user 的機制。對於身份認證過的有效 user,這些短期 token 每 token_rotation_interval_minutes 分鐘 rotate 一次。
An active authenticated user that gets it token rotated will extend the login_maximum_inactive_lifetime_days time from “now” that Grafana will remember the user. This means that a user can close its browser and come back before now + login_maximum_inactive_lifetime_days and still being authenticated. This is true as long as the time since user login is less than login_maximum_lifetime_days.
一個身份認證過、並且有 rotate 過 token 的有效 user,會從 “現在” 開始延長 login_maximum_inactive_lifetime_days 時間,Grafana 就會記住該 user。這表示該 user 可以關掉瀏覽器後在 now + login_maximum_inactive_lifetime_days 的時間內回來仍可以通過身份認證。只要 user login 以來的時間少於 login_maximum_lifetime_days 這個時間身份認證都有效。
1.1.1 遠端登出 (Remote logout)
You can logout from other devices by removing login sessions from the bottom of your profile page. If you are a Grafana admin user you can also do the same for any user from the Server Admin / Edit User view.
2.1 Google OAuth2 Authentication
Google OAuth2 Authentication
To enable the Google OAuth2 you must register your application with Google. Google will generate a client ID and secret…
grafana.com
To enable the Google OAuth2 you must register your application with Google. Google will generate a client ID and secret key for you to use.
若要在 Grafana 中使用 Google OAuth2,請先至 Google 註冊。Google 會提供 client ID 及 secret key 供使用。
詳細的做法請參閱上面連結中的文件,就不在這裡實作了。但總之會在 login 頁面出現 Sign in with Google 的按鈕:
2.2 GitHub OAuth2 Authentication
GitHub OAuth2 Authentication
To enable the GitHub OAuth2 you must register your application with GitHub. GitHub will generate a client ID and secret…
grafana.com
To enable the GitHub OAuth2 you must register your application with GitHub. GitHub will generate a client ID and secret key for you to use.
若要在 Grafana 中使用 GitHub OAuth2,請先至 GitHub 註冊。GitHub 會提供 client ID 及 secret key 供使用。
詳細的做法請參閱上面連結中的文件,就不在這裡實作了。
2.3 GitLab OAuth2 Authentication
GitLab OAuth2 Authentication
To enable the GitLab OAuth2 you must register an application in GitLab. GitLab will generate a client ID and secret key…
grafana.com
To enable the GitLab OAuth2 you must register an application in GitLab. GitLab will generate a client ID and secret key for you to use.
若要在 Grafana 中使用 GitLab OAuth2,請先至 GitLab 註冊。GitLab 會提供 client ID 及 secret key 供使用。
詳細的做法請參閱上面連結中的文件,就不在這裡實作了。
2.4 Generic OAuth Authentication
OAuth authentication
You can configure many different oauth2 authentication services with Grafana using the generic oauth2 feature. Below…
grafana.com
You can configure many different oauth2 authentication services with Grafana using the generic oauth2 feature. Below you can find examples using Okta, BitBucket, OneLogin and Azure.
您可以使用 Grafana 的 generic oauth2 功能來 configure 許多不同的 oauth2 身份認證服務。以下提供 Okta、BitBucket、OneLogin、及 Azure 的使用範例。
詳細的做法請參閱上面連結中的文件,就不在這裡實作了。
2.4.1 Okta OAuth2 Authentication
2.4.2 Bitbucket OAuth2 Authentication
2.4.3 OneLogin OAuth2 Authentication
2.4.4 Auth0 OAuth2 Authentication
2.4.5 Azure Active Directory OAuth2 Authentication
2.4.6 Centrify OAuth2 Authentication
2.4.7 Non-compliant providers OAuth2 Authentication
Some OAuth2 providers might not support client_id and client_secret passed via Basic Authentication HTTP header, which results in invalid_client error. To allow Grafana to authenticate via these type of providers, the client identifiers must be send via POST body, which can be enabled via the following settings:
有些 OAuth2 providers 並不支援 client_id 及 client_secret 經由 Basic Authentication HTTP header 傳送,就會導致 invalid_client 錯誤。若要讓 Grafana 允許這類的認證,client identifiers 就必須經由 POST body 傳送,把 send_client_credentials_via_post 設定成 true 即可。
3. LDAP Authentication
LDAP Authentication
The LDAP integration in Grafana allows your Grafana users to login with their LDAP credentials. You can also specify…
grafana.com
The LDAP integration in Grafana allows your Grafana users to login with their LDAP credentials. You can also specify mappings between LDAP group memberships and Grafana Organization user roles.
Grafana 中的 LDAP 整合可讓 users 用自己的 LDAP credentials 來 login。管理者也可以指定將 LDAP group memberships 和 Grafana Organization user roles 做 mapping。
Grafana uses a third-party LDAP library under the hood that supports basic LDAP v3 functionality. This means that you should be able to configure LDAP integration using any compliant LDAPv3 server, for example OpenLDAP or Active Directory among others.
Grafana 用第三方 LDAP library,支援基本的 LDAP v3 功能。這表示管理者可以使用任何相容的 LDAPv3 server(例如 OpenLDAP、Active Directory among others)來 configure LDAP integration。
詳細的做法請參閱上面連結中的文件,就不在這裡實作了。
3.1 OpenLDAP、Multiple LDAP servers
3.2 Active Directory
4. Auth Proxy Authentication
Auth Proxy
You can configure Grafana to let a HTTP reverse proxy handling authentication. Popular web servers have a very…
grafana.com
You can configure Grafana to let a HTTP reverse proxy handling authentication. Popular web servers have a very extensive list of pluggable authentication modules, and any of them can be used with the AuthProxy feature. Below we detail the configuration options for auth proxy.
管理者可以 configure Grafana 來讓 HTTP reverse proxy 來處理身份認證。熱門的 web servers 有很多 pluggable 的身份認證模組,每個都可以跟 AuthProxy 功能一起使用。上面連結中的文件有介紹 auth proxy 的 configuration 選項。
詳細的做法請參閱上面連結中的文件,就不在這裡實作了。
總之 Grafana 支援的 user 身份認證機制有很~多種,並不只局限於上列的方式,而是 OAuth 類型、LDAP 類型…等的都可以。有機會再實作看看摟~!