Grafana SSO with IPA backend and Apache reverse proxy

Grafana is a great visualization tool for many data sources and one of my favourite tools. I will show you how to set up Grafana with Apache as a reverse (auth) proxy that uses Kerberos authentication, so you can enjoy the benefits of SSO.

SSO is very convenient: you don't have to enter your username and password every time you open one of your applications. Fortunately Grafana supports LDAP and Auth Proxy authentication, and Apache2 supports Kerberos authentication well. You need LDAP and Kerberos servers (such as Windows AD, MIT KDC or OpenLDAP). In my environment there is an existing FreeIPA server; it provides the LDAP and KDC services for Grafana and Apache2.

  • Client: OS X 10.12, Safari 12
  • LDAP and KDC: ipa1.otthon.lan (FreeIPA server on Centos 7.5)
  • HAProxy 1.8.14 acts as SSL terminator
  • Grafana 5.2.4 on Centos 7.5
  • Apache 2.4.6 with mod_auth_kerb module
  • Realm: OTTHON.LAN


HAProxy, Apache2 and Grafana run on the same server (Centos 7.5). My client computer isn't joined to the otthon.lan domain, so I have to run kinit user@OTTHON.LAN before starting Safari to connect to Grafana. After I authenticate successfully with kinit I get a Kerberos ticket, which lets me reach Grafana without entering a username/e-mail and password on Grafana's login page.

For now I won't dive deep into the HAProxy and FreeIPA configurations; I'll just show the Apache2 and Grafana configurations. You have to install the mod_auth_kerb package with the yum install mod_auth_kerb command. It is mandatory for Apache2 to be able to use Kerberos authentication. Create a configuration file /etc/httpd/conf.d/grafana-proxy.conf with the following content:

<Proxy *>
    AuthType Kerberos
    AuthName GrafanaAuthProxy
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthRealms OTTHON.LAN
    Krb5Keytab /etc/httpd/http.keytab
    KrbServiceName HTTP/grafana2.otthon.lan@OTTHON.LAN
    KrbSaveCredentials on
    KrbVerifyKDC on
    Require valid-user
    RewriteEngine On
    RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
    RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/

Change the realm, the service principal and the keytab path to match your own environment. Do not restart the httpd service yet. If the HTTP/grafana2.otthon.lan@OTTHON.LAN service principal doesn't exist in your KDC, create it first. You have to get a keytab for this service principal into the /etc/httpd/http.keytab file. I used the ipa-getkeytab -p HTTP/grafana2.otthon.lan@OTTHON.LAN -k /etc/httpd/http.keytab command to retrieve it. Please beware of this keytab file's permissions!

-rw-r-----. 1 root apache 174 Sep 27 12:55 http.keytab

Don't allow other users to read it. The Apache2 server runs as the apache user, so grant read-only permission on the keytab to the apache user.

Once you have the keytab and the service principal, let's modify Grafana's configuration (grafana.ini).
This is my grafana.ini:

app_mode = production
instance_name = ${HOSTNAME}
[paths]
data = /var/lib/grafana
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = conf/provisioning
[server]
protocol = http
http_addr = 127.0.0.1
http_port = 3000
domain = otthon.lan
router_logging = true
enable_gzip = false
[database]
log_queries =
type = postgres
host = pgsql1.otthon.lan:5432
name = *******************
user = *******************
password = *******************
[session]
provider = memory
[dataproxy]
[analytics]
reporting_enabled = false
check_for_updates = true
[security]
[snapshots]
[dashboards]
versions_to_keep = 5
[users]
[auth]
disable_login_form = false
disable_signout_menu = false
[auth.anonymous]
enabled = false
[auth.github]
[auth.google]
[auth.generic_oauth]
[auth.grafana_com]
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =
headers =
[auth.basic]
[auth.ldap]
enabled = false
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
[smtp]
[emails]
[log]
level = warn
[log.console]
[log.file]
[log.syslog]
[alerting]
[explore]
[metrics]
[metrics.graphite]
[tracing.jaeger]
[grafana_com]
[external_image_storage]
[external_image_storage.s3]
[external_image_storage.webdav]
[external_image_storage.gcs]
[external_image_storage.azure_blob]
[external_image_storage.local]

Please read the [auth.proxy] section carefully.
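As an added illustration (not code from this post, nor from Grafana or Apache), the following Python model shows the trust boundary the two configurations above create: Apache drops the client's Authorization header and overwrites any client-supplied X-WEBAUTH-USER with the Kerberos-verified REMOTE_USER, and Grafana honours that header only from peers allowed by the [auth.proxy] whitelist (empty here, which is fine only because http_addr = 127.0.0.1 keeps port 3000 off the network). The header name and whitelist semantics are from the post and the Grafana docs; the peer addresses and user names are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

HEADER_NAME = "X-WEBAUTH-USER"   # header_name in grafana.ini [auth.proxy]


def proxy_headers(client_headers: Dict[str, str],
                  remote_user: Optional[str]) -> Optional[Dict[str, str]]:
    """Headers Apache forwards to 127.0.0.1:3000 for one request.

    remote_user is the identity mod_auth_kerb verified (REMOTE_USER), or
    None when Negotiate failed. Returns None when nothing is proxied,
    because "Require valid-user" answers the request with 401 instead.
    """
    if remote_user is None:
        return None
    upstream = {}
    for name, value in client_headers.items():
        # "RequestHeader unset Authorization": the Negotiate token must not
        # reach Grafana. A client-supplied X-WEBAUTH-USER is dropped here and
        # replaced below, so a spoofed value never survives the proxy.
        if name.lower() in ("authorization", HEADER_NAME.lower()):
            continue
        upstream[name] = value
    # RewriteRule + "RequestHeader set X-WEBAUTH-USER" from REMOTE_USER
    upstream[HEADER_NAME] = remote_user
    return upstream


def grafana_accepts(headers: Dict[str, str], peer_ip: str,
                    whitelist: str) -> Optional[str]:
    """Identity Grafana's auth proxy takes from a request, or None.

    whitelist is the [auth.proxy] whitelist value: comma-separated IPs or
    CIDR ranges. Empty means every peer is trusted (the post's setting),
    which is only safe while Grafana listens on 127.0.0.1 alone.
    """
    allowed = [ip_network(n.strip()) for n in whitelist.split(",") if n.strip()]
    if allowed and not any(ip_address(peer_ip) in net for net in allowed):
        return None  # peer not whitelisted: header ignored, login form shown
    return headers.get(HEADER_NAME)
```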
This is my ldap.toml file:

[[servers]]
host = "ipa1.otthon.lan"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
root_ca_cert = "/etc/ipa/ca.crt"
bind_dn = "uid=*************,cn=users,cn=accounts,dc=otthon,dc=lan"
bind_password = '***************************'
search_filter = "(uid=%s)"
search_base_dns = ["cn=users,cn=accounts,dc=otthon,dc=lan"]
group_search_base_dns = ["cn=groups,cn=accounts,dc=otthon,dc=lan"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=otthon,dc=lan"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=otthon,dc=lan"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

I enabled LDAP authentication too because I want to reach Grafana from outside my network with my FreeIPA (LDAP) user, the same way I do from my home network with Kerberos. If you only connect from your local network, LDAP authentication isn't mandatory.

After all the configs and the keytab are in place, restart the grafana-server and httpd services. That's it. Have fun!
