diff --git a/conf/defaults.ini b/conf/defaults.ini
index d09dfe3c428..695aace59fe 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -505,6 +505,16 @@ allow_sign_up = true
 sync_cron = "0 0 1 * * *"
 active_sync_enabled = true
+#################################### AWS ###########################
+[aws]
+# Enter a comma-separated list of allowed AWS authentication providers.
+# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_IAM_role (EC2 IAM Role)
+allowed_auth_providers = default,keys,credentials
+
+# Allow AWS users to assume a role using temporary security credentials.
+# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
+assume_role_enabled = true
+
 #################################### SMTP / Emailing #####################
 [smtp]
 enabled = false
diff --git a/conf/sample.ini b/conf/sample.ini
index 80bae2091de..28db4c24b84 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -495,6 +495,16 @@
 ;sync_cron = "0 0 1 * * *"
 ;active_sync_enabled = true
+#################################### AWS ###########################
+[aws]
+# Enter a comma-separated list of allowed AWS authentication providers.
+# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_IAM_role (EC2 IAM Role)
+; allowed_auth_providers = default,keys,credentials
+
+# Allow AWS users to assume a role using temporary security credentials.
+# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
+; assume_role_enabled = true
+
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
diff --git a/docs/sources/administration/configuration.md b/docs/sources/administration/configuration.md
index 8a4b20a25e0..cb986f9a897 100644
--- a/docs/sources/administration/configuration.md
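Review bot: The comment above `assume_role_enabled` refers to a key named `aws_auth_providers`, but the key added a few lines earlier in the same section is `allowed_auth_providers`, so an operator reading the defaults is pointed at a setting that does not exist; change it to `# If true, assume role will be enabled for all AWS authentication providers that are specified in allowed_auth_providers`. The identical comment is copied into the conf/sample.ini hunk and needs the same fix. The shipped default `default,keys,credentials` leaves out `ec2_IAM_role` even though the comment lists it as an option; whether that is intentional is not stated, and a short line such as `# ec2_IAM_role is not allowed by default and must be added explicitly` would make the intent clear to anyone auditing which credential sources a Grafana instance will accept.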
+++ b/docs/sources/administration/configuration.md
@@ -772,6 +772,22 @@ Refer to [Auth proxy authentication]({{< relref "../auth/auth-proxy.md" >}}) for
 Refer to [LDAP authentication]({{< relref "../auth/ldap.md" >}}) for detailed instructions.
+## [aws]
+
+You can configure core and external AWS plugins.
+
+### allowed_auth_providers
+
+Specify what authentication providers the AWS plugins allow. For a list of allowed providers, refer to the data-source configuration page for a given plugin. If you configure a plugin by provisioning, only providers that are specified in `allowed_auth_providers` are allowed.
+
+Options: `default` (AWS SDK default), `keys` (Access and secret key), `credentials` (Credentials file), `ec2_IAM_role` (EC2 IAM role)
+
+### assume_role_enabled
+
+Set to `false` to disable AWS authentication from using an assumed role with temporary security credentials. For details about assume roles, refer to the AWS API reference documentation about the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) operation.
+
+If this option is disabled, the **Assume Role** and the **External Id** field are removed from the AWS data source configuration page. If the plugin is configured using provisioning, it is possible to use an assumed role as long as `assume_role_enabled` is set to `true`.
+
 ## [smtp]
@@ -1530,6 +1546,9 @@ Set this to `true` to have date formats automatically derived from your browser
 Used as the default time zone for user preferences. Can be either `browser` for the browser local time zone or a time zone name from the IANA Time Zone database, such as `UTC` or `Europe/Amsterdam`.
 ## [expressions]
+
 > **Note:** This feature is available in Grafana v7.4 and later versions.
+
 ### enabled
+
 Set this to `false` to disable expressions and hide them in the Grafana UI. Default is `true`.
diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go
index 16433b94be9..6496d6bd1bf 100644
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -237,12 +237,14 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
 "licenseUrl": hs.License.LicenseURL(c.SignedInUser),
 "edition": hs.License.Edition(),
 },
- "featureToggles": hs.Cfg.FeatureToggles,
- "rendererAvailable": hs.RenderService.IsAvailable(),
- "http2Enabled": hs.Cfg.Protocol == setting.HTTP2Scheme,
- "sentry": hs.Cfg.Sentry,
- "marketplaceUrl": hs.Cfg.MarketplaceURL,
- "expressionsEnabled": hs.Cfg.ExpressionsEnabled,
+ "featureToggles": hs.Cfg.FeatureToggles,
+ "rendererAvailable": hs.RenderService.IsAvailable(),
+ "http2Enabled": hs.Cfg.Protocol == setting.HTTP2Scheme,
+ "sentry": hs.Cfg.Sentry,
+ "marketplaceUrl": hs.Cfg.MarketplaceURL,
+ "expressionsEnabled": hs.Cfg.ExpressionsEnabled,
+ "awsAllowedAuthProviders": hs.Cfg.AWSAllowedAuthProviders,
+ "awsAssumeRoleEnabled": hs.Cfg.AWSAssumeRoleEnabled,
 }
 return jsonObj, nil
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index bd8c2c211cf..0251b05dae9 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -273,6 +273,10 @@ type Cfg struct {
 AdminUser string
 AdminPassword string
+ // AWS Plugin Auth
+ AWSAllowedAuthProviders []string
+ AWSAssumeRoleEnabled bool
+
 // Auth proxy settings
 AuthProxyEnabled bool
 AuthProxyHeaderName string
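Review bot: `awsAllowedAuthProviders` is copied into the settings map straight from `hs.Cfg.AWSAllowedAuthProviders`, and the setting.go hunk below only ever grows that slice with `append` from its nil zero value, so with an empty or missing `allowed_auth_providers` it reaches the browser as JSON `null` rather than `[]`; any frontend code that iterates it or calls `.includes` on it needs a guard, or the server should normalise it here, for example `"awsAllowedAuthProviders": append([]string{}, hs.Cfg.AWSAllowedAuthProviders...),`. The two new values are non-secret server configuration (which credential sources the UI may offer and whether the assume-role fields are shown), so exposing them through the frontend settings does not widen what a signed-in user can learn. getFrontendSettingsMap begins and ends outside the hunk, so where the map is consumed is not visible from here.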
@@ -861,6 +865,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 }
 cfg.readLDAPConfig()
+ cfg.readAWSConfig()
 cfg.readSessionConfig()
 cfg.readSmtpSettings()
 cfg.readQuotaSettings()
@@ -923,6 +928,18 @@ func (cfg *Cfg) readLDAPConfig() {
 cfg.LDAPAllowSignup = LDAPAllowSignup
 }
+func (cfg *Cfg) readAWSConfig() {
+ awsPluginSec := cfg.Raw.Section("aws")
+ cfg.AWSAssumeRoleEnabled = awsPluginSec.Key("assume_role_enabled").MustBool(true)
+ allowedAuthProviders := awsPluginSec.Key("allowed_auth_providers").String()
+ for _, authProvider := range strings.Split(allowedAuthProviders, ",") {
+ authProvider = strings.TrimSpace(authProvider)
+ if authProvider != "" {
+ cfg.AWSAllowedAuthProviders = append(cfg.AWSAllowedAuthProviders, authProvider)
+ }
+ }
+}
+
 func (cfg *Cfg) readSessionConfig() {
 sec, _ := cfg.Raw.GetSection("session")
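Review bot: readAWSConfig stores whatever tokens appear in `allowed_auth_providers` without checking them against the four values the ini comment enumerates (`default`, `keys`, `credentials`, `ec2_IAM_role`), so a misspelt entry such as `ec2_iam_role` is accepted silently at startup and presumably only surfaces later as a plugin refusing that provider with nothing in the server log to explain why. The list is also built by appending to the field's current value instead of assigning it fresh, which leaves it nil when the key is empty and would accumulate entries if Load ran twice on the same Cfg. Assigning `cfg.AWSAllowedAuthProviders = []string{}` before the loop and warning on unrecognised names covers both; the rewrite below keeps the existing parsing, the `assume_role_enabled` default of `true` (which matches defaults.ini), and still passes unknown names through so the plugin remains the authority on what it honours.
```go
func (cfg *Cfg) readAWSConfig() {
	awsPluginSec := cfg.Raw.Section("aws")
	cfg.AWSAssumeRoleEnabled = awsPluginSec.Key("assume_role_enabled").MustBool(true)
	// Assign fresh so a repeated Load does not accumulate entries and an
	// empty key yields an empty (non-nil) list rather than nil.
	cfg.AWSAllowedAuthProviders = []string{}
	allowedAuthProviders := awsPluginSec.Key("allowed_auth_providers").String()
	for _, authProvider := range strings.Split(allowedAuthProviders, ",") {
		authProvider = strings.TrimSpace(authProvider)
		if authProvider == "" {
			continue
		}
		switch authProvider {
		case "default", "keys", "credentials", "ec2_IAM_role":
		default:
			// Kept in the list (the plugin decides what it honours) but surfaced at startup.
			cfg.Logger.Warn("Unrecognised AWS auth provider in [aws] allowed_auth_providers", "provider", authProvider)
		}
		cfg.AWSAllowedAuthProviders = append(cfg.AWSAllowedAuthProviders, authProvider)
	}
}
```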