IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Azure: Configuration for user identity authentication in datasources (Experimental) (#50277)

Browse Source 
* Configuration for user identity authentication

* Use token endpoint form Azure AD settings

* Documentation update

* Update Grafana Azure SDK

* Fix secret override

* Fix lint

* Fix doc wording
This commit is contained in:
Sergey Kostrukov 2023-05-15 10:00:54 -07:00 committed by GitHub
parent 5ec0f82baa
commit eafba8fa69
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 250 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
conf/defaults.ini
View File

@ -808,6 +808,23 @@ managed_identity_enabled = false
# Should be set for user-assigned identity and should be empty for system-assigned identity # Should be set for user-assigned identity and should be empty for system-assigned identity
managed_identity_client_id = managed_identity_client_id =
# Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources
# that support it (requires AAD authentication)
# Disabled by default, needs to be explicitly enabled
user_identity_enabled = false
# Override token URL for Azure Active Directory
# By default is the same as token URL configured for AAD authentication settings
user_identity_token_url =
# Override ADD application ID which would be used to exchange users token to an access token for the datasource
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
user_identity_client_id =
# Override the AAD application client secret
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
user_identity_client_secret =
#################################### Role-based Access Control ########### #################################### Role-based Access Control ###########
[rbac] [rbac]
# If enabled, cache permissions in a in memory cache # If enabled, cache permissions in a in memory cache

17
conf/sample.ini
View File

@ -780,6 +780,23 @@
# Should be set for user-assigned identity and should be empty for system-assigned identity # Should be set for user-assigned identity and should be empty for system-assigned identity
;managed_identity_client_id = ;managed_identity_client_id =
# Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources
# that support it (requires AAD authentication)
# Disabled by default, needs to be explicitly enabled
;user_identity_enabled = false
# Override token URL for Azure Active Directory
# By default is the same as token URL configured for AAD authentication settings
;user_identity_token_url =
# Override ADD application ID which would be used to exchange users token to an access token for the datasource
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
;user_identity_client_id =
# Override the AAD application client secret
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
;user_identity_client_secret =
#################################### Role-based Access Control ########### #################################### Role-based Access Control ###########
[rbac] [rbac]
;permission_cache = true ;permission_cache = true

24
docs/sources/setup-grafana/configure-grafana/_index.md
View File

@ -1117,6 +1117,30 @@ The client ID to use for user-assigned managed identity.
Should be set for user-assigned identity and should be empty for system-assigned identity. Should be set for user-assigned identity and should be empty for system-assigned identity.
### user_identity_enabled
Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources that support it (requires AAD authentication).
Disabled by default, needs to be explicitly enabled.
### user_identity_token_url
Override token URL for Azure Active Directory.
By default is the same as token URL configured for AAD authentication settings.
### user_identity_client_id
Override ADD application ID which would be used to exchange users token to an access token for the datasource.
By default is the same as used in AAD authentication or can be set to another application (for OBO flow).
### user_identity_client_secret
Override the AAD application client secret.
By default is the same as used in AAD authentication or can be set to another application (for OBO flow).
## [auth.jwt] ## [auth.jwt]
Refer to [JWT authentication]({{< relref "../configure-security/configure-authentication/jwt/" >}}) for more information. Refer to [JWT authentication]({{< relref "../configure-security/configure-authentication/jwt/" >}}) for more information.

2
go.mod
View File

@ -60,7 +60,7 @@ require (
github.com/gorilla/websocket v1.5.0 github.com/gorilla/websocket v1.5.0
github.com/grafana/alerting v0.0.0-20230428095912-33c5aa68a5ba github.com/grafana/alerting v0.0.0-20230428095912-33c5aa68a5ba
github.com/grafana/grafana-aws-sdk v0.15.0 github.com/grafana/grafana-aws-sdk v0.15.0
github.com/grafana/grafana-azure-sdk-go v1.6.0 github.com/grafana/grafana-azure-sdk-go v1.7.0
github.com/grafana/grafana-plugin-sdk-go v0.160.0 github.com/grafana/grafana-plugin-sdk-go v0.160.0
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
github.com/hashicorp/go-hclog v1.5.0 github.com/hashicorp/go-hclog v1.5.0

4
go.sum
View File

@ -1054,8 +1054,8 @@ github.com/grafana/go-mssqldb v0.9.2 h1:FkyRJR4ywsT07iMtpFMHStrl8uuNkGIwp253Fee0
github.com/grafana/go-mssqldb v0.9.2/go.mod h1:HTCsUqZdb7oIO7jc37YauiSB5C3P/13AnpctVWBhlus= github.com/grafana/go-mssqldb v0.9.2/go.mod h1:HTCsUqZdb7oIO7jc37YauiSB5C3P/13AnpctVWBhlus=
github.com/grafana/grafana-aws-sdk v0.15.0 h1:ZOPHQcC5NUFi1bLTwnju91G0KmGh1z+qXOKj9nDfxNs= github.com/grafana/grafana-aws-sdk v0.15.0 h1:ZOPHQcC5NUFi1bLTwnju91G0KmGh1z+qXOKj9nDfxNs=
github.com/grafana/grafana-aws-sdk v0.15.0/go.mod h1:rCXLYoMpPqF90U7XqgVJ1HIAopFVF0bB3SXBVEJIm3I= github.com/grafana/grafana-aws-sdk v0.15.0/go.mod h1:rCXLYoMpPqF90U7XqgVJ1HIAopFVF0bB3SXBVEJIm3I=
github.com/grafana/grafana-azure-sdk-go v1.6.0 h1:lxvH/mVY7gKBtJKhZ4B/6tIZFY7Jth97HxBA38olaxs= github.com/grafana/grafana-azure-sdk-go v1.7.0 h1:2EAPwNl/qsDMHwKjlzaHif+H+bHcF1W7sM8/jAcxVcI=
github.com/grafana/grafana-azure-sdk-go v1.6.0/go.mod h1:X4PdEQIYgHfn0KTa2ZTKvufhNz6jbCEKUQPZIlcyOGw= github.com/grafana/grafana-azure-sdk-go v1.7.0/go.mod h1:X4PdEQIYgHfn0KTa2ZTKvufhNz6jbCEKUQPZIlcyOGw=
github.com/grafana/grafana-google-sdk-go v0.1.0 h1:LKGY8z2DSxKjYfr2flZsWgTRTZ6HGQbTqewE3JvRaNA= github.com/grafana/grafana-google-sdk-go v0.1.0 h1:LKGY8z2DSxKjYfr2flZsWgTRTZ6HGQbTqewE3JvRaNA=
github.com/grafana/grafana-google-sdk-go v0.1.0/go.mod h1:Vo2TKWfDVmNTELBUM+3lkrZvFtBws0qSZdXhQxRdJrE= github.com/grafana/grafana-google-sdk-go v0.1.0/go.mod h1:Vo2TKWfDVmNTELBUM+3lkrZvFtBws0qSZdXhQxRdJrE=
github.com/grafana/grafana-plugin-sdk-go v0.94.0/go.mod h1:3VXz4nCv6wH5SfgB3mlW39s+c+LetqSCjFj7xxPC5+M= github.com/grafana/grafana-plugin-sdk-go v0.94.0/go.mod h1:3VXz4nCv6wH5SfgB3mlW39s+c+LetqSCjFj7xxPC5+M=

2
packages/grafana-runtime/src/config.ts
View File

@ -21,6 +21,7 @@ import {
export interface AzureSettings { export interface AzureSettings {
cloud?: string; cloud?: string;
managedIdentityEnabled: boolean; managedIdentityEnabled: boolean;
userIdentityEnabled: boolean;
} }
export type AppPluginConfig = { export type AppPluginConfig = {
@ -121,6 +122,7 @@ export class GrafanaBootConfig implements GrafanaConfig {
awsAssumeRoleEnabled = false; awsAssumeRoleEnabled = false;
azure: AzureSettings = { azure: AzureSettings = {
managedIdentityEnabled: false, managedIdentityEnabled: false,
userIdentityEnabled: false,
}; };
caching = { caching = {
enabled: false, enabled: false,

1
pkg/api/dtos/frontend_settings.go
View File

@ -46,6 +46,7 @@ type FrontendSettingsLicenseInfoDTO struct {
type FrontendSettingsAzureDTO struct { type FrontendSettingsAzureDTO struct {
Cloud string `json:"cloud"` Cloud string `json:"cloud"`
ManagedIdentityEnabled bool `json:"managedIdentityEnabled"` ManagedIdentityEnabled bool `json:"managedIdentityEnabled"`
UserIdentityEnabled bool `json:"userIdentityEnabled"`
} }
type FrontendSettingsCachingDTO struct { type FrontendSettingsCachingDTO struct {

1
pkg/api/frontendsettings.go
View File

@ -198,6 +198,7 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro
Azure: dtos.FrontendSettingsAzureDTO{ Azure: dtos.FrontendSettingsAzureDTO{
Cloud: hs.Cfg.Azure.Cloud, Cloud: hs.Cfg.Azure.Cloud,
ManagedIdentityEnabled: hs.Cfg.Azure.ManagedIdentityEnabled, ManagedIdentityEnabled: hs.Cfg.Azure.ManagedIdentityEnabled,
UserIdentityEnabled: hs.Cfg.Azure.UserIdentityEnabled,
}, },
Caching: dtos.FrontendSettingsCachingDTO{ Caching: dtos.FrontendSettingsCachingDTO{

2
pkg/api/pluginproxy/token_provider_azure.go
View File

@ -20,7 +20,7 @@ type azureAccessTokenProvider struct {
func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JWTTokenAuth) (*azureAccessTokenProvider, error) { func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JWTTokenAuth) (*azureAccessTokenProvider, error) {
credentials := getAzureCredentials(cfg.Azure, authParams) credentials := getAzureCredentials(cfg.Azure, authParams)
tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials) tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials, false)
if err != nil { if err != nil {
return nil, err return nil, err
} }

34
pkg/setting/setting_azure.go
View File

@ -1,6 +1,8 @@
package setting package setting
import "github.com/grafana/grafana-azure-sdk-go/azsettings" import (
"github.com/grafana/grafana-azure-sdk-go/azsettings"
)
func (cfg *Cfg) readAzureSettings() { func (cfg *Cfg) readAzureSettings() {
azureSettings := &azsettings.AzureSettings{} azureSettings := &azsettings.AzureSettings{}
@ -11,9 +13,37 @@ func (cfg *Cfg) readAzureSettings() {
cloudName := azureSection.Key("cloud").MustString(azsettings.AzurePublic) cloudName := azureSection.Key("cloud").MustString(azsettings.AzurePublic)
azureSettings.Cloud = azsettings.NormalizeAzureCloud(cloudName) azureSettings.Cloud = azsettings.NormalizeAzureCloud(cloudName)
// Managed Identity // Managed Identity authentication
azureSettings.ManagedIdentityEnabled = azureSection.Key("managed_identity_enabled").MustBool(false) azureSettings.ManagedIdentityEnabled = azureSection.Key("managed_identity_enabled").MustBool(false)
azureSettings.ManagedIdentityClientId = azureSection.Key("managed_identity_client_id").String() azureSettings.ManagedIdentityClientId = azureSection.Key("managed_identity_client_id").String()
// User Identity authentication
if azureSection.Key("user_identity_enabled").MustBool(false) {
azureSettings.UserIdentityEnabled = true
tokenEndpointSettings := &azsettings.TokenEndpointSettings{}
// Get token endpoint from Azure AD settings if enabled
azureAdSection := cfg.Raw.Section("auth.azuread")
if azureAdSection.Key("enabled").MustBool(false) {
tokenEndpointSettings.TokenUrl = azureAdSection.Key("token_url").String()
tokenEndpointSettings.ClientId = azureAdSection.Key("client_id").String()
tokenEndpointSettings.ClientSecret = azureAdSection.Key("client_secret").String()
}
// Override individual settings
if val := azureSection.Key("user_identity_token_url").String(); val != "" {
tokenEndpointSettings.TokenUrl = val
}
if val := azureSection.Key("user_identity_client_id").String(); val != "" {
tokenEndpointSettings.ClientId = val
tokenEndpointSettings.ClientSecret = ""
}
if val := azureSection.Key("user_identity_client_secret").String(); val != "" {
tokenEndpointSettings.ClientSecret = val
}
azureSettings.UserIdentityTokenEndpoint = tokenEndpointSettings
}
cfg.Azure = azureSettings cfg.Azure = azureSettings
} }

152
pkg/setting/setting_azure_test.go
View File

@ -63,4 +63,156 @@ func TestAzureSettings(t *testing.T) {
}) })
} }
}) })
t.Run("User Identity", func(t *testing.T) {
t.Run("should be disabled by default", func(t *testing.T) {
cfg := NewCfg()
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
assert.False(t, cfg.Azure.UserIdentityEnabled)
})
t.Run("should be enabled", func(t *testing.T) {
cfg := NewCfg()
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
})
t.Run("should use token endpoint from Azure AD if enabled", func(t *testing.T) {
cfg := NewCfg()
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
require.NoError(t, err)
_, err = azureAdSection.NewKey("enabled", "true")
require.NoError(t, err)
_, err = azureAdSection.NewKey("token_url", "URL_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_id", "ID_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
require.NoError(t, err)
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
assert.Equal(t, "URL_1", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
assert.Equal(t, "ID_1", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
assert.Equal(t, "SECRET_1", cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
})
t.Run("should not use token endpoint from Azure AD if not enabled", func(t *testing.T) {
cfg := NewCfg()
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
require.NoError(t, err)
_, err = azureAdSection.NewKey("enabled", "false")
require.NoError(t, err)
_, err = azureAdSection.NewKey("token_url", "URL_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_id", "ID_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
require.NoError(t, err)
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientId)
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
})
t.Run("should override Azure AD settings", func(t *testing.T) {
cfg := NewCfg()
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
require.NoError(t, err)
_, err = azureAdSection.NewKey("enabled", "true")
require.NoError(t, err)
_, err = azureAdSection.NewKey("token_url", "URL_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_id", "ID_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
require.NoError(t, err)
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_token_url", "URL_2")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_client_id", "ID_2")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_client_secret", "SECRET_2")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
assert.Equal(t, "URL_2", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
assert.Equal(t, "SECRET_2", cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
})
t.Run("should not use secret from Azure AD if client ID overridden", func(t *testing.T) {
cfg := NewCfg()
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
require.NoError(t, err)
_, err = azureAdSection.NewKey("enabled", "true")
require.NoError(t, err)
_, err = azureAdSection.NewKey("token_url", "URL_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_id", "ID_1")
require.NoError(t, err)
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
require.NoError(t, err)
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_token_url", "URL_2")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_client_id", "ID_2")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
assert.Equal(t, "URL_2", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
})
})
} }