mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00

History

linoman 3f0beee362 Update README build references (#54394 )		2022-08-29 16:36:06 +02:00
..
cloak.sql	Chore: Group auth docker blocks (#54274 )	2022-08-29 08:36:56 +02:00
docker-build-keycloak-m1-image.sh	Chore: Group auth docker blocks (#54274 )	2022-08-29 08:36:56 +02:00
docker-compose.yaml	Chore: Group auth docker blocks (#54274 )	2022-08-29 08:36:56 +02:00
jwks.json	Chore: Group auth docker blocks (#54274 )	2022-08-29 08:36:56 +02:00
readme.md	Update README build references (#54394 )	2022-08-29 16:36:06 +02:00

readme.md

OAUTH BLOCK

Devenv setup jwt auth

To launch the block, use the oauth source. Ex:

make devenv sources="auth/jwt_proxy"

Here is the conf you need to add to your configuration file (conf/custom.ini):

[auth]
signout_redirect_url = http://env.grafana.local:8088/oauth2/sign_out

[auth.jwt]
enabled = true
enable_login_token = true
header_name = X-Forwarded-Access-Token
username_claim = login
email_claim = email
jwk_set_file = devenv/docker/blocks/oauth/jwks.json
cache_ttl = 60m
expected_claims = {"iss": "http://env.grafana.local:8087/auth/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true

Add env.grafana.local to /etc/hosts (Mac/Linux) or C:\Windows\System32\drivers\etc\hosts (Windows):

127.0.0.1   env.grafana.local
::1         env.grafana.local

Access Grafana through:

http://env.grafana.local:8088

Devenv setup jwt auth iframe embedding

Add previous configuration and next snippet to grafana.ini

[security]
allow_embedding = true

Create dashboard and copy UID
Clone https://github.com/grafana/grafana-iframe-oauth-sample
Change the dashboard URL in grafana-iframe-oauth-sample/src/pages/restricted.tsx to use the dashboard you created (keep URL query values)
Start sample app from the grafana-iframe-oauth-sample folder with: yarn start
Navigate to http://localhost:4200 and press restricted area

Note: You may need to grant the JWT user in grafana access to the datasources and the dashboard

Backing up keycloak DB

In case you want to make changes to the devenv setup, you can dump keycloak's DB:

cd devenv;
docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/jwt_proxy/cloak.sql

Connecting to keycloak:

keycloak admin: http://localhost:8087
keycloak admin login: admin:admin
grafana jwt viewer login: jwt-viewer:grafana
grafana jwt editor login: jwt-editor:grafana
grafana jwt admin login: jwt-admin:grafana

Troubleshooting

Mac M1 Users

The new arm64 architecture does not build for the latest docker image of keycloak. Refer to https://github.com/docker/for-mac/issues/5310 for the issue to see if it resolved. Until then you need to build the docker image locally and then run devenv.

Remove any lingering keycloak image

$ docker rmi $(docker images | grep 'keycloak')

Build keycloak image locally

$ ./docker-build-keycloak-m1-image.sh

Start from beginning of this readme

Docker for Windows Users

Docker for Windows with WSL 2

Port forwarding needs to be set up between the WSL 2 VM (which runs Grafana, in my case it is Ubuntu) and the host system. (https://docs.microsoft.com/en-us/windows/wsl/networking)

Run the following commands from an elevated PowerShell prompt:

Change the default WSL 2 distribution if necessary

wsl --list # Find the default
wsl -s Ubuntu # Change the default

Open port 3000 between the Windows host and the WSL 2 VM

$hostAddr = '0.0.0.0';
$wslHostAddr = wsl hostname -I;
iex "netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=$hostAddr"
iex "netsh interface portproxy add v4tov4 listenport=3000 listenaddress=$hostAddr connectport=3000 connectaddress=$wslHostAddr"

Tested on Win 11 Home, Ubuntu and Docker for Windows v4.11.1 (84025).