IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-26 02:40:26 -06:00
Code Issues Packages Projects Releases Wiki Activity
dc9ec7dc91
grafana/docs/sources/auth/overview.md
Sofia Papagiannaki dc9ec7dc91
Auth: Allow expiration of API keys (#17678) 
* Modify backend to allow expiration of API Keys

* Add middleware test for expired api keys

* Modify frontend to enable expiration of API Keys

* Fix frontend tests

* Fix migration and add index for `expires` field

* Add api key tests for database access

* Substitude time.Now() by a mock for test usage

* Front-end modifications

* Change input label to `Time to live`
* Change input behavior to comply with the other similar
* Add tooltip

* Modify AddApiKey api call response

Expiration should be *time.Time instead of string

* Present expiration date in the selected timezone

* Use kbn for transforming intervals to seconds

* Use `assert` library for tests

* Frontend fixes

Add checks for empty/undefined/null values

* Change expires column from datetime to integer

* Restrict api key duration input

It should be interval not number

* AddApiKey must complain if SecondsToLive is negative

* Declare ErrInvalidApiKeyExpiration

* Move configuration to auth section

* Update docs

* Eliminate alias for models in modified files

* Omit expiration from api response if empty

* Eliminate Goconvey from test file

* Fix test

Do not sleep, use mocked timeNow() instead

* Remove index for expires from api_key table

The index should be anyway on both org_id and expires fields.
However this commit eliminates completely the index for now
since not many rows are expected to be in this table.

* Use getTimeZone function

* Minor change in api key listing

The frontend should display a message instead of empty string
if the key does not expire.
2019-06-26 09:47:03 +03:00

4.1 KiB
Raw Blame History

+++ title = "Overview" description = "Overview for auth" type = "docs" [menu.docs] name = "Overview" identifier = "overview-auth" parent = "authentication" weight = 1 +++

User Authentication Overview

Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions and org memberships.

OAuth Integrations

  • [Google OAuth]({{< relref "auth/google.md" >}})
  • [GitHub OAuth]({{< relref "auth/github.md" >}})
  • [Gitlab OAuth]({{< relref "auth/gitlab.md" >}})
  • [Generic OAuth]({{< relref "auth/generic-oauth.md" >}}) (Okta2, BitBucket, Azure, OneLogin, Auth0)

LDAP integrations

  • [LDAP Authentication]({{< relref "auth/ldap.md" >}}) (OpenLDAP, ActiveDirectory, etc)

Auth proxy

  • [Auth Proxy]({{< relref "auth/auth-proxy.md" >}}) If you want to handle authentication outside Grafana using a reverse proxy.

Grafana Auth

Grafana of course has a built in user authentication system with password authentication enabled by default. You can disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth provider (listed above). There is also options for allowing self sign up.

Login and short-lived tokens

The following applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.

Grafana are using short-lived tokens as a mechanism for verifying authenticated users. These short-lived tokens are rotated each token_rotation_interval_minutes for an active authenticated user.

An active authenticated user that gets it token rotated will extend the login_maximum_inactive_lifetime_days time from "now" that Grafana will remember the user. This means that a user can close its browser and come back before now + login_maximum_inactive_lifetime_days and still being authenticated. This is true as long as the time since user login is less than login_maximum_lifetime_days.

Example:

[auth]

# Login cookie name
login_cookie_name = grafana_session

# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days.
login_maximum_inactive_lifetime_days = 7

# The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days.
login_maximum_lifetime_days = 30

# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
token_rotation_interval_minutes = 10

# The maximum lifetime (seconds) an api key can be used. If it is set all the api keys should have limited lifetime that is lower than this value.
api_key_max_seconds_to_live = -1

Anonymous authentication

You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.

Example:

[auth.anonymous]
enabled = true

# Organization name that should be used for unauthenticated users
org_name = Main Org.

# Role for unauthenticated users, other valid values are `Editor` and `Admin`
org_role = Viewer

If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.

Basic authentication

Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP authentication integration.

To disable basic auth:

[auth.basic]
enabled = false

Disable login form

You can hide the Grafana login form using the below configuration settings.

[auth]
disable_login_form = true

Automatic OAuth login

Set to true to attempt login with OAuth automatically, skipping the login screen. This setting is ignored if multiple OAuth providers are configured. Defaults to false.

[auth]
oauth_auto_login = true

Hide sign-out menu

Set to the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.

[auth]
disable_signout_menu = true

URL redirect after signing out

URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from oauth provider.

[auth]
signout_redirect_url =