You're reading from Learn Grafana 10.x - Second Edition

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781803231082
Edition: 2nd Edition

Author: Eric Salituro

Eric Salituro is currently a Software Engineering Manager with the Enterprise Data and Analytics Platform team at Zendesk. He has an IT career spanning over 30 years, over 20 of which were in the motion picture industry working as a pipeline technical director and software developer for innovative and creative studios like DreamWorks, Digital Domain, and Pixar. Before moving to Zendesk, he worked at Pixar helping to manage and maintain their production render farm as a Senior Software Developer. Among his accomplishments there was the development of a Python API toolkit for Grafana aimed at streamlining the creation of rendering metrics dashboards.
Authenticating Grafana Logins Using LDAP or OAuth 2 Providers

In the previous chapter, when delving into how to manage users and teams, we briefly examined the options for adding and authenticating users. We also looked at how Grafana can group user memberships into teams, allowing for more granular control over permissions to resources such as dashboards, panels, and data sources. Out of the box, Grafana provides a very straightforward authentication scheme based on a username/password pair. New users can either be created under this scheme or they can add themselves (with a minor configuration change). Grafana provides several variations of this mechanism, with varying levels of complexity and security.

However, these mechanisms are rarely ideal. In many corporate environments, user access must be strictly tracked and integrated with numerous systems, including administration and the IT department. Authentication models must...

Authenticating with OpenLDAP

Let’s start with one of the more venerable authentication schemes available today: Lightweight Directory Access Protocol (LDAP), originally developed in the early 1990s. While it is often used to store user information for authentication purposes, it can also serve all kinds of directory information, including user groups, hostnames, network addresses, and even office addresses and phone numbers.

In this section, we’ll set up a simple directory using the OpenLDAP implementation and configure Grafana to bind to the OpenLDAP server to look up users and teams. This process can be a little bit complicated, but we’ll go through it step by step. It is beyond the scope of this book to go through the details of setting up and maintaining a production LDAP directory, but I will endeavor to explain things in some detail as we go along. If you are looking to integrate your Grafana server with an existing LDAP installation, this should give...

Setting up an OpenLDAP server

We will use Docker Compose to download an image of the OpenLDAP implementation of LDAP, which is available from osixia. Information about how to work with this Docker image can be found on GitHub at https://github.com/osixia/docker-openldap. Our Docker Compose file will ultimately contain two services: one for LDAP and the other for Grafana. The full docker-compose.yml file is available in this book’s GitHub repository in the Chapter16 directory.

Here’s the first part of the LDAP service:

  ldap:
    image: osixia/openldap

Here, we’re just downloading the image from osixia. Once we have downloaded the image, we’ll need to open port 389. If you enable support for Transport Layer Security (TLS) connections, you’ll need to open port 636. For demonstration purposes, we’ll connect to our LDAP server over an unsecured connection:

       ports...
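Grafana's side of this connection lives in ldap.toml, where the port choice above shows up again as the use_ssl and start_tls keys. The following added example (my code, not the book's; the ldap.toml it reads is a constructed sample mirroring the unsecured port-389 setup, and parse_servers is a deliberately tiny subset parser) lists what that choice exposes, so the "demonstration only" configuration is caught before it reaches a real directory.

```python
import re

# Constructed sample ldap.toml matching the unsecured port-389 setup in the text.
SAMPLE_LDAP_TOML = """
[[servers]]
host = "ldap"
port = 389
use_ssl = false
start_tls = false
bind_dn = "cn=admin,dc=example,dc=org"
bind_password = "admin"
search_filter = "(cn=%s)"
search_base_dns = ["dc=example,dc=org"]
[servers.attributes]
username = "cn"
"""

def parse_servers(toml_text):
    """Tiny subset parser: flat keys of each [[servers]] table, sub-tables skipped."""
    servers, current = [], None
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[[servers]]":
            current = {}
            servers.append(current)
        elif line.startswith("["):
            current = None  # [servers.attributes] etc.: ignore until next [[servers]]
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value in ("true", "false"):
                current[key] = value == "true"
            elif value.startswith("["):
                current[key] = re.findall(r'"([^"]*)"', value)
            elif value.startswith('"'):
                current[key] = value.strip('"')
            else:
                current[key] = int(value)
    return servers

def audit_server(server):
    """Return findings about how Grafana will talk to this LDAP server."""
    findings = []
    port = server.get("port", 389)
    if not server.get("use_ssl") and not server.get("start_tls"):
        findings.append(f"cleartext bind on port {port}: bind_password and user passwords cross the network unencrypted; set use_ssl (636) or start_tls (389)")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify = true disables certificate validation")
    if server.get("bind_dn", "").lower().startswith("cn=admin,"):
        findings.append("bind_dn is the directory admin; bind with a read-only service account instead")
    return findings
```

Run audit_server over each entry returned by parse_servers on your real ldap.toml; an empty list means the transport and bind account pass these checks.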

Authenticating with OAuth 2

Now that we’ve covered our local LDAP authentication, we’ll cover three examples that all use the OAuth 2 authentication standard. It is beyond the scope of this book to go into detail about the OAuth 2 standard, but suffice it to say that it represents one of the most popular industry standards for application authentication. To use OAuth 2 to provide Grafana authentication, rather than running a lookup service, we will leverage external providers. We will look at three different popular services, each providing similar setup techniques but serving slightly different audiences.

In each case, we’ll go through the typical workflow for registering the Grafana application to secure a known key, then configuring Grafana to use the key to perform the necessary trusted authentication after a user has logged into a provider account.

Without going into the specifics, the process for each implementation of OAuth 2 is relatively consistent:

    ...

Authenticating with Okta

Okta is a well-known authentication provider for enterprises. The process is very similar to the one for Google, but it only requires you to register your application with Okta to generate a client ID and secret. To generate the appropriate secrets, you’ll need to sign up for a developer account. Once you’ve logged into your Okta developer account, follow these instructions:

  1. From the Dashboard area, open Applications, select Applications, and click on Create App Integration:

Figure 16.15 – Okta – the Applications menu

  2. Select OIDC – OpenID Connect for Sign-in method and Web Application for Application type, then click Next:

Figure 16.16 – New app integration settings

  3. On the New Web App Integration form, under General Settings, fill in the following fields and click Done:
    • App integration name: Grafana
    • Sign-in redirect URIs: http://localhost:3000/login...
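The values registered in Okta and the [auth.okta] block in grafana.ini have to agree, and the secret Okta hands back should not end up in plaintext in the config file. The following added example (my code, not the book's; the grafana.ini is a constructed sample with placeholder tenant host and client_id, and /login/okta is Grafana's documented callback path for the Okta provider) cross-checks the two before you restart Grafana.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample grafana.ini; the tenant host and client_id are placeholders.
SAMPLE_GRAFANA_INI = """
[server]
root_url = http://localhost:3000/

[auth.okta]
enabled = true
name = Okta
allow_sign_up = true
client_id = 0oa-placeholder-client-id
client_secret = $__env{OKTA_CLIENT_SECRET}
scopes = openid profile email groups
auth_url = https://dev-000000.okta.com/oauth2/v1/authorize
token_url = https://dev-000000.okta.com/oauth2/v1/token
api_url = https://dev-000000.okta.com/oauth2/v1/userinfo
"""

def audit_okta(ini_text, registered_redirect_uris):
    """Compare Grafana's [auth.okta] block with what was registered in Okta
    and return a list of findings (empty means the two agree)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.getboolean("auth.okta", "enabled", fallback=False):
        return ["[auth.okta] is not enabled"]
    okta = cfg["auth.okta"]
    findings = []
    for key in ("client_id", "client_secret"):
        if not okta.get(key, "").strip():
            findings.append(f"{key} is empty; copy it from the Okta app integration")
    secret = okta.get("client_secret", "")
    if secret and not secret.startswith("$__"):
        findings.append("client_secret is stored in plaintext; use $__env{...} or $__file{...} expansion")
    for key in ("auth_url", "token_url", "api_url"):
        if urlsplit(okta.get(key, "")).scheme != "https":
            findings.append(f"{key} must be an https URL on your Okta tenant")
    # Grafana handles the Okta callback at <root_url>/login/okta; Okta only
    # redirects to URIs registered on the app integration.
    redirect = cfg.get("server", "root_url", fallback="http://localhost:3000/").rstrip("/") + "/login/okta"
    if redirect not in registered_redirect_uris:
        findings.append(f"Okta app does not list {redirect} as a sign-in redirect URI")
    if urlsplit(redirect).scheme != "https":
        findings.append("root_url is http, so the authorization code returns over an unencrypted callback; use https outside local testing")
    return findings
```

Pass the sign-in redirect URIs exactly as entered on the Okta form; the local demo above yields only the http warning, which is expected on localhost.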

Summary

We certainly covered a lot of ground in this chapter. First, we learned how to install and configure an OpenLDAP server and integrate it with Grafana to provide authentication lookup. Then, we walked through the process of registering Grafana with three different OAuth 2 providers: GitHub, Google, and Okta. If you want full control of all aspects of user lookup for authentication, then LDAP is certainly a viable solution. If you’d rather have authentication handled securely by a third-party provider, especially if it integrates with other user management systems in your organization, then an external OAuth provider is probably a better solution.

Yet, after all of this, we have only touched on a few of the ever-growing number of authentication options available for Grafana, so consult the Grafana documentation for more details.

In this chapter, we took a small step in integrating Grafana authentication with external cloud services. In the next (and final) chapter...
