
You're reading from Learn Grafana 7.0

Product type: Book
Published in: Jun 2020
Publisher: Packt
ISBN-13: 9781838826581
Edition: 1st Edition
Author (1)
Eric Salituro

Eric Salituro is currently a Software Engineering Manager with the Enterprise Data and Analytics Platform team at Zendesk. He has an IT career spanning over 30 years, over 20 of which were in the motion picture industry working as a pipeline technical director and software developer for innovative and creative studios like DreamWorks, Digital Domain, and Pixar. Before moving to Zendesk, he worked at Pixar helping to manage and maintain their production render farm as a Senior Software Developer. Among his accomplishments there was the development of a Python API toolkit for Grafana aimed at streamlining the creation of rendering metrics dashboards.

Authentication with External Services

In the previous chapter, when delving into the management of users and teams, we briefly examined the options for adding and authenticating users. We also looked at how Grafana can group user memberships into teams, allowing more granular control over permissions to resources such as dashboards, panels, and data sources. Now, out of the box, Grafana provides a very straightforward authentication scheme based on authenticating against a user/password pair. New users can either be created under this scheme or they can add themselves (with a minor configuration change). Grafana provides more than a couple of variations on this mechanism, with varying levels of complexity and security.

However, the use of these methodologies is not considered ideal. In many corporate environments, user access must be strictly tracked and integrated with numerous systems, including administration and the...

Technical requirements

Authenticating with OpenLDAP

Let's start off with one of the more venerable authentication schemes available today: Lightweight Directory Access Protocol (LDAP). LDAP was originally developed in the early 1990s. While it is often used to store user information for authentication purposes, it also can serve all kinds of directory information, including user groups, hostnames, network addresses, and even office addresses and phone numbers.

In this section, we'll set up a simple directory using the OpenLDAP implementation and configure Grafana to bind to the OpenLDAP server to look up users and teams. This process can be a little bit complicated, but we'll go through it step by step. It is beyond the scope of this book to go through the details of setting up and maintaining a production LDAP directory, but I will endeavor to explain things in some detail as we go along. If you are at all looking to integrate your Grafana server with an existing LDAP installation...

Authenticating with GitHub

From our local LDAP authentication, we move on to three examples that all use the OAuth 2 authentication standard. It is beyond the scope of this book to go into detail about the OAuth 2 standard, but suffice to say it represents one of the most popular industry standards for application authentication. In order to use OAuth 2 to provide Grafana authentication, rather than running our own lookup service, we will leverage external providers. We will look at three different popular services, each providing similar setup techniques but serving slightly different audiences:

  • We'll first look at Grafana authentication via GitHub, a common site for organizations working in the software space.
  • Next, we'll look at authentication via Google, a provider common with many enterprises that depend on Google for office applications, such as Gmail and the G Suite of tools.
  • Finally, we'll look at authentication with...

Authenticating with Google

Moving on from GitHub, let's take a look at Google OAuth 2. Google has a much more elaborate system, but if your Grafana users are part of your G Suite account, this is a good way to provide them with access. After some initial steps involving the configuration of an authentication consent page, getting a client ID and client secret is simple:

  1. Go to https://console.developers.google.com/apis/credentials.
  2. Create a project if you don't already have one. For our example, we'll call it grafana. Once you've created the project, you'll be returned to the Credentials page.
  3. Select + Create Credentials | OAuth client ID.
  4. You'll be required to fill out an OAuth consent page. However, since this is an internal application, you only need...

Authenticating with Okta

Okta is a well-known authentication provider for the enterprise and is newly supported in Grafana 7. The process is very similar to Google, but only requires the registration of your application with Okta in order to generate the client ID and secret. You'll need to sign up for a developer account in order to generate the appropriate secrets. Once you've logged in to your developer account, follow these instructions:

  1. Select Developer Console | Applications | Add Application.
  2. Select Web and Next.
  3. On the Application Settings page, fill in the following fields and click Done:
     • Name: Grafana
     • Base URIs: http://localhost:3000
     • Login Redirect URIs: http://localhost:3000/login/okta
  4. On the next page, under the General Settings tab, you'll find a Client Credentials...
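
The Login Redirect URI registered in step 3 has to match the callback Grafana actually sends, and the same holds for the GitHub and Google registrations. The following is an added example, not code from the book or from Grafana: it audits a grafana.ini for that match, for a plaintext callback on a non-loopback host, and for sign-up left open with no allow-list. The section and key names are those of Grafana's configuration file rather than of this excerpt, and the hostname, client ID and registered URI set are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Keys that narrow who may log in, per provider section of grafana.ini.
RESTRICT = {
    "github": ("allowed_organizations", "team_ids"),
    "google": ("allowed_domains",),
    "okta": ("allowed_domains", "allowed_groups"),
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_oauth(ini_text, registered):
    """Return (provider, finding) pairs; registered maps provider -> redirect URIs."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    root = cfg.get("server", "root_url", fallback="http://localhost:3000/")
    findings = []
    for provider, keys in RESTRICT.items():
        section = "auth." + provider
        if not cfg.getboolean(section, "enabled", fallback=False):
            continue
        # Grafana sends the provider back to <root_url>/login/<provider>.
        callback = root.rstrip("/") + "/login/" + provider
        if callback not in registered.get(provider, ()):
            findings.append((provider, "redirect URI not registered: " + callback))
        url = urlsplit(callback)
        if url.scheme != "https" and url.hostname not in LOOPBACK:
            findings.append((provider, "callback is not HTTPS"))
        # Sign-up defaults to on; with no allow-list, every account the provider accepts gets a user.
        open_signup = cfg.getboolean(section, "allow_sign_up", fallback=True)
        if open_signup and not any(cfg.get(section, k, fallback="").strip() for k in keys):
            findings.append((provider, "allow_sign_up without an allow-list"))
    return findings

# Constructed sample: the book's localhost registration reused behind a real hostname.
SAMPLE_INI = """
[server]
root_url = http://grafana.example.internal:3000/

[auth.okta]
enabled = true
allow_sign_up = true
client_id = CONSTRUCTED_CLIENT_ID
"""
REGISTERED = {"okta": {"http://localhost:3000/login/okta"}}

if __name__ == "__main__":
    for provider, finding in audit_oauth(SAMPLE_INI, REGISTERED):
        print(provider + ": " + finding)
```

The localhost values from the steps above pass cleanly; the findings appear once the same registration is carried over to a server reachable under another hostname.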

Summary

We certainly covered a lot of ground in this chapter. We learned about how to install and configure an OpenLDAP server and integrate it with Grafana to provide authentication lookup. Then, we walked through the process of registering Grafana with three different OAuth 2 providers: GitHub, Google, and Okta. If you want full control of all aspects of user lookup for authentication, then LDAP is certainly a viable solution. If you'd rather have authentication handled securely by a third-party provider, especially if it integrates with other user management systems in your organization, then an external OAuth provider is probably a better solution.

Yet, after all of this, we have only touched on a few of the ever-growing number of authentication options available for Grafana, so consult the Grafana documentation for more details.

In this chapter, we took a small step in integrating Grafana authentication with external cloud services. In the next (and...
