Grafana integration guide

Adding the application

Under Resource Management / Application Management, create a new OAuth2 application. For the redirect URL, enter Grafana's OAuth authentication callback address; by default this is: http://xxx.com:3000/login/generic_oauth


app-id and app-key

After saving, the application is created and 赛赋 IDaaS generates the appid and appkey for it.

OAuth2 configuration in Grafana

Open the Grafana configuration file for editing:

vi /etc/grafana/grafana.ini

Find the [server] section and set the domain name that Grafana is accessed through:

#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
;protocol = http

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
;http_port = 3000

# The public facing domain name used to access grafana from a browser
# (replace with your own domain name)
domain = t.cipherchina.com

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
;root_url = %(protocol)s://%(domain)s:%(http_port)s/

# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
;cert_file =
;cert_key =

# Unix socket path
;socket =
########################################################################

Find the [auth.generic_oauth] section and edit it as follows:

  1. When enabled = true, OAuth authorization login is turned on for the OAuth application.
  2. When allow_sign_up = true, if the account returned by 赛赋 IDaaS after successful authentication does not exist in Grafana, Grafana creates a new account for it. Accounts created this way have only the lowest privilege level.
  3. client_id and client_secret are the appid and appkey that 赛赋 IDaaS generated when the Grafana application was created.
  4. Configure the OAuth endpoints of the unified identity platform, for example:
    • auth_url, the authorization request endpoint: http://idaas-address:8645/iam/oauth/authorize
    • token_url, the token request endpoint: http://idaas-address:8645/iam/oauth/access_token
    • api_url, the user information endpoint: http://idaas-address:8645/iam/oauth/user
  5. allowed_domains, optional.
    • If it is not set, users of all types may log in via OAuth.
    • If allowed_domains is set, use the domain of the IDaaS service. Once this setting takes effect, Grafana only allows accounts whose e-mail address suffix matches that domain to log in via OAuth.

#################################### Generic OAuth ##########################
[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = ciphertestid
client_secret = ciphertest
scopes = user:email,read:org
email_attribute_name = email:primary
;email_attribute_path =
auth_url = http://idaas.cipherchina.com:8645/iam/oauth/authorize
token_url = http://idaas.cipherchina.com:8645/iam/oauth/access_token
api_url = http://idaas.cipherchina.com:8645/iam/oauth/user
allowed_domains = cipherchina.com
;team_ids =
;allowed_organizations =
;role_attribute_path =
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
#################################### SAML Auth ###########################
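As an added check (not part of this guide, of 赛赋 IDaaS, or of Grafana), the following Python script parses a constructed copy of the [auth.generic_oauth] block above with the standard-library configparser and reports the settings that decide who can log in and how the IdP exchange is protected: an empty client_id or client_secret, endpoints that are not absolute URLs or use plain http, allow_sign_up = true without allowed_domains, and tls_skip_verify_insecure = true. The sample text and the finding messages are constructed for this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample modelled on the [auth.generic_oauth] block in this guide; not a live deployment.
SAMPLE_INI = """
[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = ciphertestid
client_secret = ciphertest
scopes = user:email,read:org
email_attribute_name = email:primary
auth_url = http://idaas.cipherchina.com:8645/iam/oauth/authorize
token_url = http://idaas.cipherchina.com:8645/iam/oauth/access_token
api_url = http://idaas.cipherchina.com:8645/iam/oauth/user
allowed_domains = cipherchina.com
;tls_skip_verify_insecure = false
"""

def check_generic_oauth(ini_text):
    """Parse grafana.ini text and return a list of findings for [auth.generic_oauth]."""
    # grafana.ini uses ';' and '#' line comments and %(name)s references, so disable interpolation
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"))
    cp.read_string(ini_text)
    if not cp.has_section("auth.generic_oauth"):
        return ["missing [auth.generic_oauth] section"]
    s = cp["auth.generic_oauth"]
    findings = []
    if s.get("enabled", "false").lower() != "true":
        findings.append("enabled is not true: OAuth login is off")
    for key in ("client_id", "client_secret"):
        if not s.get(key, "").strip():
            findings.append(f"{key} is empty")
    # The three IdP endpoints must be absolute URLs; plain http exposes codes and tokens on the wire
    for key in ("auth_url", "token_url", "api_url"):
        url = s.get(key, "")
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.netloc:
            findings.append(f"{key} is not a valid URL: {url!r}")
        elif p.scheme == "http":
            findings.append(f"{key} uses plain http")
    # Auto-created accounts get the lowest role, but without allowed_domains any IdP account is accepted
    if s.get("allow_sign_up", "false").lower() == "true" and not s.get("allowed_domains", "").strip():
        findings.append("allow_sign_up=true without allowed_domains")
    if s.get("tls_skip_verify_insecure", "false").lower() == "true":
        findings.append("tls_skip_verify_insecure=true disables certificate checks toward the IdP")
    return findings
```

To check a real deployment, pass the contents of /etc/grafana/grafana.ini to check_generic_oauth; for the sample above it reports only that the three endpoints use plain http.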

(It is recommended to back up the original configuration file before editing it.) Once the configuration file has been edited, restart the Grafana service:

systemctl stop grafana-server
systemctl start grafana-server
systemctl status grafana-server

After the restart, open the console; under Settings you should see the configuration values entered above.


https://v.qq.com/x/page/b0940v8szav.html
