Energy MonitoringInternet Of ThingsUncategorized

Access Grafana v5 via token without login screen

This works for Grafana v5. Grafana v6 has removed this functionality for security reasons.

This explains how I implemented a previously outlined solution, in a step-by-step fashion. I initially struggled to get this running.   There’s the method that worked.

Overview

The goal is to give someone a unique link, through which they can logon without a password. They would save this as a shortcut to view Grafana as a specific user. This was useful for me in conjunction with IotaWatt and PhiSaver to enable easy viewing of dashboards.

  1.  Setup on AWS, although I think any linux distro would be similar.
  2. Configure grafana to allow auth logins.
  3. Install Ngnix in standard configuration
  4. Edit Ngnix configuration, usually at /etc/nginx/nginx.conf as @nayar describes.
  5. Restart ngnix
  6. Create a url (see below) with a MD5 hash for some mild security
  7. Enter the url to automatically login as the specified user

Configure grafana to allow auth logins

Edit /etc/grafana/grafana.ini:

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false

Create the URL with a shell script

cat makelink.sh

#!/bin/sh
user=$1
expires=$2
root=$3
md5=`echo -n "$expires/$user grafanarocks" | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =`
echo "$root/?user=$1&md5=$md5&expires=$expires"

makelink.sh cooluser 1705386800 http://yourhost.com

http://yourhost.com/?user=cooluser&md5=fF1U10hcs8L6v8_EkuflhQ&expires=1705386800

The 1705386800 refers to a unix epoch timestamp (seconds since 1/1/1970), and is the time the link expires.

Edit Ngnix configuration

Change the secret “grafanarocks” in both the ngnix.conf and the makelink.sh to something different. See details.

server {
        listen 80 default_server;
        server_name _;
        location / {
                set $user "";
                set $state "";
                if ($args ~ "^user=(.+)&md5") {
                    set $user $1;
                    set $state "${state}U";
                }
                secure_link $arg_md5,$arg_expires;
                secure_link_md5 "$secure_link_expires$uri$user GRAFANAFROCKS";
                if ($secure_link = "") {
                    set $state "${state}S1";
                }
                if ($secure_link = "0") {
                    set $state "${state}S2";
                }
                add_header X-uristate "$state";
                proxy_set_header X-user "$user";
                proxy_set_header X-state "${state}";
                proxy_set_header X-arg_md5 "$arg_md5";
                proxy_set_header X-arg_expires "$arg_expires";
                proxy_set_header X-sec_expires "$secure_link_expires";
                proxy_set_header X-uri "$uri";


                if ($state = "US1") { return 403; }
                if ($state = "US2") { return 410; }
                add_header X-uri "$user";
                proxy_set_header X-WEBAUTH-USER $user;
# Pass on to grafana on port 3000
                proxy_pass http://127.0.0.1:3000;
            }
    }

Leave a Reply

Your email address will not be published. Required fields are marked *