Access Grafana v5 via token without login screen

By BrettEnergy Monitoring, Internet Of Things, Uncategorized

This works for Grafana v5. Grafana v6 has removed this functionality for security reasons.

This explains how I implemented a previously outlined solution, in a step-by-step fashion. I initially struggled to get this running.   There’s the method that worked.

Overview

The goal is to give someone a unique link, through which they can logon without a password. They would save this as a shortcut to view Grafana as a specific user. This was useful for me in conjunction with IotaWatt and PhiSaver to enable easy viewing of dashboards.

  1.  Setup on AWS, although I think any linux distro would be similar.
  2. Configure grafana to allow auth logins.
  3. Install Ngnix in standard configuration
  4. Edit Ngnix configuration, usually at /etc/nginx/nginx.conf as @nayar describes.
  5. Restart ngnix
  6. Create a url (see below) with a MD5 hash for some mild security
  7. Enter the url to automatically login as the specified user

Configure grafana to allow auth logins

Edit /etc/grafana/grafana.ini:

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false

Create the URL with a shell script

cat makelink.sh

#!/bin/sh
user=$1
expires=$2
root=$3
md5=`echo -n "$expires/$user grafanarocks" | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =`
echo "$root/?user=$1&md5=$md5&expires=$expires"

makelink.sh cooluser 1705386800 http://yourhost.com

http://yourhost.com/?user=cooluser&md5=fF1U10hcs8L6v8_EkuflhQ&expires=1705386800

The 1705386800 refers to a unix epoch timestamp (seconds since 1/1/1970), and is the time the link expires.

Edit Ngnix configuration

Change the secret “grafanarocks” in both the ngnix.conf and the makelink.sh to something different. See details.

server {
        listen 80 default_server;
        server_name _;
        location / {
                set $user "";
                set $state "";
                if ($args ~ "^user=(.+)&md5") {
                    set $user $1;
                    set $state "${state}U";
                }
                secure_link $arg_md5,$arg_expires;
                secure_link_md5 "$secure_link_expires$uri$user GRAFANAFROCKS";
                if ($secure_link = "") {
                    set $state "${state}S1";
                }
                if ($secure_link = "0") {
                    set $state "${state}S2";
                }
                add_header X-uristate "$state";
                proxy_set_header X-user "$user";
                proxy_set_header X-state "${state}";
                proxy_set_header X-arg_md5 "$arg_md5";
                proxy_set_header X-arg_expires "$arg_expires";
                proxy_set_header X-sec_expires "$secure_link_expires";
                proxy_set_header X-uri "$uri";


                if ($state = "US1") { return 403; }
                if ($state = "US2") { return 410; }
                add_header X-uri "$user";
                proxy_set_header X-WEBAUTH-USER $user;
# Pass on to grafana on port 3000
                proxy_pass http://127.0.0.1:3000;
            }
    }

Leave a Reply

Your email address will not be published. Required fields are marked *