public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
659a01903e3bf6963da17029cd2b4304f5554bd7
grafana/devenv/docker/blocks/auth/jwt_proxy/readme.md
Jo 5f6f1a7d07 Devenv: Update to keycloak 20 (#61174) 
update to keycloak 20
2023-01-10 16:50:53 +01:00

118 lines
3.6 KiB
Markdown
Raw Blame History

# JWT PROXY BLOCK
## Devenv setup jwt auth
To launch the block, use the oauth source. Ex:
```bash
make devenv sources="auth/jwt_proxy"
```
Here is the conf you need to add to your configuration file (conf/custom.ini):
```ini
[auth]
signout_redirect_url = http://env.grafana.local:8088/oauth2/sign_out
[auth.jwt]
enabled = true
header_name = X-Forwarded-Access-Token
username_claim = login
email_claim = email
jwk_set_file = devenv/docker/blocks/auth/oauth/jwks.json
cache_ttl = 60m
expect_claims = {"iss": "http://env.grafana.local:8087/realms/grafana", "azp": "grafana-oauth"}
auto_sign_up = true
role_attribute_path = contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
role_attribute_strict = false
allow_assign_grafana_admin = true
```
Add *env.grafana.local* to /etc/hosts (Mac/Linux) or C:\Windows\System32\drivers\etc\hosts (Windows):
```ini
127.0.0.1 env.grafana.local
::1 env.grafana.local
```
Access Grafana through:
```sh
http://env.grafana.local:8088
```
## Devenv setup jwt auth iframe embedding
- Add previous configuration and next snippet to grafana.ini
```ini
[security]
allow_embedding = true
```
- Create dashboard and copy UID
- Clone [https://github.com/grafana/grafana-iframe-oauth-sample](https://github.com/grafana/grafana-iframe-oauth-sample)
- Change the dashboard URL in `grafana-iframe-oauth-sample/src/pages/restricted.tsx` to use the dashboard you created (keep URL query values)
- Start sample app from the `grafana-iframe-oauth-sample` folder with: `yarn start`
- Navigate to [http://localhost:4200](http://localhost:4200) and press restricted area
Note: You may need to grant the JWT user in grafana access to the datasources and the dashboard
## Backing up keycloak DB
In case you want to make changes to the devenv setup, you can dump keycloak's DB:
```bash
cd devenv;
docker-compose exec -T oauthkeycloakdb bash -c "pg_dump -U keycloak keycloak" > docker/blocks/auth/jwt_proxy/cloak.sql
```
## Connecting to keycloak:
- keycloak admin: http://localhost:8087
- keycloak admin login: admin:admin
- grafana jwt viewer login: jwt-viewer:grafana
- grafana jwt editor login: jwt-editor:grafana
- grafana jwt admin login: jwt-admin:grafana
# Troubleshooting
## Mac M1 Users
The new arm64 architecture does not build for the latest docker image of keycloak. Refer to https://github.com/docker/for-mac/issues/5310 for the issue to see if it resolved.
Until then you need to build the docker image locally and then run `devenv`.
1. Remove any lingering keycloak image
```sh
$ docker rmi $(docker images | grep 'keycloak')
```
1. Build keycloak image locally
```sh
$ ./docker-build-keycloak-m1-image.sh
```
1. Start from beginning of this readme
## Docker for Windows Users
### Docker for Windows with WSL 2
Port forwarding needs to be set up between the WSL 2 VM (which runs Grafana, in my case it is Ubuntu) and the host system. (https://docs.microsoft.com/en-us/windows/wsl/networking)
Run the following commands from an elevated PowerShell prompt:
1. Change the default WSL 2 distribution if necessary
```powershell
wsl --list # Find the default
wsl -s Ubuntu # Change the default
```
2. Open port 3000 between the Windows host and the WSL 2 VM
```powershell
$hostAddr = '0.0.0.0';
$wslHostAddr = wsl hostname -I;
iex "netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=$hostAddr"
iex "netsh interface portproxy add v4tov4 listenport=3000 listenaddress=$hostAddr connectport=3000 connectaddress=$wslHostAddr"
```
Tested on Win 11 Home, Ubuntu and Docker for Windows v4.11.1 (84025).
Reference in New Issue View Git Blame Copy Permalink