Use Grafana Service Accounts for pmm-agent authentication

Description

Hi,

Currently a PMM admin has to use a user's credentials (usually just the admin's) in order to connect a new pmm-agent to PMM Server. Even our official documentation uses the admin's credentials in its examples: https://docs.percona.com/percona-monitoring-and-management/setting-up/client/index.html#register.

Such an approach has significant drawbacks:

  • it contradicts OWASP Top 10 "A05:2021 – Security Misconfiguration" https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

  • it is not secure at all to use the admin's credentials for tasks/actions that are not related to administration at all.

  • potential leakage of the admin's credentials.

  • problems after changing the admin's credentials: they must then be changed in every pmm-agent that uses them.

There was an alternative, "Authenticating using API keys", but Grafana now deprecates API keys and provides Service Accounts as the replacement.

So this ticket is dedicated to this topic: consider migrating pmm-agent credentials to Grafana Service Accounts, and use a separate Service Account for each pmm-agent.

Moreover, in the Percona Everest product we need to connect new pmm-agents to PMM Server automatically. Service Accounts suit this task best.

How to test

Testing with existing service account

  1. Create a new service account.

  2. Create a new service token with admin rights for the account you created before.

  3. Save the service token (it looks like: glsa_Fp0ggev31R58ueNJbJgYw7fIGfO3yKWH_746383ab).

  4. Paste the service token into the pmm-agent config, in the password field under the server group. The username should be "service_token".

  5. Connect the pmm-agent to pmm-server and run it.

  6. Everything should work as usual.


Testing without existing service account

  1. Use basic auth in the pmm-agent config.

  2. Connect the pmm-agent to pmm-server and run it.

  3. Your config should be updated: you should see service_token as the username and the generated service token in the password field.

  4. Everything should work as usual.


Testing with existing API key

  1. Create an API key in Grafana.

  2. Use API key auth in the pmm-agent config (username: api_key, password: yourAPIKey).

  3. Connect the pmm-agent to pmm-server and run it.

  4. Go to Grafana settings; you should be able to see the "API key" tab there and your API key.

  5. Everything should work as usual.


Testing with existing API key and upgrade from PMM 2 to PMM 3

  1. Use a PMM 2 version.

  2. Create an API key in Grafana.

  3. Use API key auth in the pmm-agent config (username: api_key, password: yourAPIKey).

  4. Connect the pmm-agent to pmm-server and run it.

  5. Upgrade to PMM 3 (Docker-based update).

  6. Go to Grafana settings; the API key tab should disappear. You should see only the "Service accounts" tab.

  7. Everything should work as usual.
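The four test procedures above all come down to the same change in the agent's configuration: the `server` group stops carrying a shared admin login and instead carries `username: service_token` plus a per-agent Grafana service-account token. The script below is an added example, not code from the PMM project or from this ticket's reporter. It shows the weak configuration next to the corrected one, refuses to write anything that is not a `glsa_`-prefixed token into the token slot, and automates steps 1 to 3 of the first procedure (one service account and one token per agent) against Grafana's service-account API. Assumed, and not confirmed by the ticket: that PMM Server exposes Grafana under `/graph`, that the Grafana endpoints `POST /api/serviceaccounts` and `POST /api/serviceaccounts/<id>/tokens` are available, the `pmm-agent.yaml` layout and path, and the availability of `curl` and `jq`. The sample credentials and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the PMM project: provision one Grafana service
# account + token per pmm-agent and render the agent's "server" config with the
# token in place of shared admin credentials.
#
# Assumptions (verify against your PMM version before relying on them):
#   - Grafana is served by PMM Server under ${PMM_URL}/graph
#   - Grafana's service-account API is available (Grafana 9.1+):
#       POST /api/serviceaccounts             {"name": ..., "role": ...}
#       POST /api/serviceaccounts/<id>/tokens {"name": ...}
#   - pmm-agent reads its credentials from the "server" group of pmm-agent.yaml
#   - curl and jq are installed
set -eu

# Constructed sample defaults; override via the environment when running for real.
PMM_URL="${PMM_URL:-https://pmm-server}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASS="${ADMIN_PASS:-admin}"

# Grafana service-account tokens carry a "glsa_" prefix. Refuse to treat
# anything else (e.g. a pasted admin password) as a token.
looks_like_service_token() {
  case "$1" in
    glsa_*) return 0 ;;
    *)      return 1 ;;
  esac
}

# The weak setting the ticket argues against: every agent shares the admin
# login, so one leaked config file compromises the whole server. Shown for contrast.
render_weak_server_config() {
  address="$1"
  printf 'server:\n  address: %s\n  username: admin\n  password: admin\n  insecure-tls: false\n' \
    "$address"
}

# The corrected setting: username is the literal "service_token" and the
# password field holds the per-agent token, as the test steps describe.
render_service_token_server_config() {
  address="$1"
  token="$2"
  if ! looks_like_service_token "$token"; then
    echo "refusing to write a non-service-token credential into the config" >&2
    return 1
  fi
  printf 'server:\n  address: %s\n  username: service_token\n  password: %s\n  insecure-tls: false\n' \
    "$address" "$token"
}

# Network steps (not exercised offline). One service account per agent, named
# after the host, so a compromised host can be revoked without touching the others.
# Role is Admin because the ticket's test steps require admin rights for the token.
create_service_account_token() {
  name="$1"
  sa_id=$(curl -fsS -u "$ADMIN_USER:$ADMIN_PASS" -H 'Content-Type: application/json' \
      -d "{\"name\":\"$name\",\"role\":\"Admin\"}" \
      "$PMM_URL/graph/api/serviceaccounts" | jq -r '.id')
  token=$(curl -fsS -u "$ADMIN_USER:$ADMIN_PASS" -H 'Content-Type: application/json' \
      -d "{\"name\":\"$name\"}" \
      "$PMM_URL/graph/api/serviceaccounts/$sa_id/tokens" | jq -r '.key')
  looks_like_service_token "$token"   # abort (set -e) if Grafana returned no usable token
  printf '%s\n' "$token"
}

# Guarded so the file can be sourced for its functions; set RUN=1 to provision.
# The rendered "server" group goes to stdout; redirect it into pmm-agent.yaml
# (assumed PMM 3 path: /usr/local/percona/pmm/config/pmm-agent.yaml).
if [ "${RUN:-0}" = 1 ]; then
  token="$(create_service_account_token "pmm-agent-$(hostname)")"
  render_service_token_server_config "${PMM_SERVER_ADDRESS:-pmm-server:443}" "$token"
  echo "service token issued; update pmm-agent.yaml with the output above and restart pmm-agent" >&2
fi
```

The admin login is still needed once, to mint the service account, but it never reaches the agent host. Rotating the admin password afterwards no longer touches any agent, and a single agent can be disabled by deleting its service account in Grafana, which is the concrete gain over the shared-credential setup the ticket describes.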

Details

Needs QA: Yes
Needs Doc: Yes
Created June 23, 2023 at 9:20 AM
Updated August 8, 2024 at 4:58 AM
Resolved May 16, 2024 at 1:00 PM