Use Grafana Service Accounts for pmm-agent authentication

Description

Hi,

Currently, a PMM admin has to use a user's credentials (usually just the admin's) in order to connect a new pmm-agent to PMM Server. Even our official documentation uses the admin's credentials in its examples: https://docs.percona.com/percona-monitoring-and-management/setting-up/client/index.html#register.

Such an approach has significant drawbacks:

  • it contradicts OWASP Top 10 "A05:2021 – Security Misconfiguration" https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

  • it is not secure at all to use the admin's credentials in any tasks/actions not related to the admin at all.

  • potential leakage of the admin's credentials

  • issues after changing the admin's credentials: they have to be changed in all pmm-agents that use them.

There was an alternative, "Authenticating using API keys". But Grafana now deprecates API keys and provides an alternative: Service Accounts.

So this ticket is dedicated to this topic: consider migrating pmm-agent credentials to Grafana Service Accounts, and use a separate Service Account for each pmm-agent.

Moreover, in the Percona Everest product we need to automatically connect new pmm-agents to PMM Server. Service Accounts suit this task best.

How to test

Testing with existing service account

  1. Create a new service account.

  2. Create a new service token with admin rights for the account you created before.

  3. Save the service token (it looks like: glsa_Fp0ggev31R58ueNJbJgYw7fIGfO3yKWH_746383ab).

  4. Paste the service token into the pmm-agent config, in the password field under the server group. The username should be “service_token”.

     server:
       address: 127.0.0.1:443
       username: service_token
       password: pasteServiceTokenHere

  5. Connect pmm-agent to pmm-server and run it.

  6. Everything should work as usual.


Testing without existing service account

  1. Use basic auth in the pmm-agent config.

  2. Connect pmm-agent to pmm-server and run it.

  3. Your config should be updated: you should see service_token as the username and a generated service token in the password field.

  4. Everything should work as usual.


Testing with existing API key

  1. Create an API key in Grafana.

  2. Use API key auth in the pmm-agent config (username: api_key, password: yourAPIKey).

  3. Connect pmm-agent to pmm-server and run it.

  4. Go to Grafana settings; you should be able to see the “API key” tab there and your API key.

  5. Everything should work as usual.


Testing with existing API key and upgrade from PMM 2 to PMM3

  1. Use a PMM 2 version.

  2. Create an API key in Grafana.

  3. Use API key auth in the pmm-agent config (username: api_key, password: yourAPIKey).

  4. Connect pmm-agent to pmm-server and run it.

  5. Upgrade to PMM 3 (Docker-based update).

  6. Go to Grafana settings; the API key tab should disappear. You should see only the “Service accounts” tab.

  7. Everything should work as usual.
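The per-agent provisioning the ticket asks for, written out as an added example; this is not PMM's or Percona's own code. It mints one Grafana service account and one token per pmm-agent over Grafana's HTTP API, checks the token has the shape of the sample above before trusting it, and renders the server section of the agent config exactly as the first test scenario shows it (what PMM 3 does by itself in the second scenario, where a basic-auth config is rewritten to service_token on first registration). Decommissioning an agent then deletes only that agent's account, so the admin login is never shared with or rotated because of an agent. Assumed, not stated on the page: that PMM Server proxies the Grafana API under /graph/api/, that POST /api/serviceaccounts, POST /api/serviceaccounts/{id}/tokens and DELETE /api/serviceaccounts/{id} behave as upstream Grafana documents them, and that the token format (glsa_, 32 alphanumerics, underscore, 8 hex digits) is stable. The FakeGrafana class, the urllib_transport helper and every name are constructed for this example so it runs offline.

```python
"""Provision one Grafana service account + token per pmm-agent (added example)."""
import base64
import json
import re
import secrets
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Shape of the token in the ticket's sample; an assumption drawn from that sample,
# not a documented Grafana contract. Used as a sanity check before writing config.
SERVICE_TOKEN_RE = re.compile(r"^glsa_[A-Za-z0-9]{32}_[0-9a-f]{8}$")

# transport(method, path, headers, json_body_or_None) -> (http_status, decoded_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def basic_auth_headers(user: str, password: str) -> Dict[str, str]:
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}", "Content-Type": "application/json"}


def urllib_transport(base_url: str) -> Transport:
    """Real transport against a PMM Server (assumed to proxy Grafana at /graph)."""
    def request(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return request


def create_agent_service_account(http: Transport, admin: Tuple[str, str],
                                 agent_id: str, role: str = "Admin") -> Tuple[int, str]:
    """One service account per pmm-agent, holding exactly one token.

    role defaults to Admin because the test plan mints the token with admin rights;
    lower it to the least role your PMM version accepts for agent registration.
    The admin credentials are used only here, once, and never land in any agent config.
    """
    headers = basic_auth_headers(*admin)
    status, body = http("POST", "/graph/api/serviceaccounts", headers,
                        {"name": f"pmm-agent-{agent_id}", "role": role, "isDisabled": False})
    if status not in (200, 201):
        raise RuntimeError(f"service account creation failed: HTTP {status} {body}")
    sa_id = int(body["id"])
    status, body = http("POST", f"/graph/api/serviceaccounts/{sa_id}/tokens", headers,
                        {"name": f"pmm-agent-{agent_id}"})
    if status not in (200, 201):
        raise RuntimeError(f"token creation failed: HTTP {status} {body}")
    key = body["key"]  # the only time Grafana returns the secret; store it now or lose it
    if not SERVICE_TOKEN_RE.match(key):
        raise ValueError("response does not look like a Grafana service token")
    return sa_id, key


def revoke_agent_service_account(http: Transport, admin: Tuple[str, str], sa_id: int) -> bool:
    """Decommissioning an agent revokes its own account only; nothing else is rotated."""
    status, _ = http("DELETE", f"/graph/api/serviceaccounts/{sa_id}",
                     basic_auth_headers(*admin), None)
    return status == 200


def render_agent_server_section(address: str, token: str) -> str:
    """The server block of pmm-agent's config, in the form the test plan shows."""
    return (f"server:\n  address: {address}\n"
            f"  username: service_token\n  password: {token}\n")


class FakeGrafana:
    """Offline stand-in for the three endpoints above, constructed for this example."""
    def __init__(self):
        self.accounts: Dict[int, dict] = {}
        self.calls = []

    def request(self, method, path, headers, body):
        self.calls.append((method, path))
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, {"message": "Unauthorized"}
        if method == "POST" and path == "/graph/api/serviceaccounts":
            sa_id = len(self.accounts) + 1
            self.accounts[sa_id] = {"name": body["name"], "role": body["role"], "tokens": []}
            return 201, {"id": sa_id, "name": body["name"], "role": body["role"]}
        m = re.fullmatch(r"/graph/api/serviceaccounts/(\d+)/tokens", path)
        if method == "POST" and m and int(m.group(1)) in self.accounts:
            alphabet = string.ascii_letters + string.digits
            key = "glsa_" + "".join(secrets.choice(alphabet) for _ in range(32)) + "_" + secrets.token_hex(4)
            self.accounts[int(m.group(1))]["tokens"].append(body["name"])
            return 200, {"id": 1, "name": body["name"], "key": key}
        m = re.fullmatch(r"/graph/api/serviceaccounts/(\d+)", path)
        if method == "DELETE" and m and int(m.group(1)) in self.accounts:
            del self.accounts[int(m.group(1))]
            return 200, {"message": "Service account deleted"}
        return 404, {"message": "not found"}


if __name__ == "__main__":
    fake = FakeGrafana()  # swap for urllib_transport("https://pmm.example:443") in real use
    sa_id, token = create_agent_service_account(fake.request, ("admin", "admin"), "db-host-01")
    print(render_agent_server_section("127.0.0.1:443", token))
    print("revoked:", revoke_agent_service_account(fake.request, ("admin", "admin"), sa_id))
```

The transport is injected so the same provisioning code runs against the fake here and against a live PMM Server with urllib_transport; a 401 or any other non-2xx from Grafana raises instead of writing a half-provisioned config. Because the secret is returned only once, write the rendered section to the agent config immediately and keep the service account id alongside it, since the id is what you need later to revoke or rotate that agent without touching any other.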

Activity

Automation for Jira, May 16, 2024 at 1:00 PM, updated the Lead time: 214 -> 234
Ondrej Patocka, May 16, 2024 at 1:00 PM, changed the Status: Pending Release -> Done
Ondrej Patocka, May 16, 2024 at 1:00 PM, updated the Resolution: Fixed -> Done
Automation for Jira, April 18, 2024 at 1:49 PM, updated the Lead time: None -> 214
Nurlan Moldomurov, April 18, 2024 at 1:49 PM, changed the Status: Merged -> Pending Release
Nurlan Moldomurov, April 18, 2024 at 1:49 PM, updated the Resolution: None -> Fixed
Smart Checklist, April 16, 2024 at 9:37 AM, updated the Checklists: "- Documentation @6189bd33978253006869dc1c" -> "+ Documentation @6189bd33978253006869dc1c"
Smart Checklist, April 16, 2024 at 9:37 AM, updated the Smart Checklist Progress: 0/1 -> 1/1 - Done
Jiří Čtvrtka, April 16, 2024 at 9:22 AM, updated the How to document: https://drive.google.com/file/d/1RfSIIgFK0b1Fy0nBUZx_6C0yR8MS6RwG/view?usp=sharing -> Doc: https://github.com/percona/pmm-doc/pull/1225 Video: https://drive.google.com/file/d/1RfSIIgFK0b1Fy0nBUZx_6C0yR8MS6RwG/view?usp=sharing
Jiří Čtvrtka, April 16, 2024 at 9:22 AM, updated the How to document: "Since the documentation is complicated here, I will prepare a PR and then the doc team can check and correct it." -> https://drive.google.com/file/d/1RfSIIgFK0b1Fy0nBUZx_6C0yR8MS6RwG/view?usp=sharing
Jiří Čtvrtka, April 9, 2024 at 9:24 AM, changed the Assignee: Nurlan Moldomurov -> Jiří Čtvrtka
Nurlan Moldomurov, April 1, 2024 at 10:51 AM, changed the Status: Ready For Merge -> Merged
Nailya Kutlubaeva, April 1, 2024 at 9:14 AM, changed the Assignee: Nailya Kutlubaeva -> Nurlan Moldomurov
Nailya Kutlubaeva, April 1, 2024 at 9:14 AM, changed the Status: In QA -> Ready For Merge
Percona Bot, March 5, 2024 at 10:20 PM, updated the AFFECTED USER LEVEL: None -> Internal
Smart Checklist, February 27, 2024 at 9:44 AM, updated the Checklists: "- Documentation @rasika.chivate @catalina.adam" -> "- Documentation @6189bd33978253006869dc1c"
Nailya Kutlubaeva, February 21, 2024 at 9:50 AM, changed the Assignee: Jiří Čtvrtka -> Nailya Kutlubaeva
Nailya Kutlubaeva, February 21, 2024 at 9:50 AM, changed the Status: Ready for QA -> In QA
Jiří Čtvrtka, February 15, 2024 at 1:25 PM, changed the Status: In Progress -> Ready for QA
Jiří Čtvrtka, February 15, 2024 at 1:25 PM, updated the How to document: None -> "Since the documentation is complicated here, I will prepare a PR and then the doc team can check and correct it."
Jiří Čtvrtka, February 15, 2024 at 10:30 AM, updated the How to test: None -> (the How to test section above)
Maggie Suero, December 6, 2023 at 9:39 PM, changed the Status: In Review -> In Progress
Ondrej Patocka, December 1, 2023 at 2:49 PM, updated the Fix versions: None -> 3.0.0-alpha
Ondrej Patocka, December 1, 2023 at 2:49 PM, updated the Fix versions: 3.0.0 -> None
Ondrej Patocka, December 1, 2023 at 1:49 PM, updated the Planned Version/s: 3.0.0-alpha, 3.0.0 -> 3.0.0-alpha
Ondrej Patocka, November 27, 2023 at 4:48 PM, updated the Checklists: "-" -> "- Documentation @rasika.chivate @catalina.adam"
Ondrej Patocka, November 27, 2023 at 4:48 PM, updated the Checklists: "- Documentation @rasika.chivate @catalina.adam" -> "-"
Ondrej Patocka, November 27, 2023 at 2:40 PM, updated the Smart Checklist Progress: None -> 0/1
Ondrej Patocka, November 27, 2023 at 2:40 PM, updated the Checklists: None -> "- Documentation @rasika.chivate @catalina.adam"
Roma Novikov, November 13, 2023 at 1:33 PM, updated the Planned Version/s: 3.0.0 -> 3.0.0, 3.0.0-alpha
Jiří Čtvrtka, October 12, 2023 at 12:54 PM, changed the Status: In Progress -> In Review
Ondrej Patocka, October 3, 2023 at 12:31 PM, updated the Fix versions: None -> 3.0.0
Ondrej Patocka, October 3, 2023 at 12:31 PM, updated the Planned Version/s: None -> 3.0.0
Ondrej Patocka, October 3, 2023 at 12:30 PM, updated the Labels: security -> refined security
Roma Novikov, September 25, 2023 at 10:31 AM, updated the Epic Link: PMM-5869 -> PMM-12526
Jiří Čtvrtka, September 13, 2023 at 8:56 AM, changed the Status: To Do -> In Progress
Jiří Čtvrtka, September 13, 2023 at 8:55 AM, updated the Story Points: None -> 5
Jiří Čtvrtka, September 13, 2023 at 8:55 AM, updated the Needs Doc: No -> Yes
Jiří Čtvrtka, September 13, 2023 at 8:53 AM, changed the Assignee: Unassigned -> Jiří Čtvrtka
Roma Novikov, September 8, 2023 at 2:44 PM, updated the Epic Link: None -> PMM-5869
Alex Demidoff, September 6, 2023 at 9:20 AM, updated the Linked Issues: None -> This issue relates to PMM-12318
Nurlan Moldomurov, August 3, 2023 at 12:12 PM, changed the Status: Open -> To Do
Nurlan Moldomurov, August 3, 2023 at 12:12 PM, updated the Rank: None -> Ranked lower
Maggie Suero, July 17, 2023 at 5:13 PM, updated the Workflow: Percona Open Source Software Default Workflow V1.8 -> Percona Open Source Software Default Workflow V1.9
Roma Novikov, June 28, 2023 at 12:37 PM, updated the Rank: None -> Ranked higher
Roma Novikov, June 28, 2023 at 12:35 PM, updated the Labels: None -> security
Nurlan Moldomurov, June 27, 2023 at 11:14 AM, updated the Linked Issues: None -> This issue relates to PMM-10979
Roma Novikov, June 26, 2023 at 3:05 PM, updated the Linked Issues: None -> This issue relates to PMM-11714
Roma Novikov, June 23, 2023 at 9:36 AM, changed the Status: New -> Open
Maxim Kondratenko, June 23, 2023 at 9:20 AM, created the Issue
Details

Status: Done
Needs QA: Yes
Needs Doc: Yes
Created: June 23, 2023 at 9:20 AM
Updated: August 8, 2024 at 4:58 AM
Resolved: May 16, 2024 at 1:00 PM
