proxy.auth in grafana not working for query analysis and inventory
General
Escalation
General
Escalation
Description
Turned on proxy.auth authentication in /etc/grafana/grafana.ini inside docker docker container:
I'm now able to login to grafana with our external auth proxy. Can see graphs normally, but Query Analytics stops working. I see an empty place instead of list of queries. Checked via chrome dev tools and found that v0/qan/Filters/Get and v0/qan/Filters/GetReport failed to load with "401 Unauthorized".
If I turn off proxy.auth in grafana and enable basic auth again, all works properly. Very likely the difference is that basic auth in grafana results in setting grafana_session cookie, while proxy.auth sets _oauth2_proxy cookie.
Digging further I see that requests to /v0, /v1, /inventory, etc are all authenticated via auth_request /auth_request, and this goes to this upstream:
So looks like it's pmm-managed who decides if request to API should be authenticated or not.
As tmp w/a I just commented auth_request in /etc/nginx/conf.d/pmm.conf for /v0, /v1, /inventory.
How to test
None
How to document
None
Attachments
6
Smart Checklist
Activity
Show:
Lalit Choudhary December 8, 2020 at 7:29 AM
Nice. Thank you for the update.
Mikhail V. Solovyev (test) December 7, 2020 at 9:12 AM
After upgrade to 2.12.0 I no longer needed to apply this workaround. Looks like it was somehow fixed
Lalit Choudhary July 16, 2020 at 7:24 AM
Hi Mikhail,
Not sure what's wrong with my test but I don't see this issue. I will check again with dev if we can get this.
Mikhail V. Solovyev (test) July 16, 2020 at 2:30 AM
The same in 2.9, though I'm already used to comment auth_request after each upgrade
Turned on proxy.auth authentication in /etc/grafana/grafana.ini inside docker docker container:
I'm now able to login to grafana with our external auth proxy. Can see graphs normally, but Query Analytics stops working. I see an empty place instead of list of queries. Checked via chrome dev tools and found that v0/qan/Filters/Get and v0/qan/Filters/GetReport failed to load with "401 Unauthorized".
If I turn off proxy.auth in grafana and enable basic auth again, all works properly. Very likely the difference is that basic auth in grafana results in setting grafana_session cookie, while proxy.auth sets _oauth2_proxy cookie.
Digging further I see that requests to /v0, /v1, /inventory, etc are all authenticated via auth_request /auth_request, and this goes to this upstream:
So looks like it's pmm-managed who decides if request to API should be authenticated or not.
As tmp w/a I just commented auth_request in /etc/nginx/conf.d/pmm.conf for /v0, /v1, /inventory.