Ori.livneh has submitted this change and it was merged.

Change subject: Put Grafana behind password authentication
......................................................................


Put Grafana behind password authentication

Change-Id: I8d52500424144425b19938f3498d5a43fd9970f4
---
M modules/grafana/manifests/web/apache.pp
M modules/grafana/templates/grafana.apache.erb
2 files changed, 27 insertions(+), 0 deletions(-)

Approvals:
  Ori.livneh: Verified; Looks good to me, approved



diff --git a/modules/grafana/manifests/web/apache.pp 
b/modules/grafana/manifests/web/apache.pp
index 1b37e4e..f62ab68 100644
--- a/modules/grafana/manifests/web/apache.pp
+++ b/modules/grafana/manifests/web/apache.pp
@@ -25,11 +25,26 @@
     $listen           = '*:80',
     $elastic_backends = undef,
 ) {
+    include ::apache::mod::authnz_ldap
     include ::apache::mod::proxy_balancer
     include ::apache::mod::proxy_http
     include ::apache::mod::lbmethod_byrequests
     include ::apache::mod::headers
 
+    include ::passwords::ldap::production
+
+    $auth_ldap = {
+        name          => 'nda/ops/wmf',
+        bind_dn       => 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org',
+        bind_password => $passwords::ldap::production::proxypass,
+        url           => 'ldaps://ldap-eqiad.wikimedia.org 
ldap-codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?cn',
+        groups        => [
+            'cn=ops,ou=groups,dc=wikimedia,dc=org',
+            'cn=nda,ou=groups,dc=wikimedia,dc=org',
+            'cn=wmf,ou=groups,dc=wikimedia,dc=org',
+        ],
+    }
+
     apache::site { 'grafana':
         ensure  => $ensure,
         content => template('grafana/grafana.apache.erb'),
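Review bot: The LDAP proxy-agent bind password in `$auth_ldap` is rendered by `template('grafana/grafana.apache.erb')` into the `apache::site { 'grafana': }` content, so it ends up in clear text in the generated vhost file. The hunk does not show the owner or mode that `apache::site` applies, so it is worth confirming that file is readable only by root and the Apache user. The `$auth_ldap` hash is also hard-coded in the class body and undocumented; a short comment above it, such as `# Restrict Grafana to members of the ops, nda and wmf LDAP groups.`, would help. A matching line in the class header would help too, but the header lies outside this hunk.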
diff --git a/modules/grafana/templates/grafana.apache.erb 
b/modules/grafana/templates/grafana.apache.erb
index 9afabba..11a5814 100644
--- a/modules/grafana/templates/grafana.apache.erb
+++ b/modules/grafana/templates/grafana.apache.erb
@@ -8,6 +8,18 @@
     AllowOverride None
   </Directory>
 
+  <Location />
+    AuthName "<%= @auth_ldap['name'] %>"
+    AuthType Basic
+    AuthBasicProvider ldap
+    AuthLDAPBindDN <%= @auth_ldap['bind_dn'] %>
+    AuthLDAPBindPassword <%= @auth_ldap['bind_password'] %>
+    AuthLDAPURL "<%= @auth_ldap['url'] %>"
+    <% @auth_ldap['groups'].each do |group| -%>
+    Require ldap-group <%= group %>
+    <% end -%>
+  </Location>
+
   <Directory /srv/deployment/grafana/grafana/dist>
     AllowOverride None
     <IfVersion >= 2.4>
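Review bot: `AuthType Basic` in the new `<Location />` block sends the user's LDAP password, base64-encoded, with every request, and the class default for this vhost is `$listen = '*:80'`. Unless TLS is terminated in front of this listener (not visible in the diff), those credentials cross the network unencrypted. A comment stating that dependency would make it explicit, e.g. `# Basic auth: this vhost must only be reachable through the TLS terminator.` Separately, `AuthLDAPBindPassword <%= @auth_ldap['bind_password'] %>` is unquoted, so a password containing whitespace would be parsed as several arguments; `AuthLDAPBindPassword "<%= @auth_ldap['bind_password'] %>"` would match the quoting already used for `AuthLDAPURL`.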

-- 
To view, visit https://gerrit.wikimedia.org/r/237448

Gerrit-MessageType: merged
Gerrit-Change-Id: I8d52500424144425b19938f3498d5a43fd9970f4
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <o...@wikimedia.org>
Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org>
