#30023: improve grafana authentication
-----------------------------------------------------+--------------------
Reporter: anarcat | Owner: tpa
Type: task | Status: new
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID: #29681
Points: | Reviewer:
Sponsor: |
-----------------------------------------------------+--------------------
the grafana server is now setup (#29684) but there are still issues
regarding authentication. we might want to grant access to other users
than the admin one, for example.
the original idea was to do the same "anonymous authentication" setup than
for Prometheus, except something came up during deployment that made me
question that strategy. it was raised while considering deployment of
third-party exporters:
> something regarding authentication came up through a third-party scraper
deployment, in #29863. there were concerns the node exporter would leak
information that could be exploited for a side-channel attacks. the node
exporter is firewalled, but then all that data is then made available on
the prometheus server protected only by a trivial password. they will make
an assessment of the exposed data and see if the additional authentication
burden is worth the risk.
if we do not go with "anon" authentication, we could connect the Grafana
server with LDAP, but then it means it might go down if the LDAP server
crashes, which is a problem for a monitoring server, obviously.
in any case, users need to be configured through Puppet, which they
currently are not. this is partly related to secrets management and
generation in Puppet, which is also discussed in #30009.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30023>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
