Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prompt the user to create a password for accessing Grafana at install-time #24

Closed
velovix opened this issue Apr 13, 2021 · 8 comments
Closed

Prompt the user to create a password for accessing Grafana at install-time #24

velovix opened this issue Apr 13, 2021 · 8 comments
Labels
enhancement New feature or request wontfix This will not be worked on

Comments

@velovix
Copy link
Member

velovix commented Apr 13, 2021
edited
Loading

This password will be stored to the .env file and used by BrainFrame's docker-compose.yml. This improves security as it prevents Grafana's default admin user from ever being publicly accessible.
@velovix velovix changed the title Prompt the user to create a password for accessing Grafana and the database Prompt the user to create a password for accessing Grafana and the database at install-time Apr 13, 2021
@velovix velovix changed the title Prompt the user to create a password for accessing Grafana and the database at install-time Prompt the user to create a password for accessing Grafana at install-time Jun 8, 2021
@velovix
Copy link
Member Author

velovix commented Jun 8, 2021
edited
Loading

Grafana's login page could potentially be removed if we add a global log-in screen for all BrainFrame services.

@apockill
Copy link
Member

apockill commented Jun 8, 2021

Would we prompt for passwords for each service, or ask for a generic password and apply it to all the things? (Our customers might not know what Grafana is for example).

Please set a password for the BrainFrame services:
>

might yield a .env with

GRAFANA_PASSWORD=hunter2
POSTGRES_PASSWORD=hunter2
OTHER_SERVICE_AUTH=hunter2

I'm probably overthinking this though. Do we even need more than one password at the moment?

@apockill
Copy link
Member

apockill commented Jun 8, 2021

Grafana's login page could potentially be removed if we add a global log-in screen for all BrainFrame services.

Would we have to modify grafana's source for that? I think that may violate their AGPL license

@BryceBeagle
Copy link
Member

Looks like you can configure the Grafana username/password through configuration files

https://grafana.com/docs/grafana/latest/administration/configure-docker/#configure-grafana-with-docker-secrets

@apockill
Copy link
Member

apockill commented Jun 8, 2021

@BryceBeagle Tyler is talking about a longer-term goal to have a separate service be our "log in" authenticator for all services in BrainFrame. I think that having grafana use our service for the login page may require a bit of code change with Grafana.

@BryceBeagle
Copy link
Member

Couldn't we do something fancy with nginx? If not authenticated, serve a different image with a login screen. If authenticated, serve the grafana image.

@velovix
Copy link
Member Author

velovix commented Jun 8, 2021

Grafana has some support for delegating authorization to another service. I haven't looked into it too much though.

@velovix velovix added the enhancement New feature or request label Jun 22, 2021
@velovix
Copy link
Member Author

velovix commented Jun 30, 2021

I think at this point it's clear that we need a shared authorization service that lives on top of all of our other services. We would then want to turn off Grafana's authorization since it's redundant. Closing in favor of #30.

@velovix velovix closed this as completed Jun 30, 2021
@velovix velovix added the wontfix This will not be worked on label Jun 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@apockill @velovix @BryceBeagle