上一篇文章利用Docker快速部署了Grafana用来展示Zabbix得监控数据,但还需要给用户去创建账号允许他们登录后才能看展示得数据,那有什么办法让非管理员更方便得去访问Grafana呢?下面介绍两个比较方便实现的:
在开始设置前,为了数据持久化,需要对上一篇中的Docker启动中加入配置文件的持久化配置,具体如下:
bash
# create a persistent volume for data
docker volume create grafana-data
# create a persistent volume for log
docker volume create grafana-log
# create a persistent volume for config
docker volume create grafana-config
# start grafana by using the above persistent storage and defining environment variables
docker run -d -p 3000:3000 --name=grafana --volume grafana-storage:/var/lib/grafana --volume grafana-log:/var/log/grafana --volume grafana-config:/etc/grafana -e "GF_INSTALL_PLUGINS=alexanderzobnin-zabbix-app" grafana/grafana-oss:latest
然后通过以下找到配置文件的具体位置
bash
docker volume inspect grafana-config
[
{
"CreatedAt": "2023-12-22T03:25:15Z",
"Driver": "local",
"Labels": null,
"Mountpoint": "/var/lib/docker/volumes/grafana-config/_data",
"Name": "grafana-config",
"Options": null,
"Scope": "local"
}
]
cd /var/lib/docker/volumes/grafana-config/_data
文件夹内的grafana.ini, ldap.toml
是下面配置的重点。
- 匿名访问
通过在配置文件中启用匿名访问来使 Grafana 可以在无需登录的情况下访问。在grafana.ini中找到以下部分并修改
bash
#################################### Anonymous Auth ######################
[auth.anonymous]
# enable anonymous access (default: false)
enabled = true
# Organization name that should be used for unauthenticated users (default: Main Org.)
org_name = Main Org.
# Role for unauthenticated users, other valid values are `Editor` and `Admin` (default: Viewer)
org_role = Viewer
# Hide the Grafana version text from the footer and help tooltip for unauthenticated users (default: false)
hide_version = true
保存配置文件后,重启docker。
bash
docker restart grafana
在浏览器中直接访问http://IP:3000/,即可以得到以下显示了。普通用户就不用登录即可查看dashboard了。
- 与LDAP(Windows AD)连接,统一认证登录
要使用 LDAP 集成,首先需要在主配置文件中启用 LDAP,并指定 LDAP 特定配置文件的路径(默认为/etc/grafana/ldap.toml
)。
启用 LDAP 后,默认行为是在成功进行 LDAP 身份验证后自动创建 Grafana 用户。如果希望只允许现有的 Grafana 用户登录,您可以在[auth.ldap]
部分将allow_sign_up
更改为false
。如果希望手动分配组织和角色,可以使用skip_org_role_sync
配置选项。
bash
#################################### Auth LDAP ##########################
[auth.ldap]
# Set to `true` to enable LDAP integration (default: `false`)
enabled = true
# Path to the LDAP specific configuration file (default: `/etc/grafana/ldap.toml`)
config_file = /etc/grafana/ldap.toml
# Allow sign-up should be `true` (default) to allow Grafana to create users on successful LDAP authentication.
# If set to `false` only already existing Grafana users will be able to login. (default: `true`)
allow_sign_up = true
# Prevent synchronizing ldap users organization roles (default: `false`)
skip_org_role_sync = false
修改完grafana.ini后然后修改ldap.toml文件,需要注意的是如下配置适用于Windows AD提供的LDAP设置。
bash
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ldap.my_secure_remote_server.org"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = "grafana"
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'
# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
timeout = 10
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"
# An array of base dns to search through
search_base_dns = ["dc=grafana,dc=org"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "email"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
[[servers.group_mappings]]
group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
org_role = "Editor"
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"
更多配置可以参考Grafana官方说明。保存配置文件后,重启docker。
bash
docker restart grafana
用AD账号登录后可以看到个人资料里面,很多信息就是从AD同步过来的。