docs: updated

a25b5945 · Torkel Ödegaard · 4f91087d · 4f91087d · a25b5945 · a25b5945
Commit a25b5945 authored Sep 06, 2018 by Torkel Ödegaard
11 changed files
--- a/docs/sources/auth/anonymous.md
+++ b/docs/sources/auth/anonymous.md
-+++
-title = "Anonymous Authentication"
-description = "Anonymous authentication "
-keywords = ["grafana", "configuration", "documentation", "anonymous"]
-type = "docs"
-[menu.docs]
-name = "Anonymous"
-identifier = "anonymous-auth"
-parent = "authentication"
-weight = 4
-+++
-# Anonymous Authentication
-## [auth.anonymous]
-### enabled
-Set to `true` to enable anonymous access. Defaults to `false`
-### org_name
-Set the organization name that should be used for anonymous users. If
-you change your organization name in the Grafana UI this setting needs
-to be updated to match the new name.
-### org_role
-Specify role for anonymous users. Defaults to `Viewer`, other valid
-options are `Editor` and `Admin`.
--- a/docs/sources/auth/auth-proxy.md
+++ b/docs/sources/auth/auth-proxy.md
@@ -3,6 +3,7 @@ title = "Auth Proxy"
 description = "Grafana Auth Proxy Guide "
 keywords = ["grafana", "configuration", "documentation", "proxy"]
 type = "docs"
+aliases = ["/tutorials/authproxy/"]
 [menu.docs]
 name = "Auth Proxy"
 identifier = "auth-proxy"
@@ -12,66 +13,31 @@ weight = 2
 # Auth Proxy Authentication
-## [auth.proxy]
+You can configure Grafana to let a http reverse proxy handling authentication. Popular web servers have a very
+extensive list of pluggable authentication modules, and any of them can be used with the AuthProxy feature.
+Below we detail the configuration options for auth proxy.
-This feature allows you to handle authentication in a http reverse proxy.
+```bash
-### enabled
-Defaults to `false`
-### header_name
-Defaults to X-WEBAUTH-USER
-#### header_property
-Defaults to username but can also be set to email
-### auto_sign_up
-Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`.
-### whitelist
-Limit where auth proxy requests come from by configuring a list of IP addresses. This can be used to prevent users spoofing the X-WEBAUTH-USER header.
-### headers
-Used to define additional headers for `Name`, `Email` and/or `Login`, for example if the user's name is sent in the X-WEBAUTH-NAME header and their email address in the X-WEBAUTH-EMAIL header, set `headers = Name:X-WEBAUTH-NAME Email:X-WEBAUTH-EMAIL`.
-<hr>
-# Grafana Authproxy
-AuthProxy allows you to offload the authentication of users to a web server (there are many reasons why you’d want to run a web server in front of a production version of Grafana, especially if it’s exposed to the Internet).
-Popular web servers have a very extensive list of pluggable authentication modules, and any of them can be used with the AuthProxy feature.
-The Grafana AuthProxy feature is very simple in design, but it is this simplicity that makes it so powerful.
-## Interacting with Grafana’s AuthProxy via curl
-The AuthProxy feature can be configured through the Grafana configuration file with the following options:
-```js
 [auth.proxy]
+# Defaults to false, but set to true to enable this feature
 enabled = true
+# HTTP Header name that will contain the username or email
 header_name = X-WEBAUTH-USER
+# HTTP Header property, defaults to `username` but can also be `email`
 header_property = username
+# Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`.
 auto_sign_up = true
+# If combined with Grafana LDAP integration define sync interval
 ldap_sync_ttl = 60
+# Limit where auth proxy requests come from by configuring a list of IP addresses.
+# This can be used to prevent users spoofing the X-WEBAUTH-USER header.
 whitelist =
+# Optionally define more headers to sync other user attributes
+# Example `headers = Name:X-WEBAUTH-NAME Email:X-WEBAUTH-EMAIL``
+headers =
 ```
-* **enabled**: this is to toggle the feature on or off
+## Interacting with Grafana’s AuthProxy via curl
-* **header_name**: this is the HTTP header name that passes the username or email address of the authenticated user to Grafana. Grafana will trust what ever username is contained in this header and automatically log the user in.
-* **header_property**: this tells Grafana whether the value in the header_name is a username or an email address. (In Grafana you can log in using your account username or account email)
-* **auto_sign_up**: If set to true, Grafana will automatically create user accounts in the Grafana DB if one does not exist. If set to false, users who do not exist in the GrafanaDB won’t be able to log in, even though their username and password are valid.
-* **ldap_sync_ttl**: When both auth.proxy and auth.ldap are enabled, user's organisation and role are synchronised from ldap after the http proxy authentication. You can force ldap re-synchronisation after `ldap_sync_ttl` minutes.
-* **whitelist**: Comma separated list of trusted authentication proxies IP.
-With a fresh install of Grafana, using the above configuration for the authProxy feature, we can send a simple API call to list all users. The only user that will be present is the default “Admin” user that is added the first time Grafana starts up. As you can see all we need to do to authenticate the request is to provide the “X-WEBAUTH-USER” header.
 ```bash
 curl -H "X-WEBAUTH-USER: admin"  http://localhost:3000/api/users
@@ -106,7 +72,8 @@ I’ll demonstrate how to use Apache for authenticating users. In this example w
 ### Apache BasicAuth
-In this example we use Apache as a reverseProxy in front of Grafana. Apache handles the Authentication of users before forwarding requests to the Grafana backend service.
+In this example we use Apache as a reverse proxy in front of Grafana. Apache handles the Authentication of users before forwarding requests to the Grafana backend service.
 #### Apache configuration
@@ -151,38 +118,7 @@ In this example we use Apache as a reverseProxy in front of Grafana. Apache hand
 * The last 3 lines are then just standard reverse proxy configuration to direct all authenticated requests to our Grafana server running on port 3000.
-#### Grafana configuration
+## Full walk through using Docker.
-```bash
-############# Users ################
-[users]
- # disable user signup / registration
-allow_sign_up = false
-# Set to true to automatically assign new users to the default organization (id 1)
-auto_assign_org = true
-# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
- auto_assign_org_role = Editor
-############ Auth Proxy ########
-[auth.proxy]
-enabled = true
-# the Header name that contains the authenticated user.
-header_name = X-WEBAUTH-USER
-# does the user authenticate against the proxy using a 'username' or an 'email'
-header_property = username
-# automatically add the user to the system if they don't already exist.
-auto_sign_up = true
-```
-#### Full walk through using Docker.
-##### Grafana Container
 For this example, we use the official Grafana docker image available at [Docker Hub](https://hub.docker.com/r/grafana/grafana/)
@@ -201,7 +137,8 @@ header_property = username
 auto_sign_up = true
 ```
-* Launch the Grafana container, using our custom grafana.ini to replace `/etc/grafana/grafana.ini`. We don't expose any ports for this container as it will only be connected to by our Apache container.
+Launch the Grafana container, using our custom grafana.ini to replace `/etc/grafana/grafana.ini`. We don't expose
+any ports for this container as it will only be connected to by our Apache container.
 ```bash
 docker run -i -v $(pwd)/grafana.ini:/etc/grafana/grafana.ini --name grafana grafana/grafana

--- a/docs/sources/auth/oauth.md
+++ b/docs/sources/auth/oauth.md
--- a/docs/sources/auth/github.md
+++ b/docs/sources/auth/github.md
+++
+title = "Google OAuth2 Authentication"
+description = "Grafana OAuthentication Guide "
+keywords = ["grafana", "configuration", "documentation", "oauth"]
+type = "docs"
+[menu.docs]
+name = "GitHub OAuth2"
+identifier = "github_oauth2"
+parent = "authentication"
+weight = 4
+++
+# GitHub OAuth2 Authentication
+To enable the GitHub OAuth2 you must register your application with GitHub. GitHub will generate a client ID and secret key for you to use.
+## Configure GitHub OAuth application
+You need to create a GitHub OAuth application (you find this under the GitHub
+settings page). When you create the application you will need to specify
+a callback URL. Specify this as callback:
+```bash
+http://<my_grafana_server_name_or_ip>:<grafana_server_port>/login/github
+```
+This callback URL must match the full HTTP address that you use in your
+browser to access Grafana, but with the prefix path of `/login/github`.
+When the GitHub OAuth application is created you will get a Client ID and a
+Client Secret. Specify these in the Grafana configuration file. For
+example:
+## Enable GitHub in Grafana
+```bash
+[auth.github]
+enabled = true
+allow_sign_up = true
+client_id = YOUR_GITHUB_APP_CLIENT_ID
+client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
+scopes = user:email,read:org
+auth_url = https://github.com/login/oauth/authorize
+token_url = https://github.com/login/oauth/access_token
+api_url = https://api.github.com/user
+team_ids =
+allowed_organizations =
+```
+Restart the Grafana back-end. You should now see a GitHub login button
+on the login page. You can now login or sign up with your GitHub
+accounts.
+You may allow users to sign-up via GitHub authentication by setting the
+`allow_sign_up` option to `true`. When this option is set to `true`, any
+user successfully authenticating via GitHub authentication will be
+automatically signed up.
+### team_ids
+Require an active team membership for at least one of the given teams on
+GitHub. If the authenticated user isn't a member of at least one of the
+teams they will not be able to register or authenticate with your
+Grafana instance. For example:
+```bash
+[auth.github]
+enabled = true
+client_id = YOUR_GITHUB_APP_CLIENT_ID
+client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
+scopes = user:email,read:org
+team_ids = 150,300
+auth_url = https://github.com/login/oauth/authorize
+token_url = https://github.com/login/oauth/access_token
+api_url = https://api.github.com/user
+allow_sign_up = true
+```
+### allowed_organizations
+Require an active organization membership for at least one of the given
+organizations on GitHub. If the authenticated user isn't a member of at least
+one of the organizations they will not be able to register or authenticate with
+your Grafana instance. For example
+```bash
+[auth.github]
+enabled = true
+client_id = YOUR_GITHUB_APP_CLIENT_ID
+client_secret = YOUR_GITHUB_APP_CLIENT_SECRET
+scopes = user:email,read:org
+auth_url = https://github.com/login/oauth/authorize
+token_url = https://github.com/login/oauth/access_token
+api_url = https://api.github.com/user
+allow_sign_up = true
+# space-delimited organization names
+allowed_organizations = github google
+```
--- a/docs/sources/auth/gitlab.md
+++ b/docs/sources/auth/gitlab.md
+++
+title = "Google OAuth2 Authentication"
+description = "Grafana OAuthentication Guide "
+keywords = ["grafana", "configuration", "documentation", "oauth"]
+type = "docs"
+[menu.docs]
+name = "GitLab OAuth2"
+identifier = "gitlab_oauth"
+parent = "authentication"
+weight = 5
+++
+# GitLab OAuth2 Authentication
+To enable the GitLab OAuth2 you must register an application in GitLab. GitLab will generate a client ID and secret key for you to use.
+## Create GitLab OAuth keys
+You need to [create a GitLab OAuth application](https://docs.gitlab.com/ce/integration/oauth_provider.html).
+Choose a descriptive *Name*, and use the following *Redirect URI*:
+```
+https://grafana.example.com/login/gitlab
+```
+where `https://grafana.example.com` is the URL you use to connect to Grafana.
+Adjust it as needed if you don't use HTTPS or if you use a different port; for
+instance, if you access Grafana at `http://203.0.113.31:3000`, you should use
+```
+http://203.0.113.31:3000/login/gitlab
+```
+Finally, select *api* as the *Scope* and submit the form. Note that if you're
+not going to use GitLab groups for authorization (i.e. not setting
+`allowed_groups`, see below), you can select *read_user* instead of *api* as
+the *Scope*, thus giving a more restricted access to your GitLab API.
+You'll get an *Application Id* and a *Secret* in return; we'll call them
+`GITLAB_APPLICATION_ID` and `GITLAB_SECRET` respectively for the rest of this
+section.
+## Enable GitLab in Grafana
+Add the following to your Grafana configuration file to enable GitLab
+authentication:
+```ini
+[auth.gitlab]
+enabled = false
+allow_sign_up = false
+client_id = GITLAB_APPLICATION_ID
+client_secret = GITLAB_SECRET
+scopes = api
+auth_url = https://gitlab.com/oauth/authorize
+token_url = https://gitlab.com/oauth/token
+api_url = https://gitlab.com/api/v4
+allowed_groups =
+```
+Restart the Grafana backend for your changes to take effect.
+If you use your own instance of GitLab instead of `gitlab.com`, adjust
+`auth_url`, `token_url` and `api_url` accordingly by replacing the `gitlab.com`
+hostname with your own.
+With `allow_sign_up` set to `false`, only existing users will be able to login
+using their GitLab account, but with `allow_sign_up` set to `true`, *any* user
+who can authenticate on GitLab will be able to login on your Grafana instance;
+if you use the public `gitlab.com`, it means anyone in the world would be able
+to login on your Grafana instance.
+You can can however limit access to only members of a given group or list of
+groups by setting the `allowed_groups` option.
+### allowed_groups
+To limit access to authenticated users that are members of one or more [GitLab
+groups](https://docs.gitlab.com/ce/user/group/index.html), set `allowed_groups`
+to a comma- or space-separated list of groups. For instance, if you want to
+only give access to members of the `example` group, set
+```ini
+allowed_groups = example
+```
+If you want to also give access to members of the subgroup `bar`, which is in
+the group `foo`, set
+```ini
+allowed_groups = example, foo/bar
+```
+Note that in GitLab, the group or subgroup name doesn't always match its
+display name, especially if the display name contains spaces or special
+characters. Make sure you always use the group or subgroup name as it appears
+in the URL of the group or subgroup.
+Here's a complete example with `alloed_sign_up` enabled, and access limited to
+the `example` and `foo/bar` groups:
+```ini
+[auth.gitlab]
+enabled = false
+allow_sign_up = true
+client_id = GITLAB_APPLICATION_ID
+client_secret = GITLAB_SECRET
+scopes = api
+auth_url = https://gitlab.com/oauth/authorize
+token_url = https://gitlab.com/oauth/token
+api_url = https://gitlab.com/api/v4
+allowed_groups = example, foo/bar
+```
--- a/docs/sources/auth/google.md
+++ b/docs/sources/auth/google.md
+++
+title = "Google OAuth2 Authentication"
+description = "Grafana OAuthentication Guide "
+keywords = ["grafana", "configuration", "documentation", "oauth"]
+type = "docs"
+[menu.docs]
+name = "Google OAuth2"
+identifier = "ggogle_oauth2"
+parent = "authentication"
+weight = 3
+++
+# Google OAuth2 Authentication
+To enable the Google OAuth2 you must register your application with Google. Google will generate a client ID and secret key for you to use.
+## Create Google OAuth keys
+First, you need to create a Google OAuth Client:
+1. Go to https://console.developers.google.com/apis/credentials
+2. Click the 'Create Credentials' button, then click 'OAuth Client ID' in the menu that drops down
+3. Enter the following:
+   - Application Type: Web Application
+   - Name: Grafana
+   - Authorized Javascript Origins: https://grafana.mycompany.com
+   - Authorized Redirect URLs: https://grafana.mycompany.com/login/google
+   - Replace https://grafana.mycompany.com with the URL of your Grafana instance.
+4. Click Create
+5. Copy the Client ID and Client Secret from the 'OAuth Client' modal
+## Enable Google OAuth in Grafana
+Specify the Client ID and Secret in the [Grafana configuration file]({{< relref "installation/configuration.md/#config-file-locations" >}}). For example:
+```bash
+[auth.google]
+enabled = true
+client_id = CLIENT_ID
+client_secret = CLIENT_SECRET
+scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+auth_url = https://accounts.google.com/o/oauth2/auth
+token_url = https://accounts.google.com/o/oauth2/token
+allowed_domains = mycompany.com mycompany.org
+allow_sign_up = true
+```
+Restart the Grafana back-end. You should now see a Google login button
+on the login page. You can now login or sign up with your Google
+accounts. The `allowed_domains` option is optional, and domains were separated by space.
+You may allow users to sign-up via Google authentication by setting the
+`allow_sign_up` option to `true`. When this option is set to `true`, any
+user successfully authenticating via Google authentication will be
+automatically signed up.
--- a/docs/sources/auth/index.md
+++ b/docs/sources/auth/index.md
@@ -8,3 +8,5 @@ identifier = "authentication"
 parent = "admin"
 weight = 3
 +++
--- a/docs/sources/auth/ldap.md
+++ b/docs/sources/auth/ldap.md
@@ -4,13 +4,20 @@ description = "Grafana LDAP Authentication Guide "
 keywords = ["grafana", "configuration", "documentation", "ldap"]
 type = "docs"
 [menu.docs]
-name = "LDAP Auth"
+name = "LDAP"
 identifier = "ldap"
 parent = "authentication"
 weight = 2
 +++
+# LDAP
+The LDAP integration in Grafana allows your Grafana users to login with their LDAP credentials. You can also specify mappings between LDAP
+group memberships and Grafana Organization user roles. Below we detail grafana.ini config file
+settings and ldap.toml config file options.
 ## [auth.ldap]
 ### enabled
 Set to `true` to enable LDAP integration (default: `false`)
@@ -22,16 +29,9 @@ Path to the LDAP specific configuration file (default: `/etc/grafana/ldap.toml`)
 Allow sign up should almost always be true (default) to allow new Grafana users to be created (if ldap authentication is ok). If set to
 false only pre-existing Grafana users will be able to login (if ldap authentication is ok).
-> For details on LDAP Configuration, go to the [LDAP Integration]({{< relref "ldap.md" >}}) page.
 <hr>
-# LDAP Authentication
+Grafana (2.1 and newer) ships with a strong LDAP integration feature.
-Grafana (2.1 and newer) ships with a strong LDAP integration feature. The LDAP integration in Grafana allows your
-Grafana users to login with their LDAP credentials. You can also specify mappings between LDAP
-group memberships and Grafana Organization user roles.
 ## Configuration
 You turn on LDAP in the [main config file]({{< relref "configuration.md#auth-ldap" >}}) as well as specify the path to the LDAP
 specific configuration file (default: `/etc/grafana/ldap.toml`).

--- a/docs/sources/auth/overview.md
+++ b/docs/sources/auth/overview.md
@@ -9,30 +9,79 @@ parent = "authentication"
 weight = 1
 +++
-# Authentication
+# User Authentication Overview
-Grafana provides many ways to authenticate users. By default it will use local users & passwords stored in the Grafana
+Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user
-database.
+permissions and org memberships.
-## Settings
+## OAuth2 Integrations
-Via the [server ini config file]({{< relref "installation/debian.md" >}}) you can setup many different authentication methods. Auth settings
+- [Google OAuth]({{< relref "auth/google.md" >}})
-are documented below.
+- [GitHub OAuth]({{< relref "auth/github.md" >}})
+- [Gitlab OAuth]({{< relref "auth/gitlab.md" >}})
+- [Generic OAuth]({{< relref "auth/oauth.md" >}}) (Okta2, BitBucket, Azure, OneLogin, Auth0)
-### [auth]
+## LDAP integrations
-#### disable_login_form
+- [LDAP Authentication]({{< relref "auth/ldap.md" >}}) (OpenLDAP, ActiveDirectory, etc)
-Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false.
+## Auth proxy
-#### disable_signout_menu
+- [Auth Proxy]({{< relref "auth/auth-proxy.md" >}}) If you want to handle authentication outside Grafana using a reverse
+    proxy.
-Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false.
+## Grafana Auth
-<hr>
+Grafana of course has a built in user authentication system with password authenticaten enabled by default. You can
+disable authentication by enabling anonymous access. You can also hide login form and only allow login through an auth
+provider (listed above). There is also options for allowing self sign up.
-### [auth.basic]
+### Anonymous authenticaten
-#### enabled
-When enabled is `true` (default) the http api will accept basic authentication.
+You can make Grafana accessible without any login required by enabling anonymous access in the configuration file.
+Example:
+```bash
+[auth.anonymous]
+enabled = true
+# Organization name that should be used for unauthenticated users
+org_name = Main Org.
+# Role for unauthenticated users, other valid values are `Editor` and `Admin`
+org_role = Viewer
+```
+If you change your organization name in the Grafana UI this setting needs to be updated to match the new name.
+### Basic authentication
+Basic auth is enabled by default and works with the built in Grafana user password authentication system and LDAP
+authenticaten integration.
+To disable basic auth:
+```bash
+[auth.basic]
+enabled = false
+```
+### Disable login form
+You can hide the Grafana login form using the below configuration settings.
+```bash
+[auth]
+disable_login_form ⁼ true
+```
+### Hide sign-out menu
+Set to the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy.
+```bash
+[auth]
+disable_signout_menu = true
+```
-<hr>
--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@@ -321,62 +321,17 @@ Defaults to `false`.
 ## [auth]
-### disable_login_form
+Grafana provides many ways to authenticate users. The docs for authentication has been split in to many differnet pages
+below.
-Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false.
+- [Anonymous access]({{< relref "auth/overview.md" >}}) (auth.anonymous)
-### disable_signout_menu
+- [Google OAuth]({{< relref "auth/google.md" >}}) (auth.google)
+- [GitHub OAuth]({{< relref "auth/github.md" >}}) (auth.github)
-Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false.
+- [Gitlab OAuth]({{< relref "auth/gitlab.md" >}}) (auth.gitlab)
+- [Generic OAuth]({{< relref "auth/generic-oauth.md" >}}) (auth.generic_oauth, okta2, auth0, bitbucket, azure)
-<hr>
+- [Basic Authentication]({{< relref "auth/overview.md" >}}) (auth.basic)
+- [LDAP Authentication]({{< relref "auth/ldap.md" >}}) (auth.ldap)
-## [auth.anonymous]
+- [Auth Proxy]({{< relref "auth/auth-proxy.md" >}}) (auth.proxy)
-[Read guide here.](/administration/authentication/anonymous-auth)
-<hr>
-## [auth.github]
-[Read guide here.](/administration/authentication/oauth/#auth-github)
-<hr>
-## [auth.gitlab]
-[Read guide here.](/administration/authentication/oauth/#auth-gitlab)
-<hr>
-## [auth.google]
-[Read guide here.](/administration/authentication/oauth/#auth-google)
-<hr>
-## [auth.generic_oauth]
-[Read guide here.](/administration/authentication/oauth/#auth-generic-oauth)
-<hr>
-## [auth.basic]
-### enabled
-When enabled is `true` (default) the http api will accept basic authentication.
-<hr>
-## [auth.ldap]
-[Read guide here.](/administration/authentication/ldap/)
-<hr>
-## [auth.proxy]
-[Read guide here.](/administration/authentication/auth-proxy/)
-<hr>
 ## [session]

--- a/docs/sources/tutorials/authproxy.md
+++ b/docs/sources/tutorials/authproxy.md