community.grafana
Change password for default user (admin/admin)
SUMMARY
My request is related to the discussion in the following issue: https://github.com/ansible-collections/community.grafana/issues/142
I was trying to secure a freshly created Grafana instance. Doing this using the web interface is simple: one needs to change the default password for the admin account. At first login, after typing the admin/admin credentials, you are asked to change the password to a secure one.
ISSUE TYPE
- Feature Idea
COMPONENT NAME
I suspect it's the user management module.
ADDITIONAL INFORMATION
I would like to be able to secure a fresh Grafana instance. There are a couple of ways of doing so.
The first one, which seems not to be working, is to change the password of the default user (admin/admin):
I've tried it using the following playbook:
```yaml
- name: Setup grafana instance
  hosts: all_hosts
  remote_user: opc
  collections:
    - community.grafana
  vars:
    - grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
  module_defaults:
    group/community.grafana.grafana:
      url: "http://localhost:3000"
  tasks:
    - name: Create new admin (using admin/admin credentials)
      grafana_user:
        url_username: admin
        url_password: admin
        name: "Aministrator"
        email: admin@{{ ansible_hostname }}
        login: root
        password: '{{ grafana_root_password }}'
        is_admin: true
        state: present
      register: result
    - debug:
        msg: "{{ result }}"
    - name: Change password for default admin
      grafana_user:
        url_username: admin
        url_password: admin
        name: "Default aministrator"
        email: admin@{{ ansible_hostname }}
        login: admin
        is_admin: true
        password: '{{ grafana_root_password }}'
        state: present
      register: result
    - debug:
        msg: "{{ result }}"
```
and running the command:
```
GRAFANA_ROOT_PASSWORD=xxxx ansible-playbook fast_grafana.yaml -i inventory.oci.yml
```
but this failed with:
```
(venv) ubuntu@shieldhitrunner:~/workspace/$ GRAFANA_ROOT_PASSWORD=XXX ansible-playbook fast_grafana.yaml -i inventory.oci.yml
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Setup grafana instance] **********************************************************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************************************************************************
[WARNING]: Platform linux on host 130.61.85.231 is using the discovered Python interpreter at /usr/bin/python3.6, but future installation of another Python interpreter could change the meaning of that path.
See https://docs.ansible.com/ansible-core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [130.61.85.231]
TASK [Create new admin (using admin/admin credentials)] ********************************************************************************************************************************************************
ok: [130.61.85.231]
TASK [debug] ***************************************************************************************************************************************************************************************************
ok: [130.61.85.231] => {
    "msg": {
        "changed": false,
        "failed": false,
        "user": {
            "authLabels": null,
            "avatarUrl": "",
            "createdAt": "2022-10-07T20:10:00Z",
            "email": "********@th",
            "id": 2,
            "isDisabled": false,
            "isExternal": false,
            "isGrafanaAdmin": true,
            "login": "root",
            "name": "Aministrator",
            "orgId": 1,
            "theme": "",
            "updatedAt": "2022-10-07T20:10:00Z"
        }
    }
}
TASK [Change password for default admin] ***********************************************************************************************************************************************************************
fatal: [130.61.85.231]: FAILED! => {"changed": false, "msg": "Permission Denied"}
```
Another option would be to create a new admin and delete the default one (with admin/admin credentials). Unfortunately, newly created admin users do not have rights to add data sources and import dashboards. Their role is 'Viewer' as seen here:

This is also consistent with discussion here: https://github.com/ansible-collections/community.grafana/issues/142#issuecomment-796096167
I would welcome any ideas on how to secure a newly created grafana instance
Currently I run Grafana as a regular package installed via dnf on RHEL. The only workaround I see is to run Grafana 9 as a Docker container and use the following role to change the admin password:
```yaml
- name: Change admin password
  become: yes
  community.docker.docker_container_exec:
    container: grafana
    command: grafana-cli admin reset-admin-password {{ grafana_root_password }}
  register: result
- debug:
    msg: "{{ result }}"
```
Ping @pomverte if you have time to look at this
Could this feature request be answered with PR https://github.com/ansible-collections/community.grafana/pull/242 ?
@pomverte I don't think that relates. Checking the integration tests and the code quickly, I don't think we support password updates at all in the module. It is a dedicated endpoint in Grafana and we won't be able to compare current and new value. Some trick will be required to deal with idempotency :/
Also, this looks like a bug. The admin user should be admin and not Viewer.
@grzanka can you provide the exact Grafana version ?
@rrey it's Grafana v9.1.7 (0cbb79298d), see:

I've created a new user using following role:
```yaml
vars:
  - grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
module_defaults:
  group/community.grafana.grafana:
    url: "http://localhost:3000"
tasks:
  - name: Create new admin (using admin/admin credentials)
    grafana_user:
      url_username: admin
      url_password: admin
      name: "Aministrator"
      email: admin@{{ ansible_hostname }}
      login: root
      password: '{{ grafana_root_password }}'
      is_admin: true
      state: present
    register: result
  - debug:
      msg: "{{ result }}"
```
I'm facing the same issue, trying to configure the grafana in docker container.
I started the clean grafana container
```
$ docker-compose images grafana
Container       Repository        Tag     Image Id       Size
srv_grafana_1   grafana/grafana   9.0.3   12a88d8bec9c   290MB
$ docker-compose ps grafana
NAME            COMMAND     SERVICE   STATUS    PORTS
srv_grafana_1   "/run.sh"   grafana   running   0.0.0.0:3000->3000/tcp, :::3000->3000/tcp
```
Then I'm trying to use the grafana_user module to change the admin default password to my password. The job finishes the work with success:
```json
{
    "changed": true,
    "invocation": {
        "module_args": {
            "client_cert": null,
            "client_key": null,
            "email": "********@bar-tower",
            "grafana_url": "http://127.0.0.1:3000",
            "is_admin": true,
            "login": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "name": "Admin",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "state": "present",
            "url": "http://127.0.0.1:3000",
            "url_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "url_username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "user": {
        "authLabels": null,
        "avatarUrl": "",
        "createdAt": "2022-11-28T21:23:10Z",
        "email": "********@bar-tower",
        "id": 1,
        "isDisabled": false,
        "isExternal": false,
        "isGrafanaAdmin": true,
        "login": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
        "name": "Admin",
        "orgId": 1,
        "theme": "",
        "updatedAt": "2022-11-28T21:23:18Z"
    }
}
```
Then I'm trying to log in with my password as the admin user. Grafana doesn't let me log in and tells me that I'm using the wrong password.
But when I enter the default password admin, it lets me in.
For now I have to use the shell module with a docker-compose run command to run grafana-cli admin reset-admin-password to avoid the issue.
P.S. On the second run, the playbook tells me that the admin user update task state is not changed. But in fact, I still have to use the default password.
P.P.S. grafana-cli admin reset-admin-password works only with the --password-from-stdin argument for me. Otherwise the script finishes with OK, but the default admin password and my new password are not accepted by Grafana :shrug:
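
The following playbook is an added example, not code from the collection or from any commenter in this thread. It combines the idempotency concern raised above (the current password cannot be read back and compared) with the `--password-from-stdin` observation: it probes whether the new password already works, resets only if it does not, and keeps the secret out of the process argument list. It assumes a package install where `grafana-cli` is on the managed host's PATH and Grafana listens on `http://localhost:3000`; the `grafana_url` variable name is hypothetical.

```yaml
# Added example. Assumes grafana-cli is on the managed host (package install)
# and Grafana answers on localhost:3000 with basic auth enabled.
- name: Set Grafana admin password idempotently
  hosts: all_hosts
  become: true
  vars:
    grafana_url: "http://localhost:3000"   # hypothetical variable name
    grafana_root_password: "{{ lookup('ansible.builtin.env', 'GRAFANA_ROOT_PASSWORD') }}"
  tasks:
    - name: Refuse to continue with an empty password
      ansible.builtin.assert:
        that: grafana_root_password | length > 0
        quiet: true

    # 200 means the new password is already in place, 401 means it is not.
    - name: Probe whether the new password is already accepted
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user"
        url_username: admin
        url_password: "{{ grafana_root_password }}"
        force_basic_auth: true
        status_code: [200, 401]
      register: probe
      changed_when: false
      no_log: true

    # stdin keeps the secret out of argv, where `ps` and audit logs would see it.
    - name: Reset admin password, passing it on stdin
      ansible.builtin.command:
        cmd: grafana-cli admin reset-admin-password --password-from-stdin
        stdin: "{{ grafana_root_password }}"
      when: probe.status == 401
      no_log: true

    # Fails the play if the default credentials still work after the reset.
    - name: Confirm the default admin/admin login is rejected
      ansible.builtin.uri:
        url: "{{ grafana_url }}/api/user"
        url_username: admin
        url_password: admin
        force_basic_auth: true
        status_code: 401
      when: grafana_root_password != 'admin'
```

For a containerised Grafana, the reset task can use `community.docker.docker_container_exec` with its `stdin` option in place of `ansible.builtin.command`.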