
Secure grafana-image-renderer

Open logiserv opened this issue 4 years ago • 8 comments

What would you like to be added: Secure HTTP access to grafana-image-renderer docker

Why is this needed: I run grafana-image-renderer successfully, externally to Grafana; I run it in Docker on Google Cloud Run. I want to secure access to the Docker HTTP output. Can I add user/password or IP/DNS sources to access grafana-image-renderer? How do I modify the rendering section of grafana.ini if I can add user/password access?

logiserv avatar Apr 28 '20 11:04 logiserv

I haven't tried, but think you should be able to do this:

[rendering]
server_url = http://<user>:<password>@<host>:<port>/render

marefr avatar Apr 29 '20 10:04 marefr

Is only Basic Authentication possible? Isn't Basic Authentication deprecated? Is an argument (with user/password) possible when we launch the grafana-image-renderer docker?

logiserv avatar Apr 29 '20 13:04 logiserv

Yeah currently. To validate basic auth you still have to have a reverse proxy in front, the image renderer doesn't support validating basic auth.

marefr avatar Apr 29 '20 14:04 marefr
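
The reverse-proxy check described in the comment above, as an added example that is not part of the original thread or the grafana-image-renderer project: a small Go proxy that validates HTTP Basic credentials in constant time and forwards only authenticated requests to the renderer. The environment variable names (`RENDERER_URL`, `PROXY_USER`, `PROXY_PASS`), the listen port and the function names are assumptions made for this sketch.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// sameSecret compares in constant time; hashing first equalizes lengths.
func sameSecret(got, want string) bool {
	g, w := sha256.Sum256([]byte(got)), sha256.Sum256([]byte(want))
	return subtle.ConstantTimeCompare(g[:], w[:]) == 1
}

// requireBasicAuth rejects any request lacking the expected credentials
// before it reaches next (the proxied renderer).
func requireBasicAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		// Evaluate both comparisons so timing does not reveal which field failed.
		userOK, passOK := sameSecret(u, user), sameSecret(p, pass)
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="renderer"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // do not pass credentials upstream
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed env vars; the renderer itself should listen only on a private address.
	upstream, err := url.Parse(os.Getenv("RENDERER_URL")) // e.g. http://127.0.0.1:8081
	if err != nil || upstream.Host == "" {
		log.Fatal("RENDERER_URL must be an absolute URL")
	}
	user, pass := os.Getenv("PROXY_USER"), os.Getenv("PROXY_PASS")
	if user == "" || pass == "" {
		log.Fatal("PROXY_USER and PROXY_PASS must be set") // fail closed
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", requireBasicAuth(user, pass, proxy)))
}
```

Basic credentials are only base64-encoded on the wire, so this listener belongs behind TLS.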

Would a secret sent as HTTP header from Grafana to Image Renderer service and validated solve your problem? Something I've been thinking about.

marefr avatar Apr 29 '20 14:04 marefr

This is what I want (Google Sign-in section): https://cloud.google.com/run/docs/authenticating/end-users#using_google_sign-in https://developers.google.com/identity/sign-in/web/ Include the ID token in an Authorization: Bearer ID_TOKEN header in the request to the service

logiserv avatar Apr 29 '20 15:04 logiserv

@marefr sorry for my English... not what I want, but what you would make, please. Perhaps arguments for the docker, user=$User and password=$Password, can be a first step? And User/Password in the Rendering section of grafana.ini? A second step with a few other authentications (at least Bearer Authentication) in the docker's arguments and the Rendering section of grafana.ini?

logiserv avatar May 01 '20 14:05 logiserv

FYI including user and password in the server_url does not work, you still get redirected to /login.

pmenglund avatar Jul 02 '20 20:07 pmenglund

> Would a secret sent as HTTP header from Grafana to Image Renderer service and validated solve your problem? Something I've been thinking about.

Sorry about resurrecting an old thread, but this is exactly what I need. I can generate a Bearer token from the reverse proxy in front of the Grafana instance that will give the renderer service callback permissions.

elliotmr avatar May 17 '23 15:05 elliotmr