pangeo-cloud-federation

Enable GitHub Auth for Grafana

Open salvis2 opened this issue 4 years ago • 6 comments

Should we enable GitHub auth for Grafana on any hub that will use it?

It could be separate for each hub but could easily live in pangeo-deploy/values.yaml and be consistent for all hubs where monitoring is enabled. I could make anyone in the pangeo-data organization an Editor in Grafana, since you can anonymously get in as a Viewer (at least by default on the GCP hub).

salvis2 avatar Aug 26 '20 20:08 salvis2

Just to clarify, GitHub auth would just be needed for updating the charts? We'd still allow anonymous viewing?

TomAugspurger avatar Aug 26 '20 20:08 TomAugspurger

> Just to clarify, GitHub auth would just be needed for updating the charts? We'd still allow anonymous viewing?

Do you mean the Helm charts for Grafana? Or the charts in Grafana, i.e. any of the visualizations? No for the former, yes for the latter. We could also use GitHub auth for general login and remove anonymous viewing.

salvis2 avatar Aug 26 '20 21:08 salvis2

Yes, I meant grafana visualizations. Too many "charts" :)

TomAugspurger avatar Aug 26 '20 21:08 TomAugspurger

So you could automatically give access to edit Grafana charts via GitHub login. You could also have GitHub login for the basic access, disable anonymous access, and manually elevate people to Editors (I don't think that persists through new helm installs though). I think the nicest thing about allowing people in pangeo-data to edit Grafana charts is that they can test things before submitting PRs to the config so that things persist between helm installs. And just the ability to try it out.

salvis2 avatar Aug 26 '20 21:08 salvis2

Yep that all sounds good to me.


TomAugspurger avatar Aug 26 '20 21:08 TomAugspurger

The one thing I need for that which I can't get right now is a GitHub OAuth app, which should require "Owner" status in pangeo-data. I'd either need to get elevated there or have someone else set up the app and contribute it to https://github.com/pangeo-data/pangeo-cloud-federation/pull/679.

Alternatively, Grafana does support Auth0: https://grafana.com/docs/grafana/latest/auth/generic-oauth/#set-up-oauth2-with-auth0

salvis2 avatar Aug 26 '20 21:08 salvis2
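
The setup discussed in this thread (anonymous Viewer access, GitHub login restricted to pangeo-data, Editor role on login), sketched as Grafana Helm chart values. This is an added example, not configuration from the thread or from pangeo-deploy; the `grafana:` nesting, the hostname and the Secret name are assumptions.

```yaml
# Added example: values for the Grafana Helm chart, not taken from pangeo-deploy.
# Assumption: Grafana is configured under a top-level `grafana:` key; adjust the
# nesting to wherever the Grafana subchart sits in pangeo-deploy/values.yaml.
grafana:
  # Assumption: a Kubernetes Secret named grafana-github-oauth (hypothetical
  # name), created out of band, holding GF_AUTH_GITHUB_CLIENT_ID and
  # GF_AUTH_GITHUB_CLIENT_SECRET so the OAuth credentials stay out of git.
  envFromSecret: grafana-github-oauth
  grafana.ini:
    server:
      # Placeholder hostname. The OAuth app's callback URL must be
      # <root_url>/login/github.
      root_url: https://grafana.example.org/
    auth.anonymous:
      # Keep read-only anonymous access, as discussed in the thread.
      # Set enabled to false to require GitHub login for viewing as well.
      enabled: true
      org_role: Viewer
    auth.github:
      enabled: true
      allow_sign_up: true
      # read:org is needed so Grafana can check organization membership.
      scopes: user:email,read:org
      auth_url: https://github.com/login/oauth/authorize
      token_url: https://github.com/login/oauth/access_token
      api_url: https://api.github.com/user
      # Only members of this GitHub organization can log in.
      allowed_organizations: pangeo-data
    users:
      # Role given to accounts created at first login. With the restriction
      # above, pangeo-data members become Editors.
      auto_assign_org_role: Editor
```

`auto_assign_org_role` applies to every newly created account regardless of login method, so the Editor grant is only as tight as the `allowed_organizations` restriction.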