Enable GitHub auth for m2lines grafana #1830

Merged (1 commit) on Nov 2, 2022

sgibson91
Member

fixes #1803

This is deployed and works!

root_url: https://grafana.m2lines.2i2c.cloud
auth.github:
enabled: true
allow_sign_up: true
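
Review bot: `allow_sign_up: true` under `auth.github` appears in these lines without an `allowed_organizations` or `team_ids` entry, so the hunk alone does not show who is permitted to sign in. If that restriction is set elsewhere in the same block, a short comment next to `allow_sign_up` pointing to it would document the intent; if it is not, add one before enabling sign-up, because this option auto-creates a Grafana user for every login that GitHub authentication accepts.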
Member Author

The docs said to set this to false but I noticed it was set to true for the leap hub. Also, if we use false we would probably need to ask the comm. rep. to set up something like a GitHub team so that not just anyone can sign in and view the boards. This would add back-and-forth to the setup though, unless we do this explicitly as a part of #1806

Member Author

Tbf, this would ultimately be fixed if we instead authenticate against JupyterHub and allow hub admins to see the dashboards... Which could be a part of #535? I'm not sure...

sgibson91 requested a review from a team on October 28, 2022 10:42
sgibson91 self-assigned this on Oct 28, 2022
@yuvipanda
Member

@sgibson91 does this allow anyone to sign up?

@sgibson91
Member Author

sgibson91 commented Oct 28, 2022

@yuvipanda ok, I'm not sure. I believe so. This is the same config as is on the leap hubs and Ryan confirmed access there, but he is also a member of the 2i2c org, right? We might need someone not a member to test...

@sgibson91
Member Author

@yuvipanda The alternative is to create a team in the m2lines org and add the people who want to access these boards and then add that team to this config.

@yuvipanda
Member

@sgibson91 What we can do is:

  1. Grant access to just the 2i2c-org github team members
  2. Use that access to invite the community rep (Grafana does similar things as hub does, see https://grafana.com/docs/grafana/latest/administration/user-management/manage-org-users/)
  3. Community rep can then invite other users this way.

How does that sound?

@sgibson91
Member Author

@yuvipanda So I changed allow_sign_up: false, redeployed, then signed in as the admin user. But I can't find an option to invite a new user. I can create one and set a password for them, is that the same thing?

Screenshot 2022-10-28 at 19 32 55

Screenshot 2022-10-28 at 19 33 42

Clicking on "New User" above takes me to the below screen

Screenshot 2022-10-28 at 19 33 49

@GeorgianaElena
Member

GeorgianaElena commented Oct 31, 2022

A few thoughts from me:

1. allow_sign_up option

> @sgibson91 does this (i.e. allow_sign_up) allow anyone to sign up?

The docs say the following:

> You may allow users to sign-up via GitHub authentication by setting the allow_sign_up option to true.
> When this option is set to true, any user successfully authenticating via GitHub authentication will be
> automatically signed up.

So, from what I experienced so far and what I understand, the allow_sign_up automatically creates Grafana users for the users that successfully authenticated via GitHub. Otherwise, I believe an admin would have to first manually create a user in Grafana for them, before them logging in. So, it's ok to be set to true, and I believe the docs should be updated.

2. The invite option

> But I can't find an option to invite a new user. I can create one and set a password for them, is that the same thing?

I believe the invite is in the users config section at https://grafana.m2lines.2i2c.cloud/org/users
Screenshot 2022-10-31 at 12 07 15

3. Moving forward

I propose to move the discussion around best ways to provide access to cluster grafanas in another issue so these two aspects don't block on each other and to have more structure in these discussions.

There is also another issue about this same aspect #1570 which we could help unblock in the process. Unfortunately I now realize that we didn't solve the support request part of it, and the uwhackweeks folks might still not have their access :(

@sgibson91
Member Author

sgibson91 commented Oct 31, 2022

> The docs say the following:
>
> > You may allow users to sign-up via GitHub authentication by setting the allow_sign_up option to true.
> > When this option is set to true, any user successfully authenticating via GitHub authentication will be
> > automatically signed up.
>
> So, from what I experienced so far and what I understand, the allow_sign_up automatically creates Grafana users for the users that successfully authenticated via GitHub. Otherwise, I believe an admin would have to first manually create a user in Grafana for them, before them logging in. So, it's ok to be set to true, and I believe the docs should be updated.

But if "successfully authenticated via GitHub" means "anyone with a GitHub account", then I don't think it's ok to set this to true. I think we need to figure out if Ryan successfully got access to LEAP's grafana because he is a member of the 2i2c GitHub org, and therefore this config wouldn't work for other community reps that aren't also 2i2c members (we would need them to set up a specific team). Maybe the UW Hackweeks hub will be a good testbed for this?

@GeorgianaElena
Member

> But if "successfully authenticated via GitHub" means "anyone with a GitHub account", then I don't think it's ok to set this to true. I think we need to figure out if Ryan successfully got access to LEAP's grafana because he is a member of the 2i2c GitHub org, and therefore this config wouldn't work for other community reps that aren't also 2i2c members (we would need them to set up a specific team). Maybe the UW Hackweeks hub will be a good testbed for this?

@sgibson91, I just tested this using a test GitHub user and also checked the grafana pod logs. We should be safe, and only have 2i2c org be allowed
Screenshot 2022-10-31 at 12 49 19

Screenshot 2022-10-31 at 12 52 47
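
The question settled in the exchange above (does `allow_sign_up: true` admit anyone with a GitHub account?) depends on whether `[auth.github]` also carries an organization or team restriction. As an added example, not part of this PR or the 2i2c repository, here is a check over a rendered `grafana.ini`; the sample configs, the `example-org` name and the function name are constructed for illustration.

```python
import configparser

# Constructed samples of a rendered grafana.ini; "example-org" is a placeholder.
OPEN_SIGNUP = """
[server]
root_url = https://grafana.example.org

[auth.github]
enabled = true
allow_sign_up = true
"""

ORG_RESTRICTED = """
[auth.github]
enabled = true
allow_sign_up = true
allowed_organizations = example-org
"""

EXISTING_ONLY = """
[auth.github]
enabled = true
allow_sign_up = false
"""

# Grafana options that limit which GitHub accounts may log in.
RESTRICTIONS = ("allowed_organizations", "team_ids")


def github_signup_exposure(ini_text):
    """Return "disabled", "existing-users-only", "restricted" or "open"."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.github"):
        return "disabled"
    gh = cfg["auth.github"]
    if not gh.getboolean("enabled", fallback=False):
        return "disabled"
    # A missing allow_sign_up is treated as true: the conservative reading.
    if not gh.getboolean("allow_sign_up", fallback=True):
        return "existing-users-only"  # accounts must be created or invited first
    if any(gh.get(key, "").strip() for key in RESTRICTIONS):
        return "restricted"  # auto-created, but only for listed orgs or teams
    return "open"  # any GitHub account gets a Grafana user on first login
```

Only the `"open"` result matches the concern raised in the thread; `"restricted"` corresponds to the behaviour confirmed with the test GitHub user.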

@GeorgianaElena
Member

> How do you get to that page from the homepage? I can see the "Invite" option if I click directly on the link you sent, but I cannot find how to get to that page. All pages I come across only have the "New user" option. https://scribehow.com/shared/Trying_to_find_Invite_option_on_Grafana__GzOzUdEoQCOMMwsqUrvlsg

From the settings icon, then Users option:
Screenshot 2022-10-31 at 13 17 27

@sgibson91
Member Author

I'm going to deploy/merge this one as-is for now so we can at least respond on the support ticket, and have opened this issue for more discussion:

sgibson91 merged commit 74b06d5 into 2i2c-org:master on Nov 2, 2022
sgibson91 deleted the m2lines-grafana-github branch on November 2, 2022 10:40
@github-actions

github-actions bot commented Nov 2, 2022

🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/3376833996


Successfully merging this pull request may close these issues.

Update m2lines grafana