User identity authentication in configuration UI #569
Conversation
kostrse
changed the title
There was a problem hiding this comment.
Initial testing on this with grafana/grafana-azure-sdk-go#32 and grafana/grafana#50277 has been unsuccessful. With the necessary updates to appropriately configure user-based auth there are some issues:
- The default auth is set to
Current User, however with theclusterUrlvalue set the schema cannot be reloaded until the auth type option has been reselected. - Attempting to reload the schema leads to the error:
invalid Azure configuration: user identity authentication is not supported by this datasource
The only configuration I've added is to set user_auth_enabled to true. All other parameters needed should be pulled from the existing auth.azuread configuration for OBO.
Additionally, setting the authType to Current User should present the user with an alert describing the feature as experimental and highlighting that certain features will be broken, particularly alerting. An InlineBanner component should suffice for the details here.
I will double check, if there's some UI-specific bug in the behavior of the form, I will see what can be done.
I think because you need this in // Allow user identity authentication for this datasource if it's configured in Grafana config
authOpts.AllowUserIdentity()Datasource needs to explicitly enable support for user identity auth. This is security precaution, e.g. if a datasource isn't designed to properly isolate cache etc., then user identity auth should not be possible. Plus add 3rd argument 'false' to These changes are not included into existing PRs because they need to be introduced in correct order and will be added later.
If you add the
I will add alert message. I hope you should be able to make it work end to end. Each PR is self-containing and responsible for specific parts, so we can get back to this UI PR later, after we finish the backend part. The first PR which I want merge is this one: This will allow me to release a new version of SDK |
|
Added the experimental banner and documentation page. JsonData: {
"azureCredentials":
{
"authType": "currentuser"
},
"clusterUrl": "https://example.kusto.windows.net",
"dataConsistency": "strongconsistency",
"defaultEditorMode": "visual",
"oauthPassThru": true
} |
There was a problem hiding this comment.
I've added some additional comments on the wording. Ideally, we'd like to be as specific as possible with what may or may not work right now so that we don't confuse users and cause ourselves to receive unexpected issue reports.
Also, the form still doesn't behave as expected because the hasCredentials function needs to be updated to take into account the fact that current user auth does not require any additional properties 😊
Co-authored-by: Andreas Christou <andreas.christou@grafana.com>
Co-authored-by: Andreas Christou <andreas.christou@grafana.com>
Logic of typeof options.jsonData.azureCredentials === 'object' ||
(typeof options.jsonData.tenantId === 'string' && typeof options.jsonData.clientId === 'string')If This considered as having credentials: {
"azureCredentials": {
"..."
}
} |
|
Yep I checked the logic beforehand. The problem is when a user creates a new datasource the current user auth method is the default method but it is not actually set in the |
This bug is not specific to user auth. |
# Conflicts: # src/components/ConfigEditor/index.tsx
This PR adds "Current User" as an authentication option for the datasource.
The option is available to the user only if user identity authentication was enabled in Grafana config (see grafana/grafana#50277). It can be enabled as default via feature flag
adxUserIdentityPreferred.Fixes #381