New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth proxy does not work since version 6 #16319
Comments
Strange, in what way is it not working? Any errors? |
api work ok: Immediately after entering the page - logout. There are no errors in the logs: |
We have been seen the exact same behaviour on our test deployment |
The problem is a bit more complicated. nginx.conf: worker_processes 1; http {
} Configuration of grafana above, Logs for 5.4.3:request1: response1: HTTP/1.1 200 OK request2: GET http://localhost/api/dashboards/home HTTP/1.1 response2: {"meta":{"isHome":true,"canSave":false,"canEdit":false,"canAdmin":false,"canStar":false,"slug":"","url":"","expires":"0001-01-01T00:00:00Z","created":"0001-01-01T00:00:00Z","updated":"0001-01-01T00:00:00Z","updatedBy":"","createdBy":"","version":0,"hasAcl":false,"isFolder":false,"folderId":0,"folderTitle":"General","folderUrl":"","provisioned":false},"dashboard":{"annotations":{"list":[]},"editable":true,"folderId":null,"gnetId":null,"graphTooltip":0,"hideControls":true,"id":null,"links":[],"panels":[{"content":"\u003cdiv class="text-center dashboard-header"\u003e\n \u003cspan\u003eHome Dashboard\u003c/span\u003e\n\u003c/div\u003e","editable":true,"gridPos":{"h":3,"w":24,"x":0,"y":0},"id":1,"links":[],"mode":"html","style":{},"title":"","transparent":true,"type":"text"},{"folderId":0,"gridPos":{"h":17,"w":12,"x":0,"y":6},"headings":true,"id":3,"limit":4,"links":[],"query":"","recent":true,"search":false,"starred":true,"tags":[],"title":"","transparent":false,"type":"dashlist"},{"editable":true,"error":false,"gridPos":{"h":17,"w":12,"x":12,"y":6},"id":4,"links":[],"title":"","transparent":false,"type":"pluginlist"}],"rows":[],"schemaVersion":16,"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":"now-6h","to":"now"},"timepicker":{"hidden":true,"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"],"type":"timepicker"},"timezone":"browser","title":"Home","version":0}} Everything works fine. Logs for 6.1.3:request1: response1: request2: GET http://localhost:81/api/dashboards/home HTTP/1.1 response2: {"message":"Unauthorized"} |
I think we can provide a clearer explanation of the bug. It all starts when the browser requests something like http(s)://${proxy_domain}/${proxy_path}/d/${dashboard_id}/${dashboard_name}?${some_parameters}. Our expectation, and the behaviour observed in previous versions of grafana, is that in response to such request, grafana replies with appropriate content, but including in the response headers a cookie containing some grafana session id. Now in recent versions of grafana that behaviuor changed, or broke, if you prefer. The response to the initial request (the request containing the x-webauth-user header that loads the grafana client code in the browser) does not include a cookie with the session id in the headers on grafana versions greater than 6.x. The cookie with the session id eventualy comes backs to the browser after a few requests that the grafana client code sends to the grafana API, such as /api/dashboards/uid/${dashboard_id} and /api/login/ping. So, if the reverse proxy includes the x-webauth-user header in every request, the proxy authentication works. In our application, the initial request includes in the query string a parameter that is inspected by our reverse proxy code to authorize the request. Our reverse proxy code only adds the x-webauth-user header if the query string parameter includes said additional parameter and it has a valid value. But of course the grafana client code is unaware of our reverse proxy authorization scheme and will not include our additional query string parameter in requests it sends to the grafana server. Therefore it is important for us that the initial request (the request that loads the grafana client code in the browser) be replied by the grafana server including the session id cookie needed to authorize subsequent requests. |
Thanks @juanmaz12 for this explanation. I just spent hours trying to figure out the root cause for this regression. Thanks! Yi |
That is very interesting, great investigation. That the auth proxy worked before without having auth proxy headers included in every request is new to us and definitely a bug , auth proxy is intended to proxy all requests. |
We use auth proxy in exactly the same way as @juanmaz12 and are having the same problems. In fact, I believe several examples for autologin (Status screens hanging on the wall) in the issues here show this exact use case. As a workaround, I managed to get it working again by setting a cookie and testing for the cookies existence. I used this addition to my apache configuration. Requires Apache2.4 or higher.
|
Another way of seeing the issue... |
We got same issue here, we are using link with token to rewrite grafana url with auth_proxy user header. |
We are facing same issue where /api/ call is giving status=400 when we are trying to save existing dashboard. Could you please suggest what could be wrong in our case? |
are you always passing the auth proxy header? |
Yes. We are passing auth proxy header always. Still when we try to save dashboard its giving status=400 |
@advaitvdeo HTTP400 means some of params (not headers) you're passing are missing or malformed. Check message in body to get more info about which param. |
If it helps the grafana folks in here, a lot of people are using a variation of this #3752 (comment) for their reverse proxy setup. Basically, we only want to include the auth proxy header (X-WEBAUTH-USER) if the request provides some authentication information. For the example above, the initial request to grafana is signed with some query parameters and the reverse proxy only includes the header if the signature matches the request. Since the API calls that follow the initial load don't include those parameters, and grafana 6.x does not behave the same with cookies as 5.x did and (as @juanmaz12 pointed out) access is denied. |
Created a new feature request to track the interest in a feature to mix auth proxy and Grafana's login tokens,. #17316 |
Any workaround for this issue? Have the same trouble with Grafana v6.3.2 |
So is there a plan when will fix this issue? Have to retrun to 5.X version now.... |
Just have the auth proxy proxy all urls not just login |
But this is fixed in 6.5 or 6.6 , |
@torkelo same configuration works on 5.X version, but doesn't work on 7.0.4. So this may be a regression bug? |
Tested versions:
Auth proxy working OK:
5.4.3
Auth proxy not working:
6.0.2
6.1.0-beta1
6.1.0-9a7577a1pre
grafana.ini:
[users]
allow_sign_up = true
allow_org_create = false
auto_assign_org = true
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false
ldap_sync_ttl = 60
using nginx proxy, config:
proxy_set_header X-WEBAUTH-USER $user;
proxy_pass http://localhost:3000;
The text was updated successfully, but these errors were encountered: