Performance Co-Pilot supports the following authentication mechanisms through the SASL authentication framework: plain
, login
, digest-md5
, scram-sha-256
and gssapi
.
This guide shows how to setup authentication using the scram-sha-256
authentication mechanism and a local user database.
Note
Authentication methods login
, digest-md5
and scram-sha-256
require PCP 5.1.0 or later.
Install the following package, which provides support for the scram-sha-256
authentication method:
$ sudo dnf install -y cyrus-sasl-scram
$ sudo apt-get install -y libsasl2-modules-gssapi-mit
First, open the /etc/sasl2/pmcd.conf
file and specify the supported authentication mechanism and the path to the user database:
mech_list: scram-sha-256
sasldb_path: /etc/pcp/passwd.db
Then create a new unix user (in this example pcptestuser
) and add it to the user database:
$ sudo useradd -r pcptestuser
$ sudo saslpasswd2 -a pmcd pcptestuser
Note
For every user in the user database, a unix user with the same name must exist.
The passwords of the unix user and the /etc/pcp/passwd.db
database are not synchronized,
and (only) the password of the saslpasswd2
command is used for authentication.
Make sure that the permissions of the user database are correct (readable only by root and the pcp user):
$ sudo chown root:pcp /etc/pcp/passwd.db
$ sudo chmod 640 /etc/pcp/passwd.db
Finally, restart pmcd and pmproxy:
$ sudo systemctl restart pmcd pmproxy
To test if the authentication is set up correctly, execute the following command:
$ pminfo -f -h "pcp://127.0.0.1?username=pcptestuser" disk.dev.read
Go to the Grafana datasource settings, enable Basic auth, and enter the username and password. Click the Save & Test button to check if the authentication is working.
Note
Due to security reasons, the access mode Browser is not supported with authentication.