Grafana authentication plugins

Grafana supports multiple authentication plugins, in addition to built-in username and password authentication.

On Managed Service for TimescaleDB, Grafana supports Google, GitHub, and GitLab authentication. You can configure authentication integration using the Aiven command-line client.

Integrate Google authentication plugin

To integrate Google authentication with Grafana service on Managed Service for TimecaleDB, you need to create your Google OAuth keys, and make a note of your client ID and client secret.

Integrating Google authentication plugin

1. In the Aiven Client, connect to your Managed Service for TimescaleDB service.

2. Switch to the project that contains the Grafana service you want to integrate:

   avn switch <PROJECT>

3. List the services in the project, and make a note of the Grafana service that you want to integrate, listed under SERVICE_NAME column in the output.

   avn service list

4. Get the details of the service that you want to integrate:

   avn service get <SERVICE_NAME>

5. Integrate the plugin with your service using the <CLIENT_ID>, and <CLIENT_SECRET> from your Google developer console:

   avn service update -c auth_google.allowed_domains=<G-SUITE_DOMAIN>\
   -c auth_google.client_id=<CLIENT_ID>\
   -c auth_google.client_secret=<CLIENT_SECRET><SERVICE_NAME>

6. Log in to Grafana with your service credentials.

7. Navigate to Configuration → Plugins and verify that the Google OAuth application is listed as a plugin.

note

When you allow sign-ups using -c auth_google.allow_sign_up=true option, by default each new user is created with viewer permissions, and added to their own newly created organizations. To specify different permissions, use -c user_auto_assign_org_role=ROLE_NAME. To add all new users to the main organization, use -c user_auto_assign_org=true option.

Integrate GitHub authentication plugin

To integrate GitHub authentication with Grafana service on Managed Service for TimecaleDB, you need to create your GitHub OAuth application, and make a note of your client ID and client secret.

Integrating GitHub authentication plugin

1. In the Aiven Client, connect to your Managed Service for TimescaleDB service.

2. Switch to the project that contains the Grafana service you want to integrate:

   avn switch <PROJECT>

3. List the services in the project, and make a note of the Grafana service that you want to integrate, listed under SERVICE_NAME column in the output.

   avn service list

4. Get the details of the service that you want to integrate:

   avn service get <SERVICE_NAME>

5. Integrate the plugin with your service using the <CLIENT_ID>, and <CLIENT_SECRET> from your GitHub OAuth application:

   avn service update -c auth_github.client_id=<CLIENT_ID>\
   -c auth_github.client_secret=<CLIENT_SECRET> <SERVICE_NAME>

6. Log in to Grafana with your service credentials.

7. Navigate to Configuration → Plugins. The Plugins page lists GitHub OAuth application for the Grafana instance.

note

When you allow sign-ups using -c auth_github.allow_sign_up=true option, by default each new user is created with viewerpermission and added to their own newly created organizations. To specify different permissions, use -c user_auto_assign_org_role=ROLE_NAME. To add all new users to the main organization, use -c user_auto_assign_org=true option.

Integrate GitLab authentication plugin

To integrate GitLab authentication with Grafana service on Managed Service for TimecaleDB, you need to create your GitLab OAuth application, and make a note of your client ID, client secret and GitLab groups.

If you use your own instance of GitLab instead of gitlab.com, then you need to set the following:

• auth_gitlab.api_url
• auth_github.auth_url
• auth_github.token_url

Integrating GitLab authentication plugin

1. In the Aiven Client, connect to your Managed Service for TimescaleDB service.

2. Switch to the project that contains the Grafana service you want to integrate:

   avn project switch <PROJECT>

3. List the services in the project, and make a note of the Grafana service that you want to integrate, listed under SERVICE_NAME column in the output.

   avn service list

4. Get the details of the service that you want to integrate:

   avn service get <SERVICE_NAME>

5. Integrate the plugin with your service using the <CLIENT_ID>, <CLIENT_SECRET>, and <GITLAB_GROUPS> from your GitLab OAuth application:

   avn service update -c auth_gitlab.client_id=<CLIENT_ID>\
   -c auth_gitlab.client_secret=<CLIENT_SECRET>\
   -c auth_gitlab.allowed_groups=<GITLAB_GROUPS> <SERVICE_NAME>

6. Log in to Grafana with your service credentials.

7. Navigate to Configuration → Plugins. The Plugins page lists GitLab OAuth application for the Grafana instance.

note

When you allow sign-ups using -c auth_gitlab.allow_sign_up=true option, by default each new user is created with viewerpermission and added to their own newly created organizations. To specify different permissions, use -c user_auto_assign_org_role=ROLE_NAME. To add all new users to the main organization, use -c user_auto_assign_org=true option.