[tor-bugs] #30023 [Internal Services/Tor Sysadmin Team]: improve grafana authentication

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 4 17:18:29 UTC 2019


#30023: improve grafana authentication
-----------------------------------------------------+--------------------
     Reporter:  anarcat                              |      Owner:  tpa
         Type:  task                                 |     Status:  new
     Priority:  Medium                               |  Milestone:
    Component:  Internal Services/Tor Sysadmin Team  |    Version:
     Severity:  Normal                               |   Keywords:
Actual Points:                                       |  Parent ID:  #29681
       Points:                                       |   Reviewer:
      Sponsor:                                       |
-----------------------------------------------------+--------------------
 the grafana server is now set up (#29684) but there are still issues
 regarding authentication. we might want to grant access to other users
 than the admin one, for example.

 the original idea was to do the same "anonymous authentication" setup as
 for Prometheus, except something came up during deployment that made me
 question that strategy. it was raised while considering deployment of
 third-party exporters:

 > something regarding authentication came up through a third-party scraper
 > deployment, in #29863. there were concerns the node exporter would leak
 > information that could be exploited for side-channel attacks. the node
 > exporter is firewalled, but then all that data is made available on
 > the prometheus server protected only by a trivial password. they will make
 > an assessment of the exposed data and see if the additional authentication
 > burden is worth the risk.

 if we do not go with "anon" authentication, we could connect the Grafana
 server with LDAP, but then it means it might go down if the LDAP server
 crashes, which is a problem for a monitoring server, obviously.

 in any case, users need to be configured through Puppet, which they
 currently are not. this is partly related to secrets management and
 generation in Puppet, which is also discussed in #30009.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30023>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

