apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Docs: Refactored Enterprise side menu (#22189)

Browse Source 
* Refactored Enterprise side menu

* Update menu.yaml

* Fixed links

* Update menu.yaml
pull/22221/head
Diana Payton 5 years ago committed by GitHub
parent d03075b811
commit 0d3d8edb92
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 450 additions and 363 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 49
      docs/sources/auth/enhanced_ldap.md
  2. 167
      docs/sources/auth/saml.md
  3. 32
      docs/sources/auth/team-sync.md
  4. 69
      docs/sources/enterprise/datasource_permissions.md
  5. 64
      docs/sources/enterprise/enhanced_ldap.md
  6. 52
      docs/sources/enterprise/reporting.md
  7. 173
      docs/sources/enterprise/saml.md
  8. 47
      docs/sources/enterprise/team-sync.md
  9. 2
      docs/sources/enterprise/white-labeling.md
  10. 40
      docs/sources/features/reporting.md
  11. 58
      docs/sources/menu.yaml
  12. 60
      docs/sources/permissions/datasource_permissions.md

49
docs/sources/auth/enhanced_ldap.md
Unescape View File

@ -10,55 +10,10 @@ parent = "authentication"
weight = 3
+++
# Enhanced LDAP Integration
# Enhanced LDAP integration
> Enhanced LDAP Integration is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
The enhanced LDAP integration adds additional functionality on top of the [existing LDAP integration]({{< relref "ldap.md" >}}).
## LDAP Group Synchronization for Teams
{{< docs-imagebox img="/img/docs/enterprise/team_members_ldap.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
With the enhanced LDAP integration it's possible to setup synchronization between LDAP groups and teams. This enables LDAP users which are members
of certain LDAP groups to automatically be added/removed as members to certain teams in Grafana. Currently the synchronization will only happen every
time a user logs in, unless Grafana 6.3 (or later) is used with active background synchronization enabled.
Grafana keeps track of all synchronized users in teams and you can see which users have been synchronized from LDAP in the team members list, see `LDAP` label in screenshot.
This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also enables you to manually add
a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
[Learn more about Team Sync]({{< relref "team-sync.md">}})
<div class="clearfix"></div>
## Active LDAP Synchronization
> Only available in Grafana Enterprise v6.3+
In the open source version of Grafana, user data from LDAP will be synchronized only during the login process when authenticating using LDAP.
With this feature you can configure Grafana to actively sync users with LDAP server(s) in the background. Role and team membership will be updated, removed users will be disabled and logged out. Only users that have logged into Grafana at least once will be synchronized.
```bash
[auth.ldap]
...
# You can use the Cron syntax or several predefined schedulers -
# @yearly (or @annually) | Run once a year, midnight, Jan. 1st | 0 0 0 1 1 *
# @monthly | Run once a month, midnight, first of month | 0 0 0 1 * *
# @weekly | Run once a week, midnight between Sat/Sun | 0 0 0 * * 0
# @daily (or @midnight) | Run once a day, midnight | 0 0 0 * * *
# @hourly | Run once an hour, beginning of hour | 0 0 * * * *
sync_cron = "0 0 1 * * *" # This is default value (At 1 am every day)
# This cron expression format uses 6 space-separated fields (including seconds), for example
# sync_cron = "* */10 * * * *"
# This will run the LDAP Synchronization every 10th minute, which is also the minimal interval between the grafana sync times i.e. you cannot set it for every 9th minute
# You can also disable active LDAP synchronization
active_sync_enabled = true # enabled by default
```
### Not compatible with Single Bind
Single Bind configuration (as in the [Single Bind Example]({{< relref "ldap.md#single-bind-example">}})) is not supported with active LDAP synchronization because Grafana needs user information to perform LDAP searches.
> Enhanced LDAP integration is only available in Grafana Enterprise. For more information, refer to [Enhanced LDAP integration]({{< relref "../enterprise/enhanced_ldap.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).

167
docs/sources/auth/saml.md
Unescape View File

@ -10,169 +10,8 @@ parent = "authentication"
weight = 5
+++
# SAML Authentication
# SAML authentication
> SAML Authentication integration is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
The SAML authentication integration allows your Grafana users to log in by using an external SAML Identity Provider (IdP). To enable this, Grafana becomes a Service Provider (SP) in the authentication flow, interacting with the IdP to exchange user information.
> Only available in Grafana v6.3+
The SAML authentication integration allows your Grafana users to log in by
using an external SAML Identity Provider (IdP). To enable this, Grafana becomes
a Service Provider (SP) in the authentication flow, interacting with the IdP to
exchange user information.
## Supported SAML
The SAML single-sign-on (SSO) standard is varied and flexible. Our implementation contains the subset of features needed to provide a smooth authentication experience into Grafana.
> Should you encounter any problems with our implementation, please don't hesitate to contact us.
At the moment of writing, Grafana supports:
1. From the Service Provider (SP) to the Identity Provider (IdP)
- `HTTP-POST` binding
- `HTTP-Redirect` binding
2. From the Identity Provider (IdP) to the Service Provider (SP)
- `HTTP-POST` binding
3. In terms of security, we currently support signed and encrypted Assertions. However, signed or encrypted requests are not supported.
4. In terms of initiation, only SP-initiated requests are supported. There's no support for IdP-initiated request.
## Set up SAML Authentication
To use the SAML integration, you need to enable SAML in the [main config file]({{< relref "../installation/configuration.md" >}}).
```bash
[auth.saml]
# Defaults to false. If true, the feature is enabled
enabled = true
# Base64-encoded public X.509 certificate. Used to sign requests to the IdP
certificate =
# Path to the public X.509 certificate. Used to sign requests to the IdP
certificate_path =
# Base64-encoded private key. Used to decrypt assertions from the IdP
private_key =
# Path to the private key. Used to decrypt assertions from the IdP
private_key_path =
# Base64-encoded IdP SAML metadata XML. Used to verify and obtain binding locations from the IdP
idp_metadata =
# Path to the SAML metadata XML. Used to verify and obtain binding locations from the IdP
idp_metadata_path =
# URL to fetch SAML IdP metadata. Used to verify and obtain binding locations from the IdP
idp_metadata_url =
# Duration, since the IdP issued a response and the SP is allowed to process it. Defaults to 90 seconds
max_issue_delay =
# Duration, for how long the SP's metadata should be valid. Defaults to 48 hours
metadata_valid_duration =
# Friendly name or name of the attribute within the SAML assertion to use as the user's name
assertion_attribute_name = displayName
# Friendly name or name of the attribute within the SAML assertion to use as the user's login handle
assertion_attribute_login = mail
# Friendly name or name of the attribute within the SAML assertion to use as the user's email
assertion_attribute_email = mail
```
Important to note:
- like any other Grafana configuration, use of [environment variables for these options is supported]({{< relref "../installation/configuration.md#using-environment-variables" >}})
- only one form of configuration option is required. Using multiple forms, e.g. both `certificate` and `certificate_path` will result in an error
## Grafana Configuration
An example working configuration example looks like:
```bash
[auth.saml]
enabled = true
certificate_path = "/path/to/certificate.cert"
private_key_path = "/path/to/private_key.pem"
metadata_path = "/my/metadata.xml"
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_name = displayName
assertion_attribute_login = mail
assertion_attribute_email = mail
```
And here is a comprehensive list of the options:
| Setting | Required | Description | Default |
| ----------------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------- | ------------- |
| `enabled` | No | Whenever SAML authentication is allowed | `false` |
| `certificate` or `certificate_path` | Yes | Base64-encoded string or Path for the SP X.509 certificate | |
| `private_key` or `private_key_path` | Yes | Base64-encoded string or Path for the SP private key | |
| `idp_metadata` or `idp_metadata_path` or `idp_metadata_url` | Yes | Base64-encoded string, Path or URL for the IdP SAML metadata XML | |
| `max_issue_delay` | No | Duration, since the IdP issued a response and the SP is allowed to process it | `90s` |
| `metadata_valid_duration` | No | Duration, for how long the SP's metadata should be valid | `48h` |
| `assertion_attribute_name` | No | Friendly name or name of the attribute within the SAML assertion to use as the user's name | `displayName` |
| `assertion_attribute_login` | No | Friendly name or name of the attribute within the SAML assertion to use as the user's login handle | `mail` |
| `assertion_attribute_email` | No | Friendly name or name of the attribute within the SAML assertion to use as the user's email | `mail` |
### Cert and Private Key
The SAML SSO standard uses asymmetric encryption to exchange information between the SP (Grafana) and the IdP. To perform such encryption, you need a public part and a private part. In this case, the X.509 certificate provides the public part, while the private key provides the private part.
Grafana supports two ways of specifying both the `certificate` and `private_key`. Without a suffix (e.g. `certificate=`), the configuration assumes you've supplied the base64-encoded file contents. However, if specified with the `_path` suffix (e.g. `certificate_path=`) Grafana will treat it as a file path and attempt to read the file from the file system.
### IdP Metadata
Expanding on the above, we'll also need the public part from our IdP for message verification. The SAML IdP metadata XML tells us where and how we should exchange the user information.
Currently, we support three ways of specifying the IdP metadata. Without a suffix `idp_metadata=` Grafana assumes base64-encoded XML file contents, with the `_path` suffix assumes a file path and attempts to read the file from the file system and with the `_url` suffix assumes an URL and attempts to load the metadata from the given location.
### Max Issue Delay
Prevention of SAML response replay attacks and internal clock skews between the SP (Grafana), and the IdP is covered. You can set a maximum amount of time between the IdP issuing a response and the SP (Grafana) processing it.
The configuration options is specified as a duration e.g. `max_issue_delay = 90s` or `max_issue_delay = 1h`
### Metadata valid duration
As an SP, our metadata is likely to expire at some point, e.g. due to a certificate rotation or change of location binding. Grafana allows you to specify for how long the metadata should be valid. Leveraging the standard's `validUntil` field, you can tell consumers until when your metadata is going to be valid. The duration is computed by adding the duration to the current time.
The configuration option is specified as a duration e.g. `metadata_valid_duration = 48h`
## Identity Provider (IdP) registration
For the SAML integration to work correctly, you need to make the IdP aware of the SP.
The integration provides two key endpoints as part of Grafana:
- The `/saml/metadata` endpoint. Which contains the SP's metadata. You can either download and upload it manually or make the IdP request it directly from the endpoint. Some providers name it Identifier or Entity ID.
- The `/saml/acs` endpoint. Which is intended to receive the ACS (Assertion Customer Service) callback. Some providers name it SSO URL or Reply URL.
## Assertion mapping
During the SAML SSO authentication flow, we receive the ACS (Assertion Customer Service) callback. The callback contains all the relevant information of the user under authentication embedded in the SAML response. Grafana parses the response to create (or update) the user within its internal database.
For Grafana to map the user information, it looks at the individual attributes within the assertion. You can think of these attributes as Key/Value pairs (although, they contain more information than that).
Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.
An example is `assertion_attribute_name = "givenName"` where Grafana looks within the assertion for an attribute with a friendly name or name of `givenName`. Both, the friendly name (e.g. `givenName`) or the name (e.g. `urn:oid:2.5.4.42`) can be used interchangeably as the value for the configuration option.
## Troubleshooting
To troubleshoot and get more log info enable saml debug logging in the [main config file]({{< relref "../installation/configuration.md" >}}).
```bash
[log]
filters = saml.auth:debug
```
> SAML authentication integration is only available in Grafana Enterprise v6.3 or later. For more information, refer to [SAML authentication]({{< relref "../enterprise/saml.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).

32
docs/sources/auth/team-sync.md
Unescape View File

@ -10,39 +10,17 @@ parent = "authentication"
weight = 5
+++
# Team Sync
> Team Sync is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
{{< docs-imagebox img="/img/docs/enterprise/team_members_ldap.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
# Team sync
With the Team Sync it's possible to setup synchronization between your auth providers teams and teams in Grafana. This enables LDAP or GitHub OAuth users which are members
of certain teams/groups to automatically be added/removed as members to certain teams in Grafana. Currently the synchronization will only happen every
time a user logs in, unless LDAP is used together with active background synchronization that was added in Grafana 6.3.
{{< docs-imagebox img="/img/docs/enterprise/team_members_ldap.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
Grafana keeps track of all synchronized users in teams and you can see which users have been synchronized in the team members list, see `LDAP` label in screenshot.
This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership (for example) changes. This mechanism also enables you to manually add
a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership (for example) changes. This mechanism also enables you to manually add a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
<div class="clearfix"></div>
### Enable synchronization for a team
{{< docs-imagebox img="/img/docs/enterprise/team_add_external_group.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
1. Navigate to Configuration / Teams.
2. Select a team.
3. Select the External group sync tab and click on the `Add group` button.
4. Insert the value of the group you want to sync with. This becomes what Grafana denominates as a `GroupID`.
- Using LDAP as an example, this is the LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
- Using Auth Proxy as an example, this is the value we receive as part of the custom `Groups` header.
5. Click on `Add group` button to save.
### Supported Providers
* [LDAP]({{< relref "enhanced_ldap.md#ldap-group-synchronization-for-teams" >}})
* [GitHub OAuth]({{< relref "github.md#team-sync-enterprise-only" >}})
* [GitLab OAuth]({{< relref "gitlab.md#team-sync-enterprise-only" >}})
* [Auth Proxy]({{< relref "auth-proxy.md#team-sync-enterprise-only">}})
> Team Sync is only available in Grafana Enterprise. For more information, refer to [Team sync]({{< relref "../enterprise/team-sync.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).

69
docs/sources/enterprise/datasource_permissions.md
Unescape View File

@ -0,0 +1,69 @@
+++
title = "Data source permissions"
description = "Grafana Datasource Permissions Guide "
keywords = ["grafana", "configuration", "documentation", "datasource", "permissions", "users", "teams", "enterprise"]
type = "docs"
[menu.docs]
name = "Datasource"
identifier = "datasource-permissions"
parent = "enterprise"
weight = 4
+++
# Data source permissions
> Only available in Grafana Enterprise.
Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific **Users** and **Teams**.
## Restricting Access - Enable Permissions
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_enable.gif" >}}
By default, permissions are disabled for data sources and a data source in an organization can be queried by any user in
that organization. For example a user with `Viewer` role can still issue any possible query to a data source, not just
those queries that exist on dashboards he/she has access to.
When permissions are enabled for a data source in an organization you will restrict admin and query access for that
data source to [admin users]({{< relref "../permissions/organization_roles/#admin-role" >}}) in that organization.
**To enable permissions for a data source:**
1. Navigate to Configuration / Data Sources.
2. Select the data source you want to enable permissions for.
3. Select the Permissions tab and click on the `Enable` button.
<div class="clearfix"></div>
## Allow users and teams to query a data source
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_add.gif" >}}
After you have [enabled permissions](#restricting-access-enable-permissions) for a data source you can assign query
permissions to users and teams which will allow access to query the data source.
**Assign query permission to users and teams:**
1. Navigate to Configuration / Data Sources.
2. Select the data source you want to assign query permissions for.
3. Select the Permissions tab.
4. click on the `Add Permission` button.
5. Select Team/User and find the team/user you want to allow query access and click on the `Save` button.
<div class="clearfix"></div>
## Restore Default Access - Disable Permissions
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}}
If you have enabled permissions for a data source and want to return data source permissions to the default, i.e.
data source can be queried by any user in that organization, you can disable permissions with a click of a button.
Note that all existing permissions created for data source will be deleted.
**Disable permissions for a data source:**
1. Navigate to Configuration / Data Sources.
2. Select the data source you want to disable permissions for.
3. Select the Permissions tab and click on the `Disable Permissions` button.
<div class="clearfix"></div>

64
docs/sources/enterprise/enhanced_ldap.md
Unescape View File

@ -0,0 +1,64 @@
+++
title = "Enhanced LDAP Integration"
description = "Grafana Enhanced LDAP Integration Guide "
keywords = ["grafana", "configuration", "documentation", "ldap", "active directory", "enterprise"]
type = "docs"
[menu.docs]
name = "Enhanced LDAP"
identifier = "enhanced-ldap"
parent = "enterprise"
weight = 3
+++
# Enhanced LDAP integration
> Only available in Grafana Enterprise.
The enhanced LDAP integration adds additional functionality on top of the existing [LDAP integration]({{< relref "../auth/ldap.md" >}}).
## LDAP Group Synchronization for Teams
{{< docs-imagebox img="/img/docs/enterprise/team_members_ldap.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
With the enhanced LDAP integration it's possible to setup synchronization between LDAP groups and teams. This enables LDAP users which are members
of certain LDAP groups to automatically be added/removed as members to certain teams in Grafana. Currently the synchronization will only happen every
time a user logs in, unless Grafana v6.3 (or later) is used with active background synchronization enabled.
Grafana keeps track of all synchronized users in teams and you can see which users have been synchronized from LDAP in the team members list, see `LDAP` label in screenshot.
This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also enables you to manually add
a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
[Learn more about Team Sync]({{< relref "team-sync.md">}})
<div class="clearfix"></div>
## Active LDAP Synchronization
> Only available in Grafana Enterprise v6.3+
In the open source version of Grafana, user data from LDAP will be synchronized only during the login process when authenticating using LDAP.
With this feature you can configure Grafana to actively sync users with LDAP servers in the background. Role and team membership will be updated, removed users will be disabled and logged out. Only users that have logged into Grafana at least once will be synchronized.
```bash
[auth.ldap]
...
# You can use the Cron syntax or several predefined schedulers -
# @yearly (or @annually) | Run once a year, midnight, Jan. 1st | 0 0 0 1 1 *
# @monthly | Run once a month, midnight, first of month | 0 0 0 1 * *
# @weekly | Run once a week, midnight between Sat/Sun | 0 0 0 * * 0
# @daily (or @midnight) | Run once a day, midnight | 0 0 0 * * *
# @hourly | Run once an hour, beginning of hour | 0 0 * * * *
sync_cron = "0 0 1 * * *" # This is default value (At 1 am every day)
# This cron expression format uses 6 space-separated fields (including seconds), for example
# sync_cron = "* */10 * * * *"
# This will run the LDAP Synchronization every 10th minute, which is also the minimal interval between the Grafana sync times i.e. you cannot set it for every 9th minute
# You can also disable active LDAP synchronization
active_sync_enabled = true # enabled by default
```
### Not compatible with Single Bind
Single Bind configuration (as in the [Single Bind Example]({{< relref "../auth/ldap.md#single-bind-example">}})) is not supported with active LDAP synchronization because Grafana needs user information to perform LDAP searches.

52
docs/sources/enterprise/reporting.md
Unescape View File

@ -0,0 +1,52 @@
+++
title = "Reporting"
description = ""
keywords = ["grafana", "reporting"]
type = "docs"
aliases = ["/docs/grafana/latest/administration/reports"]
[menu.docs]
parent = "enterprise"
weight = 8
+++
# Reporting
> Only available in Grafana Enterprise v6.4+.
Reporting allows you to generate PDFs from any of your Dashboards and have them sent out to interested parties on a schedule.
{{< docs-imagebox img="/img/docs/enterprise/reports_list.png" max-width="500px" class="docs-image--no-shadow" >}}
## Dashboard as a Report
With Reports there are a few things to keep in mind, most importantly, any changes you make to the Dashboard used in a report will be reflected in the report. If you change the time range in the Dashboard the time range will be the same in the report as well.
## Setup
> SMTP must be configured for reports to be sent
### Rendering
> Reporting requires the [rendering plugin]({{< relref "../administration/image_rendering.md#grafana-image-renderer-plugin" >}}).
Reporting with the built-in image rendering is not supported. We recommend installing the image renderer plugin.
## Usage
{{< docs-imagebox img="/img/docs/enterprise/reports_create_new.png" max-width="500px" class="docs-image--no-shadow" >}}
Currently only Organisation Admins can create reports. To get to report click on the reports icon in the side menu. This will allow you to list, create and update your reports.
| Setting | Description |
| --------------|------------------------------------------------------------------ |
| Name | name of the Report |
| Dashboard | what dashboard to generate the report from |
| Recipients | emails of the people who will receive this report |
| ReplyTo | your email address, so that the recipient can respond |
| Message | message body in the email with the report |
| Schedule | how often do you want the report generated and sent |
## Debugging errors
If you have problems with the reporting feature you can enable debug logging by switching the logger to debug (`filters = report:debug`). Learn more about making configuration changes [here]({{< relref "../installation/configuration.md#filters" >}}).

173
docs/sources/enterprise/saml.md
Unescape View File

@ -0,0 +1,173 @@
+++
title = "SAML Authentication"
description = "Grafana SAML Authentication"
keywords = ["grafana", "saml", "documentation", "saml-auth"]
aliases = ["/docs/grafana/latest/auth/saml/"]
type = "docs"
[menu.docs]
name = "SAML"
parent = "authentication"
weight = 5
+++
# SAML authentication
> Only available in Grafana Enterprise v6.3+.
The SAML authentication integration allows your Grafana users to log in by using an external SAML Identity Provider (IdP). To enable this, Grafana becomes a Service Provider (SP) in the authentication flow, interacting with the IdP to exchange user information.
## Supported SAML
The SAML single-sign-on (SSO) standard is varied and flexible. Our implementation contains the subset of features needed to provide a smooth authentication experience into Grafana.
> Should you encounter any problems with our implementation, please don't hesitate to contact us.
Grafana supports:
* From the Service Provider (SP) to the Identity Provider (IdP)
- `HTTP-POST` binding
- `HTTP-Redirect` binding
* From the Identity Provider (IdP) to the Service Provider (SP)
- `HTTP-POST` binding
* In terms of security, we currently support signed and encrypted Assertions. However, signed or encrypted requests are not supported.
* In terms of initiation, only SP-initiated requests are supported. There's no support for IdP-initiated request.
## Set up SAML authentication
To use the SAML integration, you need to enable SAML in the [main config file]({{< relref "../installation/configuration.md" >}}).
```bash
[auth.saml]
# Defaults to false. If true, the feature is enabled
enabled = true
# Base64-encoded public X.509 certificate. Used to sign requests to the IdP
certificate =
# Path to the public X.509 certificate. Used to sign requests to the IdP
certificate_path =
# Base64-encoded private key. Used to decrypt assertions from the IdP
private_key =
# Path to the private key. Used to decrypt assertions from the IdP
private_key_path =
# Base64-encoded IdP SAML metadata XML. Used to verify and obtain binding locations from the IdP
idp_metadata =
# Path to the SAML metadata XML. Used to verify and obtain binding locations from the IdP
idp_metadata_path =
# URL to fetch SAML IdP metadata. Used to verify and obtain binding locations from the IdP
idp_metadata_url =
# Duration, since the IdP issued a response and the SP is allowed to process it. Defaults to 90 seconds
max_issue_delay =
# Duration, for how long the SP's metadata should be valid. Defaults to 48 hours
metadata_valid_duration =
# Friendly name or name of the attribute within the SAML assertion to use as the user's name
assertion_attribute_name = displayName
# Friendly name or name of the attribute within the SAML assertion to use as the user's login handle
assertion_attribute_login = mail
# Friendly name or name of the attribute within the SAML assertion to use as the user's email
assertion_attribute_email = mail
```
Important to note:
- Like any other Grafana configuration, use of [environment variables for these options is supported]({{< relref "../installation/configuration.md#using-environment-variables" >}})
- Only one form of configuration option is required. Using multiple forms, e.g. both `certificate` and `certificate_path` will result in an error
## Grafana configuration
Example working configuration:
```bash
[auth.saml]
enabled = true
certificate_path = "/path/to/certificate.cert"
private_key_path = "/path/to/private_key.pem"
metadata_path = "/my/metadata.xml"
max_issue_delay = 90s
metadata_valid_duration = 48h
assertion_attribute_name = displayName
assertion_attribute_login = mail
assertion_attribute_email = mail
```
Available options:
| Setting | Required | Description | Default |
| ----------------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------- | ------------- |
| `enabled` | No | Whenever SAML authentication is allowed | `false` |
| `certificate` or `certificate_path` | Yes | Base64-encoded string or Path for the SP X.509 certificate | |
| `private_key` or `private_key_path` | Yes | Base64-encoded string or Path for the SP private key | |
| `idp_metadata` or `idp_metadata_path` or `idp_metadata_url` | Yes | Base64-encoded string, Path or URL for the IdP SAML metadata XML | |
| `max_issue_delay` | No | Duration, since the IdP issued a response and the SP is allowed to process it | `90s` |
| `metadata_valid_duration` | No | Duration, for how long the SP's metadata should be valid | `48h` |
| `assertion_attribute_name` | No | Friendly name or name of the attribute within the SAML assertion to use as the user's name | `displayName` |
| `assertion_attribute_login` | No | Friendly name or name of the attribute within the SAML assertion to use as the user's login handle | `mail` |
| `assertion_attribute_email` | No | Friendly name or name of the attribute within the SAML assertion to use as the user's email | `mail` |
### Cert and private key
The SAML SSO standard uses asymmetric encryption to exchange information between the SP (Grafana) and the IdP. To perform such encryption, you need a public part and a private part. In this case, the X.509 certificate provides the public part, while the private key provides the private part.
Grafana supports two ways of specifying both the `certificate` and `private_key`. Without a suffix (e.g. `certificate=`), the configuration assumes you've supplied the base64-encoded file contents. However, if specified with the `_path` suffix (e.g. `certificate_path=`) Grafana will treat it as a file path and attempt to read the file from the file system.
### IdP metadata
Expanding on the above, we'll also need the public part from our IdP for message verification. The SAML IdP metadata XML tells us where and how we should exchange the user information.
Currently, we support three ways of specifying the IdP metadata. Without a suffix `idp_metadata=` Grafana assumes base64-encoded XML file contents, with the `_path` suffix assumes a file path and attempts to read the file from the file system and with the `_url` suffix assumes an URL and attempts to load the metadata from the given location.
### Max issue delay
Prevention of SAML response replay attacks and internal clock skews between the SP (Grafana), and the IdP is covered. You can set a maximum amount of time between the IdP issuing a response and the SP (Grafana) processing it.
The configuration options is specified as a duration e.g. `max_issue_delay = 90s` or `max_issue_delay = 1h`
### Metadata valid duration
As an SP, our metadata is likely to expire at some point, e.g. due to a certificate rotation or change of location binding. Grafana allows you to specify for how long the metadata should be valid. Leveraging the standard's `validUntil` field, you can tell consumers until when your metadata is going to be valid. The duration is computed by adding the duration to the current time.
The configuration option is specified as a duration e.g. `metadata_valid_duration = 48h`
## Identity provider (IdP) registration
For the SAML integration to work correctly, you need to make the IdP aware of the SP.
The integration provides two key endpoints as part of Grafana:
- The `/saml/metadata` endpoint. Which contains the SP's metadata. You can either download and upload it manually or make the IdP request it directly from the endpoint. Some providers name it Identifier or Entity ID.
- The `/saml/acs` endpoint. Which is intended to receive the ACS (Assertion Customer Service) callback. Some providers name it SSO URL or Reply URL.
## Assertion mapping
During the SAML SSO authentication flow, we receive the ACS (Assertion Customer Service) callback. The callback contains all the relevant information of the user under authentication embedded in the SAML response. Grafana parses the response to create (or update) the user within its internal database.
For Grafana to map the user information, it looks at the individual attributes within the assertion. You can think of these attributes as Key/Value pairs (although, they contain more information than that).
Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.
An example is `assertion_attribute_name = "givenName"` where Grafana looks within the assertion for an attribute with a friendly name or name of `givenName`. Both, the friendly name (e.g. `givenName`) or the name (e.g. `urn:oid:2.5.4.42`) can be used interchangeably as the value for the configuration option.
## Troubleshooting
To troubleshoot and get more log info enable saml debug logging in the [main config file]({{< relref "../installation/configuration.md" >}}).
```bash
[log]
filters = saml.auth:debug
```

47
docs/sources/enterprise/team-sync.md
Unescape View File

@ -0,0 +1,47 @@
+++
title = "Team sync"
description = "Grafana Team Sync"
keywords = ["grafana", "auth", "documentation"]
aliases = ["/docs/grafana/latest/auth/saml/"]
type = "docs"
[menu.docs]
name = "Team sync"
parent = "enterprise"
weight = 5
+++
# Team sync
> Only available in Grafana Enterprise.
{{< docs-imagebox img="/img/docs/enterprise/team_members_ldap.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
With the Team Sync it's possible to setup synchronization between your auth providers teams and teams in Grafana. This enables LDAP or GitHub OAuth users which are members
of certain teams/groups to automatically be added/removed as members to certain teams in Grafana. Currently the synchronization will only happen every
time a user logs in, unless LDAP is used together with active background synchronization that was added in Grafana 6.3.
Grafana keeps track of all synchronized users in teams and you can see which users have been synchronized in the team members list, see `LDAP` label in screenshot.
This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership (for example) changes. This mechanism also enables you to manually add a user as member of a team and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
<div class="clearfix"></div>
### Enable synchronization for a team
{{< docs-imagebox img="/img/docs/enterprise/team_add_external_group.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" >}}
1. Navigate to Configuration / Teams.
2. Select a team.
3. Select the External group sync tab and click on the `Add group` button.
4. Insert the value of the group you want to sync with. This becomes what Grafana denominates as a `GroupID`.
- Using LDAP as an example, this is the LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
- Using Auth Proxy as an example, this is the value we receive as part of the custom `Groups` header.
5. Click on `Add group` button to save.
### Supported Providers
* [LDAP]({{< relref "enhanced_ldap.md#ldap-group-synchronization-for-teams" >}})
* [GitHub OAuth]({{< relref "../auth/github.md#team-sync-enterprise-only" >}})
* [GitLab OAuth]({{< relref "../auth/gitlab.md#team-sync-enterprise-only" >}})
* [Auth Proxy]({{< relref "../auth/auth-proxy.md#team-sync-enterprise-only">}})

2
docs/sources/enterprise/white-labeling.md
Unescape View File

@ -12,7 +12,7 @@ weight = 5
# White labeling
> Only available in Grafana Enterprise v6.6+. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
> Only available in Grafana Enterprise v6.6+.
{{< docs-imagebox img="/img/docs/v66/whitelabeling_1.png" max-width="800px" caption="White labeling example" >}}

40
docs/sources/features/reporting.md
Unescape View File

@ -11,44 +11,8 @@ weight = 8
# Reporting
> Reporting is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
> Only available in Grafana v6.4+
Reporting allows you to generate PDFs from any of your Dashboards and have them sent out to interested parties on a schedule.
Reporting allows you to generate PDFs from any of your dashboards and have them sent out to interested parties on a schedule.
{{< docs-imagebox img="/img/docs/enterprise/reports_list.png" max-width="500px" class="docs-image--no-shadow" >}}
## Dashboard as a Report
With Reports there are a few things to keep in mind, most importantly, any changes you make to the Dashboard used in a report will be reflected in the report. If you change the time range in the Dashboard the time range will be the same in the report as well.
## Setup
> SMTP must be configured for reports to be sent
### Rendering
> Reporting requires the [rendering plugin]({{< relref "../administration/image_rendering.md#grafana-image-renderer-plugin" >}}).
Reporting with the built-in image rendering is not supported. We recommend installing the image renderer plugin.
## Usage
{{< docs-imagebox img="/img/docs/enterprise/reports_create_new.png" max-width="500px" class="docs-image--no-shadow" >}}
Currently only Organisation Admins can create reports. To get to report click on the reports icon in the side menu. This will allow you to list, create and update your reports.
| Setting | Description |
| --------------|------------------------------------------------------------------ |
| Name | name of the Report |
| Dashboard | what dashboard to generate the report from |
| Recipients | emails of the people who will receive this report |
| ReplyTo | your email address, so that the recipient can respond |
| Message | message body in the email with the report |
| Schedule | how often do you want the report generated and sent |
## Debugging errors
If you have problems with the reporting feature you can enable debug logging by switching the logger to debug (`filters = report:debug`). Learn more about making configuration changes [here]({{< relref "../installation/configuration.md#filters" >}}).
> Reporting is only available in Grafana Enterprise, v6.4 or later. For more information, refer to [Reporting]({{< relref "../enterprise/reporting.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).

58
docs/sources/menu.yaml
Unescape View File

@ -1,3 +1,12 @@
- name: Getting started
link: /guides/
children:
- name: Getting started
link: /guides/getting_started/
- name: Intro to time series
link: /guides/timeseries/
- name: Glossary
link: /guides/glossary/
- name: Installation
link: /installation/
children:
@ -68,15 +77,6 @@
link: /administration/provisioning/
- name: Troubleshooting
link: /installation/troubleshooting/
- name: Getting Started
link: /guides/
children:
- name: Getting Started
link: /guides/getting_started/
- name: Glossary
link: /guides/glossary/
- name: Screencasts
link: /tutorials/screencasts/
- name: Features
link: /features/
children:
@ -232,38 +232,38 @@
- name: Overview
link: /enterprise/
- name: Reporting
link: /features/reporting/
link: /enterprise/reporting/
- name: Data source permissions
link: /permissions/datasource_permissions/
- link: /auth/enhanced_ldap/
name: Enhanced LDAP
- link: /auth/saml/
name: SAML
- link: /auth/team-sync/
name: Team Sync
- link: /enterprise/white-labeling/
name: White labeling
- link: /enterprise/license-expiration/
name: License expiration
link: /enterprise/datasource_permissions/
- name: Enhanced LDAP
link: /enterprise/enhanced_ldap/
- name: SAML authentication
link: /enterprise/saml/
- name: Team sync
link: /enterprise/team-sync/
- name: White labeling
link: /enterprise/white-labeling/
- name: License expiration
link: /enterprise/license-expiration/
- name: Tutorials
link: /tutorials/
children:
- name: Running Grafana behind a reverse proxy
- name: Run Grafana behind a reverse proxy
link: /installation/behind_proxy/
- name: 'API Tutorial: How To Create API Tokens And Dashboards For A Specific Organization'
link: /tutorials/api_org_token_howto/
- name: Grafana with IIS Reverse Proxy on Windows
- name: Run Grafana with IIS Reverse Proxy on Windows
link: /tutorials/iis/
- name: How To integrate Hubot and Grafana
- name: Integrate Hubot and Grafana
link: /tutorials/hubot_howto/
- name: Setup Grafana for High availability
- name: Set up Grafana for High availability
link: /tutorials/ha_setup/
- name: Plugins
link: /plugins/
children:
- name: Install Plugins
- name: Install plugins
link: /plugins/installation/
- name: Develop Plugins
- name: Develop plugins
link: /plugins/developing/
children:
- link: /plugins/developing/development/
@ -291,6 +291,8 @@
- name: HTTP API
link: /http_api/
children:
- name: API Authentication
link: /http_api/auth/
- name: Admin
link: /http_api/admin/
- name: Alerting
@ -299,8 +301,6 @@
link: /http_api/alerting_notification_channels/
- name: Annotations
link: /http_api/annotations/
- name: Authentication HTTP API
link: /http_api/auth/
- name: Dashboard
link: /http_api/dashboard/
- name: Dashboard Permissions

60
docs/sources/permissions/datasource_permissions.md
Unescape View File

@ -10,62 +10,8 @@ parent = "permissions"
weight = 4
+++
# Data Source Permissions
# Data source permissions
> Data source permissions is only available in Grafana Enterprise. Read more about [Grafana Enterprise]({{< relref "../enterprise" >}}).
Data source permissions allow you to restrict access for users to query a data source. For each data source there is a permission page that allows you to enable permissions and restrict query permissions to specific **Users** and **Teams**.
Data source permissions allows you to restrict access for users to query a data source. For each data source there is
a permission page that makes it possible to enable permissions and restrict query permissions to specific
**Users** and **Teams**.
## Restricting Access - Enable Permissions
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_enable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_enable.gif" >}}
By default, permissions are disabled for data sources and a data source in an organization can be queried by any user in
that organization. For example a user with `Viewer` role can still issue any possible query to a data source, not just
those queries that exist on dashboards he/she has access to.
When permissions are enabled for a data source in an organization you will restrict admin and query access for that
data source to [admin users]({{< relref "../permissions/organization_roles/#admin-role" >}}) in that organization.
**To enable permissions for a data source:**
1. Navigate to Configuration / Data Sources.
2. Select the data source you want to enable permissions for.
3. Select the Permissions tab and click on the `Enable` button.
<div class="clearfix"></div>
## Allow users and teams to query a data source
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_add_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_add.gif" >}}
After you have [enabled permissions](#restricting-access-enable-permissions) for a data source you can assign query
permissions to users and teams which will allow access to query the data source.
**Assign query permission to users and teams:**
1. Navigate to Configuration / Data Sources.
2. Select the data source you want to assign query permissions for.
3. Select the Permissions tab.
4. click on the `Add Permission` button.
5. Select Team/User and find the team/user you want to allow query access and click on the `Save` button.
<div class="clearfix"></div>
## Restore Default Access - Disable Permissions
{{< docs-imagebox img="/img/docs/enterprise/datasource_permissions_disable_still.png" class="docs-image--no-shadow docs-image--right" max-width= "600px" animated-gif="/img/docs/enterprise/datasource_permissions_disable.gif" >}}
If you have enabled permissions for a data source and want to return data source permissions to the default, i.e.
data source can be queried by any user in that organization, you can disable permissions with a click of a button.
Note that all existing permissions created for data source will be deleted.
**To disable permissions for a data source:**
1. Navigate to Configuration / Data Sources.
2. Select the data source you want to disable permissions for.
3. Select the Permissions tab and click on the `Disable Permissions` button.
<div class="clearfix"></div>
> Data source permissions are only available in Grafana Enterprise. For more information, refer to [Data source permissions]({{< relref "../enterprise/datasource_permissions.md" >}}) in [Grafana Enterprise]({{< relref "../enterprise" >}}).

Write Preview
Loading…
Cancel
Save