02. 07. 2019 Damiano Chini Log-SIEM, NetEye

Proxy Authentication with Grafana 6.2

Until now, authentication of NetEye users on Grafana was achieved by means of session cookies, which were provided by the Grafana server when authenticating in Icinga Web 2. However, with the upgrade of Grafana from version 5.2 to version 6.2, we can no longer employ this authentication procedure because Grafana has discontinued the use of session cookies for the various security issues that they have caused in recent years.

In particular, while Grafana 5.2 was in use, logging in to Grafana via NetEye happened through an authentication webhook, which forwarded the username of the authenticated Icinga Web 2 user to Grafana, which then returned a session cookie. And to keep the user authenticated in Grafana, the session cookie was simply included in every subsequent request to the Grafana server.

What happens now in Grafana 6.2 is that session cookies are no longer provided by the Grafana server, and so the Grafana session cannot be maintained anymore by using cookies.

After investigating the issue, we discovered that it is still possible to keep the user authenticated in Grafana by including in every request to Grafana the X-WEBAUTH-USER HTTP header, which in our case specifies who is the user authenticated on Icinga Web 2. To make this happen, it is necessary to capture every request sent by the browser and modify it in order to add the X-WEBAUTH-USER header.

With this information in hand, we managed to maintain user sessions with Grafana by introducing a PHP proxy that intercepts and processes all requests directed to the Grafana server, forwards the modified requests to the server, and outputs the reply coming from Grafana, as shown in the picture below.

In addition, as a security requirement, our PHP proxy removes any X-WEBAUTH-USER HTTP header specified in the original request coming from the user. This is done because we obviously do not want to grant access to Grafana to any user that specifies an X-WEBAUTH-USER header, but just those who have been authenticated by Icinga Web 2.

Damiano Chini

Damiano Chini

Author

Damiano Chini

Latest posts by Damiano Chini

15. 02. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.34
05. 01. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.32
05. 01. 2024 Bug Fixes, NetEye
Bug Fixes for NetEye 4.33
31. 12. 2023 Development, DevOps, NetEye
Speeding up the NetEye CI Testing Phase
29. 12. 2023 Development, NetEye
Reusing Code Logic between NetEye and Alyvix
See All

Related Content

Tags: , ,

22. 12. 2023 ITOA, NetEye

Hostgroup Ping Dashboard

Hostgroups are a grouping of hosts with similar characteristics such as geographical location, type, severity, environment, operating system, applications and much more. Hostgroups can be created for multiple purposes such as: Grouping hosts with common characteristics to view them as Read More
07. 08. 2023 Business Service Monitoring, ITOA, NetEye

From Icinga 2 Monitoring to ITOA

Scenario NetEye 4 is a comprehensive monitoring platform which natively supports Icinga 2 checks on remote hosts and devices. Several Icinga 2 checks support an historical view of the status. An example is the firewall interface performance status below, which Read More
09. 06. 2023 ITOA, NetEye

Monitoring, Collection of Metrics and Dashboard of the NetEye Database

As you all know NetEye uses MariaDB as its database. With the nep-monitoring-core module of the NetEye Extension Packs (NEP), the following aspects of MariaDB are monitored: connection-time open-files running-threads uptime total-threads These checks are performed with a default time Read More
06. 06. 2023 NetEye, Service Management

SSSD for Active Directory Authentication

We all know that NetEye can grant access to its Web Interface through local users, or through the use of LDAP queries that can filter and grant GUI access to users or groups of a given Active Directory domain. What Read More
03. 05. 2023 Anomaly Detection, ITOA, NetEye

A Simple Grafana Data Source for Outlier Detection (POC) – Part 2

In my previous post, we saw how it's possible to build a simple Grafana Data Source Plugin, which we can use to read data from whatever source we'd like to use. In particular, we used it to read data from Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive