Grafana auto_sign_up with Pomerium Identity

alex · March 30, 2022, 3:31pm

View in #support on Slack

@Sara_Jarjoura: question on the docs for Grafana - https://www.pomerium.com/guides/grafana.html
why doesn’t the guide use the auto_sign_up flag to create new users when you authenticate with JWT? is there some technical barrier to doing that?

Grafana | Pomerium

maybe the answer is it wasn’t implemented at the time of writing, but it was implemented as of January
https://github.com/grafana/grafana/pull/43502/files

@Bobby: Yeah – that’s new to me. Seems like a neat feature if it fits your needs / don’t want to pre-enroll users.

@Sara_Jarjoura: yeah if I can get mine working I’d be happy to contribute a PR for the docs
still working on it though

@Bobby: > why doesn’t the guide use the auto_sign_up
I think you nailed it, I think we just didn’t know about it.

I do think that not all users may want that behavior, but it would be cool to show it to make the process easier.

@Sara_Jarjoura: the wording around rolling your own integration under “Manage Access at Scale” is misleading now since it implies there is no way to do this in the config

@Alex: @Sara_Jarjoura can confirm that wasn’t an option (that I saw) when I wrote that guide. Regarding “manage access at scale”, that would be a great place to contribute this new knowledge

@Sara_Jarjoura: got it - yes I’m happy to do that once I get it working, so far I’m still running into the invalid jwt
is signing_key a required config when enabling JWT on the Pomerium side? per the manual verification step it sounds like it is
if it is required that should be added to the Grafana guide as well

@Alex: Sorry for the delayed responses, I was travelling yesterday. signing key was another thing that changed during/after I wrote that guide. It used to be created by default if not explicitly set in config, but I believe we now suggest defining it if you’re going to use the JWT for any user verification past the proxy.
If you’re already working on a PR I’ll wait to see it, otherwise I can take a pass at updating this guide today. Just LMK so we don’t duplicate effort.

@Sara_Jarjoura: I haven’t started a PR yet, the auto_sign_up functionality seems broken since I can see the user gets logged in if I create the user in advance, but if I delete the user I still get invalid JWT
this works even if I don’t have signing key defined on the proxy
I 100% want to get this working with auto_sign_up, I am not intending to create every user in advance
there is a very similar issue on Grafana’s discussion forum
https://community.grafana.com/t/jwt-authentication-issue-in-grafana/61201/8
but it was never resolved

Grafana Labs Community Forums: JWT Authentication issue in Grafana

@Alex: …This is starting to ring some bells. I’ll clear the cobwebs off my PoC Grafana instance and see what I can figure out. As an aside, I just finished providing edits to your databroker PR, I think it’s ready.
It’s hard to keep track of all the idiosyncrasies that come with each piece of software users may want to integrate into Pomerium, so please excuse any memory fog on my part.

@Sara_Jarjoura: hooray! re databroker PR
understandable re the various docs that have been kindly provided by Pomerium for integration
I’m wondering since Name is a required field and Pomerium does not provide a name claim whether that might be the issue
I’m going to try specifying name_claim = sub and see if that helps

@Alex: meanwhile I’m going to see if I left myself enough secure access on my home network to even get to my Grafana config.

@Sara_Jarjoura: lol - shutdown -r now ftw

@Alex: @Sara_Jarjoura what IdP are you using? Have you inspected the identity header with httpbin as discussed in other threads? Any chance I could take a look at part of it, to compare what claims are being offered?

@Sara_Jarjoura: Google - yes I have, and sure

@Alex: Feel free to DM and redact

@Sara_Jarjoura: ok

@Alex: you can use jwt.io to decode the blob httpbin gives you

@Sara_Jarjoura: sent
btw I found this thread which seemed promising but no luck
https://github.com/grafana/grafana/issues/2357
I disabled basic auth and still got invalid JWT

@Alex: Thanks - so I’m also using Google, and I also don’t have a name field in the JWT, though I do in the one provided by Google to Pomerium. This line from Grafana’s docs:
If auto_sign_up is enabled, then the sub claim is used as the "external Auth ID". The name claim is used as the user's full name if it is present.
…makes me think that it’s the lack of name field that’s preventing auto_sign_up from working. Lemme bring this back in-house and see what we can make of it.

@Sara_Jarjoura: is there a way to easily convert this thread into a discuss forum post? it seems worth it to continue there
I probably should have done that from the beginning but thought it would’ve been scoped narrowly enough

@Alex: In fact, there is! One moment while I do the needful.

@Sara_Jarjoura: woot thank you!

saranicole · March 30, 2022, 4:05pm

My current configuration

Grafana.ini

[log]
level = debug
[auth.basic]
enabled = false
[analytics]
check_for_updates = true
[auth.jwt]
auto_sign_up = true
cache_ttl = 60m
email_claim = email
enabled = true
header_name = X-Pomerium-Jwt-Assertion
jwk_set_url = https://authenticate.ops.dev.sw.io/.well-known/pomerium/jwks.json
name_claim = name
username_claim = sub
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[users]
allow_sign_up = false
auto_assign_org = true
auto_assign_org_role = Editor

Helm Values

authenticate:
  existingTLSSecret: pomerium-tls
  idp:
    clientID: ${client_id}
    clientSecret: ${client_secret}
    provider: google
    serviceAccount: ${service_account}
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-pomerium
      ingress.pomerium.io/service_proxy_upstream: "true"
    tls:
      secretName: authenticate-tools-tls
authorize:
  existingTLSSecret: pomerium-tls
config:
  authenticate_service_url: https://authenticate.ops.dev.sw.io
  autocert: false
  existingCASecret: pomerium-tls
  generateTLS: false
  insecure: false
  jwt_claims_headers: email,name
  rootDomain: ops.dev.sw.io
databroker:
  existingTLSSecret: pomerium-tls
  storage:
    clientTLS:
      existingCASecretKey: ca.crt
      existingSecretName: pomerium-redis-tls
    connectionString: rediss://pomerium-redis-master.tools.svc.cluster.local
    tlsSkipVerify: true
    type: redis
extraEnv:
  AUTOCERT: false
  JWT_CLAIMS_HEADERS: email,name
forwardAuth:
  enabled: false
ingress:
  enabled: false
ingressController:
  enabled: true
  image:
    tag: v0.16.1
  namespaces:
  - tools
  - monitoring
proxy:
  existingTLSSecret: pomerium-tls
redis:
  auth:
    enabled: false
  enabled: true
  generateTLS: false
  master:
    disableCommands: []
  replica:
    disableCommands: []
  tls:
    certificateSecret: pomerium-redis-tls
    enabled: true
  usePassword: false

Config.yaml

autocert: false
dns_lookup_family: V4_ONLY
address: :443
grpc_address: :443
certificate_authority_file: "/pomerium/ca/ca.crt"
certificates:
authenticate_service_url: https://authenticate.ops.dev.sw.io
authorize_service_url: https://pomerium-authorize.tools.svc.cluster.local
databroker_service_url: https://pomerium-databroker.tools.svc.cluster.local
idp_provider: google
idp_scopes:
idp_provider_url:
idp_client_id: ${client_id}
idp_client_secret: ${client_secret}
idp_service_account: ${service_account}
databroker_storage_tls_skip_verify: true
routes:

Grafana Logs:

t=2022-03-30T16:04:30+0000 lvl=dbug msg="Parsing JSON Web Token" logger=auth.jwt
t=2022-03-30T16:04:30+0000 lvl=dbug msg="Getting key set from endpoint" logger=auth.jwt url=https://authenticate.ops.dev.sw.io/.well-known/pomerium/jwks.json
t=2022-03-30T16:04:30+0000 lvl=dbug msg="Trying to verify JSON Web Token using a key" logger=auth.jwt
t=2022-03-30T16:04:30+0000 lvl=dbug msg="Validating JSON Web Token claims" logger=auth.jwt
t=2022-03-30T16:04:30+0000 lvl=dbug msg="Failed to find user using JWT claims" logger=context email_claim=sara@sw.com username_claim=<<numbers>>
t=2022-03-30T16:04:30+0000 lvl=eror msg="Invalid JWT" logger=context error="invalid username or password"
t=2022-03-30T16:04:30+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=401 remote_addr=10.0.8.126 time_ms=70 size=31 referer=

saranicole · March 30, 2022, 7:23pm

Resolved! This was a Dumb Thing™ - I was installing Grafana v8.3.6 when I needed Grafana > v8.4.0 . With the correct more recent version of Grafana installed, this works like a charm. Only thing I will note is that I had to set extraEnv.JWT_CLAIMS_HEADERS equal to email,name to get the Name field populated, the config.jwt_claims_headers: email,name alone didn’t seem to cut it. I’m happy to upvote a request to add this so that we can easily get a Name claim populated in the JWT request.

As a follow-up I will submit a PR for the docs so that anyone else installing this gets this lovely feature.

saranicole · March 30, 2022, 7:45pm

PR up at feat(docs) Update Grafana docs to have auto_sign_up by sarasensible · Pull Request #3218 · pomerium/pomerium · GitHub

alex · March 31, 2022, 2:39pm

So I’ve confirmed that auto_sign_up works with our JWT, and now I’m trying to figure out the best order of operations for the guide. I imagine the reader will want at least one user (themselves) to be an admin, but want the auto-assigned role for everyone else to be Editor or Viewer. Additionally, I’d like to rewrite the steps to not require direct access to the Grafana instance for initial setup (partially because I’m travelling and don’t have it myself at the moment, and would prefer not to punch a hole in my security straight to the container).

This post is mostly me rubber-ducking, but I’m thinking that the steps should perhaps not start with pass_identity_headers set on the Route, so that the reader can sign in with the default admin account first and set themselves up with admin access before auto_sign_in starts giving out lesser roles. This to me seems like a better option than changing the Grafana config around, since changes may recreate the container, when using docker-compose for example, and data persistence for Grafana is outside the scope of our guide.

I’m going to experiment more with this, but any and all input is welcome.

alex · March 31, 2022, 2:54pm

I just re-performed my setup as described above, where the steps are:

Configure route without pass_identity_headers, and with preserve_host_header set.
Login with the default admin/admin account
Create an admin account for my IdP-provided user. Here it must be noted that when using Google the user ID will be a numeric string and not your email address.
Remove preserve_host_header and add pass_identity_headers to the route
Now I can sign in as myself directly from Pomerium as an admin, and new users will be created as editors.

I think this is probably the path to take. Again, all input welcome.

EDIT: P.S. preserve_host_header is required with the latest Grafana in order to sign in with the default admin account. Source: Origin not allowed messages after upgrade to 8.3.6 - InfluxDB - Grafana Labs Community Forums

saranicole · March 31, 2022, 2:57pm

I can’t speak for others but what is working in our use case is to restrict admin use to port-forwarding the service internally so that all ingress is bypassed for the less secure setup. I do like the idea of customizing one particular user to be admin, but for our use case we need to be able to share around the admin account internally so tying it to one user would defeat the purpose.

Ultimately the “right way” to do this would be go to Auth Proxy and use Grafana’s Enterprise features to associate groups with teams so that we could have a group of admins, but for a cost-conscious startup this is a good enough solution for now.

alex · March 31, 2022, 3:05pm

@saranicole thanks for the input. It would seem that there are several ways to peel this orange, and which is best is highly dependent on the use case. So I’m going to document the method that’s most reliant on Pomerium’s config, but also reference the other methods available.

Before I get to your PR though, I still need to test the jwt_claims_headers option. I’m also going to see if adjusting set_authorization_header will work to provide the entire data set from the IdP, and possibly let us set the username to something better for the case of Google.

alex · April 1, 2022, 4:35pm

The Grafana Guide is updated! Thanks @saranicole for all your effort on this issue. I hope it will help others as well.

Topic		Replies	Views
Integration Doc: Grafana Integrations testing	1	533	November 15, 2021
Bugs in the Grafana guide Integrations	1	508	August 9, 2023
Other Applications behind Pomerium Support docker	1	240	September 16, 2022
Freja eID support, and custom auth params Integrations oss , identity-provider , oidc	0	274	November 24, 2021
Using Keycloak as an identity provider with Pomerium Support idp	0	389	December 27, 2021

Grafana auto_sign_up with Pomerium Identity

Related Topics