【Grafana】Grafana匿名访问以及与LDAP连接

上一篇文章利用Docker快速部署了Grafana用来展示Zabbix得监控数据，但还需要给用户去创建账号允许他们登录后才能看展示得数据，那有什么办法让非管理员更方便得去访问Grafana呢？下面介绍两个比较方便实现的：
在开始设置前，为了数据持久化，需要对上一篇中的Docker启动中加入配置文件的持久化配置，具体如下：

# create a persistent volume for data
docker volume create grafana-data# create a persistent volume for log
docker volume create grafana-log# create a persistent volume for config
docker volume create grafana-config# start grafana by using the above persistent storage and defining environment variables
docker run -d -p 3000:3000 --name=grafana --volume grafana-storage:/var/lib/grafana --volume grafana-log:/var/log/grafana --volume grafana-config:/etc/grafana -e "GF_INSTALL_PLUGINS=alexanderzobnin-zabbix-app" grafana/grafana-oss:latest

然后通过以下找到配置文件的具体位置

docker volume inspect grafana-config
[{"CreatedAt": "2023-12-22T03:25:15Z","Driver": "local","Labels": null,"Mountpoint": "/var/lib/docker/volumes/grafana-config/_data","Name": "grafana-config","Options": null,"Scope": "local"}
]
cd /var/lib/docker/volumes/grafana-config/_data

文件夹内的grafana.ini, ldap.toml是下面配置的重点。

1. 匿名访问
   通过在配置文件中启用匿名访问来使 Grafana 可以在无需登录的情况下访问。在grafana.ini中找到以下部分并修改

#################################### Anonymous Auth ######################
[auth.anonymous]
# enable anonymous access (default: false)
enabled = true# Organization name that should be used for unauthenticated users (default: Main Org.)
org_name = Main Org.# Role for unauthenticated users, other valid values are `Editor` and `Admin` (default: Viewer)
org_role = Viewer# Hide the Grafana version text from the footer and help tooltip for unauthenticated users (default: false)
hide_version = true

保存配置文件后，重启docker。

docker restart grafana

在浏览器中直接访问http://IP:3000/，即可以得到以下显示了。普通用户就不用登录即可查看dashboard了。

2. 与LDAP（Windows AD）连接，统一认证登录
   要使用 LDAP 集成，首先需要在主配置文件中启用 LDAP，并指定 LDAP 特定配置文件的路径（默认为 /etc/grafana/ldap.toml）。
   启用 LDAP 后，默认行为是在成功进行 LDAP 身份验证后自动创建 Grafana 用户。如果希望只允许现有的 Grafana 用户登录，您可以在 [auth.ldap]部分将 allow_sign_up 更改为 false。如果希望手动分配组织和角色，可以使用 skip_org_role_sync 配置选项。

#################################### Auth LDAP ##########################
[auth.ldap]
# Set to `true` to enable LDAP integration (default: `false`)
enabled = true# Path to the LDAP specific configuration file (default: `/etc/grafana/ldap.toml`)
config_file = /etc/grafana/ldap.toml# Allow sign-up should be `true` (default) to allow Grafana to create users on successful LDAP authentication.
# If set to `false` only already existing Grafana users will be able to login. (default: `true`)
allow_sign_up = true# Prevent synchronizing ldap users organization roles (default: `false`)
skip_org_role_sync = false

修改完grafana.ini后然后修改ldap.toml文件，需要注意的是如下配置适用于Windows AD提供的LDAP设置。

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ldap.my_secure_remote_server.org"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"# Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = "grafana"
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
timeout = 10# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"# An array of base dns to search through
search_base_dns = ["dc=grafana,dc=org"]## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "email"# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1[[servers.group_mappings]]
group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
org_role = "Editor"[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"

更多配置可以参考Grafana官方说明。保存配置文件后，重启docker。

docker restart grafana

用AD账号登录后可以看到个人资料里面，很多信息就是从AD同步过来的。