Grafana Service supports user authentication and application authorization using the OAuth 2.0 protocol. This topic uses Alibaba Cloud to simulate a third-party application and describes how to connect it to Grafana so that users can log on through OAuth.

Background information

OAuth (Open Authorization) is an open protocol that supports secure authorization for web, mobile, and desktop applications in a simple and standard way. Authorized applications do not need to use a user name and password to access protected information. For more information, see OAuth documentation.

Once authorized, user-created systems can access the information stored in managed Grafana. In this example, Alibaba Cloud is authorized to log on to the managed Grafana console to demonstrate OAuth access. For more information about how to authorize other service accounts, see Grafana official documentation.

Step 1: Create an application

  1. Use your Alibaba Cloud account to log on to the RAM console.
  2. In the left-side navigation pane, click OAuth Applications.
  3. On the Enterprise Applications tab, click Create Application.
  4. In the Create Application panel, set application parameters.
    1. Set Application Name and Display Name.
    2. Select Application Type.
      • WebApp: a web application that interacts with browsers.
      • NativeApp: a native application that runs on an operating system, such as a desktop operating system or a mobile operating system.
      • ServerApp: an application that accesses Alibaba Cloud services without the need of manual user logon. User provisioning is automated based on the System for Cross-Domain Identity Management (SCIM) protocol.
    3. Specify the duration of the Access Token Validity Period.
      Validity period of access tokens: 900 seconds (15 minutes) to 10,800 seconds (3 hours). The default value is 3,600 seconds.
    4. For WebApp and NativeApp, set Refresh Token Validity Period and Callback URL.
      • Validity period of a refresh token: 7,200 seconds (2 hours) to 31,536,000 seconds (1 year). The default value is 2,592,000 seconds.
      • Callback URL: add the /login/generic_oauth suffix to the URL of the Grafana workspace, for example, http://[Grafana endpoint: port number]/login/generic_oauth. On the Workspace Information page, you can view the endpoint and port number of the Grafana workspace. For more information, see Workspace management.
  5. Click Save.

Step 2: Add a range

  1. On the Enterprise Applications tab, click the name of the application.
    Note: In the Basic Information section of the Application Details page, you can view the application ID. The application ID is required when you set the parameters in Step 4.
  2. On the Apply OAuth Range tab, click Add OAuth Range.
  3. In the Add OAuth Range panel, choose Add profile Range.
  4. Click OK.

Step 3: Create a key

  1. On the details page of the application, click the Application Key tab, and then click Create Key.
  2. In the Create Application Key dialog box, view and copy the created application key, and then click Close.
    Notice:
    • The application key is displayed only when it is created and cannot be queried afterward. Save it immediately.
    • You can create a maximum of two application keys for each application.

Step 4: Modify workspace parameters

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Grafana > Workspaces.
  3. On the Workspaces page, find the workspace that you want to manage, and click the workspace ID or click Manage in the Actions column.
  4. In the left-side navigation pane, click Parameters.
  5. Select auth.generic_oauth in the left-side parameter list and click Modify Parameter.
  6. Modify the parameters and click Save and Take Effect.
    name = Alibaba
    enabled = true
    allow_sign_up = true
    ; You can view the application ID on the Basic Information page of the RAM console.
    client_id = {Application ID}
    client_secret = {Application key created in step 3}
    scopes = openid profile
    auth_url = https://signin.aliyun.com/oauth2/v1/auth
    token_url = https://oauth.aliyun.com/v1/token
    api_url = https://oauth.aliyun.com/v1/userinfo
    email_attribute_path = login_name
  7. Select server in the left-side parameter list and click Modify Parameter.
  8. Modify the parameters and click Save and Take Effect.
    root_url = http://[Grafana endpoint: port number]
    Note: You can view the endpoint and port number of the Grafana workspace on the Workspace Information page.
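
The values entered in Steps 1 to 4 must agree with each other, and a mismatched callback URL is a common reason an OAuth logon fails. The following pre-flight check is an added example, not part of the original procedure or of any Alibaba Cloud or Grafana tooling. The `ram_app` dictionary, its key names, the sample host, ID and secret are all hypothetical, and exact string matching of the callback URL is an assumption.

```python
import configparser
# Validity ranges documented in Step 1, in seconds.
ACCESS_RANGE = (900, 10_800)
REFRESH_RANGE = (7_200, 31_536_000)

def expected_callback(root_url: str) -> str:
    """Callback URL per Step 1: workspace URL plus /login/generic_oauth."""
    return root_url.rstrip("/") + "/login/generic_oauth"

def check(ini_text: str, ram_app: dict) -> list[str]:
    """Return a list of problems; an empty list means both sides agree."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    oauth, server = cfg["auth.generic_oauth"], cfg["server"]
    problems = []
    if oauth.get("client_id") != ram_app["application_id"]:
        problems.append("client_id does not match the RAM application ID")
    secret = oauth.get("client_secret", "")
    if not secret or secret.startswith("{"):
        problems.append("client_secret is empty or still a placeholder")
    if "profile" not in oauth.get("scopes", "").split():
        problems.append("scopes lacks 'profile' (added in Step 2)")
    want = expected_callback(server.get("root_url", ""))
    if want != ram_app["callback_url"]:
        problems.append(f"callback URL mismatch: expected {want}")
    for key, (lo, hi) in (("access_token_validity", ACCESS_RANGE),
                          ("refresh_token_validity", REFRESH_RANGE)):
        if not lo <= ram_app[key] <= hi:
            problems.append(f"{key}={ram_app[key]} outside {lo}-{hi} seconds")
    return problems

# Constructed sample values; host, ID and secret are placeholders.
SAMPLE_INI = """
[auth.generic_oauth]
client_id = 1234567890
client_secret = example-secret
scopes = openid profile
[server]
root_url = http://grafana.example.internal:3000/
"""
SAMPLE_RAM_APP = {  # hypothetical record of what was entered in the RAM console
    "application_id": "1234567890",
    "callback_url": "http://grafana.example.internal:3000/login/generic_oauth/",
    "access_token_validity": 3600,
    "refresh_token_validity": 2_592_000,
}
if __name__ == "__main__":
    print("\n".join(check(SAMPLE_INI, SAMPLE_RAM_APP)) or "OK")
```

With the sample values, the only finding is the trailing slash on the registered callback URL.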