Managed Service for Grafana:Use OAuth to log on to Grafana

Procedure

In the following example, Alibaba Cloud Managed Service for Grafana simulates the authorization system. The configurations in the following steps are for reference only and may vary depending on your business requirements. However, the configurations you use must comply with the OAuth 2.0 standard.

Step 1: Create an application

1. Log on to the RAM console with your Alibaba Cloud account.

2. In the left-side navigation pane, choose Integrations > OAuth Preview.

3. On the Enterprise Applications tab page, click Create Application.

4. In the panel that appears, set the application parameters.

   1. Set Application Name and Display Name.

   2. Set Application Type to one of the following values:

      • WebApp: a web application.

      • NativeApp: a native application that runs on an operating system, such as a desktop or mobile operating system.

      • ServerApp: an application that accesses Alibaba Cloud services without the need of user logon. Only applications that synchronize user information based on the System for Cross-domain Identity Management (SCIM) protocol are supported.

   3. Set Access Token Validity Period, in seconds.

      Valid values: 900 to 10800. Default value: 3600.

   4. (Optional) For web and native applications, set Refresh Token Validity Period and Callback URL.

      • Valid values for refresh tokens: 7200 to 31536000. Unit: seconds. Default value: 2592000.

      • The callback URL is the endpoint of the Grafana workspace with the /login/generic_oauth suffix, for example, http://[Grafana endpoint: port number]/login/generic_oauth. You can view the endpoint and port number of a Grafana workspace on the Workspace Information page. For more information, see Create and manage a Grafana workspace.

      

5. Click Save.

Step 2: Add a scope

1. On the Enterprise Applications tab page, click the application that you want to manage.

   Note

   On the details page of the application, you can view the application ID in the Basic Information section. The application ID is required when you configure the parameters in Step 4.

2. On the Application OAuth Scopes tab page, click Add OAuth Scopes.

3. In the panel that appears, select profile.

   

4. Click OK.

Step 3: Create a secret

1. On the details page of the application that you want to manage, click the App Secrets tab click Create Secret.

2. In the Create App Secret dialog box, copy the secret and click Close.

   Important

   • The application secret is visible only during creation and cannot be queried. Make sure to save the secret promptly.

   • You can create a maximum of two secrets for each application.

Step 4: Modify workspace parameters

1. Log on to the Managed Service for Grafana console. In the left-side navigation pane, click Workspace Management.

2. On the Workspace Management page, click the ID of the workspace that you want to manage.

3. In the left-side navigation pane, click Parameter Settings.

4. In the parameter list on the left, select auth.generic_oauth and click Modify parameters.

5. Change the values of the following parameters and click Save and Apply:

   name = Alibaba
   enabled = true
   allow_sign_up = true
   client_id = {Application ID}      //You can view the application ID on the details page of an application in the RAM console.
   client_secret = {Application secret that you created in Step 3}
   scopes = openid profile
   auth_url = https://signin.aliyun.com/oauth2/v1/auth
   token_url = https://oauth.aliyun.com/v1/token
   api_url = https://oauth.aliyun.com/v1/userinfo
   email_attribute_path=login_name

6. In the parameter list on the left, select server and click Modify Parameters.

7. Change the value of root_url to http://[Grafana connection address:port number] and click Save and Apply

   Note

   You can view the endpoint and port number of a Grafana workspace on the Workspace Information page.