Merge pull request grafana#15427 from grafana/15308_docs
Improved documentation of new short-lived token solution
marefr authored Feb 15, 2019
2 parents 3d3db08 + ff87f6d commit bc1aec9
Showing 5 changed files with 66 additions and 14 deletions.
2 changes: 1 addition & 1 deletion docs/sources/auth/overview.md
@@ -38,7 +38,7 @@ provider (listed above). There is also options for allowing self sign up.

### Login and short-lived tokens

> The followung applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.
> The following applies when using Grafana's built in user authentication, LDAP (without Auth proxy) or OAuth integration.
Grafana are using short-lived tokens as a mechanism for verifying authenticated users.
These short-lived tokens are rotated each `token_rotation_interval_minutes` for an active authenticated user.
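Review bot: the `> The following applies ...` quote line runs straight into `Grafana are using short-lived tokens ...` with no blank line between them, so Markdown treats that paragraph as a lazy continuation of the quote and renders it inside the callout; add a blank line after the quote. The typo fix itself is fine, but while touching the line, `Grafana are using short-lived tokens` should read `Grafana uses short-lived tokens`.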
35 changes: 26 additions & 9 deletions docs/sources/guides/whats-new-in-v6-0.md
Expand Up @@ -27,6 +27,7 @@ The main highlights are:
- [Azure Monitor]({{< relref "#azure-monitor-datasource" >}}) plugin is ported from being an external plugin to being a core datasource
- [React Plugin]({{< relref "#react-panels-query-editors" >}}) support enables an easier way to build plugins.
- [Named Colors]({{< relref "#named-colors" >}}) in our new improved color picker.
- [Removal of user session storage]({{< relref "#easier-to-deploy-improved-security" >}}) makes Grafana easier to deploy & improves security.

## Explore

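Review bot: the new bullet links to `#easier-to-deploy-improved-security` while the heading it targets is `## Easier to deploy & improved security`; verify that the site's anchor generation drops the `&` to a single hyphen rather than producing a double hyphen, otherwise the link will be dead. Also, "Removal of user session storage" is only true for built-in, LDAP and OAuth auth according to the section it links to, so consider "Removal of user session storage (except for Auth Proxy)".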
@@ -113,30 +114,42 @@ will be shared closer to or just after release.
{{< docs-imagebox img="/img/docs/v60/react_panels.png" max-width="600px" caption="React Panel" >}}
<br />

### Google Stackdriver Datasource
## Google Stackdriver Datasource

Built-in support for [Google Stackdriver](https://cloud.google.com/stackdriver/) is officially released in Grafana 6.0. Beta support was added in Grafana 5.3 and we have added lots of improvements since then.

To get started read the guide: [Using Google Stackdriver in Grafana](/features/datasources/stackdriver/).

### Azure Monitor Datasource
## Azure Monitor Datasource

One of the goals of the Grafana v6.0 release is to add support for the three major clouds. Amazon Cloudwatch has been a core datasource for years and Google Stackdriver is also now supported. We developed an external plugin for Azure Monitor last year and for this release the [plugin](https://grafana.com/plugins/grafana-azure-monitor-datasource) is being moved into Grafana to be one of the built-in datasources. For users of the external plugin, Grafana will automatically start using the built-in version. As a core datasource, the Azure Monitor datasource will get alerting support for the official 6.0 release.

The Azure Monitor datasource integrates four Azure services with Grafana - Azure Monitor, Azure Log Analytics, Azure Application Insights and Azure Application Insights Analytics.

### Provisioning support for alert notifiers
## Provisioning support for alert notifiers

Grafana now added support for provisioning alert notifiers from configuration files. Allowing operators to provision notifiers without using the UI or the API. A new field called `uid` has been introduced which is a string identifier that the administrator can set themselves. Same kind of identifier used for dashboards since v5.0. This feature makes it possible to use the same notifier configuration in multiple environments and refer to notifiers in dashboard json by a string identifier instead of the numeric id which depends on insert order and how many notifiers that exists in the instance.

### Auth and session token improvements
## Easier to deploy & improved security

The previous session storage implementation in Grafana was causing problems in larger HA setups due to too many write requests to the database. The remember me token also have several security issues which is why we decided to rewrite auth middleware in Grafana and remove the session storage since most operations using the session storage could be rewritten to use cookies or data already made available earlier in the request.
If you are using `Auth proxy` for authentication the session storage will still be used but our goal is to remove this ASAP as well.
Grafana 6.0 removes the need of configuring and setup of additional storage for [user sessions](/tutorials/ha_setup/#user-sessions). This should make it easier to deploy and operate Grafana in a
high availability setup and/or if you're using a stateless user session storage like Redis, Memcache, Postgres or MySQL.

This release will force all users to log in again since their previous token is not valid anymore.
Instead of user sessions a solution based on short-lived tokens that are rotated frequently have been implemented. This also replaces the old "remember me cookie"
solution, which allowed a user to be logged in between browser sessions, and which have been subject to several security holes throughout the years.
Read more about the short-lived token solution and how to configure it [here](/auth/overview/#login-and-short-lived-tokens).

### Named Colors
> Please note that due to these changes, all users will be required to login upon next visit after upgrade.
Besides these changes we have also made security improvements regarding Cross-Site Request Forgery (CSRF) and Cross-site Scripting (XSS) vulnerabilities:

* Cookies are per default using the [SameSite](/installation/configuration/#cookie-samesite) attribute to protect against CSRF attacks
* Script tags in text panels are per default [disabled](/installation/configuration/#disable-sanitize-html) to protect against XSS attacks

> If you're using [Auth Proxy Authentication](/auth/auth-proxy/) you still need to have user sessions setup and configured
but our goal is to remove this requirements in a near future.

## Named Colors

{{< docs-imagebox img="/img/docs/v60/named_colors.png" max-width="400px" class="docs-image--right" caption="Named Colors" >}}

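Review bot: the `> Please note that due to these changes ...` quote is immediately followed by `Besides these changes we have also made ...` with no blank line, so that paragraph will render inside the note; add a blank line after the quote. The `> If you're using Auth Proxy ...` quote relies on the same lazy continuation for its second line (`but our goal is ...`), which works but is clearer with an explicit `>` prefix. Grammar in the new text: `a solution based on short-lived tokens ... have been implemented` should be `has been implemented`, `which have been subject to several security holes` should be `which has been subject`, `remove this requirements` should be `remove this requirement`, and `removes the need of configuring and setup of additional storage` reads better as `removes the need to configure and set up additional storage`. Finally, `stateless user session storage like Redis, Memcache, Postgres or MySQL` is misleading, since those are the external stores that hold the state; suggest `a shared user session store such as Redis, Memcache, Postgres or MySQL`.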
@@ -148,12 +161,16 @@ Named colors also enables Grafana to adapt colors to the current theme.

<div class="clearfix"></div>

### Other features
## Other features

- The ElasticSearch datasource now supports [bucket script pipeline aggregations](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-bucket-script-aggregation.html). This gives the ability to do per bucket computations like the difference or ratio between two metrics.
- Support for Google Hangouts Chat alert notifications
- New built in template variables for the current time range in `$__from` and `$__to`

## Upgrading

See [upgrade notes](/installation/upgrading/#upgrading-to-v6-0).

## Changelog

Checkout the [CHANGELOG.md](https://github.com/grafana/grafana/blob/master/CHANGELOG.md) file for a complete list of new features, changes, and bug fixes.
2 changes: 1 addition & 1 deletion docs/sources/installation/configuration.md
@@ -594,7 +594,7 @@ Default setting for new alert rules. Defaults to categorize error and timeouts a
Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)

# concurrent_render_limit
### concurrent_render_limit

> Available in 5.3 and above
31 changes: 31 additions & 0 deletions docs/sources/installation/upgrading.md
@@ -117,3 +117,34 @@ One of the database migrations included in this release will update all annotati
We've got one report where using systemd, PostgreSQL and a large amount of annotations (table size 1645mb) took 8-20 minutes for the database migration to complete. However, the grafana-server process was killed after 90 seconds by systemd. Any database migration queries in progress when systemd kills the grafana-server process continues to execute in database until finished.

If you're using systemd and have a large amount of annotations consider temporary adjusting the systemd `TimeoutStartSec` setting to something high like `30m` before upgrading.

## Upgrading to v6.0

If you have text panels with script tags they will no longer work due to a new setting that per default disallow unsanitzied HTML.
Read more [here](/installation/configuration/#disable-sanitize-html) about this new setting.

### Authentication and security

If your using Grafana's builtin, LDAP (without Auth Proxy) or OAuth authentication all users will be required to login upon the next visit after the upgrade.

If you have `cookie_secure` set to `true` in the `session` section you probably want to change the `cookie_secure` to `true` in the `security` section as well. Ending up with a configuration like this:

```ini
[session]
cookie_secure = true

[security]
cookie_secure = true
```

The `login_remember_days`, `cookie_username` and `cookie_remember_name` settings in the `security` section are no longer being used so they're safe to remove.

If you have `login_remember_days` configured to 0 (zero) you should change your configuration to this to accomplish similar behavior, i.e. a logged in user will maximum be logged in for 1 day until being forced to login again:

```ini
[auth]
login_maximum_inactive_lifetime_days = 1
login_maximum_lifetime_days = 1
```

The default cookie name for storing the auth token is `grafana_session`. you can configure this with `login_cookie_name` in `[auth]` settings.
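Review bot: several typos and grammar slips in the added lines of this file: `unsanitzied` should be `unsanitized` and `disallow` should be `disallows`; `If your using Grafana's builtin` should be `If you're using Grafana's built-in`; `` `grafana_session`. you can configure `` needs a capital `You`; `Ending up with a configuration like this:` is a sentence fragment and should be joined to the previous sentence with a comma; and `a logged in user will maximum be logged in for 1 day` reads better as `a logged-in user will stay logged in for at most 1 day`. Since the other files in this PR say the `[session]` section is only used for Auth Proxy from v6.0, it would help readers to say so next to the `cookie_secure` example, otherwise they may think both settings are still required.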
10 changes: 7 additions & 3 deletions docs/sources/tutorials/ha_setup.md
@@ -15,7 +15,7 @@ Setting up Grafana for high availability is fairly simple. It comes down to two
2. Decide how to store session data.

<div class="text-center">
<img src="/img/docs/tutorials/grafana-high-availability.png" max-width= "800px" class="center"></img>
<img src="/img/docs/tutorials/grafana-high-availability.png" max-width= "800px" class="center" />
</div>

## Configure multiple servers to use the same database
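Review bot: replacing `</img>` with a self-closing `/>` is correct, but `max-width= "800px"` on the same line is not a valid `<img>` attribute (and carries a stray space after the `=`), so the width limit is silently ignored by the browser; use `style="max-width: 800px"` or the `width` attribute instead.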
@@ -24,8 +24,14 @@ First, you need to do is to setup MySQL or Postgres on another server and config
You can find the configuration for doing that in the [[database]]({{< relref "configuration.md" >}}#database) section in the grafana config.
Grafana will now persist all long term data in the database. How to configure the database for high availability is out of scope for this guide. We recommend finding an expert on for the database you're using.

## Alerting

Currently alerting supports a limited form of high availability. Since v4.2.0, alert notifications are deduped when running multiple servers. This means all alerts are executed on every server but alert notifications are only sent once per alert. Grafana does not support load distribution between servers.

## User sessions

> Beginning with Grafana v6.0 and above the following only applies when using [Auth Proxy Authentication](/auth/auth-proxy/).
The second thing to consider is how to deal with user sessions and how to configure your load balancer in front of Grafana.
Grafana supports two ways of storing session data: locally on disk or in a database/cache-server.
If you want to store sessions on disk you can use `sticky sessions` in your load balancer. If you prefer to store session data in a database/cache-server
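Review bot: the new `> Beginning with Grafana v6.0 and above ...` quote is followed directly by `The second thing to consider ...` without a blank line, so the whole session paragraph will render inside the note; add a blank line after the quote. Also `Beginning with Grafana v6.0 and above` is redundant; `Beginning with Grafana v6.0` is enough.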
@@ -41,6 +47,4 @@ If you use MySQL/Postgres for session storage, you first need a table to store t

For Grafana itself it doesn't really matter if you store the session data on disk or database/redis/memcache. But we recommend using a database/redis/memcache since it makes it easier manage the grafana servers.

## Alerting

Currently alerting supports a limited form of high availability. Since v4.2.0, alert notifications are deduped when running multiple servers. This means all alerts are executed on every server but alert notifications are only sent once per alert. Grafana does not support distributing the alert rule execution between servers. That might be added in the future but right now prefer to keep it simple.

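Review bot: the Alerting section removed here is not re-added verbatim above the User sessions section: `Grafana does not support distributing the alert rule execution between servers. That might be added in the future but right now prefer to keep it simple.` became `Grafana does not support load distribution between servers.` The new wording reads as a broader claim about Grafana as a whole; if the rewording is intentional, keep at least `alert rule execution` so the limitation stays scoped to alerting. The unchanged context line `it makes it easier manage the grafana servers` is also missing `to`, which could be fixed while this file is being touched.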