X-Forwarded-User should be configurable independent of -pass-basic-auth option #205
Comments
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
|
+1 Just smashed into this exact issue as well. Changes LGMT. |
|
Was just trying this patch out, but there still doesn't seem to be a way to log in to Grafana with Basic Auth once this proxy is in front of it (maybe that makes sense), but I'm trying to get at the built in admin account, but I always get redirected back to my oauth login. |
|
Hi John, our scenario only relied on OAuth authentication, that's why we chose this proxy. It performs the authentication with grafana in the background and then logs you in directly to the dashboards. Making the regular grafana login page accessible would make the login process a little confusing. Regarding the built-in admin account, you should be able to login using the UAA admin, as long as it is the exact same as the one in grafana. That is a bug, but has nothing to do with the proxy. This is basically because grafana calls its default administrator "admin", as well as the UAA. And, since grafana only matches the usernames, you can use any "admin" user to login to the grafana super-user. Ideally, this user should be changed in grafana, by being assigned a different username, either as a default, or by whoever is responsible for installing the system. Then, the new user would have to be created in cloud foundry's UAA as well. |
|
Got it. Definitely a bit annoying. Not really an issue with this tool, but was unexpected. Would be nice if Grafana had a property to promote specific accounts to admin on creation. Anyway, I worked around it, but bypassing the proxy, then logging in with the admin account and promoting my OAuth account to be an admin. Thanks for the pointers. |
|
No problem ;) |
|
I have the same problem in front of Jenkins, the basic auth header causes the reverse proxy plugin to error, but I need the X headers. It would be great if this was merged. |
|
Same issue with Jenkins as @grahamrhay reported. Please merge this. Thanks! |
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy Signed-off-by: Magnus Bengtsson <[email protected]>
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy Conflicts: oauthproxy.go options.go
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
|
@jehiah would it be possible to get this merged? |
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
* This fixes bitly#205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy
We are using oauth2_proxy in front of grafana with its "auth.proxy" configuration option. This relies on X-Forwarded-User header to be sent.
However if we use option
-pass-basic-auth, we not only get X-Forwarded-User but also Authorization: Basic with the base64-encoded username and an empty password. This will fail the login to grafana.Instead, we want to be able to only send X-Forwarded-User (and X-Forwarded-Email) independent of BASIC auth.
Will provide a patch soon.
The text was updated successfully, but these errors were encountered: