This is related to this issue: [PMM-5481] QAN does not load when using anonymous auth - Percona JIRA
He mentioned that “We did some internal hacked version for pmmdemo.percona.com, but it’s not completely done yet”… I wonder if it can be shared here?
I am setting up PMM with anonymous login because we have hundreds of developers and I don’t want to create a single user/password (they will keep on asking for this credential). But unfortunately, with this bug, QAN is not available if the anonymous login for Grafana is enabled.
Whoops! Sorry for missing this. We have not yet prioritized the ticket for viewing QAN data as anonymous…and we also don’t recommend it because QAN can have VERY sensitive data in it that now anyone can see (in query examples I’ve seen real SSNs, Credit Card Data (yes, people still do it!), DOBs, all kinds of fun stuff) and I have to imagine if you have hundreds of devs that do need to see this stuff you probably have as many non-devs that do not! But there may be a few solutions to your underlying concern of a shared account that still keep security tight!
My favorite solution: integrate your Corporate LDAP/Active Directory…you can default all users to Viewer when they log in or, as I’ve done, map groups in AD to roles in Grafana so it’s a matter of requesting specific group membership from your corp IT (compliance loves it and account management stays in your IT group).
You can allow users to use several accounts they may already have (Google, Github, Azure, Okta) by modifying /etc/grafana/grafana.ini inside your PMM container…note that changes will be lost on container upgrade so I recommend passing the environment variables on your docker run command to set them up and not worry about losing them.
We’ve recently rolled out a Percona Account as part of our Percona Platform, which users can register for free and admins can use to connect PMM instances to the Portal for additional intelligence (Security checks and the like), but now that account can also be used to access PMM…it’s account creation that devs would have to do themselves, but once done that same account will be used to access any Percona services. What’s nice though, is that if your organization has its own SSO solution (Okta, Azure Directory, OneLogin, etc) and you’re a support customer, we’re working to enable federation so you could use your corporate account to connect to all things Percona and wouldn’t even need to register in the first place.
The last option would be to enable users to self-register with local Grafana accounts, which is a matter of uncommenting a few flags in the users section of grafana.ini. If you set up SMTP then users can sign themselves up, automatically become viewers or editors, and use the forgot password link so you don’t become the password-resetter.
To be fair though, the last two options would still let anyone in your company register and see the data.
Hope this helps!
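The docker run approach recommended in the post above, as an added example that is not code from the thread or from Percona: the anonymous setting it warns against beside the LDAP and self-registration alternatives, expressed as GF_ environment variables. The SMTP host, the from address, the ldap.toml path and its mount are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Percona. It passes Grafana
# settings to the PMM container as GF_<SECTION>_<KEY> environment variables on
# docker run, so they survive a container upgrade (edits made inside the
# container to /etc/grafana/grafana.ini do not). Host names and paths are placeholders.

# The setting the thread warns against: anonymous Viewer access. Anyone who can
# reach the PMM port sees the dashboards, and QAN query examples may carry PII.
anonymous_env() {
  printf '%s ' \
    '-e GF_AUTH_ANONYMOUS_ENABLED=true' \
    '-e GF_AUTH_ANONYMOUS_ORG_ROLE=Viewer'
}

# The thread's preferred option: corporate LDAP/AD, every user defaults to Viewer.
# The group-to-role mapping lives in the mounted ldap.toml (placeholder path).
ldap_env() {
  printf '%s ' \
    '-e GF_AUTH_ANONYMOUS_ENABLED=false' \
    '-e GF_AUTH_LDAP_ENABLED=true' \
    '-e GF_AUTH_LDAP_ALLOW_SIGN_UP=true' \
    '-e GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml' \
    '-e GF_USERS_AUTO_ASSIGN_ORG_ROLE=Viewer' \
    '-v /srv/pmm/ldap.toml:/etc/grafana/ldap.toml:ro'
}

# Last option from the thread: local self-registration with SMTP, so each
# developer owns an account and uses "forgot password" instead of asking you.
selfsignup_env() {
  printf '%s ' \
    '-e GF_AUTH_ANONYMOUS_ENABLED=false' \
    '-e GF_USERS_ALLOW_SIGN_UP=true' \
    '-e GF_USERS_AUTO_ASSIGN_ORG_ROLE=Viewer' \
    '-e GF_USERS_VERIFY_EMAIL_ENABLED=true' \
    '-e GF_SMTP_ENABLED=true' \
    '-e GF_SMTP_HOST=smtp.example.internal:587' \
    '-e GF_SMTP_FROM_ADDRESS=pmm@example.internal'
}

# Print the docker run line for one profile (anonymous | ldap | selfsignup).
pmm_run_cmd() {
  case "$1" in
    anonymous)  envs=$(anonymous_env) ;;
    ldap)       envs=$(ldap_env) ;;
    selfsignup) envs=$(selfsignup_env) ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
  printf 'docker run -d -p 443:443 --name pmm-server %spercona/pmm-server:2\n' "$envs"
}
```

Run `pmm_run_cmd ldap | sh` (or the selfsignup profile) to start the container with the chosen settings; the anonymous profile is kept only to show what the thread advises against.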
Hello @steve.hoffman
My PMM is already gated behind a general OAuth at the domain level, so I was wondering if it was possible to revisit this. Not having to manage users and/or having yet another OAuth form would be ideal for us.
Since the anonymous user has the Viewer role, what’s the difference that makes PMM forbid it from querying QAN?
Thanks!
It’s always possible to revisit! I’m passing your request onto our Product Manager for QAN to understand your desire/need better. I tried to tag her here but got a weird account that I’m not sure if it’s actually her so I’ll send on our internal chat tool!
Hi,
Regarding your question, I would like to better understand your requirements and potential scenarios by asking a few questions. To achieve this, I have reached out to you via direct message to schedule a meeting.
Thanks