PMM QAN Anonymous Login (Unauthorized)

This is related to this issue: [PMM-5481] QAN does not load when using anonymous auth - Percona JIRA

He mentioned that “We did some internal hacked version for, but it’s not completely done yet”… I wonder if it can be shared here?

I am setting up PMM with anonymous login because we have hundreds of developers and I don’t want to create a single user/password (they will keep on asking for this credential). But unfortunately, with this bug, QAN is not available if the anonymous login for Grafana is enabled.

Whoops! Sorry for missing this. We have not yet prioritized the ticket for viewing QAN data as anonymous…and we also don’t recommend it because QAN can have VERY sensitive data in it that now anyone can see (in query examples I’ve seen real SSNs, credit card data (yes, people still do it!), DOBs, all kinds of fun stuff), and I have to imagine that if you have hundreds of devs that do need to see this stuff you probably have as many non-devs that do not! But there may be a few solutions to your underlying concern of a shared account that still keep security tight!

My favorite solution: integrate your corporate LDAP/Active Directory…you can default all users to Viewer when they log in, or, as I’ve done, map groups in AD to roles in Grafana so it’s a matter of requesting specific group membership from your corp IT (compliance loves it, and account management stays in your IT group).

You can allow users to use several accounts they may already have (Google, GitHub, Azure, Okta) by modifying /etc/grafana/grafana.ini inside your PMM container…note that changes will be lost on container upgrade, so I recommend passing the environment variables on your docker run command to set them up and not worry about losing them.

We’ve recently rolled out a Percona Account as part of our Percona Platform: users can register for a free account, and admins can connect PMM instances to the Portal for additional intelligence (security checks and the like), but now that account can also be used to access PMM…it’s account creation that devs would have to do themselves, but once done, that same account will be used to access any Percona services. What’s nice, though, is that if your organization has its own SSO solution (Okta, Azure Directory, OneLogin, etc.) and you’re a support customer, we’re working to enable federation so you could use your corporate account to connect to all things Percona and wouldn’t even need to register in the first place.

The last option would be to enable users to self-register with local Grafana accounts, which is a matter of uncommenting a few flags in grafana.ini in the users section. If you set up SMTP, then users can sign themselves up, automatically become Viewers or Editors, and use the forgot-password link so you don’t become the password-resetter.

To be fair though, the last two options would still let anyone in your company register and see the data.

Hope this helps!
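As an added example (not code from this thread or from Percona), the script below does what the reply recommends: it turns the grafana.ini settings for turning anonymous access off and LDAP/AD login on into GF_* environment variables for the docker run command, so they survive a container upgrade, and it writes an ldap.toml that maps AD groups to Grafana roles with Viewer as the catch-all. Assumptions: the PMM 2 image name percona/pmm-server:2 and data volume pmm-data, the host and container paths for ldap.toml, and every DN, host name and the bind password, all of which are placeholders to replace.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Percona.
# Assumed: image percona/pmm-server:2, data volume pmm-data, the ldap.toml
# mount paths; host names, DNs and the bind password are placeholders.
set -eu

# Grafana reads any grafana.ini key from the environment as GF_<SECTION>_<KEY>:
# section dots become underscores and everything is upper-cased, so
# "[auth.anonymous] enabled = false" becomes GF_AUTH_ANONYMOUS_ENABLED=false.
gf_env() {
  section=$(printf '%s' "$1" | tr '.a-z' '_A-Z')
  key=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  printf 'GF_%s_%s=%s\n' "$section" "$key" "$3"
}

# The settings that replace anonymous access: LDAP/AD login on, local
# self-registration off, every new user a Viewer unless a group mapping says otherwise.
pmm_auth_settings() {
  gf_env auth.anonymous enabled false
  gf_env auth.ldap enabled true
  gf_env auth.ldap config_file /etc/grafana/ldap.toml   # assumed container path
  gf_env auth.ldap allow_sign_up true    # create the Grafana user on first LDAP login
  gf_env users allow_sign_up false       # no local sign-up while LDAP is in charge
  gf_env users auto_assign_org_role Viewer
}

# Turn the settings into " -e KEY=VALUE" arguments for docker run.
docker_env_args() {
  pmm_auth_settings | while IFS= read -r kv; do printf ' -e %s' "$kv"; done
}

# ldap.toml: bind account, user search, and AD group -> Grafana role mappings.
# Grafana applies the first matching mapping; "*" at the end catches everyone else.
write_ldap_toml() {
  cat > "$1" <<'EOF'
[[servers]]
host = "ad.example.internal"                                # placeholder
port = 636
use_ssl = true
bind_dn = "CN=pmm-bind,OU=Service,DC=example,DC=internal"   # placeholder
bind_password = "REPLACE_ME"                                # keep this file out of git
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=example,DC=internal"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

[[servers.group_mappings]]
group_dn = "CN=pmm-admins,OU=Groups,DC=example,DC=internal"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=pmm-query-analytics,OU=Groups,DC=example,DC=internal"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
EOF
}

# The full docker run line, with the overrides passed as environment variables.
docker_run_command() {
  printf 'docker run --detach --restart always --publish 443:443 --volumes-from pmm-data --name pmm-server'
  docker_env_args
  printf ' --volume /srv/pmm/ldap.toml:/etc/grafana/ldap.toml:ro percona/pmm-server:2\n'
}

# Usage: write the LDAP config (path overridable), then print the command to run.
write_ldap_toml "${LDAP_TOML_OUT:-/tmp/pmm-ldap.toml}"
docker_run_command
```

Because the variables are passed on the docker run line rather than edited into /etc/grafana/grafana.ini, the same command reproduces the configuration after an image upgrade; only the mounted ldap.toml (and its bind password) needs to be kept on the host.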