PMM1 config

Hi everyone.
  I try to add other user on /srv/nginx/.htpasswd but that broke a login auth for both users from nginx to grafana proxy reverse… or wherever pmm use… 
  I test remove that .htpasswd and yes I login with 2 users directly on grafana BUT Can’t see data on database.
 I try to add a user directly into grafana.db using sqlite3 with all reference. and nothing.
 so… I need to know 2 things
a) It’s possible add another user to can check pmm1 as only viewer , separately from admin view?
b) In case a) will be not possible … is possible to create another PMM-server and connect the same pmm-client to both pmm-server config ?..  if yes HOW?

thanks in advance 

Hi @baph0m3t ,
for (a), yes you can create / add another user with “View” Role. Alternatively you can also share the dashboard if that is something can fit into your requirement.
you can go to :
Configuration --> Users 



For role:


Hi again… we try that as 1st choice but when we confirm the invite link after that… when nginx login box out with that user/password never login … that’s why I try to do some workaround… but nothing.

Sorry @baph0m3t , i am unable to get your comments.
do you mean , you tried creating user with “view” role, however user is not able to access the PMM because user’s IP is not allowed/whitelisted in the Nginx?

I mean… when you login on pmm1 with docker image… you can in as your admin user… create the new user viewer and can check in the list users… BUT when I do logout from admin to login with the user even close the browser and reopen again only can access with admin user password not work with new one as viewer

Hi again… we try that but when we confirm the invite link after that… when nginx login box out with that user/password never login … that’s why , take a look @vaibhav_upadhyay40
this is the error when I try to add an user using that… (i’m using pmm1 with docker)
[root@pmm1 opt]# tail -f /var/log/grafana/grafana.logt=2020-07-03T18:02:54+0000 lvl=eror msg=“Request error” logger=context userId=2 orgId=1 uname=pmmapkclient error=“runtime error: index out of range” stack="/usr/lib/golang/src/runtime/panic.go:502 (0x436098)\n/usr/lib/golang/src/runtime/panic.go:28 (0x434edd)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/session/file.go:118 (0x851087)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/session/file.go:184 (0x85183e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/session/file.go:209 (0x851be6)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/session/session.go:313 (0x853e52)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/services/session/session.go:128 (0x8ab3d8)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/api/login.go:150 (0xe64e4b)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/api/org_invite.go:186 (0xe6ca40)\n/usr/lib/golang/src/runtime/asm_amd64.s:575 (0x463561)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/api/common.go:37 (0xe84f4b)\n/usr/lib/golang/src/runtime/asm_amd64.s:573 (0x46344a)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:112 (0x7e7b2e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/middleware/request_tracing.go:25 (0xbe3c8f)\n/usr/lib/golang/src/runtime/asm_amd64.s:573 (0x46344a)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:112 (0x7e7b2e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/middleware/request_metrics.go:17 (0xbe3627)\n/usr/lib/golang/src/runtime/asm_amd64.s:573 (0x46344a)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:112 (0x7e7b2e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/middleware/session.go:15 (0xbe3e81)\n/usr/lib/golang/src/runtime/asm_amd64.s:573 (0x46344a)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:112 (0x7e7b2e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/middleware/recovery.go:146 (0xbe3540)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:79 (0x7e7a00)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:157 (0x7cc516)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:135 (0x7cc27a)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:112 (0x7e7b2e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/gzip/gzip.go:96 (0xbdabf1)\n/usr/lib/golang/src/runtime/asm_amd64.s:573 (0x46344a)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/middleware/util.go:28 (0xbe400c)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:79 (0x7e7a00)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:157 (0x7cc516)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:135 (0x7cc27a)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:112 (0x7e7b2e)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/grafana/grafana/pkg/middleware/logger.go:34 (0xbe0ec1)\n/usr/lib/golang/src/runtime/asm_amd64.s:573 (0x46344a)\n/usr/lib/golang/src/reflect/value.go:447 (0x4c0738)\n/usr/lib/golang/src/reflect/value.go:308 (0x4bfcb3)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:177 (0x7cc804)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/github.com/go-macaron/inject/inject.go:137 (0x7cc189)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/context.go:121 (0x7e7bed)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/router.go:187 (0x7f80b1)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/router.go:294 (0x7f2a44)\n/home/builder/rpm/BUILD/grafana-5.1.3/_build/src/gopkg.in/macaron.v1/macaron.go:220 (0x7ec024)\n/usr/lib/golang/src/net/http/server.go:2694 (0x698ffb)\n/usr/lib/golang/src/net/http/server.go:1830 (0x695300)\n/usr/lib/golang/src/runtime/asm_amd64.s:2361 (0x465bf0)\n"t=2020-07-03T18:02:54+0000 lvl=eror msg=“Request Completed” logger=context userId=2 orgId=1 uname=pmmapkclient method=POST path=/api/user/invite/complete status=500 remote_addr=127.0.0.1 time_ms=656 size=120 referer=https://pmmserver1:20443/graph/invite/Dv584F6adGrST5RGwjx1a1pt6o2gym
Even with that error… the new user show up in the list BUT when I do logout , close the browser and reopen again only can access with admin user password not with the new one viewer. nginx still show me up again login box.

Not sure on this @baph0m3t , may be someone else can help.


 

I’m pulling down a PMM1 image now to see if I can help out (I’m admittedly weak in PMM1…).  The theory is correct in that there are 2 pieces to getting this to work: 1 is creating a “view only” user in grafana and second is creating a user in the nginx config (which I think is just standard .htaccess style auth).  Where I’m fuzzy is if there’s any special mapping between the .htaccess user and the grafana user so that the username and password need to match (between the view only user in grafana and nginx) and you’ll just be logged in as that user.  

Ok, I was able to get it to work for me (on v 1.17.3 so if you tell me the exact version you’re using I can test it out there). 
Here’s what I did though:

docker pull percona/pmm-server:1.17.3
docker run -d -p 8081:80 -p 8444:443 --name pmm-server1  -e SERVER_USER=fred -e SERVER_PASSWORD=couples percona/pmm-server:1.17.3



On a different machine with the htpasswd command did: htpasswd -nb viewer viewer which resulted in 

viewer:$apr1$s/CyxaLK$N3uROSNCY0cnaZ09dRlui/

copy/pasted that into /srv/nginx/.htpasswd below my specified username "fred" inside the pmm container. 

I tested this in incognito mode and when I logged in as 'fred' I was the superadmin.  I logged out and force refreshed the page and logged in as 'viewer' and came in as a guest.  I didn't need to use grafana to create a user in advance, it was created automatically when the basic-auth creds were passed to grafana.  



Hi @“steve.hoffman”
thanks for testing…I’m using 1.17.1.

Ok was able to get it working on 1.17.1 as well and the only difference I could tell is that I DID have to create the viewer user both in the .htpasswd file AND via the grafana UI.  I think what is happening is you’re trying to use the “invite” user feature and are getting an “Index out of bounds” because something isn’t set that should be to use that grafana component (maybe you don’t have email configured for grafana?) but try it this way:
Login as the ‘super admin’ user to PMM
On the left side there’s a “gear” icon, hover your pointer over that and choose 'Server Admin’
It should default to the “users” tab but if not, click that and you can direct add a user with the “+ Add new user” button. 

This will let you add a user with the username, email and password of your choosing (no invite needed this way).  It wont prompt for a user level but will default to “viewer” you can confirm this after creation using the normal invite users screen pictured above.  I did confirm that the passwords MUST match or you’ll get past basic auth in nginx and fail grafana auth and be greeted with an “invalid user/password” screen.  So quick recap on what should work:
htpasswd -nb username password
copy/paste that info into /srv/nginx/.htpasswd (make sure there are no extra spaces or characters at the end)
login to grafana as original admin account and navigate to Configuration --> Server Admin --> Users Tab
Add new user with username and password matching exactly what you used above in htpasswd command
start a new session or incognito window and try to login as newly created “viewer” user.  

Hi @“steve.hoffman” thanks for your answer…
Yes I used invite link… now I use your way and I confirm your steps help me out… thanks…
Just for curious… if I add other dashboard and that viewer rol,e how can I set THAT new dashboard for this viewer user as his HOME dashboard and NOT see our HOME admin dashboard ?

and of course I see this after I nuked my PMM1 instance :frowning: I think it’s just a matter of logging in as the “viewer” user and starring the dashboard you want to be default.  From there you go to the user preferences as that user and you can set your Default dashboard via the dropdown.  This is from memory so I may be slightly off but hopefully this gets you on the right track.  

Got it!.. thanks @“steve.hoffman” i solve all I need…