
Make it possible to disable builtin authentication #19964

Closed
mvanrompuy opened this issue Oct 23, 2019 · 11 comments · Fixed by #46978
@mvanrompuy

What happened: Our Grafana instance was using local authentication (auth.basic). I switched it over to use LDAP (and disabled auth.basic). After the change I can successfully log in using the LDAP password. I also noticed that in the user list, my username is now showing an ldap badge. I then tried to log in using my old password, which to my surprise was still working.

What you expected to happen: When activating ldap (and disabling basic authentication), I would expect the old password to be no longer usable, only the LDAP password should be usable.

Keeping these 'old' passwords active is a security risk, as the user is not able to update them (the password change functionality is automatically disabled when LDAP is enabled), and there are now two passwords which will both give access to the account.

How to reproduce it (as minimally and precisely as possible):

  • Set up Grafana with auth.basic enabled and create a user with password 'abc123'.
  • Disable auth.basic and enable auth.ldap.
  • Log in with the LDAP password (should work).
  • Log in with the password 'abc123' (will work, but shouldn't).

Anything else we need to know?:

Environment:

  • Grafana version: v6.4.3 (3a2bfb7)
  • Data source type & version: Prometheus
  • OS Grafana is installed on: Centos 7 (docker image grafana/grafana:6.4.3)
  • User OS & Browser: Chrome 78
  • Grafana plugins: vonage-status-panel,grafana-piechart-panel,jdbranham-diagram-panel
  • Others: Auth settings
[auth]
api_key_max_seconds_to_live = -1
disable_login_form = false
disable_signout_menu = false
login_cookie_name = grafana_session
login_maximum_inactive_lifetime_days = 7
login_maximum_lifetime_days = 30
oauth_auto_login = false
signout_redirect_url =
token_rotation_interval_minutes = 10

[auth.anonymous]
enabled = false
org_name = Main Org.
org_role = Viewer

[auth.basic]
enabled = false

[auth.generic_oauth]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url =
auth_url =
client_id = some_id
client_secret = ************
email_attribute_name = email:primary
email_attribute_path =
enabled = false
hosted_domain =
name = OAuth
scopes = user:email
send_client_credentials_via_post = false
team_ids =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure = false
token_url =

[auth.github]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url = https://api.github.com/user
auth_url = https://github.com/login/oauth/authorize
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = github
scopes = user:email,read:org
send_client_credentials_via_post =
team_ids =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://github.com/login/oauth/access_token

[auth.gitlab]
allow_sign_up = true
allowed_domains =
allowed_groups =
api_url = https://gitlab.com/api/v4
auth_url = https://gitlab.com/oauth/authorize
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = gitlab
scopes = api
send_client_credentials_via_post =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://gitlab.com/oauth/token

[auth.google]
allow_sign_up = true
allowed_domains =
api_url = https://www.googleapis.com/oauth2/v1/userinfo
auth_url = https://accounts.google.com/o/oauth2/auth
client_id = some_client_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = google
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
send_client_credentials_via_post =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://accounts.google.com/o/oauth2/token

[auth.grafana_com]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url =
auth_url =
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = grafana_com
scopes = user:email
send_client_credentials_via_post =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url =

[auth.grafananet]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url =
auth_url =
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = grafananet
scopes = user:email
send_client_credentials_via_post =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url =

[auth.ldap]
active_sync_enabled = true
allow_sign_up = true
config_file = /etc/grafana/ldap.toml
enabled = true
sync_cron = 0 0 1 * * *

[auth.proxy]
auto_sign_up = true
enabled = false
header_name = X-WEBAUTH-USER
header_property = username
headers =
ldap_sync_ttl = 60
whitelist =

[auth.saml]
assertion_attribute_email = mail
assertion_attribute_login = mail
assertion_attribute_name = displayName
certificate =
certificate_path =
enabled = false
idp_metadata =
idp_metadata_path =
idp_metadata_url =
max_issue_delay = 90s
metadata_valid_duration = 48h
private_key =
private_key_path =

@torkelo
Member

torkelo commented Oct 23, 2019

Yea by default Grafana checks ldap first then local DB, so you can mix. And in the case you have a user that was created before you switched to ldap where the username is the same you will be able to login with both.

Think we should by default disable local password logins when LDAP is enabled.

@torkelo torkelo added this to Inbox in Backend Platform Backlog via automation Oct 23, 2019
@torkelo torkelo added this to the 6.5 milestone Oct 23, 2019
@marefr marefr modified the milestones: 6.5.0-beta1, 6.6 Nov 13, 2019
@alecxvs
Contributor

alecxvs commented Dec 20, 2019

Related to #6606? Invites will create basic auth accounts which is confusing when basic auth login is completely disabled.

@torkelo torkelo modified the milestones: 6.6, 6.7 Jan 14, 2020
@marefr marefr moved this from Inbox to Epics & features in Backend Platform Backlog Jan 27, 2020
@bergquist bergquist modified the milestones: 6.7-beta1, 7.0 Mar 10, 2020
@marefr marefr modified the milestones: 7.0, 7.1 Apr 22, 2020
@bergquist bergquist modified the milestones: 7.1-beta1, 7.2 Jul 1, 2020
@bergquist bergquist changed the title auth.basic (local) password stays active after switching to LDAP Make it possible to disable builtin authentication Jul 3, 2020
@bergquist
Contributor

This is not about disabling basic.auth but about disabling Grafana built in login solution. It should be possible to disable that and only use OAuth, Ldap or anonymous login
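
The login chain torkelo describes above (LDAP consulted first, then the local user database, so a pre-existing local password keeps working for an account that now carries the ldap badge) and the switch bergquist asks for (turn the built-in password login off entirely) can be modelled together. The Go below is an added illustration, not Grafana's code: the `AuthConfig.BuiltinEnabled` field, the `Authenticator` type, `NewFixture`, the user `alice`, the passwords `abc123` and `ldap-secret`, and the in-memory directory are all constructed for the example. `ShadowedUsers` is the audit an operator would want while the fallback exists: which externally managed accounts would still be accepted with a stored local password.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sort"
)

// ErrInvalidCredentials is returned when no enabled provider accepts the login.
var ErrInvalidCredentials = errors.New("invalid username or password")

// AuthConfig models the two switches discussed in the thread.
// BuiltinEnabled is a hypothetical setting, not a real Grafana option:
// it stands for "accept passwords stored in Grafana's own user database".
type AuthConfig struct {
	LDAPEnabled    bool
	BuiltinEnabled bool
}

// LocalUser is a row in the local user database. IsExternal models the
// "ldap badge": the account is now managed by an external provider.
type LocalUser struct {
	Login        string
	PasswordHash [sha256.Size]byte
	HasPassword  bool
	IsExternal   bool
}

// ldapDirectory is a constructed stand-in for a directory bind: login -> password.
type ldapDirectory map[string]string

// Authenticator runs the login chain: LDAP first, then the local database.
type Authenticator struct {
	cfg   AuthConfig
	ldap  ldapDirectory
	users map[string]*LocalUser
}

func hashPassword(pw string) [sha256.Size]byte { return sha256.Sum256([]byte(pw)) }

func (a *Authenticator) ldapBind(login, pw string) bool {
	want, ok := a.ldap[login]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(pw)) == 1
}

// Login returns the provider that accepted the credentials ("ldap" or "local").
func (a *Authenticator) Login(login, pw string) (string, error) {
	if a.cfg.LDAPEnabled && a.ldapBind(login, pw) {
		return "ldap", nil
	}
	// Fallback to the local database. With BuiltinEnabled=true this is the
	// behaviour the issue reports: an old local password keeps working for a
	// user who has since been moved to LDAP. With it false, only LDAP counts.
	if a.cfg.BuiltinEnabled {
		if u, ok := a.users[login]; ok && u.HasPassword {
			got := hashPassword(pw)
			if subtle.ConstantTimeCompare(u.PasswordHash[:], got[:]) == 1 {
				return "local", nil
			}
		}
	}
	return "", ErrInvalidCredentials
}

// ShadowedUsers lists accounts that carry the external badge but would still
// be accepted with their stored local password under the current config:
// the "two passwords for one account" condition from the report.
func (a *Authenticator) ShadowedUsers() []string {
	var out []string
	if !a.cfg.BuiltinEnabled {
		return out
	}
	for _, u := range a.users {
		if u.IsExternal && u.HasPassword {
			out = append(out, u.Login)
		}
	}
	sort.Strings(out)
	return out
}

// NewFixture builds the scenario from the reproduction steps with constructed
// data: alice was created with the local password "abc123", then LDAP was
// enabled and her account was marked external.
func NewFixture(builtinEnabled bool) *Authenticator {
	return &Authenticator{
		cfg:  AuthConfig{LDAPEnabled: true, BuiltinEnabled: builtinEnabled},
		ldap: ldapDirectory{"alice": "ldap-secret"},
		users: map[string]*LocalUser{
			"alice": {Login: "alice", PasswordHash: hashPassword("abc123"), HasPassword: true, IsExternal: true},
		},
	}
}

func main() {
	for _, builtin := range []bool{true, false} {
		a := NewFixture(builtin)
		fmt.Printf("builtin=%v shadowed=%v\n", builtin, a.ShadowedUsers())
		for _, pw := range []string{"ldap-secret", "abc123"} {
			via, err := a.Login("alice", pw)
			fmt.Printf("  password %q -> via=%q err=%v\n", pw, via, err)
		}
	}
}
```

With `BuiltinEnabled` true, both `ldap-secret` and `abc123` log `alice` in, which is exactly the double-password state the reporter observed; with it false, only the LDAP bind succeeds and `ShadowedUsers` is empty. The real fix lands in Grafana's own configuration rather than in a model like this, but the shape of the check is the same: the local password path must be skipped, not merely hidden from the login form.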

@bergquist bergquist added the prio/low It's a good idea, but not scheduled for any release label Jul 3, 2020
@bergquist bergquist removed this from Features in Backend Platform Backlog Jul 3, 2020
@roidelapluie roidelapluie added the hacktoberfest https://hacktoberfest.com/ label Sep 30, 2020
@roidelapluie
Collaborator

roidelapluie commented Sep 30, 2020

I am marking this as Hacktoberfest issue, as it seems nice to have and beginner friendly.

@kartikay101

Is this issue still pending? I see an open MR added a year ago. I am thinking of making some contributions and this seems like a good issue to dive into the code.

@leandro-deveikis
Contributor

Hi! Is this issue still open? Will try to reproduce it, and if it's still happening, will try to tackle it as my first contribution.

@marefr
Member

marefr commented Feb 1, 2022

@leandro-deveikis or others yes this is still open and you're very welcome to tackle it. There was a PR open targeting to close this, but I just closed it due to this comment.

I think my comment explains what we would like to see to be able to accept and merge this.

@jlevesy

jlevesy commented Jun 9, 2022

Hey folks, I just opened #50524 which carries similar changes to #46978 but on an up-to-date base.

@TsotosA
Contributor

TsotosA commented Oct 12, 2022

Hey all, kind ping for #46978, was reopened and awaits review 😀

@sakjur
Contributor

sakjur commented Oct 12, 2022

@TsotosA Thanks for the ping and the PR, it had slipped my mind and @Jguer hasn't been available 🙂

Good news is that my sluggishness should mean that you can gather those sweet Hacktoberfest points 🙈

@useEffects

> This is not about disabling basic.auth but about disabling Grafana built in login solution. It should be possible to disable that and only use OAuth, Ldap or anonymous login

How ? @bergquist
