chronograf/docs/auth.md


Chronograf with OAuth 2.0 (Github-style)

OAuth 2.0 Style Authentication

Configuration

To use authentication in Chronograf, both an OAuth 2.0 provider (Github, Google, or Heroku, described below) and the JWT signature need to be configured.

Configuring JWT signature

Set a JWT signature to a random string. This is needed for all OAuth2 providers that you choose to configure. Keep this random string around!

You'll need it each time you start a chronograf server because it is used to verify user authorization. If you are running multiple chronograf servers in an HA configuration, set the same TOKEN_SECRET on each so that a token issued by one server is accepted by the others and users stay logged in.

export TOKEN_SECRET=supersupersecret

Github

Creating Github OAuth Application

To create a Github OAuth Application follow the Register your app instructions. Essentially, you'll register your application here

The Homepage URL should be Chronograf's full server name and port. If you are running it locally for example, make it http://localhost:8888

The Authorization callback URL must be the location of the Homepage URL plus /oauth/github/callback. For example, if Homepage URL was http://localhost:8888 then the Authorization callback URL should be http://localhost:8888/oauth/github/callback.

Github will provide a Client ID and Client Secret. To register these values with chronograf set the following environment variables:

  • GH_CLIENT_ID
  • GH_CLIENT_SECRET

For example:

export GH_CLIENT_ID=b339dd4fddd95abec9aa
export GH_CLIENT_SECRET=260041897d3252c146ece6b46ba39bc1e54416dc

Optional Github Organizations

To require an organization membership for a user, set the GH_ORGS environment variable:

export GH_ORGS=biffs-gang

If the user is not a member, then the user will not be allowed access.

To support multiple organizations, use a comma-delimited list like so:

export GH_ORGS=hill-valley-preservation-society,the-pinheads

Google

Creating Google OAuth Application

You will need to obtain a client ID and an application secret by following the steps under "Basic Steps" here. Chronograf will also need to be publicly accessible via a fully qualified domain name so that Google properly redirects users back to the application.

This information should be set in the following ENVs:

  • GOOGLE_CLIENT_ID
  • GOOGLE_CLIENT_SECRET
  • PUBLIC_URL

Alternatively, this can also be set using the command line switches:

  • --google-client-id
  • --google-client-secret
  • --public-url

Optional Google Domains

Similar to Github's organization restriction, Google authentication can be restricted to permit access to Chronograf from only specific domains. These are configured using the GOOGLE_DOMAINS ENV or the --google-domains switch. Multiple domains are separated with a comma. For example, if we wanted to permit access only from biffspleasurepalace.com and savetheclocktower.com the ENV would be set as follows:

export GOOGLE_DOMAINS=biffspleasurepalace.com,savetheclocktower.com

Heroku

Creating Heroku Application

To obtain a client ID and application secret for Heroku, you will need to follow the guide posted here. Once your application has been created, those two values should be inserted into the following ENVs:

  • HEROKU_CLIENT_ID
  • HEROKU_SECRET

The equivalent command line switches are:

  • --heroku-client-id
  • --heroku-secret

Optional Heroku Organizations

Like the other OAuth2 providers, access to Chronograf via Heroku can be restricted to members of specific Heroku organizations. This is controlled using the HEROKU_ORGS ENV or the --heroku-organizations switch and is comma-separated. If we wanted to permit access from the hill-valley-preservation-society organization and the-pinheads organization, we would use the following ENV:

export HEROKU_ORGS=hill-valley-preservation-society,the-pinheads
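The sections above spread the required variables across three providers, and a server started with half a credential pair or without TOKEN_SECRET fails only at login time. The following pre-flight check is an added example, not part of the Chronograf docs or code base: it derives the Github callback URL from the Homepage URL and validates the environment before the server is started. The 16-character minimum for TOKEN_SECRET is an assumption of this script, not a Chronograf rule.

```shell
#!/bin/sh
# Pre-flight check for the Chronograf OAuth2 environment (added example).
# Assumption: a TOKEN_SECRET shorter than 16 characters is treated as too weak.

# Build the Authorization callback URL from the Homepage URL (Github rule above).
github_callback_url() {
    homepage=${1%/}                      # tolerate a trailing slash
    printf '%s/oauth/github/callback\n' "$homepage"
}

# Fail when only one half of a provider's credential pair is present.
# Usage: require_pair NAME ID_VALUE SECRET_VALUE -> returns 1 if misconfigured
require_pair() {
    name=$1; id=$2; secret=$3
    if [ -n "$id$secret" ] && { [ -z "$id" ] || [ -z "$secret" ]; }; then
        echo "ERROR: $name provider needs both client id and secret" >&2
        return 1
    fi
    return 0
}

# Returns 0 when the environment is usable, 1 otherwise (problems go to stderr).
check_chronograf_auth_env() {
    ok=0
    if [ -z "$TOKEN_SECRET" ]; then
        echo "ERROR: TOKEN_SECRET is unset; JWT verification needs it on every server" >&2
        ok=1
    elif [ "${#TOKEN_SECRET}" -lt 16 ]; then
        echo "ERROR: TOKEN_SECRET is shorter than 16 characters" >&2
        ok=1
    fi
    require_pair Github "$GH_CLIENT_ID" "$GH_CLIENT_SECRET" || ok=1
    require_pair Google "$GOOGLE_CLIENT_ID" "$GOOGLE_CLIENT_SECRET" || ok=1
    require_pair Heroku "$HEROKU_CLIENT_ID" "$HEROKU_SECRET" || ok=1
    # Google redirects need a publicly reachable, fully qualified PUBLIC_URL.
    if [ -n "$GOOGLE_CLIENT_ID" ] && [ -z "$PUBLIC_URL" ]; then
        echo "ERROR: Google provider requires PUBLIC_URL" >&2
        ok=1
    fi
    # With no provider configured nobody can log in at all.
    if [ -z "$GH_CLIENT_ID$GOOGLE_CLIENT_ID$HEROKU_CLIENT_ID" ]; then
        echo "ERROR: no OAuth2 provider configured" >&2
        ok=1
    fi
    return $ok
}
```

Run `check_chronograf_auth_env || exit 1` in the same shell that exports the variables, right before launching chronograf.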