cloud-gov / cg-atlas

Repository hosting issues and artifacts related to operations of the cloud.gov platform
Creative Commons Zero v1.0 Universal

Authenticate metrics against in-boundary IDP #175

Closed LinuxBozo closed 7 years ago

LinuxBozo commented 7 years ago

In order to ensure that people outside of the cloud.gov team cannot grant or gain administrator access to our deployment, we want metrics (grafana) to refer to an in-boundary MFA-enabled IDP for authn+authz rather than GitHub teams.

Acceptance criteria

LinuxBozo commented 7 years ago

Blocked on updated release of Grafana that does generic OAuth.

mogul commented 7 years ago

As of September 7th, they're listing generic OAuth in the release notes for 4.0-pre (unreleased). The 4.0.0 and 4.0.0-beta1 milestones are now listed as 9 and 13 days overdue, respectively. So it feels like they're creeping forward on this.

brittag commented 7 years ago

Noting for background info since many compliance-related stories have deadlines: I don't believe this has a specific due date right now. It's likely that this will need to be completed by P-ATO, but specifics will likely get determined by the re-testing process.

mogul commented 7 years ago

Grafana 4.0.0 is now released, and includes @LinuxBozo's generic OAuth PR!

jmcarp commented 7 years ago

The upstream grafana bosh release just updated to 4.0.0, and we submitted https://github.com/vito/grafana-boshrelease/pull/19 to configure generic oauth.

jmcarp commented 7 years ago

Update: this happened, but since grafana generic oauth doesn't seem to give us a way to restrict access to certain users, anybody with an opslogin account can authenticate--see https://github.com/grafana/grafana/issues/6809 for details. Given that opslogin is only for cloud.gov staff, I don't think this is an immediate problem. How about accepting this and submitting a patch for grafana to verify oauth scopes like @LinuxBozo has already done for concourse?
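The gap described in the comment above is authentication without authorization: once generic OAuth is configured, any account the IdP will issue a token for gets a Grafana session. The proposed fix is to inspect the token the IdP returns and admit only users whose token carries a specific scope. The following is an added illustration of that check, not code from Grafana, cloud.gov or the concourse patch mentioned above. It reads a standard OAuth 2.0 access-token response (RFC 6749 section 5.1, where `scope` is a space-delimited string) and fails closed when the scope is absent; the scope name `opslogin.grafana` and the function names are assumptions chosen for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenResponse holds the fields of an OAuth 2.0 access-token response
// (RFC 6749 section 5.1) that matter for this check. "scope" is a
// space-delimited string; a server may omit it when it granted exactly the
// scopes that were requested.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"`
}

// ErrScopeMissing is returned when the token was issued without the scope
// that gates access to the dashboards.
var ErrScopeMissing = errors.New("token does not carry the required scope")

// grantedScopes splits the scope string into a set. Extra whitespace is
// tolerated; an empty string yields an empty set.
func grantedScopes(raw string) map[string]bool {
	set := make(map[string]bool)
	for _, s := range strings.Fields(raw) {
		set[s] = true
	}
	return set
}

// authorize decides whether an access-token response should be turned into
// a session. A valid token only proves authentication; the token must also
// carry the scope the IdP grants to the operator group. Malformed responses
// and responses without a scope field fail closed rather than assuming the
// server granted what was requested.
func authorize(tokenBody []byte, requiredScope string) error {
	var tok tokenResponse
	if err := json.Unmarshal(tokenBody, &tok); err != nil {
		return fmt.Errorf("decode token response: %w", err)
	}
	if tok.AccessToken == "" {
		return errors.New("token response has no access_token")
	}
	// No scope field means we cannot prove authorization; refuse.
	if tok.Scope == "" {
		return ErrScopeMissing
	}
	if !grantedScopes(tok.Scope)[requiredScope] {
		return ErrScopeMissing
	}
	return nil
}

func main() {
	// Constructed sample token responses, not captured from any real IdP.
	// "opslogin.grafana" is an assumed scope name for the example.
	operator := []byte(`{"access_token":"abc","token_type":"bearer","scope":"openid opslogin.grafana"}`)
	staffOnly := []byte(`{"access_token":"def","token_type":"bearer","scope":"openid"}`)
	fmt.Println("operator:", authorize(operator, "opslogin.grafana"))
	fmt.Println("staff without scope:", authorize(staffOnly, "opslogin.grafana"))
}
```

The same shape applies if the IdP exposes group membership through a userinfo endpoint instead of a scope: fetch the claim, treat its absence as a denial, and only then create the session.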

mogul commented 7 years ago

I'm good with that approach.

mogul commented 7 years ago

Done at last!