Closed LinuxBozo closed 7 years ago
Blocked on updated release of Grafana that does generic OAuth.
As of September 7th, they're listing generic OAuth in the release notes for 4.0-pre (unreleased). The 4.0.0 and 4.0.0-beta1 milestones are now listed as 9 and 13 days overdue, respectively. So it feels like they're creeping forward on this.
Noting for background info since many compliance-related stories have deadlines: I don't believe this has a specific due date right now. It's likely that this will need to be completed by P-ATO, but specifics will likely get determined by the re-testing process.
Grafana 4.0.0 is now released, and includes @LinuxBozo's generic OAuth PR!
The upstream grafana bosh release just updated to 4.0.0, and we submitted https://github.com/vito/grafana-boshrelease/pull/19 to configure generic oauth.
Update: this happened, but since grafana generic oauth doesn't seem to give us a way to restrict access to certain users, anybody with an opslogin account can authenticate--see https://github.com/grafana/grafana/issues/6809 for details. Given that opslogin is only for cloud.gov staff, I don't think this is an immediate problem. How about accepting this and submitting a patch for grafana to verify oauth scopes like @LinuxBozo has already done for concourse?
I'm good with that approach.
Done at last!
In order to ensure that people outside of the cloud.gov team cannot grant or gain administrator access to our deployment, we want metrics (grafana) to refer to an in-boundary MFA-enabled IDP for authn+authz rather than GitHub teams.
Acceptance criteria