search

grafana / github-datasource

Grafana data source plugin using the Github API to retrieve and visualize Github data.
https://grafana.com/grafana/plugins/grafana-github-datasource/
Apache License 2.0
227 stars 54 forks source link

Implement authentication as GitHub App #88

Open cliffchapmanrbx opened 3 years ago

cliffchapmanrbx commented 3 years ago

Hi all,

Related to #75 we'd very much appreciate if this plugin implemented GitHub App style authentication rather than using a PAT associated with an existing account.

Enterprise accounts are billed on a per-user basis, and 'machine users' count towards this accounting. This is exacerbated by the need to have separate accounts for separate team's private repositories that can't have shared accounts in them for security compliance. This can make integration cost prohibitive.

The primary effort here is to set up the handshake to generate an installation PAT, at which point it acts like a user PAT save that it only lasts for an hour. We've had success converting several of our internal apps to use the App communication.

kminehart commented 3 years ago

I agree.

To do this properly I'm waiting on this Grafana PR to be merged: https://github.com/grafana/grafana/pull/27055.

I tried to allow this plugin to be an OAuth2 client, and while it's possible, I didn't want to have a significant setup burden for installing this plugin. You would have to create a new GitHub app or a new OAuth 2.0 app for the plugin, and link directly to the callback URL in the plugin.

Here's what an example callback URL would look like: http://localhost:3000/api/datasources/2638/resources/oauth/auth. The problem that I encountered was that public URL of the Grafana instance was not exposed to the datasource, nor was the datasource ID needed for the URL (2638 in the above example), so I couldn't easily generate a callback URL that users could paste into the setup page for an OAuth / GitHub app.

Once I got to that point, I found the above PR and I decided it wasn't worth it. If there's demand for it though, I could go back and re-implement this, and allow users to type in their grafana public URL and datasource ID into the settings to generate a callback URL. I just felt like this was too cumbersome and would create a lot of support requests / confusion.

cliffchapmanrbx commented 3 years ago

OAuth2 may satisfy our needs allowing individuals to configure the application themselves. The advantage of a full GitHub App is that we can grant that application different permissions than the individual users of the Grafana server, for instance, installing the GitHub App into repos they may not have access to otherwise. We've used this for some specific build scenarios using the Jenkins GitHub App to great effect.

Additionally, a GitHub App has the advantage of enabling PAT-based API access as well as OAuth2-based API access, a GitHub App is a mashup of both an OAuth 2 app and a 'machine user'. Just with a more complicated authentication handshake 😊

Based on how we've set up other GitHub Apps I'd fully expect just a guide on how to manually set up an app, the scoped required, and dropping the generated private key into my Grafana configuration, likely as a config file entry so we can populate it automatically via Vault with our setup.

siavashs commented 2 years ago

GitHub App Authentication does not use standard/generic JWT payloads (for example expires_in vs. expires_at, etc.) That's why I created https://github.com/beatlabs/github-auth The above package returns an authenticated HTTP Client which gets refreshed tokens automatically.

The plugin will have 3 new settings:

The user will configure the above manually through the UI or with datasource provisioning.

This way the plugin will handle the authentication internally and will not depend on Grafana to do the authentication during request proxy, etc. and the Grafana codebase will not include an exception for handling GitHub OAuth2. I'll open a PR to add the app auth support as described above (we have users in the company asking for this datasource and the authentication is a blocker for us). Let me know if you had any suggestions or comments, it's really appreciated.

NickLarsenNZ commented 2 years ago

Any progress on this? The PAT method is a bit of a show stopper as it gives access to all organisations of that user.

NickLarsenNZ commented 1 year ago

To do this properly I'm waiting on this Grafana PR to be merged: https://github.com/grafana/grafana/pull/27055.

@kminehart, https://github.com/grafana/grafana/pull/27055 is merged and https://github.com/grafana/grafana/issues/26023 is closed, so it should be possible right?

hemi-reslife commented 1 year ago

My team will also appreciate this

NickLarsenNZ commented 1 year ago

Grafana 9.2 is out and I believe this is all supported now.

kminehart commented 1 year ago

I don't believe the Forward OAuth Identity feature is a solution to this. I think you can try but I doubt it will succeed, as it's been in Grafana since 7.2.

galargh commented 1 year ago

I'd also very much appreciate this. My use-case: I want to use a GitHub App that has read-only access to multiple orgs in Grafana.

yahel2410 commented 4 months ago

Hi team, any update on this issue?

zoltanbedi commented 4 months ago

Hi @yahel2410, sorry this is not prioritized.