grafana / grafana-kiosk

Kiosk Utility for Grafana
Apache License 2.0
372 stars 60 forks source link

Service Account authentication always shows "Endpoint only available for users" #146

Open weng5e opened 1 month ago

weng5e commented 1 month ago

I really love the grafana-kiosk that is making it really easy to display Grafana on my office TV!

One small issue is that there is always a warning message of "Endpoint only available for users". How can I avoid showing it?

The command I use to run kiosk: .\grafana-kiosk.windows.amd64.exe -URL=https://XXXXXXXXX -login-method apikey --apikey XXXXXX" -kiosk-mode=tv

Grafana v10.4.7 (ac358f3e56)

Image

briangann commented 1 month ago

this looks like it was introduced in grafana v10.1.x, it is now checking the type of login being used, and puts up that warning if it is not a "real user."

i tried both a "legacy" api key and the new service account api key and they behave the same way.

right now i don't see a way to prevent this from happening other than opening an issue with Grafana core and a PR that would prevent that popup.

luckily the popup does go away, but this is not a good user experience.

i think api keys are really intended to be used against the /api path only and not as a login method, even though it does work. i've noticed some odd side effects with this method too where plugins fail to load (one loads, the rest do not).

weng5e commented 1 month ago

Thanks for the quick response @briangann! All of our plugins are working correctly even with service account :)

Our usage scenario is a "typical big enterprise" office TV. We have the below security requirements:

  1. Our Grafana cannot be anonymous accessible due to the company's security requirements.
  2. It is also a common practice for big enterprise IT department to ban sharing one "user / human identity" account across the team, i.e. we cannot share a username and password auth based email. All of our user ' human accounts are enforcing multifactor authentication. MFA will make long runing TV display impossible.
  3. We are running kiosk on Raspberry Pi, which is not our company IT managed device. For user accounts, our IT department only allow login on company managed devices (e.g. Windows machines which are domain joined).

So, it seems like service account is our only option to use Grafana Kiosk. Is this understanding correct?

Given service account might be our only option here, it would be really nice if there is a way to hide the "Endpoint only available for users" warning.

briangann commented 1 month ago

I think that usage scenario is likely common, plus it doesn't rely on field searching for the login.

I'll talk to our team about this suppressing this popup for service accounts since functionally everything works.

weng5e commented 1 month ago

@briangann thank you so much for the information! Looking forward for addtional updates.

weng5e commented 1 month ago

This bug is not restricted to only the kiosk client. It is also impacting other non user scenarios, e.g. image capture in alerting and reporting.

Image

allebone commented 3 weeks ago

Nothing to add, just observing, since we’re starting the journey to kiosk and API/service account is our chosen method too!