influxdata / chronograf

Open source monitoring and visualization UI for the TICK stack
https://www.influxdata.com/time-series-platform/chronograf/

Auth env vars not used by server; only runtime flags work #2134

Closed matesh closed 6 years ago

matesh commented 7 years ago

Hi, I'm struggling badly trying to set up GitHub OAuth authentication with my freshly installed Chronograf instance. I followed the instructions on this page: https://docs.influxdata.com/chronograf/v1.3/administration/security-best-practices/ I set up the GitHub OAuth app and the environment variables on my server, restarted chronograf, but navigating to the chronograf URL allows access straight away to everything without forwarding me to any login page or GitHub-related URLs. I don't see any errors in the journal, the log/chronograf directory is empty. I saw on the interwebs that the PUBLIC_URL should be set up as well, but doing so made no difference. I was looking at BASE_PATH but in the above mentioned document it says

"If you’re using the --basepath option when starting Chronograf, add the same basepath to the callback URL of any OAuth provider that you configure."

from which I assumed that I only need to set this up if I make some exotic changes, which I didn't. I barely ever reach out for help, I like to do my research and solve problems myself. But after 2 hours trying to crack this without even a slight step forward, I gave up. Chronograf seems to be pretty darn good, but without user login, I can't start using it. Any hints that would help me to move forward with this would be much appreciated!

goller commented 7 years ago

Hey there! Thanks for reaching out because if it is hard for you then it is hard for everyone... I’d like for it to be far easier.

I’ll try it out in a few hours and try to write up a guide.

In the long run I would like to be able to add the ability to configure those options from the user interface itself!

Again, thanks for writing in

Chris


goller commented 7 years ago

Hi @matesh ... I've just gone through the documentation and was able to use Github's OAuth. Would you compare to my notes below?

I went here: https://github.com/settings/applications/new and created a new application

[screenshot]

After I created it, I got this screen on github. Note the client id and the secret id. We'll be using those later.

[screenshot]

Next, I run chronograf like this out of my dev directory:

./chronograf --log-level=debug  --token-secret=grays_sports_almanac  --github-client-id=149bd74edb5fb7023c8f --github-client-secret=YOURSECRET

When I go to http://localhost:8888 I see this login screen:

[screenshot]

If you don't have a login screen or button then for some reason the settings did not take (this could be the clue).

chronograf redirects to github ... and then I'm authenticated.

[screenshot]

Here are some of my chronograf logs. There should be calls to /oauth/github/login and /oauth/github/callback.

[screenshot]

matesh commented 7 years ago

Hello Goller,

Thank you for your reply! It looks like I might be doing something fundamentally wrong? The test server on which I'm attempting to fire up Chronograf is hosted on AWS, not a local instance, and I was expecting this to work with http://test.mydomain.com:8888, which I used instead of http://localhost:8888 in the above forms.

matesh commented 7 years ago

After some fiddling around and starting the process over again, I managed to find what the problem was. I relied on environment variables according to the guide, and although they are set and when I echo them they have correct values, they don't seem to have any effect on the chronograf instance. I'm not sure if this is specific to my system (general AWS ubuntu), but running it with command line arguments, everything is hunky dory. I should have tried this earlier... Thank you for your help and sorry for sounding the bells for something that ended up being an issue on my side.

goller commented 7 years ago

Hmm ok ... would you post your chronograf settings (except without the secret)?

Also, what is your github callback?


matesh commented 7 years ago

You might have missed my last one; I guess after that you don't need the above. Since the issue was on my side, I think this case can now be closed. Thank you for your help; without your post above with running chronograf from the command line with the config arguments instead of the environment variables, I would not have gotten to the solution so quickly. I'm just familiarising myself with chronograf but it looks great already and I'm looking forward to using it actively! You guys are doing a great job, your efforts are much appreciated!

jaredscheib commented 7 years ago

Thanks for writing in, @matesh. This is a second case I recall of environment variables ostensibly not working, the first one being #1739.

Which ENV vars were not working for you? And have others not worked, to your knowledge? And to be absolutely certain, did you set them prior to running the server, or after the server was running? And did you have competing CLI values for those same flags at runtime?

I'm interested in how this might be reproducible. If env vars aren't working, that's worth looking into. And I just changed the issue title to reflect this discovery. Let me know if you think it sounds accurate.

matesh commented 7 years ago

Hello Jared,

After you messaged and reopened the topic I looked into it deeper, please see my findings below.

First of all I have to admit that I avoid and therefore haven't used environment variables very often, pretty much only to identify the platform or device type/model during my multi-platform developments. I usually set my environment variables globally in the appropriate file (for example in ubuntu /etc/environment). The issue I was having is likely due to a combination of my (at the time) lack of knowledge of how environment variables work when using the export command and slightly confusing information from the documentation.

When I installed Influx, Telegraf, Kapacitor and Chronograf following the documentation available here, I started Chronograf as a service as the documentation suggested. Then I immediately moved over to the security best practices page. Following the instructions and making the changes in the environment variables as suggested, then restarting the chronograf service had no effect on the authentication settings. After trying several other things, including the github settings and changing client IDs and secrets and all that, I tried to define the environment variables in the /etc/environment file and rebooted the server; however, that made no difference either. At this point I gave up and reached out for help, assuming that the issue might not be on my side. After goller's post and the hint to attempt to run Chronograf with command line arguments, it worked fine and I ended up using that method to run Chronograf and explore the capabilities. The reason for the above is now obvious: the environment variables I was defining with the export command were only applied to my current login session; in the session in which systemd was operating, these variables were not defined. I think while writing the best practices documentation, the assumption was that Chronograf will be executed from the command line within the same session after setting up the environment variables, just like goller above demonstrated, therefore the freshly exported environment variables are defined and accessible by chronograf.

Knowing all the above and after the research I have done since, to avoid similar confusion in the future, I would recommend pointing the user in the security best practices document to the /etc/default/chronograf file for defining the configuration parameters/environment variables. Since most people are more familiar/confident with configuration files rather than environment variables in the linux environment, this would avoid confusion in people less experienced with environment variables like me, as well as applying the appropriate configuration every time the Chronograf service is started from any user session via systemd, which seems to be the encouraged way in the getting started document.

Speaking of the chronograf.service script, while fiddling around I found that --host, --port, -b and -c arguments that are hard coded in the ExecStart part of the script seem to override any changes attempted in these parameters by using environment variables when chronograf is started as a service, even when using the EnvironmentFile which is referred to by the script just one line above. I would probably remove these arguments from the systemd script and add them as defaults in the /etc/default/chronograf file and get the users to modify these if needed and/or add their own preferences in the same file instead of using the export command.

Personally, I don't like using environment variables and I don't see the advantage of configuring parameters of a software like Chronograf this way, it can lead to more confusion. I prefer using dedicated configuration files, because just like in this case, parameters usually end up in a file anyway.

Since then I added my parameters to the /etc/default/chronograf file and everything seems to work as expected. Every day we face something new and make mistakes, but we learn from them and that takes us forward. I feel a bit stupid though, I should have been more thorough before ringing the bells, but I hope the above helps with your development.
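The session-versus-service behaviour explained in the comment above, as an added shell example that is not part of this thread or of Chronograf: a toy stand-in script plays the chronograf binary (flag beats environment variable beats nothing, as the comment describes), a constructed temp file stands in for /etc/default/chronograf, and `env -i` stands in for systemd starting the service with a clean environment. It shows why `export` in a login shell leaves authentication unconfigured for the service, why an EnvironmentFile does reach it, and why a flag hard-coded in ExecStart still wins.

```shell
#!/bin/sh
# Added example, not Chronograf's own code. The "TOY" script below is a
# hypothetical stand-in for the chronograf binary, resolving TOKEN_SECRET
# the way the thread describes: explicit flag first, then env var, then unset.
TOY="$(mktemp)"
cat > "$TOY" <<'EOF'
#!/bin/sh
flag=""
for arg in "$@"; do
  case "$arg" in --token-secret=*) flag="${arg#--token-secret=}";; esac
done
if [ -n "$flag" ]; then echo "flag:$flag"
elif [ -n "${TOKEN_SECRET:-}" ]; then echo "env:$TOKEN_SECRET"
else echo "unset"; fi
EOF

# Constructed stand-in for /etc/default/chronograf (the EnvironmentFile).
ENVFILE="$(mktemp)"
printf 'TOKEN_SECRET=file-secret\n' > "$ENVFILE"

# Case 1: `export` in the login shell. A child of this shell sees the value,
# but a process started with a fresh environment (env -i, like systemd) does not,
# so the service comes up with no token secret and no login page.
export TOKEN_SECRET=login-shell-secret
from_same_shell() { /bin/sh "$TOY"; }
from_clean_env()  { env -i /bin/sh "$TOY"; }

# Case 2: EnvironmentFile= semantics. systemd reads KEY=VALUE lines into the
# service environment; `set -a` makes `.` export them the same way here.
from_envfile() {
  env -i /bin/sh -c "set -a; . '$ENVFILE'; set +a; /bin/sh '$TOY'"
}

# Case 3: ExecStart hard-codes a flag. The flag overrides the EnvironmentFile
# value, which is why editing the file alone cannot change such settings.
from_envfile_with_flag() {
  env -i /bin/sh -c "set -a; . '$ENVFILE'; set +a; /bin/sh '$TOY' --token-secret=unit-flag"
}

echo "same shell:        $(from_same_shell)"
echo "clean env:         $(from_clean_env)"
echo "envfile:           $(from_envfile)"
echo "envfile + flag:    $(from_envfile_with_flag)"
```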

aolgin commented 6 years ago

Hi,

I'm actually running into a similar issue where I set the variables in the /etc/default/chronograf file, and they just do not work. I'm able to get it running when I pass those as flags in a command, and if I specify environment variables in my docker-compose file, they will also work, but just purely putting the variables and their values in /etc/default/chronograf fails for me.

For reference, I'm using the following variables/flags: TOKEN_SECRET, PUBLIC_URL, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_DOMAINS, LOG_LEVEL.

Also, I'm using Chronograf 1.5.0.0 (git: 23152663e04ab91f52866e83385eaac2b1a0f4b4)

When using only the /etc/default/chronograf file and running the service, there's no login page and I'm taken right into my chronograf instance without having to go through any form of authorization.

Any advice on what to do? I'm happy to provide more input to help troubleshoot this issue.