Open matthieumarrast opened 1 year ago
I'm not sure any of the two possible solutions can be implemented as grafana is an external source.
I think we can only change configuration or instructions for use.
The admin password is set (to default `mfadmin` value) in two configuration files, mfadmin general `config.ini` file and in `grafana.ini` file (in this file with the comment "default admin password, can be changed before first start of grafana, or in profile settings").
I have not checked what happens whether the value is modified in one of the two files or both...
In `grafana.ini` the creation of the admin passwd on first start of grafana can be disabled (`disable_initial_admin_creation` is set to `false` by default), maybe grafana will not prompt to update the admin passwd if `disable_initial_admin_creation` is set to `true`.
Setting `disable_initial_admin_creation=True` raises an error during `grafana.status` as `_force_grafana_admin_password.sh` will return an error because the admin user does not exist...
Why does `grafana.status` try to authenticate with HTTP basic auth?

```python
r = requests.get(GRAFANA_URL, auth=HTTPBasicAuth('admin', ADMIN_PASSWORD), timeout=TIMEOUT)
```

(metwork only protects kibana with http basic auth)
But as per the grafana doc (https://grafana.com/docs/grafana/latest/developers/http_api/auth/):

> If basic auth is enabled (it is enabled by default), then you can authenticate your HTTP request via standard basic auth. Basic auth will also authenticate LDAP users.

So in `grafana.ini` we can update as below:

```ini
[auth.basic]
enabled = false
```

and disabling the authent' test in `grafana.status`:

```python
with MFProgress() as progress:
    t = progress.add_task("- Testing Grafana...", total=TIMEOUT)
    # r stays None when the request itself fails (refused, timeout, ...)
    r = None
    try:
        # No credentials are sent: this only checks that Grafana answers
        r = requests.get(GRAFANA_URL, timeout=TIMEOUT)
    except Exception:
        pass
    if r is not None and r.status_code == 200:
        progress.complete_task(t)
        sys.exit(0)
    progress.complete_task_nok(t)
    sys.exit(1)
```
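An added example, not mfadmin's own code and not part of any comment in this thread: one way a status check can keep liveness apart from the admin credential, so that a 401 after a password change in the web interface is reported rather than treated as Grafana being down. It assumes Grafana's unauthenticated `/api/health` endpoint and its authenticated `/api/org` endpoint; `grafana_state`, `FakeGrafana`, `demo` and the password `s3cret` are hypothetical names and values constructed for the demo.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# A local check must not be routed through a proxy taken from the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def _get(url, basic=None, timeout=5):
    """Return the HTTP status code, or None when nothing answered."""
    req = urllib.request.Request(url)
    if basic:
        token = base64.b64encode(basic.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # the server answered, e.g. 401
    except OSError:
        return None  # refused, timed out, unreachable

def grafana_state(base_url, password, timeout=5):
    """Hypothetical helper: returns 'down', 'password_changed' or 'up'."""
    # Liveness: /api/health is served without credentials.
    if _get(base_url + "/api/health", timeout=timeout) != 200:
        return "down"
    # The credential is tested separately, so a 401 is reported, not "repaired".
    if _get(base_url + "/api/org", "admin:" + password, timeout) == 401:
        return "password_changed"
    return "up"

class FakeGrafana(BaseHTTPRequestHandler):
    """Constructed stand-in whose admin password was changed to 's3cret'."""
    def do_GET(self):
        good = "Basic " + base64.b64encode(b"admin:s3cret").decode()
        ok = self.path == "/api/health" or self.headers.get("Authorization") == good
        self.send_response(200 if ok else 401)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeGrafana)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d" % server.server_port
    states = grafana_state(url, "admin"), grafana_state(url, "s3cret")
    server.shutdown()
    return states
```

With a check shaped like this, only the `down` state would justify a restart; `password_changed` can be surfaced to the operator without running a reset script.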
But maybe the first password initialization is probably made by `_force_grafana_admin_password.sh` during first `grafana.status` -> to be verified
Problem
When using the default user admin/admin for logging in to grafana, we are prompted to update the password for admin user:
So if this password is updated in the web interface, the `grafana.status` (launched during mfadmin restart) command will get a 401 unauthorized error because we are not testing the new right password (we use `MFADMIN_GRAFANA_ADMIN_PASSWORD`).
https://github.com/metwork-framework/mfadmin/blob/master/adm/grafana.status :
So the script `_force_grafana_admin_password.sh` will be executed and will reset the admin password with variable `MFADMIN_GRAFANA_ADMIN_PASSWORD` which is set with mfadmin `config.ini`:
=> as a result admin password is reset to "admin"
Possible solutions
MFADMIN_GRAFANA_ADMIN_PASSWORD
or