openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts
MIT License
263 stars 138 forks

OCP 3.11: Using default Grafana to connect to standalone Prometheus to pull data always pops up OAuth login #127

Closed liyongc closed 3 years ago

liyongc commented 5 years ago

I have a standalone Prometheus installed for my app in a different namespace (e.g. dev1) from the default namespace "openshift-monitoring", and I want to add my standalone Prometheus to the default Grafana.

Now I can use the sa (service account) "prom" (the service account of the standalone Prometheus) to do the Prometheus API query with bearer authentication:

```
curl --insecure -i -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI...pUxdu2JLIBsoThff5A" "https://prom-dev1.xxx/api/v1/query_range?query=xxx"
```

With the same sa "prom" I can also run some Grafana datasource API queries:

```
curl --insecure -i -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJSUzI...pUxdu2JLIBsoThff5A" "https://grafana-openshift-monitoring.xxx/api/datasources"
```

I also added the standalone Prometheus to Grafana with POST /api/datasources:

```
{
  "name": "${datasource_name}",
  "type": "prometheus",
  "typeLogoUrl": "",
  "access": "proxy",
  "url": "https://$( oc get route prom -n "${prometheus_namespace}" -o jsonpath='{.spec.host}' )",
  "basicAuth": false,
  "withCredentials": false,
  "jsonData": {
    "tlsSkipVerify": true,
    "httpHeaderName1": "Authorization"
  },
  "secureJsonData": {
    "httpHeaderValue1": "Bearer $( oc sa get-token prom -n "${prometheus_namespace}" )"
  }
}
```

Now I tried to pull data from a Grafana dashboard that uses the above datasource and, in the "query inspector", got the "OAuth login" response below:

xhrStatus:"complete"
request:Object
method:"GET"
url:"api/datasources/proxy/2/api/v1/query_range?query=min(app_availability)&start=1565250300&end=1565272200&step=300"
response:" <!DOCTYPE html> <html lang="en" charset="utf-8"> <head> <title>Log In</title> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"> <style> @font-face { font-family: "Open Sans"; src: url(data:application/x-font-woff;charset=utf-8;base64,...

Now when I try to use the sa "prom" to do the API query from the client, I also get the same login page:

https://grafana-openshift-monitoring.xxx/api/datasources/proxy/2/api/v1/query_range?query=min\(app_availability\)\&start\=1565241000\&end\=1565262900\&step\=300

I don't understand the logic here. I use the same sa "prom", which can do the Grafana admin API and can do the Prometheus query API directly. Why does it not work when I add it to a Grafana datasource and pull data from Grafana as proxy?

I double-checked the "OAuth login" returned from prom-proxy; its logs are as below:

```
2019/08/08 14:13:46 provider.go:382: authorizer reason: no RBAC policy matched
2019/08/08 14:13:50 provider.go:382: authorizer reason: no RBAC policy matched
2019/08/08 14:13:52 provider.go:382: authorizer reason: no RBAC policy matched
```
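An added triage example, not part of the original issue and not oauth-proxy's own code: Python helpers that confirm a datasource-proxy reply is the HTML login page, extract the authorizer denials from proxy logs in the format quoted above, and read the `sub` claim of a bearer token without verifying it, so the identity stored in the datasource can be compared with the one used in the direct curl. All function names are hypothetical, and the sample log, body and token (including the subject `system:serviceaccount:dev1:prom`) are constructed.

```python
import base64
import json
import re
from datetime import datetime

# oauth-proxy denial lines in the format quoted in the issue (timestamp file:line: reason).
DENIAL_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+:\d+: authorizer reason: "
    r"(.*?)(?= \d{4}/\d{2}/\d{2} |$)", re.M)


def authorizer_denials(log_text):
    """Return (timestamp, reason) per denial, even if lines were pasted as one."""
    return [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), reason.strip())
            for ts, reason in DENIAL_RE.findall(log_text)]


def is_login_page(content_type, body):
    """True when a proxied reply is the HTML login page, not Prometheus JSON."""
    if "json" in content_type.lower():
        return False
    return bool(re.search(r"<title>\s*Log In\s*</title>", body, re.I))


def token_subject(token):
    """Decode (without verifying) a JWT payload and return its 'sub' claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("sub")


def constructed_token(sub):
    """Build an unsigned demo token; constructed, not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"sub": sub}), "constructed"])


# Constructed samples modelled on the log lines and response quoted in the issue.
SAMPLE_LOG = ("2019/08/08 14:13:46 provider.go:382: authorizer reason: no RBAC policy matched "
              "2019/08/08 14:13:50 provider.go:382: authorizer reason: no RBAC policy matched")
SAMPLE_BODY = '<!DOCTYPE html> <html lang="en"> <head> <title>Log In</title>'

if __name__ == "__main__":
    print(authorizer_denials(SAMPLE_LOG))
    print(is_login_page("text/html; charset=utf-8", SAMPLE_BODY))
    print(token_subject(constructed_token("system:serviceaccount:dev1:prom")))
```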

openshift-bot commented 4 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 4 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot commented 3 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci-robot commented 3 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/oauth-proxy/issues/127#issuecomment-727166634):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.