Grafana JWT integration with Teleport

[stevenGravy]

Here is a step through example of configuring Grafana to authenticate users with Teleport JSON Web Token (JWT)

Prerequisites:

• Teleport instance configured to allow App Access. See app guide if this is new to you.
• linux machine with Teleport installed as a service
• docker & docker-compose OR an existing Grafana 8.0 installation

Install Grafana

Have docker and docker-compose installed. Set these files.

docker-compose.yaml

version: "3.7"
services:
  grafana:
    image: grafana/grafana
    container_name: grafana
    user: root
    restart: unless-stopped
    ports:
      - "3000:3000"
    volumes:
      - ./provisioning:/etc/grafana/provisioning
      - ./grafana.ini:/etc/grafana/grafana.ini
      - ./dashboards:/etc/grafana/dashboards
      - ./data:/var/lib/grafana
    hostname: grafana     

grafana.ini:

• Change admin_user to your Teleport user ([email protected], michelle,...)
• Change root_url and jwk_set_url to your respective domain. The root_url should be the url that will go through Teleport App Access.

[paths]
provisioning = /etc/grafana/provisioning

[server]
enable_gzip = true
root_url = https://grafanaapp.teleport.example.com

[security]
# If you want to embed grafana into an iframe for example
allow_embedding = true
admin_user = jeff

[users]
default_theme = dark

[auth.basic]
enabled = false
[auth.jwt]
enabled = true
header_name = Teleport-Jwt-Assertion
email_claim = sub
username_claim = sub
jwk_set_url = https://teleport.example.com:443/.well-known/jwks.json
;jwk_set_file = /path/to/jwks.json
;cache_ttl = 60m
;expected_claims = {"aud": ["foo", "bar"]}
;key_file = /path/to/key/file
###
# Optionally, if you want Grafana to create users from the JWT claim
###
auto_sign_up = true

/etc/teleport.yaml:

Set the <authtoken>, <ca-pin> and public_addr to your respective system values. You need a authtoken in this case that had a node,app.

teleport:
  nodename: grafanaapp
  auth_token: <authtoken>
  ca_pin:
  - sha256:<ca-pin>
  auth_servers:
  - teleport.example.com:443
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    serving_app: "grafanaapp"
proxy_service:
  enabled: no
app_service:
  enabled: yes
  apps:
  - name: "grafanaapp"
    uri: "http://localhost:3000"
    public_addr: grafanaapp.teleport.example.com
    rewrite:
       headers:
       - "Host: grafanaapp.teleport.example.com"
       - "Origin: https://grafanaapp.teleport.example.com"

Start Grafana and Teleport

docker-compose up -d
sudo service teleport start

Access

Grafana app should now show in your list of applications

Select Launch and you should auto login. If you get a JWT error it's likely your user in Teleport does not match the admin_user
or you did not enable the automatic sign up.

[zen]

@stevenGravy Do I understand this correctly, that this example only allows on static user in Grafana?

[webvictim]

If you enable user creation in the Grafana config then users can automatically be created for you:

[auth.jwt]
auto_sign_up = true

[daxroc]

Note for Grafana 10.x you'll also need to set the Host and Origin headers for the CSRF changes.

apps:
- name: grafana
  uri: http://localhost:3000
  rewrite:
    headers:
    - "Host: grafana.teleport.example.com"
    - "Origin: https://grafana.teleport.example.com"

[stevenGravy]

Thanks for sharing @daxroc. I deployed recently with 10 and did no experience this as an issue. Did you see this in a particular area needed?

[daxroc]

It’ll work fine until you attempt to save or change settings dashboards, as 10.x has some CSRF fixes.

[stevenGravy]

It’ll work fine until you attempt to save or change settings dashboards, as 10.x has some CSRF fixes.

Thanks for clarifying!!

[stevenGravy]

I've added that to the recommended setup

[daxroc]

If you want to map Teleport roles to the Roles within grafana you can add the following to the auth.jwt block

role_attribute_path = contains(roles[*], 'gf_admin') && 'Admin' || contains(roles[*], 'gf_editor') && 'Editor' || 'Viewer'

Where gf_* are the roles within Teleport
Word of caution here the above grants everyone else Viewer permission; you may want to adjust that to your own requirements.

You may also need additional config on the Teleport app jwt_claims

- name: grafana
  labels:
    type: grafana
  rewrite:
    jwt_claims: roles
    headers:
    ...