Grafana接入Ldap实现用户分组权限管控-摩杜云开发者社区

背景

公司搭建的zabbix,能做到快速搭建,通过zabbix api开发能做到机器初始化快速监控,监控模板直接用zabbix自带不需要另外编写,通过配置报警媒介,报警触发器,能实现发送钉钉报警markdown消息...一切的一切显示出zabbix如此快捷和便利,然而当我们需要观看一个主机组内所有主机监控情况时却为了难,虽然zabbix可以添加聚合图形,但是随着被监控机器不断增加,zabbix聚合图形已无法满足我们这一要求,所以后续将考虑使用prometheus和grafana的方式或者zabbix和grafana的方式来解决这一痛点

grafana搭建和使用

rpm下载链接:Install on RPM-based Linux | Grafana documentation

yum install -y grafana-enterprise-8.0.0-1.x86_64.rpm
systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server

登陆grafana

浏览器输入地址http://10.0.0.63:3000

Grafana接入Ldap实现用户分组权限管控_ldap

初始账号密码为admin admin

grafana新建数据源

如果需要接入zabbix数据源,需要先安装插件,命名为grafana-cli plugins install alexanderzobnin-zabbix-app

安装后进入grafana页面,进入插件功能选项将插件激活

Grafana接入Ldap实现用户分组权限管控_ldap_02

Grafana接入Ldap实现用户分组权限管控_grafana_03

Grafana接入Ldap实现用户分组权限管控_grafana_04

这样如果需要的话后面也就能添加zabbix数据源了

添加prometheus数据源

Grafana接入Ldap实现用户分组权限管控_ldap_05

Grafana接入Ldap实现用户分组权限管控_ldap_06

Grafana接入Ldap实现用户分组权限管控_grafana_07

Grafana接入Ldap实现用户分组权限管控_grafana_08

Grafana接入Ldap实现用户分组权限管控_grafana_09

最后测试保存

grafana导入仪表盘模板

Grafana接入Ldap实现用户分组权限管控_grafana_10

打开grafana bashbord官网网址：Dashboards | Grafana Labs

Grafana接入Ldap实现用户分组权限管控_ldap_11

点击自己需要的模板,然后copy模板id

输入id点击load导入

Grafana接入Ldap实现用户分组权限管控_grafana_12

Grafana接入Ldap实现用户分组权限管控_ldap_13

Grafana接入Ldap用户分组,权限管理

Ldap分组信息,如图:

Grafana接入Ldap实现用户分组权限管控_grafana_14

grafana配置文件修改

vim /etc/grafana/grafana.ini   #打开grafana配置文件,加入
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

重启grafana服务

systemctl restart grafana-server.service

配置前在ldap服务器上做几个查询

根据条件查询ldap用户

下面的ldap:// 后面需要填写你自己的ldap服务地址,-w 后面需要填写你ldap管理密码

ldapsearch -x -H ldap://xxxx:389 -D "cn=admin,dc=10heroes,dc=cn" -w "xxx" -b "dc=10heroes,dc=cn" "(cn=linghuchong)"
# extended LDIF
#
# LDAPv3
# base <dc=10heroes,dc=cn> with scope subtree
# filter: (cn=linghuchong)
# requesting: ALL
#

# linghuchong, yunwei, user, 10heroes.cn
dn: cn=linghuchong,ou=yunwei,ou=user,dc=10heroes,dc=cn
description: ooelicloud LDAP entry
displayName:: 5Luk54uQ5Yay
gidNumber: 1000
homeDirectory: /home/linghuchong
mail: 463519696@qq.com
mobile: 17683789735
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
sn: linghuchong
uid: 1270
uidNumber: 1270
userPassword:: bGluZ2h1Y2hvbmcxMjMu
cn: linghuchong
ou: yunwei

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

根据条件查询ldap组

ldapsearch -x -H ldap://xxxxx:389 -D "cn=admin,dc=10heroes,dc=cn" -w "xxxx" -b "dc=10heroes,dc=cn" "(&(objectClass=organizationalUnit)(ou=yunwei))"
# extended LDIF
#
# LDAPv3
# base <dc=10heroes,dc=cn> with scope subtree
# filter: (&(objectClass=organizationalUnit)(ou=yunwei))
# requesting: ALL
#

# yunwei, user, 10heroes.cn
dn: ou=yunwei,ou=user,dc=10heroes,dc=cn
ou: yunwei
objectClass: organizationalUnit
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

可以看到我们可以通过cn属性值查找到ldap用户,而ldap用户属性有ou属性,这个属性我姑且叫它为组织名,后面我们可以通过ou属性值查找到ldap用户所在的组,这些关键信息在我们后面配置ldap.toml的时候需要用到

修改ldap.toml文件

cat /etc/grafana/ldap.toml

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
#[log]
#level = debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "xxxxx"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=10heroes,dc=cn"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'xxxx'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["dc=10heroes,dc=cn"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=organizationalUnit)(ou=%s))"
group_search_base_dns = ["ou=user,dc=10heroes,dc=cn"]
group_search_filter_user_attribute = "ou"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "displayname"
surname = "sn"
username = "cn"
member_of = "ou"
email =  "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "user"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
org_id = 1

[[servers.group_mappings]]
group_dn = "yunwei"
org_role = "Editor"
org_id = 4

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t1"
org_role = "Viewer"
org_id = 5

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t2"
org_role = "Viewer"
org_id = 5

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t3"
org_role = "Viewer"
org_id = 5

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t4"
org_role = "Viewer"
org_id = 5

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "yunying"
org_role = "Viewer"
org_id = 5

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "center"
org_role = "Viewer"
org_id = 5

完成后重启grafana服务

systemctl restart grafana-server.service

ldap.toml配置说明

host：就是指定你的ldap服务器,可以指定多个,需要分隔符

port：你的ldap服务器的监听的端口

bind_dn: 你需要特定ou的管理员账号,我这里使用了域管理者

bind_password: 上面账号的密码

search_filter:  用户搜索的过滤表达式,配合search_base_dns

search_base_dns: 用户搜索的范围,这里在user这个ou里面搜索所有的用户,需要配合search_filter来完成用户的过滤

group_search_filter: 组搜索的过滤表达式,配合group_search_base_dns

group_search_base_dns: 指定组搜索的范围

servers.attributes: 这个主要是用户获取特定提取到的用户条目有特定字段的提取,username从查询的用户信息取特定字段值作为grafana的用户名,

                              member_of 代表，根据group_search_base_dns和group_search_filter 得到特定的一个组后,那个字段作为组名字 个取到的结果需要和下面的映射保持一致

                              email代表取特定用户的mail字段作为grafana用户的email信息

servers_group_mappings: 这个是用于定义ldap用户组和grafana角色组的映射关系的,上面member_of ,group_search_base_dns和group_search_filter 这三个条件可以获取到ldap的组名,里要和三个条件获取的一致

												group_dn 对应ldap上的ou
                        org_role 映射grafana上对应组织的角色
                        org_id   映射grafana上对应的组织id

测试接入是否生效

Grafana接入Ldap实现用户分组权限管控_grafana_15

输入用户名测试ldap接入是否有效

Grafana接入Ldap实现用户分组权限管控_ldap_16

grafana上的组织

Grafana接入Ldap实现用户分组权限管控_ldap_17

Grafana接入Ldap实现用户分组权限管控_ldap_18

这样通过配置ldap.toml下的[[servers.group_mappings]] 实现了当ldap分组用户登录grafana后分配到具体的某个组织上,然后具有Admin或者Editor或者Viewer权限

小结

在使用grafana的过程中肯定有不熟悉的地方,我的建议是直接看官方文档,其实不管学什么东西,官方文档是比较让人信赖的,这里贴上grafana官方文档链接:LDAP Authentication | Grafana documentation