grafana updated password is reset on mfadmin restart #257

Open
matthieumarrast opened this issue Apr 3, 2023 · 4 comments
@matthieumarrast
Contributor

matthieumarrast commented Apr 3, 2023

Problem

When using the default user admin/admin for logging in to grafana, we are prompted to update the password for the admin user.

So if this password is updated in the web interface, the grafana.status command (launched during mfadmin restart) will get a 401 Unauthorized error because we are not testing with the new password (we use MFADMIN_GRAFANA_ADMIN_PASSWORD).

https://github.com/metwork-framework/mfadmin/blob/master/adm/grafana.status :

ADMIN_PASSWORD = os.environ['MFADMIN_GRAFANA_ADMIN_PASSWORD']
[...]
with MFProgress() as progress:
    t = progress.add_task("- Testing Grafana...", total=TIMEOUT)
    try:
        r = requests.get(GRAFANA_URL, auth=HTTPBasicAuth('admin', ADMIN_PASSWORD),
                         timeout=TIMEOUT)
[...]
    if r.status_code == 401:
        # maybe the password is not updated
        os.system("_force_grafana_admin_password.sh >/dev/null")

So the script _force_grafana_admin_password.sh will be executed and will reset the admin password with the variable MFADMIN_GRAFANA_ADMIN_PASSWORD, which is set with mfadmin config.ini :

###################
##### GRAFANA #####
###################
[grafana]

# grafana admin password (length must be > 4)
# (you have to restart the module if you change it)
# admin_password=admin

=> as a result admin password is reset to "admin"

Possible solutions

  • the update of the admin password through the grafana UI must have effect on variable/config MFADMIN_GRAFANA_ADMIN_PASSWORD
    or
  • grafana must not prompt to update the admin password (if equal to admin) as it must only be updated through the mfadmin config (env variable)

@matthieumarrast changed the title from "grafana updated password is reseted on mfadmin restart" to "grafana updated password is reset on mfadmin restart" on Apr 3, 2023

@thebaptiste
Contributor

I'm not sure any of the two possible solutions can be implemented as grafana is an external source.
I think we can only change configuration or instructions for use.
The admin password is set (to default mfadmin value) in two configuration files, mfadmin general config.ini file and in grafana.ini file (in this file with the comment "default admin password, can be changed before first start of grafana, or in profile settings").
I have not checked what happens whether the value is modified in one of the two files or both...
In grafana.ini the creation of the admin passwd on first start of grafana can be disabled (disable_initial_admin_creation is set to false by default), maybe grafana will not prompt to update the admin passwd if disable_initial_admin_creation is set to true.

@matthieumarrast
Contributor Author

setting disable_initial_admin_creation=True raises an error during grafana.status as _force_grafana_admin_password.sh will return an error because the admin user does not exist...

@matthieumarrast
Contributor Author

Why does grafana.status try to authenticate with HTTP basic auth?
r = requests.get(GRAFANA_URL, auth=HTTPBasicAuth('admin', ADMIN_PASSWORD), timeout=TIMEOUT)
(metwork only protects kibana with HTTP basic auth)

But as per the grafana doc (https://grafana.com/docs/grafana/latest/developers/http_api/auth/) :

If basic auth is enabled (it is enabled by default), then you can authenticate your HTTP request via standard basic auth. Basic auth will also authenticate LDAP users.

So in grafana.ini we can update as below:

[auth.basic]
enabled = false

and disable the authentication test in grafana.status:

with MFProgress() as progress:
    t = progress.add_task("- Testing Grafana...", total=TIMEOUT)
    try:
        r = requests.get(GRAFANA_URL, timeout=TIMEOUT)
    except Exception:
        # Grafana is unreachable: r is not bound here, so report the failure now
        progress.complete_task_nok(t)
        sys.exit(1)
    if r.status_code == 200:
        progress.complete_task(t)
        sys.exit(0)
    progress.complete_task_nok(t)
    sys.exit(1)

@matthieumarrast
Contributor Author

But maybe the first password initialization is probably made by _force_grafana_admin_password.sh during first grafana.status -> to be verified
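
An added example, not mfadmin's own code: a read-only status check that separates "Grafana is down" from "the configured admin password no longer matches", so a 401 is reported instead of triggering a reset to the config.ini value. It assumes basic auth is left enabled and uses Grafana's /api/health and /api/org HTTP API endpoints; the function names, the localhost:3000 URL and the fake_grafana stand-in are constructed for illustration.

```python
import base64
import urllib.error
import urllib.request

DEFAULT_PASSWORD = "admin"  # default shown in the mfadmin config.ini above


def _get(url, timeout, password=None):
    """Return the HTTP status code, or None when Grafana is unreachable."""
    req = urllib.request.Request(url)
    if password is not None:
        token = base64.b64encode(f"admin:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 4xx/5xx still means "answering"
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def grafana_status(base_url, configured_password, timeout=5, get=_get):
    """Read-only check: returns (exit_code, message), never resets a password."""
    # Liveness: Grafana's /api/health needs no credentials.
    if get(base_url + "/api/health", timeout) != 200:
        return 1, "grafana is not answering"
    # Credential probe is informational; /api/org requires a signed-in user.
    code = get(base_url + "/api/org", timeout, configured_password)
    if code == 401:
        return 0, "up; admin password differs from MFADMIN_GRAFANA_ADMIN_PASSWORD"
    if code == 200 and configured_password == DEFAULT_PASSWORD:
        return 0, "up; admin still uses the default password"
    return 0, "up"


def fake_grafana(actual_password):
    """Constructed stand-in for a Grafana server so the check runs offline."""
    def get(url, timeout, password=None):
        if url.endswith("/api/health"):
            return 200
        return 200 if password == actual_password else 401
    return get


if __name__ == "__main__":
    # Constructed scenario: password rotated in the UI, config still "admin".
    rotated = fake_grafana("rotated-in-the-ui")
    print(grafana_status("http://localhost:3000", "admin", get=rotated))
```
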
