grafana updated password is reset on mfadmin restart

[matthieumarrast]

Problem

When using the default user admin/admin for loggin-in to grafana, we are prompted to update the password for admin user:

So if this password is updated in the web interface, the grafana.status (launched during mfadmin restart) command will get a 401 unauthorized error because we are not testing the new right password (we use MFADMIN_GRAFANA_ADMIN_PASSWORD).

https://github.com/metwork-framework/mfadmin/blob/master/adm/grafana.status :

ADMIN_PASSWORD = os.environ['MFADMIN_GRAFANA_ADMIN_PASSWORD']
[...]
with MFProgress() as progress:
    t = progress.add_task("- Testing Grafana...", total=TIMEOUT)
    try:
        r = requests.get(GRAFANA_URL, auth=HTTPBasicAuth('admin',
                                                         ADMIN_PASSWORD),timeout=TIMEOUT)
[...]
    if r.status_code == 401:
        # maybe the password is not updated
        os.system("_force_grafana_admin_password.sh >/dev/null")

So the script _force_grafana_admin_password.sh will be execute and will reset the admin password with variable MFADMIN_GRAFANA_ADMIN_PASSWORD which is set with mfadmin config.ini :

###################
##### GRAFANA #####
###################
[grafana]

# grafana admin password (length must be > 4)
# (you have to restart the module if you change it)
# admin_password=admin

=> as a result admin password is reset to "admin"

Possible solutions

• the update of the admin password through the grafana UI must have effect on variable/config MFADMIN_GRAFANA_ADMIN_PASSWORD
  or
• grafana must not prompt to update the admin password (if equal to admin) as it must only be updated through the mfadmin config (env variable)

[thebaptiste]

I'm not sure any of the two possible solutions can be implemented as grafana is an external source.
I think we can only change configuration or instructions for use.
The admin password is set (to default mfadmin value) in two configuration files, mfadmin general config.ini file and in grafana.ini file (in this file with the comment "default admin password, can be changed before first start of grafana, or in profile settings").
I have not checked what happens wheter the value is modified in one of the two files or both...
In grafana.ini the creation of the admin passwd on first start of grafana can be disabled (disable_initial_admin_creation is set to false by default), maybe grafana will not prompt to update the admin passwd if disable_initial_admin_creation is set to true.

[matthieumarrast]

setting disable_initial_admin_creation=True raises an error during grafana.status as _force_grafana_admin_password.sh will return an error because the admin user does not exist...

[matthieumarrast]

why the grafana.status try to authenticate with http basic auth ?
r = requests.get(GRAFANA_URL, auth=HTTPBasicAuth('admin', ADMIN_PASSWORD),timeout=TIMEOUT)
(metwork only protects kibana with http basic auth)

But as per the grafana doc (https://grafana.com/docs/grafana/latest/developers/http_api/auth/) :

If basic auth is enabled (it is enabled by default), then you can authenticate your HTTP request via standard basic auth. Basic auth will also authenticate LDAP users.

So in grafana.ini we can update as below:

[auth.basic]
enabled = false

and disabling the authent' test in grafana.status:

with MFProgress() as progress:
    t = progress.add_task("- Testing Grafana...", total=TIMEOUT)
    try:
        r = requests.get(GRAFANA_URL, timeout=TIMEOUT)
    except Exception:
        pass
    if r.status_code == 200:
        progress.complete_task(t)
        sys.exit(0)
    progress.complete_task_nok(t)
    sys.exit(1)

[matthieumarrast]

why the grafana.status try to authenticate with http basic auth ? r = requests.get(GRAFANA_URL, auth=HTTPBasicAuth('admin', ADMIN_PASSWORD),timeout=TIMEOUT) (metwork only protects kibana with http basic auth)

But as per the grafana doc (https://grafana.com/docs/grafana/latest/developers/http_api/auth/) :

If basic auth is enabled (it is enabled by default), then you can authenticate your HTTP request via standard basic auth. Basic auth will also authenticate LDAP users.

So in grafana.ini we can update as below:

[auth.basic]
enabled = false

and disabling the authent' test in grafana.status:

with MFProgress() as progress:
    t = progress.add_task("- Testing Grafana...", total=TIMEOUT)
    try:
        r = requests.get(GRAFANA_URL, timeout=TIMEOUT)
    except Exception:
        pass
    if r.status_code == 200:
        progress.complete_task(t)
        sys.exit(0)
    progress.complete_task_nok(t)
    sys.exit(1)

But maybe the first password initialization is probably made by _force_grafana_admin_password.sh during first grafana.status -> to be verified