
//Cloudogu EcoSystem Docs

The Grafana CARP

Grafana authentication runs via a so-called CARP, which stands for CAS Authentication Reverse Proxy. The CARP runs as a proxy server in front of Grafana and takes over CAS authentication. When /grafana is accessed, the CARP handles the request: it redirects to CAS, evaluates the service ticket or, if the user is already authenticated, forwards the request to Grafana.

Grafana itself implements proxy authentication: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/ The CARP uses this feature to authenticate users. A header with the corresponding user name is simply set when the request is forwarded to Grafana.
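The header handling that this kind of proxy authentication depends on, as an added Go sketch that is not the CARP's or Cloudogu's own code: the proxy discards any user-name header sent by the client and sets it only from the authenticated session. The header name X-WEBAUTH-USER, the lookup callback and all function names are assumptions made for the example; port 3000 is the local Grafana port given under "Customize ports".

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Assumed header name; it has to match header_name in Grafana's [auth.proxy] settings.
const userHeader = "X-WEBAUTH-USER"

// withIdentity forwards a request only with a user name taken from lookup,
// a hypothetical stand-in for the CARP's CAS session and service-ticket check.
func withIdentity(next http.Handler, lookup func(*http.Request) (string, bool)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(userHeader) // drop any identity the client supplied itself
		user, ok := lookup(r)
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized) // a real CARP redirects to CAS
			return
		}
		r.Header.Set(userHeader, user)
		next.ServeHTTP(w, r)
	})
}

// carpHandler puts the check in front of a reverse proxy to the local Grafana port.
func carpHandler(lookup func(*http.Request) (string, bool)) http.Handler {
	target, _ := url.Parse("http://localhost:3000")
	return withIdentity(httputil.NewSingleHostReverseProxy(target), lookup)
}

// probe sends one constructed request to a stub that echoes the user name Grafana would see.
func probe(clientHeader, sessionUser string) (int, string) {
	stub := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get(userHeader))
	})
	lookup := func(*http.Request) (string, bool) { return sessionUser, sessionUser != "" }
	req := httptest.NewRequest("GET", "/grafana/", nil)
	req.Header.Set(userHeader, clientHeader)
	rec := httptest.NewRecorder()
	withIdentity(stub, lookup).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(probe("admin", "alice")) // client-sent "admin" is replaced by "alice"
	fmt.Println(probe("admin", ""))      // no session: 401, nothing forwarded
}
```

The same trust assumption applies on Grafana's side: it should be reachable only through the CARP, for example by restricting the accepted proxy addresses with the whitelist option of [auth.proxy].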

The CARP also replicates accounts, groups (teams) and authorizations. This is done by sending requests to Grafana's REST API. In principle, Grafana would also have offered authorization and team (group) replication, but only in the Premium version, which we are not using here.

Grafana itself also supports other authentication methods, but during testing these proved to be less advantageous than the CARP.

Our previously built CARP was used as the basis for the CARP: https://github.com/cloudogu/carp As its functions have been extended for Grafana

Customize ports

The CARP always runs locally on port 8080 and the corresponding local Grafana on port 3000. If these ports cannot be used, the following files must be adapted (see the comments in the files):

  • Makefile (grafana-local target)
  • dev.ini
  • grafana-carp/carp.yml