The Grafana CARP
Grafana authentication runs via a so-called CARP, which stands for CAS-Authentication-Reverse-Proxy.
The CARP runs as a proxy server in front of Grafana and handles CAS authentication.
If
Grafana itself implements proxy authentication: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
The CARP uses this feature to authenticate: when forwarding the request to Grafana, it simply sets a header containing the corresponding user name.
The CARP also replicates accounts, groups (teams) and authorizations. This is done by sending requests to Grafana's REST API. In principle, Grafana would also have offered authorization and team (group) replication, but only in the Premium version, which we are not using here.
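The header handling described above, as an added Go example that is not the CARP's own code: the proxy removes any identity header the client sent and sets it only from the authenticated session. Assumptions: the header name X-WEBAUTH-USER (Grafana's documented default `header_name`), and the hypothetical names `newCarp`, `casUser`, `throughCarp` and `X-Sample-Session`, with a fake Grafana backend and a constructed sample session.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

const userHeader = "X-WEBAUTH-USER" // assumption: Grafana's default auth.proxy header_name

// newCarp proxies to target; casUser is a hypothetical stand-in for the CAS session check.
func newCarp(target *url.URL, casUser func(*http.Request) (string, bool)) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(userHeader) // never trust a client-supplied identity header
		user, ok := casUser(r)
		if !ok {
			http.Error(w, "CAS login required", http.StatusUnauthorized)
			return
		}
		r.Header.Set(userHeader, user) // identity comes only from the CAS session
		proxy.ServeHTTP(w, r)
	})
}

// throughCarp sends one request through the proxy to a fake Grafana that echoes the user header.
func throughCarp(session, spoofedUser string) (int, string) {
	grafana := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "user="+r.Header.Get(userHeader))
	}))
	defer grafana.Close()
	target, _ := url.Parse(grafana.URL)
	carp := newCarp(target, func(r *http.Request) (string, bool) {
		return "alice", r.Header.Get("X-Sample-Session") == "s-alice" // constructed sample session
	})
	req := httptest.NewRequest(http.MethodGet, "/api/teams", nil)
	req.Header.Set("X-Sample-Session", session)
	req.Header.Set(userHeader, spoofedUser)
	rec := httptest.NewRecorder()
	carp.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(throughCarp("s-alice", "admin"))
	fmt.Println(throughCarp("", "admin"))
}
```

Because Grafana trusts this header, it should be reachable only through the proxy; Grafana's `whitelist` setting under `[auth.proxy]` can additionally restrict which source addresses may send it.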
Grafana itself also supports other authentication methods, but during testing these proved to be less advantageous than the CARP.
Our previously built CARP was used as the basis for the Grafana CARP: https://github.com/cloudogu/carp As its functions have been extended for Grafana
Customize ports
The CARP always runs locally on port 8080 and the corresponding local Grafana on port 3000. If it is not possible to use these ports, the following files must be adapted (see comments in the files):
- Makefile (grafana-local target)
- dev.ini
- grafana-carp/carp.yml