From f6f4ae29084018693300dbb01448f3aaa65ff35c Mon Sep 17 00:00:00 2001 From: Marc LeBlanc Date: Wed, 18 Dec 2024 19:23:43 -0700 Subject: [PATCH] Adding Grafana authentication information --- docs/admin/observability/metrics.mdx | 32 ++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/docs/admin/observability/metrics.mdx b/docs/admin/observability/metrics.mdx index 8dc6797dd..0d323057a 100644 --- a/docs/admin/observability/metrics.mdx +++ b/docs/admin/observability/metrics.mdx 
@@ -82,8 +82,36 @@ sshuttle -r user@host 0/0 Grafana will be available at http://host:3370/-/debug/grafana. -> WARNING: Our Grafana instance runs in anonymous mode with all authentication turned off, since we rely on Sourcegraph's built-in authentication. -> Please be careful when exposing it directly to external traffic. +### Grafana Security + + +WARNING: By default, our Grafana container runs in anonymous mode with authentication disabled, relying on Sourcegraph's authentication and authorization when accessed through your Sourcegraph instance. + +We recommend you use your network security controls to prevent access to Grafana's listening ports, or enable Grafana's builtin authentication. + + +To enable Grafana's builtin authentication, configure the `GF_AUTH_ANONYMOUS_ENABLED` environment variable to `false` in the Grafana container's environment variables in your deployment override file. + +We also recommend that you customize the default admin username and password by configuring the `GF_SECURITY_ADMIN_USER` and `GF_SECURITY_ADMIN_PASSWORD` environment variables, using your secrets management tool in your deployment pipeline. + +```yaml +# Helm override +grafana: + env: + GF_AUTH_ANONYMOUS_ENABLED: + value: "false" + GF_SECURITY_ADMIN_USER: + value: "custom-admin-username" + GF_SECURITY_ADMIN_PASSWORD: + value: "custom-admin-password" + +# Docker Compose override + grafana: + environment: + - 'GF_SECURITY_ADMIN_USER=custom-admin-username' + - 'GF_SECURITY_ADMIN_PASSWORD=custom-admin-password' + - 'GF_AUTH_ANONYMOUS_ENABLED=false' +``` ## Prometheus
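Review bot: In the added YAML example, `GF_SECURITY_ADMIN_PASSWORD` is set to the literal `value: "custom-admin-password"` in both the Helm and Docker Compose overrides, which contradicts the sentence just above it telling readers to supply the credentials through their secrets management tool. Readers tend to copy examples verbatim, so a plaintext password is likely to end up committed in an override file. Please show the value coming from a secret reference, or at least use an obvious placeholder with a comment saying it must be injected at deploy time and not stored in the file. Three smaller points in the same hunk. The new text does not say whether setting `GF_AUTH_ANONYMOUS_ENABLED` to `false` changes access through Sourcegraph at `/-/debug/grafana`, which the WARNING describes as relying on anonymous mode, so please state the expected behaviour. The Docker Compose block starts with a one-space indent (` grafana:`) and shares a fence with the Helm block, so splitting them into two fences labelled by deployment type would make each one safe to copy. Finally, the WARNING loses its `>` blockquote marker and "builtin" replaces the "built-in" spelling used in the removed line, so check that the callout still renders and keep the spelling consistent.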