Embedding Grafana in a third-party system via iframe

Steps:

1. Enable embedding (disallowed by default)

[security]
allow_embedding = true

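2. Generate the signature verification file (the official site offers three ways; see the official documentation for details)

Generate a JWK online: https://mkjwk.org/

Copy the generated shared key set into the file jwks.json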
cat jwks.json
{ "keys": [ { "kty": "oct", "use": "sig", "kid": "FCGNjZstuoQZwCXYgCjSwCsHpo1hs9TTfESoOfZYU-M", "k": "ncUW_G8A_kbkF47L6WP6OmUgjiq4cHyRhvg_9KyYbBUPYXaMvaYR29dxky-NiY0uQsP45Y7LfVgyrDfDpV860GgdJgsVPVT5M1ANgVkACucZMF1JDjaFIlWECWgtSkx1BTHYQiOavFI4rIIm09KUoLLBZ9XxmU_ilPFdtV5EUb-dn1QCzJn_Lo7R-0voBfFFYCOnL8tRk07lzaaBMnEtnc1s9EC6qGLHxY2Ivppbihls-GMZCGTbn2C9iYMY4k1EvIjvBn3FcqYlCDj7Zbt3hwMCy9XXZ0hEDKF25maDIA2cTbbC1dPsHcfGl7Jr7K2v3C9VZK45lEj1Wd9Huo7KaQ", "alg": "HS256" } ] }

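3. Generate the JWT

Token encoding/decoding site: https://jwt.io/

The parameters are configured as shown below and can be changed as needed. Note: "your-256-bit-secret" is the value of "k" in jwks.json. If you change nothing, you can simply use the JWT already generated below.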
HEADER

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "FCGNjZstuoQZwCXYgCjSwCsHpo1hs9TTfESoOfZYU-M"
}

PAYLOAD

{
  "sub": "hy-dev-user",
  "name": "hy-dev-user",
  "iat": 1713418413,
  "exp": 4869092013,
  "iss": "https://my-token-issuer",
  "org": "hy",
  "role": "Viewer"
}

cat grafana-jwt.txt
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkZDR05qWnN0dW9RWndDWFlnQ2pTd0NzSHBvMWhzOVRUZkVTb09mWllVLU0ifQ.eyJzdWIiOiJoeS1kZXYtdXNlciIsIm5hbWUiOiJoeS1kZXYtdXNlciIsImlhdCI6MTcxMzQxODQxMywiZXhwIjo0ODY5MDkyMDEzLCJpc3MiOiJodHRwczovL215LXRva2VuLWlzc3VlciIsIm9yZyI6Imh5Iiwicm9sZSI6IlZpZXdlciJ9.8NL2dpKjpUp_MzLzyit-388mCMAo0SzCHLLcFJZ1nrY

4. Modify the relevant configuration

cat grafana.ini
[auth.jwt]

enabled = true

header_name = X-JWT-Assertion

role_attribute_path = contains(info.roles[], 'admin') && 'Admin' || contains(info.roles[], 'editor') && 'Editor' || 'Viewer'

# defines the signature verification file
jwk_set_file = conf/jwks.json

expect_claims = {"iss": "https://my-token-issuer", "org": "hy"}

allow_assign_grafana_admin = false

skip_org_role_sync = true

username_claim = sub

email_claim = email

auto_sign_up = true

url_login = true

5. Integrate it into the existing system

                        <div class="card-body">
                            <iframe src="https://xxx.com/grafana/d/aka/be9e3f56-70f9-509c-9efd-be6e2c0b5292?orgId=1&auth_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkZDR05qWnN0dW9RWndDWFlnQ2pTd0NzSHBvMWhzOVRUZkVTb09mWllVLU0ifQ.eyJzdWIiOiJoeS1kZXYtdXNlciIsIm5hbWUiOiJoeS1kZXYtdXNlciIsImlhdCI6MTcxMzQxODQxMywiZXhwIjo0ODY5MDkyMDEzLCJpc3MiOiJodHRwczovL215LXRva2VuLWlzc3VlciIsIm9yZyI6Imh5Iiwicm9sZSI6IlZpZXdlciJ9.8NL2dpKjpUp_MzLzyit-388mCMAo0SzCHLLcFJZ1nrY" width="100%" scrolling="No" height="730px" frameborder="0">

                            </iframe>
                        </div>

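6. Display and verification

  • The third-party system embeds Grafana successfully and accesses it via JWT
  • Log in to Grafana as an administrator: the user has been created successfully and its origin is shown as JWT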
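
Added example (not part of the original post and not Grafana's own code): steps 2 and 3 done locally in Python instead of on mkjwk.org and jwt.io, producing a key set in the same shape as jwks.json and a short-lived HS256 token with the claims used above. The function names and the 300-second lifetime are assumptions; verify_token is a local self-check, not Grafana's verifier.

```python
import base64, hashlib, hmac, json, secrets, time

ISS, ORG = "https://my-token-issuer", "hy"  # must match expect_claims in grafana.ini

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_jwks() -> dict:
    """Create a random HS256 key locally, in the same shape as jwks.json."""
    key = {"kty": "oct", "use": "sig", "alg": "HS256",
           "kid": b64u(secrets.token_bytes(16)),
           "k": b64u(secrets.token_bytes(64))}
    return {"keys": [key]}

def _sign(key: dict, signing_input: str) -> str:
    mac = hmac.new(b64u_dec(key["k"]), signing_input.encode(), hashlib.sha256)
    return b64u(mac.digest())

def mint_token(jwks: dict, sub: str, ttl: int = 300, now=None) -> str:
    """Sign a token for one iframe load; ttl (seconds) is an assumed value."""
    key = jwks["keys"][0]
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    claims = {"sub": sub, "name": sub, "iat": now, "exp": now + ttl,
              "iss": ISS, "org": ORG, "role": "Viewer"}
    body = ".".join(b64u(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))
    return body + "." + _sign(key, body)

def verify_token(token: str, jwks: dict, now=None) -> dict:
    """Check kid, alg, signature, exp and the iss/org claims; return the claims."""
    head_b64, claims_b64, sig = token.split(".")
    header = json.loads(b64u_dec(head_b64))
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown kid or unexpected alg")
    if not hmac.compare_digest(sig, _sign(key, f"{head_b64}.{claims_b64}")):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(claims_b64))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now or (claims["iss"], claims["org"]) != (ISS, ORG):
        raise ValueError("expired or wrong issuer/org")
    return claims
```

Write the output of new_jwks() to conf/jwks.json with json.dump, and have the embedding page's backend call mint_token for each page load so the token placed in the iframe URL expires quickly.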
posted @ 2024-04-18 15:11  chenhuxy