Embedding Grafana in a third-party system via iframe
Steps:
1. Enable embedding (it is disabled by default)
[security]
allow_embedding = true
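2. Generate the signature verification file (the official documentation offers three methods; see it for details)
Generate a JWK online: https://mkjwk.org/
Copy the generated shared key set into the file jwks.json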
cat jwks.json
{ "keys": [ { "kty": "oct", "use": "sig", "kid": "FCGNjZstuoQZwCXYgCjSwCsHpo1hs9TTfESoOfZYU-M", "k": "ncUW_G8A_kbkF47L6WP6OmUgjiq4cHyRhvg_9KyYbBUPYXaMvaYR29dxky-NiY0uQsP45Y7LfVgyrDfDpV860GgdJgsVPVT5M1ANgVkACucZMF1JDjaFIlWECWgtSkx1BTHYQiOavFI4rIIm09KUoLLBZ9XxmU_ilPFdtV5EUb-dn1QCzJn_Lo7R-0voBfFFYCOnL8tRk07lzaaBMnEtnc1s9EC6qGLHxY2Ivppbihls-GMZCGTbn2C9iYMY4k1EvIjvBn3FcqYlCDj7Zbt3hwMCy9XXZ0hEDKF25maDIA2cTbbC1dPsHcfGl7Jr7K2v3C9VZK45lEj1Wd9Huo7KaQ", "alg": "HS256" } ] }
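3. Generate the JWT
Token encoding/decoding site: https://jwt.io/
The parameters are configured as shown below and can be changed as needed. Note: "your-256-bit-secret" is the value of "k" in jwks.json. If you change nothing, you can use the JWT already generated below.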
HEADER
{
"alg": "HS256",
"typ": "JWT",
"kid": "FCGNjZstuoQZwCXYgCjSwCsHpo1hs9TTfESoOfZYU-M"
}
PAYLOAD
{
"sub": "hy-dev-user",
"name": "hy-dev-user",
"iat": 1713418413,
"exp": 4869092013,
"iss": "https://my-token-issuer",
"org": "hy",
"role": "Viewer"
}
cat grafana-jwt.txt
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkZDR05qWnN0dW9RWndDWFlnQ2pTd0NzSHBvMWhzOVRUZkVTb09mWllVLU0ifQ.eyJzdWIiOiJoeS1kZXYtdXNlciIsIm5hbWUiOiJoeS1kZXYtdXNlciIsImlhdCI6MTcxMzQxODQxMywiZXhwIjo0ODY5MDkyMDEzLCJpc3MiOiJodHRwczovL215LXRva2VuLWlzc3VlciIsIm9yZyI6Imh5Iiwicm9sZSI6IlZpZXdlciJ9.8NL2dpKjpUp_MzLzyit-388mCMAo0SzCHLLcFJZ1nrY
4. Modify the relevant configuration
cat grafana.ini
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
role_attribute_path = contains(info.roles[], 'admin') && 'Admin' || contains(info.roles[], 'editor') && 'Editor' || 'Viewer'
; defines the signature verification file
jwk_set_file = conf/jwks.json
expect_claims = {"iss": "https://my-token-issuer", "org": "hy"}
allow_assign_grafana_admin = false
skip_org_role_sync = true
username_claim = sub
email_claim = email
auto_sign_up = true
url_login = true
5. Add the embed to the existing system
<div class="card-body">
<iframe src="https://xxx.com/grafana/d/aka/be9e3f56-70f9-509c-9efd-be6e2c0b5292?orgId=1&auth_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkZDR05qWnN0dW9RWndDWFlnQ2pTd0NzSHBvMWhzOVRUZkVTb09mWllVLU0ifQ.eyJzdWIiOiJoeS1kZXYtdXNlciIsIm5hbWUiOiJoeS1kZXYtdXNlciIsImlhdCI6MTcxMzQxODQxMywiZXhwIjo0ODY5MDkyMDEzLCJpc3MiOiJodHRwczovL215LXRva2VuLWlzc3VlciIsIm9yZyI6Imh5Iiwicm9sZSI6IlZpZXdlciJ9.8NL2dpKjpUp_MzLzyit-388mCMAo0SzCHLLcFJZ1nrY" width="100%" scrolling="No" height="730px" frameborder="0">
</iframe>
</div>
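6. Display and verification
- The third-party system embeds Grafana successfully and accesses it via JWT
- Log in to Grafana as an administrator: the user has been created, and its Origin is shown as JWT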
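
Steps 2 to 4 can also be exercised locally instead of through the online tools. The following is an added example, not part of the original page and not Grafana's own code: it signs an HS256 token from a jwks.json-style key and runs a pre-flight check of kid, signature, exp and the expect_claims values from step 4. The function names, the 300-second lifetime and the sample key are assumptions; "k" is decoded as base64url, as RFC 7518 defines for oct keys.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(jwk, claims, ttl=300, now=None):
    """Sign claims with the JWK's HS256 key; iat/exp are set at mint time (assumed short TTL)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    body = {**claims, "iat": now, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, body))
    key = b64url_decode(jwk["k"])  # RFC 7518: "k" holds the base64url-encoded key bytes
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_jwt(token, jwks, expect_claims, now=None):
    """Local pre-flight check: kid lookup, HS256 signature, exp, then expect_claims."""
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    key = b64url_decode(jwk["k"])
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    for name, value in expect_claims.items():
        if claims.get(name) != value:
            raise ValueError(f"claim {name} mismatch")
    return claims

# Constructed sample key set in the same shape as jwks.json; not a real secret.
SAMPLE_JWKS = {"keys": [{"kty": "oct", "use": "sig", "alg": "HS256", "kid": "demo-kid",
                         "k": b64url(b"constructed-demo-key-32-bytes-long!!")}]}
EXPECT = {"iss": "https://my-token-issuer", "org": "hy"}  # expect_claims from step 4

if __name__ == "__main__":
    token = mint_jwt(SAMPLE_JWKS["keys"][0], {"sub": "hy-dev-user", **EXPECT, "role": "Viewer"})
    print(token)
    print(verify_jwt(token, SAMPLE_JWKS, EXPECT))
```

To match jwt.io output for the same key, the "secret base64 encoded" option there has to be enabled, since this code uses the decoded key bytes.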