Add ability to authenticate to grafana using AAD auth. #193

Open: wants to merge 3 commits into base: main

@KnicKnic KnicKnic commented Jun 27, 2025

Addresses #192

  1. Adds USE_AAD_AUTH to use AAD for Grafana.
  2. Adds to GrafanaConfig an AAD default credential if USE_AAD_AUTH is set.
  3. Changed storage of GrafanaClient to a functor to allow computation of the Grafana client
    1. This seemed like the cleanest way to update the code
    2. Updated GrafanaClient functor to allow returning errors and fixed up all call sites to deal with errors.
  4. Updated the promClientFromContext to assume it is going to an Azure Monitor workspace and log in again with AAD auth
    1. I didn't add logic to cache this client as it isn't being cached today, but it is a potential source of improvement.

@KnicKnic KnicKnic requested a review from a team as a code owner June 27, 2025 07:23

@CLAassistant CLAassistant commented Jun 27, 2025

CLA assistant check
All committers have signed the CLA.

@KnicKnic (Author) commented

@sd2k @csmarchbanks Can you approve running the pending checks? It would be useful to know if more work is required for the PR. I do not have planned work other than responding to comments.

@sd2k sd2k (Collaborator) left a comment

Hi! Thanks for the contribution. The code mostly LGTM, I'm just a little unsure about merging this right now for a few reasons:

  1. Neither I nor any of the other maintainers use Azure so it's tricky for us to test this or fix any future issues
  2. We're hoping to (eventually) have support for OAuth inside Grafana, although we have no timelines here so it could be a while

It also seems slightly infeasible to add different auth mechanisms for every different way of running Grafana (something we're hoping to circumvent with OAuth support).

With that said, it does look like a fairly straightforward addition to the code, so we could perhaps get this in with the caveat that it's experimental.

I'll look into whether we can get some simple end to end smoke tests using an Azure Managed Grafana instance so we have a bit more confidence.

@KnicKnic KnicKnic (Author) commented Jul 1, 2025

> Hi! Thanks for the contribution. The code mostly LGTM, I'm just a little unsure about merging this right now for a few reasons:
>
>   1. Neither I nor any of the other maintainers use Azure so it's tricky for us to test this or fix any future issues
>   2. We're hoping to (eventually) have support for OAuth inside Grafana, although we have no timelines here so it could be a while
>
> It also seems slightly infeasible to add different auth mechanisms for every different way of running Grafana (something we're hoping to circumvent with OAuth support).
>
> With that said, it does look like a fairly straightforward addition to the code, so we could perhaps get this in with the caveat that it's experimental.
>
> I'll look into whether we can get some simple end to end smoke tests using an Azure Managed Grafana instance so we have a bit more confidence.

I understand about adding smoke tests. This feature currently is explicitly opt-in. But I understand not breaking it.
Also the OAuth flow may want some similar mechanisms that I added around returning failures.

I will state that using AAD allows various auth flows that start with the logged-in context of the user on the machine or service. This has been really nice when using it to just have people auto logged in.

david-wagih commented Aug 5, 2025

@KnicKnic

Does this PR impact the issue when trying to run the MCP server on my Grafana instance, which has Active Directory as its sign-in method? For now it returns errors from the MCP server, but when tested on a local Grafana instance without the Active Directory setup it worked properly.
