1
0
Fork 0
mirror of synced 2025-01-05 04:32:58 -05:00
formula-grafana/grafana/files/grafana.ini
Guillaume Thouvenin 377c14cca0 Add support for LDAP authentication
This patch adds support for LDAP authentication. It also adds support
to manage authorization. It is now possible to enable several kind of
authentication like LDAP and basic auth. So we introduce a new schema
for allowing it:

  auth:
    basic:
      enabled: true
    ldap:
      enabled: true
      [...]

instead of

  auth:
    engine: basic

The former declaration is still valid for basic, anonymous and proxy
authentication.
2016-12-08 17:15:56 +01:00

291 lines
9.2 KiB
INI

{%- from "grafana/map.jinja" import server with context %}
##################### Grafana Configuration File #####################
#
# Everything has defaults so you only need to uncomment things you want to
# change
# possible values : production, development
; app_mode = production
#################################### Paths ####################################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
#
;data = /var/lib/grafana
#
# Directory where grafana can store logs
#
;logs = /var/log/grafana
#################################### Server ####################################
[server]
# Protocol (http or https)
;protocol = http
# The ip address to bind to, empty will bind to all interfaces
http_addr = {{ server.bind.address }}
# The http port to use
http_port = {{ server.bind.port }}
# The public facing domain name used to access grafana from a browser
;domain = localhost
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url
;root_url = %(protocol)s://%(domain)s:%(http_port)s/
# Log web requests
;router_logging = false
# the path relative working path
;static_root_path = public
# enable gzip
;enable_gzip = false
# https certs & key file
;cert_file =
;cert_key =
#################################### Database ####################################
[database]
# Either "mysql", "postgres" or "sqlite3", it's your choice
type = {% if server.database.engine == "postgresql" %}postgres{% else %}{{ server.database.engine }}{% endif %}
{%- if server.database.engine in ["postgresql", "mysql"] %}
host = {{ server.database.host }}:{{ server.database.port }}
name = {{ server.database.name }}
user = {{ server.database.user }}
password = {{ server.database.password }}
{%- endif %}
# For "postgres" only, either "disable", "require" or "verify-full"
;ssl_mode = disable
# For "sqlite3" only, path relative to data_path setting
{%- if server.database.engine in ["sqlite"] %}
path = grafana.db
{%- endif %}
#################################### Session ####################################
[session]
# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
provider = {{ server.session.engine }}
# Provider config options
# memory: not have any config yet
# file: session dir path, is relative to grafana data_path
# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
{%- if server.session.engine == 'redis' %}
provider_config = addr={{ server.session.get('host', '127.0.0.1') }}:{{ server.session.get('port', 6379) }},db={{ server.session.get('db', 'grafana') }}
{%- endif %}
# Session cookie name
;cookie_name = grafana_sess
# If you use session in https only, default is false
;cookie_secure = false
# Session life time, default is 86400
;session_life_time = 86400
#################################### Analytics ####################################
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
;reporting_enabled = true
# Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id =
#################################### Security ####################################
[security]
# default admin user, created on startup
admin_user = {{ server.admin.user }}
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = {{ server.admin.password }}
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
# Auto-login remember days
;login_remember_days = 7
;cookie_username = grafana_user
;cookie_remember_name = grafana_remember
# disable gravatar profile images
;disable_gravatar = false
# data source proxy whitelist (ip_or_domain:port seperated by spaces)
;data_source_proxy_whitelist =
#################################### Users ####################################
[users]
# disable user signup / registration
allow_sign_up = {{ server.allow_sign_up|lower }}
# Allow non admin users to create organizations
allow_org_create = {{ server.allow_org_create|lower }}
# Set to true to automatically assign new users to the default organization (id 1)
;auto_assign_org = true
# Default role new users will be automatically assigned (if disabled above is set to true)
;auto_assign_org_role = Viewer
auto_assign_org_role = {{ server.auto_assign_role }}
#################################### Anonymous Auth ##########################
[auth.anonymous]
{%- if server.auth.engine == 'anonymous' or server.auth.get('anonymous', {}).get('enabled', False) %}
enabled = true
{%- if server.auth.organization is defined or server.auth.anonymous.organization is defined %}
org_name = {{ server.auth.get('organization', server.auth.anonymous.organization) }}
{%- endif %}
{%- if server.auth.role is defined or server.auth.anonymous.role is defined %}
org_name = {{ server.auth.get('role', server.auth.anonymous.role) }}
{%- endif %}
{%- else %}
# enable anonymous access
;enabled = false
# specify organization name that should be used for unauthenticated users
;org_name = Main Org.
# specify role for unauthenticated users
;org_role = Viewer
{%- endif %}
#################################### Github Auth ##########################
[auth.github]
;enabled = false
;allow_sign_up = false
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url = https://github.com/login/oauth/authorize
;token_url = https://github.com/login/oauth/access_token
;api_url = https://api.github.com/user
;team_ids =
;allowed_organizations =
#################################### Google Auth ##########################
[auth.google]
;enabled = false
;allow_sign_up = false
;client_id = some_client_id
;client_secret = some_client_secret
;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
;auth_url = https://accounts.google.com/o/oauth2/auth
;token_url = https://accounts.google.com/o/oauth2/token
;api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains =
#################################### Auth Proxy ##########################
[auth.proxy]
{%- if server.auth.engine == 'proxy' or server.auth.get('proxy', {}).get('enabled', False) %}
enabled = true
header_name = {{ server.auth.get('proxy', {}).get('header', server.auth.get('header', 'X-Forwarded-User')) }}
header_property = {{ server.auth.get('proxy', {}).get('header_property', server.auth.get('header_property', 'username')) }}
auto_sign_up = true
{%- endif %}
#################################### Basic Auth ##########################
[auth.basic]
{%- if server.auth.engine == 'basic' or server.auth.get('basic', {}).get('enabled', False) %}
enabled = true
{%- else %}
enabled = false
{%- endif %}
#################################### Auth LDAP ##########################
[auth.ldap]
{%- if server.auth.get('ldap', {}).get('enabled', False) %}
enabled = true
config_file = /etc/grafana/ldap.toml
{%- else %}
enabled = false
{%- endif %}
#################################### SMTP / Emailing ##########################
[smtp]
{%- if server.get('mail', {}).get('enabled', False) %}
enabled = true
{%- if server.mail.host is defined %}
host = {{ server.mail.host }}:{{ server.mail.get('port', 25) }}
{%- endif %}
{%- if server.mail.username is defined %}
user = {{ server.mail.username }}
password = {{ server.mail.password }}
{%- endif %}
;cert_file =
;key_file =
;skip_verify = false
from_address = {{ server.mail.get('from', 'grafana@localhost') }}
{%- else %}
enabled = false
{%- endif %}
[emails]
;welcome_email_on_sign_up = false
#################################### Logging ##########################
[log]
# Either "console", "file", default is "console"
# Use comma to separate multiple modes, e.g. "console, file"
;mode = console, file
# Buffer length of channel, keep it as it is if you don't know what it is.
;buffer_len = 10000
# Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
;level = Info
# For "console" mode only
[log.console]
;level =
# For "file" mode only
[log.file]
;level =
# This enables automated log rotate(switch of following options), default is true
;log_rotate = true
# Max line number of single file, default is 1000000
;max_lines = 1000000
# Max size shift of single file, default is 28 means 1 << 28, 256MB
;max_lines_shift = 28
# Segment log daily, default is true
;daily_rotate = true
# Expired days of log file(delete after max days), default is 7
;max_days = 7
#################################### AMPQ Event Publisher ##########################
[event_publisher]
;enabled = false
;rabbitmq_url = amqp://localhost/
;exchange = grafana_events
;#################################### Dashboard JSON files ##########################
[dashboards.json]
{%- if server.dashboards.enabled %}
enabled = true
path = {{ server.dashboards.path }}
{%- else %}
;enabled = false
;path = /var/lib/grafana/dashboards
{%- endif %}