Oracle Kerberos integration
Grafana provides a basic configuration for Kerberos authentication for both standalone and Dockerized Grafana servers. You must use the tnsnames.ora file with this configuration. The tnsnames.ora file is used by Oracle to store and configure connection information for different databases.
Note
Kerberos authentication is not supported in Grafana Cloud.
Oracle configuration files
The following are key Oracle configuration files:
tnsnames.ora - Configuration file used by Oracle to store and configure connection information for different databases. Refer to Local Naming Parameters in the tnsnames.ora File for more information regarding the tnsnames.ora file.
sqlnet.ora - Oracle profile configuration file used for managing database connections. Refer to Parameters for the sqlnet.ora File.
krb5.conf - Configuration file containing Kerberos configuration information. Refer to krb5.conf in Oracle’s documentation for more information.
Locations
The Oracle plugin uses default search paths defined by Oracle Instant Client. You can set the ORACLE_HOME environment variable to override where the sqlnet.ora and tnsnames.ora config files are found.
When ORACLE_HOME is set to /opt/oracle, Oracle configuration files are located in the following directories:
You can use other search paths, including the following:
/home/grafana/.sqlnet.ora
/var/lib/grafana/plugins/grafana-oracle-datasource/lib/linux_x64/instantclient_12_2/network/admin/sqlnet.ora
/home/grafana/.tnsnames.ora
/etc/tnsnames.ora
Data source configuration
Refer to Configure the Oracle data source for instructions on how to configure Oracle in Grafana. When setting up the Oracle data source, use the data source connection option TNSNames Entry in the Connection section. The name entered into the text field should use the following convention:
/@DBNAME
DBNAME must correspond to an entry in tnsnames.ora.
In the following example configuration file, the connection string is /@XE:
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = krbclient1.plugins.grafana.net)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )
Docker
The following Docker Compose file shows the expected configuration files mapped into a Docker container.
The main components are:
- location of krb5.conf
- mapping the ticket cache to the Grafana UID (472)
- location of tnsnames.ora
- location of sqlnet.ora
version: '3.7'
services:
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    volumes:
      - ./kerb5_client/krb5.conf:/etc/krb5.conf
      - ./ticketcache/krb5cc_1000:/tmp/krb5cc_472
      - ./plugin:/var/lib/grafana/plugins/grafana-oracle-datasource
      - ./network/admin/tnsnames.ora:/etc/tnsnames.ora
      - ./network/admin:/opt/oracle/network/admin
    extra_hosts:
      krb5.plugins.grafana.net: 172.16.0.4
      krbclient1.plugins.grafana.net: 172.16.0.11
    environment:
      - TERM=linux
      - ORACLE_HOME=/opt/oracle
      - GF_DATAPROXY_LOGGING=true
      - GF_LOG_LEVEL=debug
      - GF_LOG_FILTERS=oracle-datasource:debug
      - GF_PLUGINS_ORACLE_DATASOURCE_POOLSIZE=15
Kerberos
The following example depicts a basic Oracle Kerberos configuration. Use Oracle’s Configuring Kerberos Authentication to integrate Oracle with Kerberos.
/opt/oracle/network/admin/krb5.conf
[libdefaults]
    default_realm = PLUGINS.GRAFANA.NET
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    PLUGINS.GRAFANA.NET = {
        kdc = krb5.plugins.grafana.net:9088
        admin_server = krb5.plugins.grafana.net:9749
    }
[domain_realm]
    .plugins.grafana.net = PLUGINS.GRAFANA.NET
    plugins.grafana.net = PLUGINS.GRAFANA.NET
sqlnet.ora configuration
Key items in the sqlnet.ora configuration file include:
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
SQLNET.KERBEROS5_CC_NAME
SQLNET.KERBEROS5_KEYTAB
/opt/oracle/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oraclesvc
SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_472
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_LOCATION=/etc
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
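A preflight check for the settings described on this page, as an added example that is not part of the Grafana documentation or the plugin's code: it confirms that KERBEROS5 is enabled in sqlnet.ora, that the ticket cache named by SQLNET.KERBEROS5_CC_NAME exists, is owned by the Grafana UID and is not accessible to group or other, and that the TNSNames Entry names an alias defined in tnsnames.ora. The function names and the simplified single-line parsing of both files are assumptions of this example.

```python
import os
import re
import stat
import tempfile

GRAFANA_UID = 472  # UID the page maps the ticket cache to

def parse_sqlnet(text):
    """Return single-line sqlnet.ora parameters as an upper-cased NAME -> value dict."""
    pairs = (l.split("#", 1)[0].split("=", 1) for l in text.splitlines())
    return {p[0].strip().upper(): p[1].strip() for p in pairs if len(p) == 2}

def tns_aliases(text):
    """Return the aliases defined at parenthesis depth 0 of tnsnames.ora."""
    aliases, depth = set(), 0
    for line in (l.split("#", 1)[0] for l in text.splitlines()):
        m = re.match(r"\s*([\w.-]+)\s*=", line) if depth == 0 else None
        if m:
            aliases.add(m.group(1).upper())
        depth += line.count("(") - line.count(")")
    return aliases

def preflight(sqlnet_text, tns_text, tns_entry, uid=GRAFANA_UID):
    """Return a list of problems; an empty list means every check passed."""
    problems, params = [], parse_sqlnet(sqlnet_text)
    if "KERBEROS5" not in params.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
        problems.append("KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES")
    cache = params.get("SQLNET.KERBEROS5_CC_NAME")
    if not cache or not os.path.isfile(cache):
        problems.append(f"ticket cache not found: {cache}")
    else:
        st = os.stat(cache)
        if st.st_uid != uid:
            problems.append(f"ticket cache owned by uid {st.st_uid}, not {uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("ticket cache is accessible to group or other")
    if not tns_entry.startswith("/@"):
        problems.append("TNSNames Entry must follow the /@DBNAME convention")
    elif tns_entry[2:].upper() not in tns_aliases(tns_text):
        problems.append(f"{tns_entry[2:]} has no entry in tnsnames.ora")
    return problems

if __name__ == "__main__":
    # Constructed demo: a stand-in cache file owned by the current user.
    tns = "XE =\n (DESCRIPTION =\n  (CONNECT_DATA = (SERVICE_NAME = XE))\n )\n"
    with tempfile.NamedTemporaryFile() as cc:
        sqlnet = ("SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)\n"
                  f"SQLNET.KERBEROS5_CC_NAME={cc.name}\n")
        print(preflight(sqlnet, tns, "/@XE", uid=os.getuid()) or "ok")
        print(preflight(sqlnet, tns, "/@ORCL", uid=os.getuid()))
```

Run it inside the container so the ownership and mode it reports are the ones the Grafana process sees.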