Oracle Kerberos integration
Grafana provides a basic configuration for Kerberos authentication for both standalone and Dockerized Grafana servers. You must use the tnsnames.ora file with this configuration. The tnsnames.ora file is used by Oracle to store and configure connection information for different databases.
Note
Kerberos authentication is not supported in Grafana Cloud.
Oracle configuration files
The following are key Oracle configuration files:
- tnsnames.ora - Configuration file used by Oracle to store and configure connection information for different databases. Refer to Local Naming Parameters in the tnsnames.ora File for more information regarding the tnsnames.ora file. 
- sqlnet.ora - Oracle profile configuration file used for managing database connections. Refer to Parameters for the sqlnet.ora File. 
- krb5.conf - Configuration file containing Kerberos configuration information. Refer to krb5.conf in Oracle’s documentation for more information. 
Locations
The Oracle plugin uses default search paths defined by Oracle Instant Client. Setting the ORACLE_HOME environment variable can be used to override where the sqlnet.ora and tnsnames.ora config files are found.
When ORACLE_HOME is set to /opt/oracle, Oracle configuration files are located in the following directories:
| filename | Search Path | 
|---|---|
| tnsnames.ora | /opt/oracle/network/admin | 
| sqlnet.ora | /opt/oracle/network/admin | 
| krb5.conf | /opt/oracle/network/admin | 
| krb5cc_472 | /tmp/krb5cc_472 | 
You can use other search paths, including the following:
- /home/grafana/.sqlnet.ora
- /var/lib/grafana/plugins/grafana-oracle-datasource/lib/linux_x64/instantclient_12_2/network/admin/sqlnet.ora
- /home/grafana/.tnsnames.ora
- /etc/tnsnames.ora
Data source configuration
Refer to Configure the Oracle data source for instructions on how to configure Oracle in Grafana. When setting up the Oracle data source use the data source connection option TNSNames Entry in the Connection section. The name entered into the text field should use the following convention:
/@DBNAME
DBNAME must correspond to an entry in tnsnames.ora.
In the following example configuration file, the connection string is /@XE:
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = krbclient1.plugins.grafana.net)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )Docker
The following Docker Compose file shows the expected configuration files mapped into a Docker container.
The main components are:
- location of krb5.conf
- mapping the ticket cache to the Grafana UID (472)
- location of tnsnames.ora
- location of sqlnet.ora
version: '3.7'
services:
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    volumes:
      - ./kerb5_client/krb5.conf:/etc/krb5.conf
      - ./ticketcache/krb5cc_1000:/tmp/krb5cc_472
      - ./plugin:/var/lib/grafana/plugins/grafana-oracle-datasource
      - ./network/admin/tnsnames.ora:/etc/tnsnames.ora
      - ./network/admin:/opt/oracle/network/admin
    extra_hosts:
      krb5.plugins.grafana.net: 172.16.0.4
      krbclient1.plugins.grafana.net: 172.16.0.11
    environment:
      - TERM=linux
      - ORACLE_HOME=/opt/oracle
      - GF_DATAPROXY_LOGGING=true
      - GF_LOG_LEVEL=debug
      - GF_LOG_FILTERS=oracle-datasource:debug
      - GF_PLUGINS_ORACLE_DATASOURCE_POOLSIZE=15Kerberos
The following example depicts a basic Oracle Kerberos configuration. Use Oracle’s Configuring Kerberos Authentication to integrate Oracle with Kerberos.
/opt/oracle/network/admin/krb5.conf
[libdefaults]
    default_realm = PLUGINS.GRAFANA.NET
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    PLUGINS.GRAFANA.NET = {
        kdc = krb5.plugins.grafana.net:9088
        admin_server = krb5.plugins.grafana.net:9749
    }
[domain_realm]
    .plugins.grafana.net = PLUGINS.GRAFANA.NET
    plugins.grafana.net = PLUGINS.GRAFANA.NETsqlnet.ora configuration
Key items in the sqlnet.ora configuration file include:
- AUTHENTICATION_KERBEROS5_SERVICE
- SQLNET.KERBEROS5_CC_NAME
- SQLNET.KERBEROS5_KEYTAB
/opt/oracle/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oraclesvc
SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_472
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_LOCATION=/etc
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab






