Kerberos Integration

A basic configuration is provided to enable Kerberos authentication for both standalone and dockerized Grafana servers. This configuration expects connections to be resolved through tnsnames.ora.

Datasource Configuration

The datasource option “enable tnsnames” should be selected, and the name entered into the text field should follow this convention:

/@DBNAME

where DBNAME is the alias of an entry in tnsnames.ora.

The “enable kerberos” option should also be selected, with no further configuration needed.

Oracle Configuration files

  • tnsnames.ora
  • sqlnet.ora
  • krb.conf

Example TNSNAMES.ORA

With the following configuration file, the connection string would be /@XE.

XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = krbclient1.plugins.grafana.net)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )

Locations

The plugin uses the default search paths defined by Instant Client. Setting the ORACLE_HOME environment variable overrides where sqlnet.ora and tnsnames.ora are looked up.

When ORACLE_HOME has been set to /opt/oracle, the files can be placed in:

Filename       Search path
tnsnames.ora   /opt/oracle/network/admin
sqlnet.ora     /opt/oracle/network/admin
krb.conf       /opt/oracle/network/admin
krb5cc_472     /tmp/krb5cc_472

Other search paths can also be used; the following are valid:

sqlnet.ora:
  1. /home/grafana/.sqlnet.ora
  2. /var/lib/grafana/plugins/grafana-oracle-datasource/lib/linux_x64/instantclient_12_2/network/admin/sqlnet.ora

tnsnames.ora:
  1. /home/grafana/.tnsnames.ora
  2. /etc/tnsnames.ora

Docker

The following docker-compose file shows the expected configuration files mapped into a Docker container.

The main items are:
  1. Location of krb5.conf
  2. Mapping the ticket cache to the Grafana UID (472)
  3. Location of tnsnames.ora
  4. Location of sqlnet.ora

version: '3.7'
services:
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    volumes:
      - ./kerb5_client/krb5.conf:/etc/krb5.conf
      - ./ticketcache/krb5cc_1000:/tmp/krb5cc_472
      - ./plugin:/var/lib/grafana/plugins/grafana-oracle-datasource
      - ./network/admin/tnsnames.ora:/etc/tnsnames.ora
      - ./network/admin:/opt/oracle/network/admin
    extra_hosts:
      krb5.plugins.grafana.net: 172.16.0.4
      krbclient1.plugins.grafana.net: 172.16.0.11
    environment:
      - TERM=linux
      - ORACLE_HOME=/opt/oracle
      - GF_DATAPROXY_LOGGING=true
      - GF_LOG_LEVEL=debug
      - GF_LOG_FILTERS=oracle-datasource:debug
      - GF_PLUGINS_ORACLE_DATASOURCE_POOLSIZE=15
      - GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS=grafana-oracle-datasource

Kerberos

A basic Oracle configuration file is provided below. Please follow the official Oracle documentation to integrate Oracle with Kerberos.

Example krb.conf

/opt/oracle/network/admin/krb.conf

[libdefaults]
    default_realm = PLUGINS.GRAFANA.NET
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    PLUGINS.GRAFANA.NET = {
        kdc = krb5.plugins.grafana.net:9088
        admin_server = krb5.plugins.grafana.net:9749
    }
[domain_realm]
    .plugins.grafana.net = PLUGINS.GRAFANA.NET
    plugins.grafana.net = PLUGINS.GRAFANA.NET

Example sqlnet.ora

The key items for this configuration file are:

  • AUTHENTICATION_KERBEROS5_SERVICE
  • SQLNET.KERBEROS5_CC_NAME
  • SQLNET.KERBEROS5_KEYTAB

/opt/oracle/network/admin/sqlnet.ora

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oraclesvc
SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_472
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_LOCATION=/etc
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
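As an added example (not code from the plugin or its documentation), the script below runs a pre-flight check over the layout described in the Locations section and the sqlnet.ora items above: it extracts DBNAME from a /@DBNAME connection string, confirms that alias exists in $ORACLE_HOME/network/admin/tnsnames.ora, confirms sqlnet.ora enables KERBEROS5 and names a ticket cache, and confirms that cache exists and is not world-readable. So that it runs offline, build_demo_home constructs a sample ORACLE_HOME in a temporary directory; its tnsnames.ora and sqlnet.ora contents are sample data modelled on the page, and the empty krb5cc_472 file is a stand-in for a real ticket cache. Point preflight at a real ORACLE_HOME to check a live installation.

```sh
#!/bin/sh
# Added example, not the plugin's code: pre-flight check of the tnsnames.ora /
# sqlnet.ora / ticket-cache layout described on this page.

# Print DBNAME from a connection string of the form /@DBNAME; fail otherwise.
dbname_from_connstr() {
    case "$1" in
        /@?*) printf '%s\n' "${1#/@}" ;;
        *) return 1 ;;
    esac
}

# Succeed when tnsnames.ora ($2) defines a top-level alias named $1.
tns_has_alias() {
    grep -Eiq "^$1[[:space:]]*=" "$2"
}

# Succeed when sqlnet.ora ($1) lists KERBEROS5 in SQLNET.AUTHENTICATION_SERVICES.
sqlnet_kerberos_enabled() {
    grep -Eiq '^SQLNET\.AUTHENTICATION_SERVICES[[:space:]]*=[[:space:]]*\(.*KERBEROS5' "$1"
}

# Print the ticket cache path from SQLNET.KERBEROS5_CC_NAME in sqlnet.ora ($1).
sqlnet_cc_name() {
    sed -n 's/^SQLNET\.KERBEROS5_CC_NAME[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed when the ticket cache $1 exists and is not readable by "others":
# a world-readable cache lets any local user reuse Grafana's Kerberos ticket.
ccache_is_private() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$perms" in
        *[4567]) return 1 ;;   # last octal digit has the "other read" bit set
        *) return 0 ;;
    esac
}

# Run every check for ORACLE_HOME=$1 and connection string $2 (e.g. /@XE), using
# the default search path $ORACLE_HOME/network/admin from the Locations section.
preflight() {
    admin="$1/network/admin"
    tns="$admin/tnsnames.ora"
    sqlnet="$admin/sqlnet.ora"
    db=$(dbname_from_connstr "$2") || { echo "bad connection string: $2"; return 1; }
    [ -f "$tns" ] || { echo "missing $tns"; return 1; }
    tns_has_alias "$db" "$tns" || { echo "alias $db not found in $tns"; return 1; }
    [ -f "$sqlnet" ] || { echo "missing $sqlnet"; return 1; }
    sqlnet_kerberos_enabled "$sqlnet" || { echo "KERBEROS5 not enabled in $sqlnet"; return 1; }
    cc=$(sqlnet_cc_name "$sqlnet")
    [ -n "$cc" ] || { echo "SQLNET.KERBEROS5_CC_NAME not set in $sqlnet"; return 1; }
    ccache_is_private "$cc" || { echo "ticket cache $cc missing or world-readable"; return 1; }
    echo "ok: /@$db resolves via $tns and will use Kerberos ticket cache $cc"
}

# Build a constructed ORACLE_HOME in a temporary directory and print its path.
# File contents are sample data modelled on the page, not a real installation;
# the empty krb5cc_472 file stands in for a real ticket cache.
build_demo_home() {
    home=$(mktemp -d)
    mkdir -p "$home/network/admin"
    cat > "$home/network/admin/tnsnames.ora" <<'EOF'
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = krbclient1.plugins.grafana.net)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = XE))
  )
EOF
    cat > "$home/network/admin/sqlnet.ora" <<EOF
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oraclesvc
SQLNET.KERBEROS5_CC_NAME=$home/krb5cc_472
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
EOF
    : > "$home/krb5cc_472"
    chmod 600 "$home/krb5cc_472"
    printf '%s\n' "$home"
}

# Usage: run the checks against the constructed home with the page's /@XE string.
demo_home=$(build_demo_home)
preflight "$demo_home" /@XE
rm -rf "$demo_home"
```

The permission check is the one a practitioner most often skips: the docker-compose above bind-mounts a host ticket cache to /tmp/krb5cc_472 inside the container, so the file's host mode decides who else can read the Grafana service's ticket.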

References

Setting up Kerberos for CentOS: https://www.thegeekdiary.com/how-to-install-and-configure-kerberos-in-centos-rhel-7/
Setting up Kerberos for Ubuntu: https://linuxconfig.org/how-to-install-kerberos-kdc-server-and-client-on-ubuntu-18-04/
Setting up Kerberos with Oracle: https://docs.oracle.com/cd/E11882_01/network.112/e40393/asokerb.htm#ASOAG060