
Kerberos integration

Grafana provides a basic configuration for Kerberos authentication for both standalone and Dockerized Grafana servers. You must use the tnsnames.ora file with this configuration. The tnsnames.ora file is used by Oracle to store and configure connection information for different databases.

Note

Kerberos authentication is not supported in Grafana Cloud.

Oracle configuration files

The following are key Oracle configuration files:

Locations

The Oracle plugin uses the default search paths defined by Oracle Instant Client. Set the ORACLE_HOME environment variable to override where the sqlnet.ora and tnsnames.ora configuration files are found.

When ORACLE_HOME is set to /opt/oracle, Oracle configuration files are located in the following directories:

Filename        Search path
tnsnames.ora    /opt/oracle/network/admin
sqlnet.ora      /opt/oracle/network/admin
krb5.conf       /opt/oracle/network/admin
krb5cc_472      /tmp/krb5cc_472

You can use other search paths, and the following are all valid:

  • /home/grafana/.sqlnet.ora

  • /var/lib/grafana/plugins/grafana-oracle-datasource/lib/linux_x64/instantclient_12_2/network/admin/sqlnet.ora

  • /home/grafana/.tnsnames.ora

  • /etc/tnsnames.ora

Data source configuration

See Configure the Oracle data source for instructions on how to configure Oracle in Grafana. Use the data source connection option TNSNames Entry in the Connection section when you configure the Oracle data source. The name entered into the text field should use the following convention:

/@DBNAME

DBNAME must correspond to an entry in tnsnames.ora.

In the following example configuration file, the connection string is /@XE:

XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = krbclient1.plugins.grafana.net)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )

Docker

The following Docker Compose file shows the expected configuration files mapped into a Docker container.

The main components are:

  • the location of krb5.conf
  • the mapping of the ticket cache to the Grafana UID (472)
  • the location of tnsnames.ora
  • the location of sqlnet.ora

version: '3.7'
services:
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    volumes:
      # Kerberos client configuration
      - ./kerb5_client/krb5.conf:/etc/krb5.conf
      # Ticket cache, mapped to the Grafana UID (472)
      - ./ticketcache/krb5cc_1000:/tmp/krb5cc_472
      - ./plugin:/var/lib/grafana/plugins/grafana-oracle-datasource
      # tnsnames.ora, plus the ORACLE_HOME directory that also holds sqlnet.ora
      - ./network/admin/tnsnames.ora:/etc/tnsnames.ora
      - ./network/admin:/opt/oracle/network/admin
    extra_hosts:
      krb5.plugins.grafana.net: 172.16.0.4
      krbclient1.plugins.grafana.net: 172.16.0.11
    environment:
      - TERM=linux
      - ORACLE_HOME=/opt/oracle
      - GF_DATAPROXY_LOGGING=true
      - GF_LOG_LEVEL=debug
      - GF_LOG_FILTERS=oracle-datasource:debug
      - GF_PLUGINS_ORACLE_DATASOURCE_POOLSIZE=15

Kerberos

The example below shows a basic Oracle Kerberos configuration. To integrate Oracle with Kerberos, follow Oracle’s Configuring Kerberos Authentication guide.

/opt/oracle/network/admin/krb5.conf

[libdefaults]
    default_realm = PLUGINS.GRAFANA.NET
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    PLUGINS.GRAFANA.NET = {
        kdc = krb5.plugins.grafana.net:9088
        admin_server = krb5.plugins.grafana.net:9749
    }
[domain_realm]
    .plugins.grafana.net = PLUGINS.GRAFANA.NET
    plugins.grafana.net = PLUGINS.GRAFANA.NET

sqlnet.ora configuration

The key items in this configuration file are:

  • SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
  • SQLNET.KERBEROS5_CC_NAME
  • SQLNET.KERBEROS5_KEYTAB

/opt/oracle/network/admin/sqlnet.ora

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oraclesvc
SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_472
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_LOCATION=/etc
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
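
The sqlnet.ora settings above point the Oracle client at a ticket cache and a keytab, both of which hold Kerberos credentials. The following is an added example, not part of the Grafana or Oracle documentation: it parses a sqlnet.ora file and reports missing Kerberos parameters, the password fallback setting, and credential files that are not owned by the Grafana UID or are accessible to group or others. The function names and the owner-only permission policy are assumptions of this example.

```python
import os
import stat

GRAFANA_UID = 472  # UID the page maps the ticket cache to

def parse_sqlnet(text):
    """Parse single-line KEY=VALUE parameters from sqlnet.ora text."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params

def check_secret_file(label, path, uid):
    """Return findings for a file that holds Kerberos credentials."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{label}: cannot stat {path} ({exc.strerror})"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != uid:
        findings.append(f"{label}: {path} owned by uid {st.st_uid}, expected {uid}")
    if mode & 0o077:  # assumed policy: owner-only access
        findings.append(f"{label}: {path} mode {mode:04o} is group/world accessible")
    return findings

def audit_sqlnet(text, uid=GRAFANA_UID):
    """Check the Kerberos-related sqlnet.ora settings shown on this page."""
    p = parse_sqlnet(text)
    findings = []
    services = p.get("SQLNET.AUTHENTICATION_SERVICES", "").strip("()").upper()
    if "KERBEROS5" not in [s.strip() for s in services.split(",")]:
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not include KERBEROS5")
    if p.get("SQLNET.FALLBACK_AUTHENTICATION", "").upper() == "TRUE":
        findings.append("SQLNET.FALLBACK_AUTHENTICATION=TRUE: password login is tried if Kerberos fails")
    for key in ("SQLNET.KERBEROS5_CC_NAME", "SQLNET.KERBEROS5_KEYTAB"):
        if key in p:
            findings += check_secret_file(key, p[key], uid)
        else:
            findings.append(f"{key} is not set")
    return findings

if __name__ == "__main__":
    home = os.environ.get("ORACLE_HOME", "/opt/oracle")
    with open(os.path.join(home, "network/admin/sqlnet.ora")) as f:
        print("\n".join(audit_sqlnet(f.read())) or "no findings")
```

Run it inside the Grafana container so that the paths and the UID match what the plugin sees.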

Additional references

Configuring Kerberos Authentication

How to Install and Configure Kerberos in CentOS/RHEL 7

Setting up Kerberos for Ubuntu