Details

      Description

      When I install PMM using virtual appliance, for example on VMware Workstation Player, the initial installation Wizard, enforces you to set user password and optionally SSH key.

      The problem is that the user/password sets both HTTP auth (enabled as soon as the wizard used) and Grafana user. This leads to at least two important issues later:

      • If you change the password via url//graph/profile/password, new HTTP auth popup is forced but: new password doesn't work for HTTP, and after using old password, now Grafana says the password is wrong! As a result, user ends up blocked with blank screen with message: 
        {"message":"Invalid username or password"}
      • If more users are added, you are not able to use them anyway - the new user doesn't apply to HTTP auth, and also HTTP auth forces the same user to Grafana - login page just redirects and ineffective

      Especially the first issue is dangerous and basically when you change the password, you are blocked.

      Current workaround is to comment out in /etc/nginx/conf.d/pmm.conf these lines:

      #              auth_basic              $realm;
      #              auth_basic_user_file    /srv/nginx/.htpasswd;

      and restart Nginx. This will allow you to access Grafana as default admin user.

      Still logging/signoff doesn't work correctly though due to Nginx overwrites. To fix that, these further lines need to be disabled:

       

      # location = /graph/logout {
      # if ($realm = "on") {
      # # Force browser to reauthenticate
      # return 307 $scheme://logmeout:now@$http_host/graph/;
      # }
      # proxy_pass http://127.0.0.1:3000/logout;
      # proxy_read_timeout 600;
      # }
      

      From now on, Grafana users work as expected.

      Suggested fixes:

      • Get rid of HTTP auth in favor of Grafana authentication alone (why http auth is needed still after all?)
      • Or at least, make the HTTP auth optional in the installation Wizard (with note that it will break user management) as it is now optional with Docker run variant.

       

      Related reports: #PMM-1948, #PMM-2006

       

        Smart Checklist

          Attachments

            Activity

              People

              • Assignee:
                michael.coburn@percona.com Michael Coburn
                Reporter:
                przemyslaw.malkowski@percona.com Przemyslaw Malkowski
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated: