Hi Paul, The decision to use a proxy reaches back to openATTIC, when we first integrated the grafana dashboards. We tried to embed the Grafana dashboards and I was told that the responsible frontend developer had problems with the integration due to cross origin requests. We, for some reason, also wanted the dashboards to only be visible to authenticated users. Hence we decided to write a proxy to overcome this hurdles. The proxy not only enables the frontend to access URLs on the same origin without having to log in manually, but also enables us to rewrite the contents of the responses from Grafana before they are passed to the frontend, which gave us the possibility to adapt Grafana in a way we weren't able otherwise. openATTIC rewrites the responses to a level that Grafana doesn't have to be configured to run behind a reverse proxy (although it does that) and hence can be used outside of openATTIC, but that comes at a price: We can only ensure that the proxy works for a specific Grafana version and every update of Grafana could possibly break the proxy. We knew that and still decided to go that path as openATTIC dropped support for other distributions than SUSE Linux Enterprise and we knew when Grafana would be updated. Naturally, we didn't go that path with the Ceph Dashboard as we want and have to support a wider range of Grafana versions. Therefore, we do not rewrite the content in that way but, on the other hand, have to configure Grafana to run behind a reverse proxy. (To do so we only have to change a single line in the Grafana configuration: root_url). In openATTIC, we also use the content rewriting capabilities of the proxy to hide unwanted controls by injecting CSS to the response of Grafana. This might also break in newer Grafana versions, but is way less prone to break (also because we only add rules and do not change existing ones). This is also what we talked about recently in one of our daily meetings. That said, I think your points are very valid. If we don't need to authenticate by using an anonymous user and find a way to work with cross origin requests, we don't have to configure Grafana to run behind a reverse proxy anymore and Grafana would be usable outside of the Ceph Dashboard. Of course, it might happen that we need or want to hide something (like controls) from the users but aren't able to anymore, but that may be okay if we'll use anonymous users who don't have or need many permissions anyway. I think this would need to be evaluated. Patrick On 31.08.2018 00:07, Paul Cuzner wrote: > Hi "dashboarders" :) > > Apologies for missing the daily calls where this has been raised, but > I'm trying to understand the pro's and cons of the different ways in > which we can enable grafana integration. > > As I understand it, we can use either proxy mode or anonymous mode. > However, what I don't understand is the advantages of proxy mode over > anonymous - so I'm asking for help! > > For anonymous I see the following advantages; > + doesn't need ceph to hold grafana credentials, grafana just has > anonymous mode enabled > + simplifies the integration (reduces the workaround code) > + allows the grafana instance to be a shared instance, not solely > dedicated to Ceph > + admins can easily tweak dashboards (by using admin in the normal > grafana instance) > + may promote quicker iteration on fine tuning dashboard content > within the community if the dashboards are more easily > editable/manageable > > The last two bullet points I see as big advantages to promote > community involvement. > > So can anyone highlight the benefits of proxy mode? > > Thanks, > > Paul C > -- SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Attachment:
signature.asc
Description: OpenPGP digital signature
