Thanks Patrick, that's awesome context. On Fri, Aug 31, 2018 at 10:55 PM Patrick Nawracay <pnawracay@xxxxxxxx> wrote: > > Hi Paul, > > The decision to use a proxy reaches back to openATTIC, when we first > integrated the grafana dashboards. > > We tried to embed the Grafana dashboards and I was told that the > responsible frontend developer had problems with the integration due to > cross origin requests. We, for some reason, also wanted the dashboards > to only be visible to authenticated users. Hence we decided to write a > proxy to overcome this hurdles. The proxy not only enables the frontend > to access URLs on the same origin without having to log in manually, but > also enables us to rewrite the contents of the responses from Grafana > before they are passed to the frontend, which gave us the possibility to > adapt Grafana in a way we weren't able otherwise. openATTIC rewrites the > responses to a level that Grafana doesn't have to be configured to run > behind a reverse proxy (although it does that) and hence can be used > outside of openATTIC, but that comes at a price: We can only ensure that > the proxy works for a specific Grafana version and every update of > Grafana could possibly break the proxy. We knew that and still decided > to go that path as openATTIC dropped support for other distributions > than SUSE Linux Enterprise and we knew when Grafana would be updated. > > Naturally, we didn't go that path with the Ceph Dashboard as we want and > have to support a wider range of Grafana versions. Therefore, we do not > rewrite the content in that way but, on the other hand, have to > configure Grafana to run behind a reverse proxy. (To do so we only have > to change a single line in the Grafana configuration: root_url). > > In openATTIC, we also use the content rewriting capabilities of the > proxy to hide unwanted controls by injecting CSS to the response of > Grafana. This might also break in newer Grafana versions, but is way > less prone to break (also because we only add rules and do not change > existing ones). This is also what we talked about recently in one of our > daily meetings. > > That said, I think your points are very valid. If we don't need to > authenticate by using an anonymous user and find a way to work with > cross origin requests, we don't have to configure Grafana to run behind > a reverse proxy anymore and Grafana would be usable outside of the Ceph > Dashboard. Of course, it might happen that we need or want to hide > something (like controls) from the users but aren't able to anymore, but > that may be okay if we'll use anonymous users who don't have or need > many permissions anyway. I think this would need to be evaluated. > > Patrick > > > On 31.08.2018 00:07, Paul Cuzner wrote: > > Hi "dashboarders" :) > > > > Apologies for missing the daily calls where this has been raised, but > > I'm trying to understand the pro's and cons of the different ways in > > which we can enable grafana integration. > > > > As I understand it, we can use either proxy mode or anonymous mode. > > However, what I don't understand is the advantages of proxy mode over > > anonymous - so I'm asking for help! > > > > For anonymous I see the following advantages; > > + doesn't need ceph to hold grafana credentials, grafana just has > > anonymous mode enabled > > + simplifies the integration (reduces the workaround code) > > + allows the grafana instance to be a shared instance, not solely > > dedicated to Ceph > > + admins can easily tweak dashboards (by using admin in the normal > > grafana instance) > > + may promote quicker iteration on fine tuning dashboard content > > within the community if the dashboards are more easily > > editable/manageable > > > > The last two bullet points I see as big advantages to promote > > community involvement. > > > > So can anyone highlight the benefits of proxy mode? > > > > Thanks, > > > > Paul C > > > > -- > SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) > >
