improve grafana authentication
the grafana server is now setup (#29684 (moved)) but there are still issues regarding authentication. we might want to grant access to other users than the admin one, for example.
the original idea was to do the same "anonymous authentication" setup than for Prometheus, except something came up during deployment that made me question that strategy. it was raised while considering deployment of third-party exporters:
something regarding authentication came up through a third-party scraper deployment, in #29863 (moved). there were concerns the node exporter would leak information that could be exploited for a side-channel attacks. the node exporter is firewalled, but then all that data is then made available on the prometheus server protected only by a trivial password. they will make an assessment of the exposed data and see if the additional authentication burden is worth the risk.
if we do not go with "anon" authentication, we could connect the Grafana server with LDAP, but then it means it might go down if the LDAP server crashes, which is a problem for a monitoring server, obviously.
in any case, users need to be configured through Puppet, which they currently are not. this is partly related to secrets management and generation in Puppet, which is also discussed in #30009 (moved).