
create a new (phw) user on grafana2

now that we have authentication fixed on grafana2 (#40088), we need to create a new user for @phw. and now i'm left wondering why we'd have to do this in puppet: do we really want to manage every user through trocla?

or maybe we should disable Apache-based authentication for the secondary server and instead rely on Grafana's built-in authentication?

The main reason why I set up apache-based auth here is to make it easy to manage in puppet. but if we're going to have many people accessing the server, it creates a lot more friction (e.g. password resets would need to go through us as well).

In any case (apache or grafana auth), the code will need refactoring because right now it's a hardcoded user/password list.

In particular, I think we need to take the hostname out of there:

  $grafana_admin_password = trocla('grafana_admin_password', 'bcrypt')

  if $vhost_name == 'grafana1.torproject.org' {
    $grafana_htpasswd_content = "
            admin:${grafana_admin_password}
            tor-guest:*REDACTED*
            "
  } else {
    $grafana_htpasswd_content = "
            admin:${grafana_admin_password}
            "
  }

We should probably include the $::fqdn in the trocla token as well, so that the admin password varies according to the grafana host. So, refactoring checklist:

  1. create a user for @phw in Puppet, or disable apache-based authentication on grafana2. This blocks #40080 (closed).
  2. take the hostname out of the profile::grafana class (by adding a $allow_guest parameter or $grafana_authentication parameter or something)
  3. include the hostname inside the trocla() call so the password varies according to the host

Steps 2 and 3 could be split out in another ticket, but I mention them here because it might influence how step 1 is performed.

Also note that Trocla can integrate into Hiera, so it would be possible to move those passwords into Hiera directly. This would allow us to store multiple users in Hiera somewhat more sanely than hardcoding them the way we're currently doing things. See also: https://github.com/duritong/puppet-trocla#hiera-backend
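As an added illustration of steps 2 and 3 of the checklist above, together with the Hiera idea, here is a sketch of what the profile::grafana class could look like once the hostname comparison is gone. This is example code written for this ticket, not the current profile::grafana in the TPA puppet tree: the parameter names ($allow_guest, $htpasswd_users), the htpasswd file path and the trocla key layout are assumptions, and the guest hash is left as the same placeholder the ticket uses.

```puppet
# Example only: assumed shape for profile::grafana after refactoring.
# Node-specific values would come from Hiera, e.g. (assumed data layout):
#
#   # hieradata/nodes/grafana1.torproject.org.yaml
#   profile::grafana::allow_guest: true
#
#   # hieradata/nodes/grafana2.torproject.org.yaml
#   profile::grafana::htpasswd_users:
#     - phw
#
class profile::grafana (
  String        $vhost_name,
  Boolean       $allow_guest    = false,  # step 2: replaces the `$vhost_name == 'grafana1...'` check
  Array[String] $htpasswd_users = [],     # assumed: extra Apache-auth users, one secret each
  String        $htpasswd_path  = '/etc/apache2/grafana.htpasswd',  # assumed path
) {
  # The fqdn fact is the `$::fqdn` the ticket mentions, in its modern spelling.
  $host = $facts['networking']['fqdn']

  # step 3: the host is part of the trocla key, so each grafana host
  # gets its own generated admin password (retrieve the plaintext with
  # the 'plain' format when handing it to a human).
  $admin_password = trocla("grafana_admin_password_${host}", 'bcrypt')

  # One htpasswd line per extra user. Each user gets a distinct, per-host
  # trocla secret, so adding @phw is a one-line Hiera change, not code.
  $user_lines = $htpasswd_users.map |String $user| {
    $hash = trocla("grafana_htpasswd_${host}_${user}", 'bcrypt')
    "${user}:${hash}"
  }

  # Guest access is opt-in per host instead of keyed on the vhost name.
  $guest_lines = $allow_guest ? {
    true    => ['tor-guest:*REDACTED*'],  # placeholder, as in the ticket
    default => [],
  }

  # Trailing '' gives the file its final newline.
  $grafana_htpasswd_content = join(
    ["admin:${admin_password}"] + $user_lines + $guest_lines + [''],
    "\n",
  )

  # Hashes only, but still keep the file unreadable to other local users.
  file { $htpasswd_path:
    ensure  => file,
    owner   => 'root',
    group   => 'www-data',
    mode    => '0640',
    content => $grafana_htpasswd_content,
  }
}
```

With this layout the only per-host difference lives in Hiera data, and every trocla key contains the fqdn, so a leaked hash from one host does not open the other; `join` and `map` are built into Puppet 5.5 and later (older agents need stdlib for `join`).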

Edited by anarcat