Background
The Zabbix setup at our company can be stood up quickly: with some development against the Zabbix API, newly provisioned machines are put under monitoring right away; the monitoring templates that ship with Zabbix are used directly, so nothing has to be written by hand; and by configuring alert media and trigger actions we can push DingTalk alerts as Markdown messages. All of this shows how fast and convenient Zabbix is. However, when we need to look at the monitoring status of every host in a host group at once, it becomes awkward. Zabbix does offer screens (aggregate graphs), but as the number of monitored machines keeps growing, Zabbix screens can no longer meet this requirement, so we will consider Prometheus plus Grafana, or Zabbix plus Grafana, to address this pain point.
Setting up and using Grafana
RPM download link: Install on RPM-based Linux | Grafana documentation
yum install -y grafana-enterprise-8.0.0-1.x86_64.rpm
systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server
Log in to Grafana
Enter the address http://10.0.0.63:3000 in the browser.
The initial username and password are admin / admin.
Add a data source in Grafana
If you need to connect a Zabbix data source, install the plugin first with: grafana-cli plugins install alexanderzobnin-zabbix-app
After installation, open the Grafana UI and enable the plugin on the Plugins page.
With that done, a Zabbix data source can be added later if needed.
Add a Prometheus data source
Finally, test and save it.
Import a dashboard template into Grafana
Open the Grafana dashboards site: Dashboards | Grafana Labs
Click the template you need, then copy its dashboard ID.
Enter the ID and click Load to import it.
Connecting Grafana to LDAP user groups for permission management
LDAP group layout, as shown in the figure:
Modify the Grafana configuration file
vim /etc/grafana/grafana.ini # open the Grafana configuration file and add the following:
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
Restart the Grafana service
systemctl restart grafana-server.service
Before configuring, run a few queries against the LDAP server
Query an LDAP user by condition
Fill in your own LDAP server address after ldap://, and your LDAP admin password after -w.
ldapsearch -x -H ldap://xxxx:389 -D "cn=admin,dc=10heroes,dc=cn" -w "xxx" -b "dc=10heroes,dc=cn" "(cn=linghuchong)"
# extended LDIF
#
# LDAPv3
# base <dc=10heroes,dc=cn> with scope subtree
# filter: (cn=linghuchong)
# requesting: ALL
#
# linghuchong, yunwei, user, 10heroes.cn
dn: cn=linghuchong,ou=yunwei,ou=user,dc=10heroes,dc=cn
description: ooelicloud LDAP entry
displayName:: 5Luk54uQ5Yay
gidNumber: 1000
homeDirectory: /home/linghuchong
mail: [email protected]
mobile: 17683789735
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
sn: linghuchong
uid: 1270
uidNumber: 1270
userPassword:: bGluZ2h1Y2hvbmcxMjMu
cn: linghuchong
ou: yunwei
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Query an LDAP group by condition
ldapsearch -x -H ldap://xxxxx:389 -D "cn=admin,dc=10heroes,dc=cn" -w "xxxx" -b "dc=10heroes,dc=cn" "(&(objectClass=organizationalUnit)(ou=yunwei))"
# extended LDIF
#
# LDAPv3
# base <dc=10heroes,dc=cn> with scope subtree
# filter: (&(objectClass=organizationalUnit)(ou=yunwei))
# requesting: ALL
#
# yunwei, user, 10heroes.cn
dn: ou=yunwei,ou=user,dc=10heroes,dc=cn
ou: yunwei
objectClass: organizationalUnit
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
As you can see, an LDAP user can be found by the value of its cn attribute, and the user entry carries an ou attribute, which I will loosely call the organization name. Through that ou value we can then find the group the user belongs to. These pieces of information are needed when we configure ldap.toml below.
Edit the ldap.toml file
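To make the LDIF above easier to work with, here is an added Python example (not part of the original post and not Grafana code) that parses ldapsearch output, decodes the "::" base64 attributes such as displayName, and pulls out the cn, ou and DN that the ldap.toml settings rely on. The LDIF text inside it is a constructed copy of the result above with a made-up mail address. One observation before moving on: the search was bound as the directory administrator and therefore returned userPassword; Grafana only needs an account that can read the user and group entries under the search bases, so a read-only service account whose ACL does not expose userPassword is sufficient for the bind_dn.

```python
import base64

# Constructed sample in the shape of the ldapsearch output above (the "::"
# lines carry base64, as ldapsearch emits for non-ASCII or binary values).
USER_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (cn=linghuchong)

# linghuchong, yunwei, user, 10heroes.cn
dn: cn=linghuchong,ou=yunwei,ou=user,dc=10heroes,dc=cn
description: ooelicloud LDAP entry
displayName:: 5Luk54uQ5Yay
mail: linghuchong@example.invalid
objectClass: inetOrgPerson
objectClass: posixAccount
sn: linghuchong
cn: linghuchong
ou: yunwei

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text):
    """Turn LDIF into a list of {attribute: [values]} dicts.
    Handles comments, ':: ' base64 values and continuation lines (leading space)."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:        # continuation of the previous line
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded:
        if not line.strip():                       # a blank line ends an entry
            if "dn" in current:                    # only real entries have a dn
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                   # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if "dn" in current:
        entries.append(current)
    return entries


def find_user(text, cn):
    """The lookup the page performs with "(cn=%s)": the entry whose cn equals cn, or None."""
    for entry in parse_ldif(text):
        if cn in entry.get("cn", []):
            return entry
    return None


def ou_chain(dn):
    """OU values of a DN, nearest first: cn=x,ou=yunwei,ou=user,dc=... -> ['yunwei', 'user']."""
    return [rdn.split("=", 1)[1] for rdn in dn.split(",") if rdn.lower().startswith("ou=")]


if __name__ == "__main__":
    user = find_user(USER_LDIF, "linghuchong")
    print(user["dn"][0], user["displayName"][0], user["ou"])
    print(ou_chain(user["dn"][0]))
```

The decoded displayName is the user's Chinese name, which is why ldapsearch base64-encoded it; the ou attribute value "yunwei" is what the group search in ldap.toml will later substitute for %s.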
cat /etc/grafana/ldap.toml
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
#[log]
#level = debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "xxxxx"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "cn=admin,dc=10heroes,dc=cn"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'xxxx'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"
# An array of base dns to search through
search_base_dns = ["dc=10heroes,dc=cn"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=organizationalUnit)(ou=%s))"
group_search_base_dns = ["ou=user,dc=10heroes,dc=cn"]
group_search_filter_user_attribute = "ou"
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "displayname"
surname = "sn"
username = "cn"
member_of = "ou"
email = "mail"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "user"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
org_id = 1
[[servers.group_mappings]]
group_dn = "yunwei"
org_role = "Editor"
org_id = 4
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t1"
org_role = "Viewer"
org_id = 5
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t2"
org_role = "Viewer"
org_id = 5
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t3"
org_role = "Viewer"
org_id = 5
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "t4"
org_role = "Viewer"
org_id = 5
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "yunying"
org_role = "Viewer"
org_id = 5
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "center"
org_role = "Viewer"
org_id = 5
After finishing, restart the Grafana service
systemctl restart grafana-server.service
Explanation of the ldap.toml settings
host: your LDAP server; several can be given, separated by a delimiter
port: the port your LDAP server listens on
bind_dn: an account with rights over the OU in question; here I used the domain administrator
bind_password: the password of the account above
search_filter: the filter expression for user searches, used together with search_base_dns
search_base_dns: the scope of the user search; here users are searched within the user OU, and search_filter does the actual filtering
group_search_filter: the filter expression for group searches, used together with group_search_base_dns
group_search_base_dns: the scope of the group search
servers.attributes: specifies which fields are extracted from the user entry found by the search. username takes a particular field of the user entry as the Grafana username;
member_of names the field of the group entry (found through group_search_base_dns and group_search_filter) that is used as the group name, and the value obtained must agree with the mappings below;
email takes the user's mail field as the Grafana user's email address.
servers.group_mappings: defines the mapping between LDAP groups and Grafana roles. The three settings member_of, group_search_base_dns and group_search_filter together yield the LDAP group name, and group_dn here must match the name those three settings produce.
group_dn corresponds to the ou in LDAP
org_role maps to the role within the corresponding Grafana organization
org_id maps to the ID of the corresponding Grafana organization
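The following added Python example (my own, not Grafana's implementation) models the lookup chain described above with the exact values from this ldap.toml: the user's ou value is substituted into group_search_filter, the group entries found under group_search_base_dns are read through the member_of attribute, and the resulting names are matched case-insensitively against group_dn to produce a role per org_id. The directory contents are a constructed stand-in for the OUs shown in the ldapsearch output, and the per-organization first-match rule is my reading of the configuration, not a guarantee about every Grafana version. It also shows the RFC 4515 escaping that any value dropped into a %s placeholder needs, since the same kind of template is used for the login name a user types.

```python
# Mappings copied from the [[servers.group_mappings]] blocks above: (group_dn, org_role, org_id)
GROUP_MAPPINGS = [
    ("user", "Admin", 1),
    ("yunwei", "Editor", 4),
    ("t1", "Viewer", 5),
    ("t2", "Viewer", 5),
    ("t3", "Viewer", 5),
    ("t4", "Viewer", 5),
    ("yunying", "Viewer", 5),
    ("center", "Viewer", 5),
]
GROUP_SEARCH_FILTER = "(&(objectClass=organizationalUnit)(ou=%s))"
GROUP_SEARCH_BASE_DN = "ou=user,dc=10heroes,dc=cn"
MEMBER_OF_ATTR = "ou"  # [servers.attributes] member_of

# Constructed stand-in for the directory: group OUs under ou=user (yunwei is from the page,
# the other two are assumed to exist because the mappings reference them).
DIRECTORY = [
    {"dn": "ou=yunwei,ou=user,dc=10heroes,dc=cn", "objectClass": ["organizationalUnit", "top"], "ou": ["yunwei"]},
    {"dn": "ou=yunying,ou=user,dc=10heroes,dc=cn", "objectClass": ["organizationalUnit", "top"], "ou": ["yunying"]},
    {"dn": "ou=center,ou=user,dc=10heroes,dc=cn", "objectClass": ["organizationalUnit", "top"], "ou": ["center"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters that change a filter's structure become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template: str, value: str) -> str:
    """Substitute an escaped value for the %s placeholder used in ldap.toml filters."""
    return template.replace("%s", escape_filter_value(value))


def search_groups(directory, base_dn, ou_value):
    """Stand-in for the LDAP group search: entries below base_dn that the filter would match."""
    return [e for e in directory
            if e["dn"].endswith("," + base_dn)
            and "organizationalUnit" in e["objectClass"]
            and ou_value in e["ou"]]


def groups_for_user(user_attrs, directory=DIRECTORY):
    """group_search_filter_user_attribute = "ou": each ou value of the user is substituted
    into the group filter; member_of names the group-entry attribute that becomes the
    group name later compared against group_dn."""
    names = []
    for value in user_attrs.get("ou", []):
        for entry in search_groups(directory, GROUP_SEARCH_BASE_DN, value):
            names.extend(entry.get(MEMBER_OF_ATTR, []))
    return names


def resolve_org_roles(group_names, mappings=GROUP_MAPPINGS):
    """Per organization, the first mapping whose group_dn matches a group name (case-insensitively) wins."""
    lowered = {g.lower() for g in group_names}
    roles = {}
    for group_dn, role, org_id in mappings:
        if group_dn.lower() in lowered and org_id not in roles:
            roles[org_id] = role
    return roles


def login_orgs(user_attrs, directory=DIRECTORY):
    """What the user would be granted at login under this model: {org_id: role}."""
    return resolve_org_roles(groups_for_user(user_attrs, directory))


if __name__ == "__main__":
    linghuchong = {"cn": ["linghuchong"], "ou": ["yunwei"]}  # attributes from the ldapsearch output above
    print(build_filter(GROUP_SEARCH_FILTER, "yunwei"))
    print(login_orgs(linghuchong))  # {4: 'Editor'}
    print(build_filter(GROUP_SEARCH_FILTER, "a(b)*\\c"))  # metacharacters are neutralised
```

Running it prints the expanded group filter and {4: 'Editor'} for linghuchong. Note that under this model the first mapping (group_dn = "user", Admin in org 1) never matches, because no entry below ou=user carries ou: user; when reviewing who ends up with Admin, start from the member_of attribute values of the group entries rather than from the DN. Two further points a reviewer would raise about the file above: use_ssl = false on port 389 sends the bind password and every user's login password in the clear, and bind_password is stored in plaintext in ldap.toml, so the file should be readable only by the grafana user.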
Test whether the integration works
Enter a username to test whether the LDAP integration is effective
Organizations in Grafana
In this way, by configuring [[servers.group_mappings]] in ldap.toml, a user from an LDAP group is assigned to a specific organization when they log in to Grafana, with Admin, Editor or Viewer permissions there.
Summary
While using Grafana there will certainly be unfamiliar areas; my advice is to go straight to the official documentation. Whatever you are learning, the official documentation is the most trustworthy source. Here is the link to the Grafana documentation: LDAP Authentication | Grafana documentation
Tags: search, group, cn, integration, Ldap, Grafana, ldap, org, grafana From: https://blog.51cto.com/u_15703497/7231125