On 2025-12-11 12:06, Redouane Kachach wrote:
Hi Gilles,
I was able to reproduce a similar problem locally (the error related to
"origin not allowed"). As of my local testing (and observations) Grafana was
failing with “origin not allowed” only when user login was enabled
(user/password), but everything worked fine when using anonymous access. I
think this difference is due to how Grafana’s CSRF protection works:
[...]
You are right!
I think that explains why the problem only appears once user authentication
is enabled. The problem is that Grafana is deployed in this case behind
mgmt-gateway (which acts as reverse-proxy). So Grafana has no idea what's
the fqdn in use as it comes from the mgmt-gateway. When oauth2-proxy is
also used so authentication goes through SSO this issue doesn't happen.
Ah!
As I want to also test that, perhaps that will solve my problem.
To solve the problem, Grafana provides a config field csrf_trusted_origins
which can be used to indicate manually your trusted origins. In this case,
you would need to add something like:
[security]
csrf_trusted_origins = <your-fqdn-domain>
[...]
This works for direct access.
But to work also in the Dashboards, I need to define the grafana
frontend URL, else the VIP is used to call Grafana.
$ ceph dashboard set-grafana-frontend-api-url https://$DNSforVIP/grafana
This change is unfortunately not permanent, if you redeploy your grafana or
move it to another node, you will lose the change. To make it permanent
you have to adjust the grafana Jinja template, used by cephadm to generate
the ini file. For that you have to modify the template to add the above
entry and store it for example in a grafana.ini.j2 file then run the
following commands:
I'm not a fan of modifying that myself.
So I will wait if it comes upstream.
OR, as I mention in the issue (https://tracker.ceph.com/issues/74164),
We don't need to log in if a Dashboard can show us logs. There are
several on Grafana dashboards Web site.
For now, I will log out from Grafana, and if I want to access logs with
Grafana/Loki, I will use the node's IP directly.
Best,
Redouane.
Thanks a lot for pointing out the problems!
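
The behaviour discussed in this thread, as a simplified model added here for illustration; it is not Grafana's or cephadm's code and not part of the original messages. The hostnames, the backend address and the `grafana_session` cookie name are constructed assumptions, and the model assumes the Host header Grafana receives is the backend address rather than the FQDN the browser used.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
LOGIN_COOKIE = "grafana_session"  # assumption: the login cookie name in use


def origin_check(method, headers, cookies, trusted_origins=()):
    """Return (allowed, reason) for one request in this simplified model."""
    # Anonymous access carries no login cookie, so the check never runs.
    if LOGIN_COOKIE not in cookies:
        return True, "no login cookie, check skipped"
    # Read-only methods are not subject to the origin comparison.
    if method.upper() in SAFE_METHODS:
        return True, "safe method, check skipped"
    origin = headers.get("Origin", "")
    if not origin:
        return True, "no Origin header, check skipped"
    # Compare hostnames only (scheme and port are ignored here).
    origin_host = urlsplit(origin).hostname
    request_host = urlsplit("//" + headers.get("Host", "")).hostname
    if origin_host is not None and origin_host == request_host:
        return True, "Origin matches Host"
    if origin_host in trusted_origins:
        return True, "Origin listed in csrf_trusted_origins"
    return False, "origin not allowed"


# Constructed sample: the browser talks to the gateway FQDN, while the
# proxied request reaches Grafana with the backend address as Host.
PROXIED = {"Origin": "https://ceph.example.test", "Host": "10.0.0.21:3000"}
SESSION = {LOGIN_COOKIE: "constructed-value"}

if __name__ == "__main__":
    cases = [
        ("anonymous POST", "POST", {}, ()),
        ("logged-in POST", "POST", SESSION, ()),
        ("logged-in POST, FQDN trusted", "POST", SESSION, {"ceph.example.test"}),
        ("logged-in GET", "GET", SESSION, ()),
    ]
    for label, method, cookies, trusted in cases:
        print(label, "->", origin_check(method, PROXIED, cookies, trusted))
```
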