Security Best Practices

Content

Chronograf with OAuth 2.0 Authentication

Configuration

Configure the JWT signature and the OAuth provider to use authentication in Chronograf.

Note: If you’re using the --basepath option when starting Chronograf, add the same basepath to the callback URL of any OAuth provider that you configure.

JWT Signature

Set a JWT signature to a random string. This is needed for all OAuth2 providers that you choose to configure. Keep this random string around!

You’ll need it each time you start a Chronograf server because it is used to verify user authorization. If you are running multiple Chronograf servers in an HA configuration set the TOKEN_SECRET environment variable on each server to allow users to stay logged in. If you want to log all users out every time the server restarts, change the value of TOKEN_SECRET to a different value on each restart.

export TOKEN_SECRET=supersupersecret

Github

Overview

export AUTH_DURATION=1h                                           # force login every hour
export TOKEN_SECRET=supersupersecret                              # Signing secret
export GH_CLIENT_ID=b339dd4fddd95abec9aa                          # Github client id
export GH_CLIENT_SECRET=260041897d3252c146ece6b46ba39bc1e54416dc  # Github client secret
export GH_ORGS=biffs-gang                                         # Restrict to GH orgs

Creating Github OAuth Application

To create a Github OAuth Application follow the Register your app instructions. Essentially, you’ll register your application here.

The Homepage URL should be Chronograf’s full server name and port. If you are running it locally for example, make it http://localhost:8888.

The Authorization callback URL must be the location of the Homepage URL plus /oauth/github/callback. For example, if Homepage URL was http://localhost:8888 then the Authorization callback URL should be http://localhost:8888/oauth/github/callback.

Github provides a Client ID and Client Secret. To register these values with Chronograf set the following environment variables:

  • GH_CLIENT_ID
  • GH_CLIENT_SECRET

For example:

export GH_CLIENT_ID=b339dd4fddd95abec9aa
export GH_CLIENT_SECRET=260041897d3252c146ece6b46ba39bc1e54416dc

Optional Github Organizations

To require an organization membership for a user, set the GH_ORGS environment variables:

export GH_ORGS=biffs-gang

If the user is not a member, then the user will not be allowed access. To support multiple organizations use a comma-delimited list like so:

export GH_ORGS=hill-valley-preservation-sociey,the-pinheads

Google

Creating Google OAuth Application

Obtain a client ID and an application secret by following the steps under “Basic Steps” here. Chronograf will also need to be publicly accessible via a fully qualified domain name so that Google properly redirects users back to the application. This information should be set in the following environment variables:

  • GOOGLE_CLIENT_ID
  • GOOGLE_CLIENT_SECRET
  • PUBLIC_URL

Alternatively, this can also be set using the command line switches:

Optional Google Domains

Similar to Github’s organization restriction, Google authentication can be restricted to permit access to Chronograf from only specific domains. These are configured using the GOOGLE_DOMAINS environment variable or the --google-domains switch. Multiple domains are separated with a comma. For example, if we wanted to permit access only from biffspleasurepalace.com and savetheclocktower.com the environment variable would be set as follows:

export GOOGLE_DOMAINS=biffspleasurepalance.com,savetheclocktower.com

Heroku

Creating Heroku Application

To obtain a client ID and application secret for Heroku, follow the guide posted here. Once your application has been created, those two values should be inserted into the following environment variables:

  • HEROKU_CLIENT_ID
  • HEROKU_SECRET

The equivalent command line switches are:

Optional Heroku Organizations

Like the other OAuth2 providers, access to Chronograf via Heroku can be restricted to members of specific Heroku organizations. This is controlled using the HEROKU_ORGS environment variable or the --heroku-organizations switch and is comma-separated. If we wanted to permit access from the hill-valley-preservation-society organization and the-pinheads organization, we would use the following environment variable:

export HEROKU_ORGS=hill-valley-preservation-sociey,the-pinheads

Auth0

Creating an Auth0 Application

To begin authenticating Chronograf users with Auth0, you will need to have an Auth0 account and register an Auth0 client within their dashboard.

Auth0 clients should be configured as “Regular Web Applications” with the “Token Endpoint Authentication” set to “None”. Clients must have the “Allowed Callback URLs” set to “https://www.example.com/oauth/auth0/callback" and the “Allowed Logout URLs” to “https://www.example.com", substituting “example.com” for the PUBLIC_URL of your Chronograf instance.

Finally, clients must be set to be “OIDC Conformant”.

Click save, and then take note of your Domain, Client ID, and Secret at the top of the page. These should be inserted into the following environment variables:

  • AUTH0_DOMAIN
  • AUTH0_CLIENT_ID
  • AUTH0_CLIENT_SECRET

The equivalent command line switches are:

Optional Auth0 Organizations

Auth0 can be customized to operators’ requirements, so it has no official concept of an “organization.” Organizations are supported in Chronograf using a lightweight “app_metadata” key that can be inserted into Auth0 users’ profiles automatically or manually.

To assign a user to an organization, add an “organization” key to the user’s “app_metadata” field with the value corresponding to the user’s organization. For example, we can assign the user Marty McFly to the “time-travelers” organization by setting the “app_metadata” to {"organization": "time-travelers"}. This can be done either manually by an operator or automatically through the use of an Auth0 Rule or a pre-user registration Auth0 Hook

Next, you will need to set Chronograf’s AUTH0_ORGS environment variable to a comma-separated list of the allowed organizations. For example, if you have one group of users with an “organization” key set to “biffs-gang” and another group with an “organization” key set to “time-travelers” you can permit access to both with the environment variable: AUTH0_ORGS=biffs-gang,time-travelers.

An --auth0-organizations command line switch is also available. However, it is limited to a single organization and does not accept a comma-separated list like its environment variable equivalent.

Generic Provider

Creating OAuth Application using your own provider

The generic OAuth2 provider is very similar to the Github provider, but, you are able to set your own authentication, token, and API URLs. The callback URL path will be /oauth/generic/callback. So, if your Chronograf is hosted at https://localhost:8888 then the full callback URL would be https://localhost:8888/oauth/generic/callback.

The generic OAuth2 provider requires several settings:

  • GENERIC_CLIENT_ID : this application’s client identifier issued by the provider
  • GENERIC_CLIENT_SECRET : this application’s secret issued by the provider
  • GENERIC_AUTH_URL : OAuth 2.0 provider’s authorization endpoint URL
  • GENERIC_TOKEN_URL : OAuth 2.0 provider’s token endpoint endpoint is used by the client to obtain an access token
  • TOKEN_SECRET : Used to validate OAuth state response. (see above)

Optional Scopes

By default Chronograf will ask for the user:email scope of the client. If your provider scopes email access under a different scope or scopes provide them as comma-separated values in the GENERIC_SCOPES environment variable.

export GENERIC_SCOPES="openid,email" # Requests access to openid and email scopes

Optional Email domains

The generic OAuth2 provider has a few optional parameters.

  • GENERIC_API_URL : URL that returns OpenID UserInfo JWT (specifically email address)
  • GENERIC_DOMAINS : Email domains user’s email address must use.

Configuring the look of the login page

To configure the copy of the login page button text, set the GENERIC_NAME environment variable. For example, with

export GENERIC_NAME="Hill Valley Preservation Society"

the button text will be Login with Hill Valley Preservation Society.

Optional: Configure an Authentication Duration

By default, authentication will remain valid for 30 days via a cookie stored in the browser. Configure that duration with the AUTH_DURATION environment variable. For example, to change it to 1 hour, use:

export AUTH_DURATION=1h

The duration uses the Go (golang) time duration format, so the largest time unit is h (hours). So to change it to 45 days, use:

export AUTH_DURATION=1080h

Additionally, for greater security, if you want to require re-authentication every time the browser is closed, set AUTH_DURATION to 0. This makes the cookie transient (aka “in-memory”).

TLS

Chronograf supports TLS to securely communicate between the browser and server via HTTPS.

We recommend using HTTPS with Chronograf. If you are not using a TLS termination proxy, you can run Chronograf’s server with TLS connections.

Running Chronograf with TLS

Chronograf server has command line and environment variable options to specify the certificate and key files. The server reads and parses a public/private key pair from these files. The files must contain PEM encoded data.

In Chronograf all command line options also have a corresponding environment variable.

To specify the certificate file either use the --cert CLI option or TLS_CERTIFICATE environment variable.

To specify the key file either use the --key CLI option or TLS_PRIVATE_KEY environment variable.

To specify the certificate and key if both are in the same file either use the --cert CLI option or TLS_CERTIFICATE environment variable.

Example with CLI options

chronograf --cert=my.crt --key=my.key

Example with environment variables

TLS_CERTIFICATE=my.crt TLS_PRIVATE_KEY=my.key chronograf

Docker example with environment variables

docker run -v /host/path/to/certs:/certs -e TLS_CERTIFICATE=/certs/my.crt -e TLS_PRIVATE_KEY=/certs/my.key quay.io/influxdb/chronograf:latest

Testing with Self-Signed Certificates

In a production environment you should not use self-signed certificates. However, for testing it is fast to create your own certs.

To create a cert and key in one file with OpenSSL:

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout testing.pem -out testing.pem -subj "/CN=localhost" -days 365

Next, set the environment variable TLS_CERTIFICATE:

export TLS_CERTIFICATE=$PWD/testing.pem

Run Chronograf:

./chronograf
INFO[0000] Serving chronograf at https://[::]:8888       component=server

In the first log message you should see https rather than http.

© 2015 InfluxData, Inc.
Licensed under the MIT license.
https://docs.influxdata.com/chronograf/v1.3/administration/security-best-practices/