Grafana configuration parameters
This topic describes the parameters that you can use when you configure JWT authentication on Grafana.
The following table lists the minimum parameters that you must configure to enable JWT authentication on Grafana:
| Section | Parameters | Description | Values to be configured for z/OSMF |
|---|---|---|---|
| [auth.jwt] | enabled | Use this parameter to allow JWT to authenticate on the Grafana server. The default value is set to true. | true |
| | enable_login_token | Upon successful authentication proxy header validation, this parameter provides the user with a login token. The default value is set to false. | true |
| | header_name | Use this parameter to specify the name of the header that holds a token. The default value is set to X-JWT-Assertion. | X-Forwarded-Access-Token |
| | username_claim | Use this parameter to identify the user. The sub claim is mandatory and needs to be present in a JWT, and it should mention the subject of the JWT. The default value is also set to sub. | sub |
| | jwk_set_file | Use this parameter to verify the token with a JSON Web Key Set loaded from a JSON file. | /PATH/TO/jwks.json |
| | cache_ttl | Use this parameter to establish the duration for caching data retrieved from the HTTP endpoint. This parameter enables the user to store the data for a specified period, allowing for faster access and retrieval of information. The default value is set to 60m (minutes). | 60m |
| | expect_claims | Use this parameter to verify the validity of other claims that contain JSON-encoded information. By default, only the exp, nbf, and iat claims are checked automatically. If you use other claims such as iss, sub, aud, and jti, you must validate them with this parameter. | {"iss": "zOSMF"} |
| | auto_sign_up | Use this parameter to automatically create user profiles in Grafana using the TSO ID of z/OSMF for users who do not have user profiles in the Grafana server. The default value is set to false. | true |
| | url_login | Use this parameter to enable JWT authentication in the URL. The default value is set to false. | true |
| [server] | protocol | Use this parameter to configure z/OSMF to work over HTTPS. When you configure z/OSMF to work over HTTPS, it is recommended to configure Grafana to also work over HTTPS. This ensures secure data transfer between the user's web browser and the Grafana server. The default value is set to http. | https |
| | cert_file | Use this parameter to specify the path to the certificate file when the protocol parameter is set to https or h2. | /PATH/TO/certificate.crt |
| | cert_key | Use this parameter to specify the path to the certificate key file when the protocol parameter is set to https or h2. | /PATH/TO/privateKey.key |
| [Security] | cookie_secure | Use this parameter if you hosted the Grafana instance over HTTPS. The default value is set to false. | true |
| | cookie_samesite | Use this parameter to prevent the browser from sharing cookies with other websites. The default value is set to lax. | disabled |
| | allow_embedding | Use this parameter to enable web browsers to display Grafana within a z/OSMF HTML `<frame>`, `<iframe>`, `<embed>`, or `<object>` element. The default value is set to false. | true |
For more information about customizing the Grafana instance by modifying the parameters in the configuration file, refer to the following sections in the Grafana documentation.