TLDR Serhii inquired about LDAP support, separating metrics from different Prometheus instances, and concerns on user-linked tokens. Prabhat answered questions and provided possible solutions. Ryan raised concerns on security risks and shared suggestions.
> Are you going to support LDAP?
Yes. Will be available soon.
> Is there a way to convert Grafana dashboard?
Not yet, we will be doing it soon. Please upvote -
And what is the best way to separate metrics from different Prometheus instances?
I don't think I understand the question. Can you please elaborate, maybe with an example
For example, I have two Prometheus instances in two different clusters. Both have a metric called “metric-name”; in OpenObserve both of them will go into the same index.
I’m on my phone; if the question is not clear, I will do a screenshot tomorrow :)
ah got it. I understand it now.
Current possible solutions: 1. If they have different labels then you could use the labels to separate them
2. You could push them in 2 different organizations
But this is a good scenario that requires more thinking to see if there can be a better solution
So basically I can treat organisations as environments?
Dev/prod/staging etc
I would strongly recommend against LDAP support in the product; it's a massive security risk. Instead pick any IdP and use SAML, even an open-source one like Keycloak.
LDAP auth in app means your plain text passwords can be traced out
Ryan Yeah, we will not build SSO directly
most likely we will pick up dex or something similar
Sorry, comment was to the OP; it's bad to even ask for this :slightly_smiling_face:
dex is what Argo CD uses. Actual product ask: support SCIMv2 provisioning out of the gate, don't try the nonsense of mapping token claims alone
And one more question. Why do you use user credentials for metrics ingestion? For example, I must create a technical user to generate credentials for ingestion.
Ryan, why? Communication with LDAP is going through SSL. Traffic is encrypted.
While you can use the user id/password for ingestion, we generally recommend the ingestion token that you get from the ingestion menu
I mean that token, yes, but it is still linked to a user account
So you have to create a tech user, because you never know when someone will leave the organization :) and if that user is deleted, all configured ingestions will stop working
And I don’t think using an admin account for that is a good idea
fair point. We will think about it.
Right, ingestion is typically something that belongs to the org, not the user. For integrations you often need both "org" level tokens with scoped rights that won't have to be changed and personal tokens for, say, something like a Jupyter notebook.
Open to suggestions on ingestion token generation-
Serhii
Sun, 11 Jun 2023 12:12:02 UTC
Are you going to support LDAP? Is there a way to convert Grafana dashboard? And another question: do you plan to support dashboards and other stuff as code like in Grafana?