LDAP Support, Metrics Separation, and Ingestion Token Concerns

TLDR Serhii inquired about LDAP support, separating metrics from different Prometheus instances, and concerns on user-linked tokens. Prabhat answered questions and provided possible solutions. Ryan raised concerns on security risks and shared suggestions.

Serhii
Sun, 11 Jun 2023 12:12:02 UTC

Are you going to support LDAP? Is there a way to convert Grafana dashboard? And another question: do you plan to support dashboards and other stuff as code, like in Grafana?

Prabhat
Sun, 11 Jun 2023 12:16:15 UTC

> Are you going to support LDAP?

Yes. Will be available soon.

> Is there a way to convert Grafana dashboard?

Not yet. We will be doing it soon. Please upvote -

> And another question: do you plan to support dashboards and other stuff as code, like in Grafana?

We plan to be able to pull and push dashboards from a git repo, allowing dashboards as code and versioning.

Serhii
Sun, 11 Jun 2023 12:18:39 UTC

And what is the best way to separate metrics from different Prometheus instances?

Prabhat
Sun, 11 Jun 2023 12:19:31 UTC

I don't think I understand the question. Can you please elaborate, maybe with an example?

Serhii
Sun, 11 Jun 2023 12:20:45 UTC

For example, I have two Prometheus instances in two different clusters. Both have a metric called “metric-name”. In OpenObserve both of them will go into the same index.

Serhii
Sun, 11 Jun 2023 12:21:39 UTC

I’m on my phone; if the question is not clear, I will do a screenshot tomorrow :)

Prabhat
Sun, 11 Jun 2023 12:22:05 UTC

Ah, got it. I understand it now.

Prabhat
Sun, 11 Jun 2023 12:23:06 UTC

Current possible solutions: 1. If they have different labels then you could use the labels to separate them

Prabhat
Sun, 11 Jun 2023 12:23:27 UTC

2. You could push them in 2 different organizations

Prabhat
Sun, 11 Jun 2023 12:24:15 UTC

But this is a good scenario that requires more thinking to see if there can be a better solution

Serhii
Sun, 11 Jun 2023 12:24:20 UTC

So basically I can treat organisations as environments?

Serhii
Sun, 11 Jun 2023 12:24:32 UTC

Dev/prod/staging etc

Ryan
Sun, 11 Jun 2023 12:25:14 UTC

I would strongly recommend against LDAP support in product, it's a massive security risk. Instead pick any IdP and use SAML, even an open-source one like Keycloak

Ryan
Sun, 11 Jun 2023 12:25:42 UTC

LDAP auth in app means your plain text passwords can be traced out

Prabhat
Sun, 11 Jun 2023 12:25:44 UTC

Ryan Yeah, we will not build SSO directly

Prabhat
Sun, 11 Jun 2023 12:25:54 UTC

Most likely we will pick up Dex or something similar

Ryan
Sun, 11 Jun 2023 12:26:11 UTC

Sorry, comment was to the OP, it's bad to even ask for this :slightly_smiling_face:

Ryan
Sun, 11 Jun 2023 12:27:10 UTC

Dex is what Argo CD uses. Actual product ask: support SCIMv2 provisioning out of the gate, don't try the nonsense of mapping token claims alone

Serhii
Sun, 11 Jun 2023 12:27:45 UTC

And one more question. Why do you use user credentials for metrics ingestion? For example, I must create a technical user to generate credentials for ingestion.

Serhii
Sun, 11 Jun 2023 12:28:57 UTC

Ryan why? Communication with LDAP is going through SSL. Traffic is encrypted.

Prabhat
Sun, 11 Jun 2023 12:30:38 UTC

While you can use the user id/password for ingestion, we generally recommend the ingestion token that you get from the ingestion menu

Serhii
Sun, 11 Jun 2023 12:31:02 UTC

I mean that token, yes, but it is still linked to a user account

Serhii
Sun, 11 Jun 2023 12:32:02 UTC

So you have to create a tech user, because you never know when someone will leave the organization :) and if that user is deleted all configured ingestions will stop working

Serhii
Sun, 11 Jun 2023 12:32:31 UTC

And I don’t think using an admin account for that is a good idea

Prabhat
Sun, 11 Jun 2023 12:32:52 UTC

Fair point. We will think about it.

Ryan
Sun, 11 Jun 2023 12:37:52 UTC

Right, ingestion is typically something that belongs to the org, not the user. For integrations you often need both "org" level tokens with scoped rights that won't have to be changed and personal tokens for, say, something like a Jupyter notebook.

Prabhat
Sun, 11 Jun 2023 12:56:10 UTC

Open to suggestions on ingestion token generation-