Kerberos integration
Grafana provides a basic configuration for Kerberos authentication for both standalone and Dockerized Grafana servers. You must use the tnsnames.ora file with this configuration. The tnsnames.ora file is used by Oracle to store and configure connection information for different databases.
Note
Kerberos authentication is not supported in Grafana Cloud.
Oracle configuration files
The following are key Oracle configuration files:
- tnsnames.ora - Used by Oracle to store and configure connection information for different databases. See Local Naming Parameters in the tnsnames.ora File for more information regarding the tnsnames.ora file.
- sqlnet.ora - This is an Oracle profile configuration file. See Parameters for the sqlnet.ora File.
- krb5.conf - This configuration file contains Kerberos configuration information. See krb5.conf in Oracle’s documentation for more information.
Locations
The Oracle plugin uses the default search paths defined by Oracle Instant Client. Set the ORACLE_HOME environment variable to override where the sqlnet.ora and tnsnames.ora config files are found.
When ORACLE_HOME is set to /opt/oracle, Oracle configuration files are located in the following directories:
| Filename | Search path |
|---|---|
| tnsnames.ora | /opt/oracle/network/admin |
| sqlnet.ora | /opt/oracle/network/admin |
| krb5.conf | /opt/oracle/network/admin |
| krb5cc_472 | /tmp/krb5cc_472 |
You can use other search paths, and the following are all valid:
- /home/grafana/.sqlnet.ora
- /var/lib/grafana/plugins/grafana-oracle-datasource/lib/linux_x64/instantclient_12_2/network/admin/sqlnet.ora
- /home/grafana/.tnsnames.ora
- /etc/tnsnames.ora
Data source configuration
See Configure the Oracle data source for instructions on how to configure Oracle in Grafana. Use the data source connection option TNSNames Entry in the Connection section when you configure the Oracle data source. The name entered into the text field should use the following convention:
/@DBNAME
DBNAME must correspond to an entry in tnsnames.ora.
In the following example configuration file, the connection string is /@XE:
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = krbclient1.plugins.grafana.net)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )
Docker
The following Docker Compose file shows the expected configuration files mapped into a Docker container.
The main components are:
- location of krb5.conf
- mapping the ticket cache to the Grafana UID (472)
- location of tnsnames.ora
- location of sqlnet.ora
version: '3.7'
services:
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    volumes:
      - ./kerb5_client/krb5.conf:/etc/krb5.conf
      - ./ticketcache/krb5cc_1000:/tmp/krb5cc_472
      - ./plugin:/var/lib/grafana/plugins/grafana-oracle-datasource
      - ./network/admin/tnsnames.ora:/etc/tnsnames.ora
      - ./network/admin:/opt/oracle/network/admin
    extra_hosts:
      krb5.plugins.grafana.net: 172.16.0.4
      krbclient1.plugins.grafana.net: 172.16.0.11
    environment:
      - TERM=linux
      - ORACLE_HOME=/opt/oracle
      - GF_DATAPROXY_LOGGING=true
      - GF_LOG_LEVEL=debug
      - GF_LOG_FILTERS=oracle-datasource:debug
      - GF_PLUGINS_ORACLE_DATASOURCE_POOLSIZE=15
Kerberos
The example below shows a basic Oracle Kerberos configuration. Use Oracle’s Configuring Kerberos Authentication to integrate Oracle with Kerberos.
/opt/oracle/network/admin/krb5.conf
[libdefaults]
    default_realm = PLUGINS.GRAFANA.NET
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    PLUGINS.GRAFANA.NET = {
        kdc = krb5.plugins.grafana.net:9088
        admin_server = krb5.plugins.grafana.net:9749
    }
[domain_realm]
    .plugins.grafana.net = PLUGINS.GRAFANA.NET
    plugins.grafana.net = PLUGINS.GRAFANA.NET
sqlnet.ora configuration
The key items in this configuration file are:
- AUTHENTICATION_KERBEROS5_SERVICE
- SQLNET.KERBEROS5_CC_NAME
- SQLNET.KERBEROS5_KEYTAB
/opt/oracle/network/admin/sqlnet.ora
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oraclesvc
SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_472
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_LOCATION=/etc
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
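
An added example, not part of the Grafana documentation or the Oracle plugin: a small Python audit of the sqlnet.ora above. It flags the enabled password fallback and checks that the ticket cache named by SQLNET.KERBEROS5_CC_NAME exists, is owned by the Grafana UID (472), and is not readable by group or others. The function names and the ownership and permission expectations are assumptions of this example.

```python
import os
import re
import stat

GRAFANA_UID = 472  # UID the page maps the ticket cache to (krb5cc_472)

# Excerpt of the sqlnet.ora shown on this page
SAMPLE = """\
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_472
"""


def parse_sqlnet(text):
    """Parse single-line NAME=VALUE parameters; names are upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params


def audit(params, uid=GRAFANA_UID):
    """Return findings; the owner/mode expectations are this example's assumptions."""
    findings = []
    services = re.findall(r"\w+", params.get("SQLNET.AUTHENTICATION_SERVICES", "").upper())
    if "KERBEROS5" not in services:
        findings.append("KERBEROS5 is not listed in SQLNET.AUTHENTICATION_SERVICES")
    if params.get("SQLNET.FALLBACK_AUTHENTICATION", "FALSE").upper() == "TRUE":
        findings.append("SQLNET.FALLBACK_AUTHENTICATION=TRUE: password login is tried if Kerberos fails")
    cache = params.get("SQLNET.KERBEROS5_CC_NAME")
    if not cache:
        return findings + ["SQLNET.KERBEROS5_CC_NAME is not set"]
    try:
        st = os.stat(cache)
    except OSError:
        return findings + [f"ticket cache {cache} is missing"]
    if st.st_uid != uid:
        findings.append(f"ticket cache {cache} is owned by uid {st.st_uid}, expected {uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"ticket cache {cache} is readable by group or others")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sqlnet(SAMPLE)):
        print(finding)
```

Run it inside the Grafana container so that the paths and UID it inspects are the ones the plugin actually sees.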