Issue #73

Closed

Issue #62: Report restructuring

Grafana setup

Added by marlboro chu about 1 year ago. Updated 6 months ago.

Status:
Close
Priority:
LOW
Assignee:
marlboro chu
Start date:
2025-02-03
Due date:
2025-02-07
% Done:

100%


Description

Rebuild the grafana environment and switch its database connection to mysql


Files

Updated by marlboro chu about 1 year ago

  • Database creation
    Log in to 192.168.10.209, switch to the root user, then run
 mysql -h 127.0.0.1 -u veriid -p
  • Once inside mysql, run
CREATE DATABASE dev_grafana DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
CREATE USER 'grafana'@'%' IDENTIFIED BY 'grafana16313302';
GRANT ALL PRIVILEGES ON dev_grafana.* TO 'grafana'@'%';
FLUSH PRIVILEGES;
EXIT;
  • Copy the original grafana to a new directory
 cp -r ./grafana ./grafana-new
  • Adjust directory permissions
 sudo chown -R 1001:1001 /home/ai/it-system-docker-compose/grafana-new/9/debian-11/volumes
  • Adjust grafana.ini
[database]
type = mysql
host = 192.168.10.209:3306
name = dev_grafana
user = grafana
password = grafana16313302
  • Adjust docker-compose.yml
version: '3'

services:
  grafana-new:
    image: docker.io/bitnami/grafana:9
    restart: always
    ports:
      - '3001:3000'
    environment:
      - 'GF_SECURITY_ADMIN_PASSWORD=admin16313302'
      - 'GF_SERVER_ROOT_URL=https://gfn-new.veri-id-dev.com/'
    volumes:
      - /home/ai/it-system-docker-compose/grafana-new/9/debian-11/volumes:/opt/bitnami/grafana/data
      - /home/ai/it-system-docker-compose/grafana-new/9/debian-11/conf:/opt/bitnami/grafana/conf
volumes:
  grafana_data:
    driver: local
  • Start grafana
 docker compose -f docker-compose.yml up -d

Updated by marlboro chu about 1 year ago

Add team

INSERT INTO dev_grafana.team
(id, name, org_id, created, updated,  email)
VALUES(100, 'ACQFD', 1, '2024-12-26 17:47:36', '2024-12-26 17:47:36',  'acqfd@hitrust.com');
INSERT INTO dev_grafana.team
(id, name, org_id, created, updated,  email)
VALUES(101, 'ISRFD', 1, '2024-12-26 17:47:36', '2024-12-26 17:47:36',  'isrfd@hitrust.com');
INSERT INTO dev_grafana.team
(id, name, org_id, created, updated,  email)
VALUES(102, 'IBFD', 1, '2024-12-26 17:47:36', '2024-12-26 17:47:36',  'ibfd@hitrust.com');
INSERT INTO dev_grafana.team
(id, name, org_id, created, updated,  email)
VALUES(103, 'DIIA', 1, '2024-12-26 17:47:36', '2024-12-26 17:47:36',  'diia@hitrust.com');

Updated by marlboro chu about 1 year ago

  • grafana 9 jwt settings
#################################### Auth JWT ##########################
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
email_claim = email
username_claim = sub
;jwk_set_url = https://foo.bar/.well-known/jwks.json
jwk_set_file = /opt/bitnami/grafana/conf/jwks.json
;cache_ttl = 60m
;expect_claims = {"aud": ["foo", "bar"]}
;key_file = /path/to/key/file
;role_attribute_path =
;role_attribute_strict = false
auto_sign_up = true
url_login = true
;allow_assign_grafana_admin = false
enable_login_token = true
;username_attribute_path = veriid.username
;email_attribute_path = veriid.email
;name_attribute_path = veriid.name
;role_attribute_path = contains(veriid.roles[*], 'admin') && 'Admin' || contains(veriid.roles[*], 'editor') && 'Editor' || 'Viewer'
;org_attribute_path = to_number(veriid.orgId)
  • grafana 11 jwt settings
[auth.jwt]
enabled = true
;enable_login_token = false
header_name = X-JWT-Assertion
;email_claim = sub
;username_claim = sub
;email_attribute_path = jmespath.email
username_attribute_path = veriid.username
email_attribute_path = veriid.email
name_attribute_path = $.veriid.name
role_attribute_path = contains(veriid.roles[*], 'admin') && 'Admin' || contains(veriid.roles[*], 'editor') && 'Editor' || 'Viewer'
org_attribute_path = to_number(veriid.orgId)
;jwk_set_url = https://foo.bar/.well-known/jwks.json
jwk_set_file = /etc/grafana/jwks.json
;cache_ttl = 60m
;expect_claims = {"aud": ["foo", "bar"]}
;key_file = /etc/grafana/grafana.key.pub
# Use in conjunction with key_file in case the JWT token's header specifies a key ID in "kid" field
;key_id = some-key-id
;role_attribute_strict = false
;groups_attribute_path = hitrust.term
;auto_assign_org = true
auto_sign_up = true
url_login = true
allow_assign_grafana_admin = true
auto_assign_org_role = Viewer
;skip_org_role_sync = true
;signout_redirect_url =
enable_login_token = true
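
An audit of the [auth.jwt] settings posted above, as an added example that is not part of the original ticket or of Grafana's own tooling: it parses a grafana.ini and lists the permissive options. The function name `audit_auth_jwt`, the list of checks and the sample text (constructed from the active keys of the Grafana 11 block) are assumptions of this example.

```python
import configparser

# Constructed sample: active keys of the Grafana 11 [auth.jwt] block in this ticket.
SAMPLE_INI = """\
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
role_attribute_path = contains(veriid.roles[*], 'admin') && 'Admin' || contains(veriid.roles[*], 'editor') && 'Editor' || 'Viewer'
jwk_set_file = /etc/grafana/jwks.json
;expect_claims = {"aud": ["foo", "bar"]}
auto_sign_up = true
url_login = true
allow_assign_grafana_admin = true
enable_login_token = true
"""

# Boolean options that widen access when set to true, with the reason each one matters.
BOOLEAN_CHECKS = {
    "url_login": "JWT is accepted in the auth_token URL parameter, so it can leak via logs, history and Referer",
    "allow_assign_grafana_admin": "role_attribute_path may grant the server-wide GrafanaAdmin role",
    "auto_sign_up": "any subject with a valid token gets an account created on first login",
}

def _is_on(section, key):
    """True only when the key is present and parses as a true boolean."""
    try:
        return section.getboolean(key, fallback=False)
    except ValueError:  # empty or non-boolean value
        return False

def audit_auth_jwt(ini_text):
    """Return sorted (key, finding) pairs for permissive settings in an enabled [auth.jwt] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # ';' and '#' lines are comments
    cp.read_string(ini_text)
    if not cp.has_section("auth.jwt"):
        return []
    jwt = cp["auth.jwt"]
    if not _is_on(jwt, "enabled"):
        return []
    findings = [(key, why) for key, why in BOOLEAN_CHECKS.items() if _is_on(jwt, key)]
    if not jwt.get("expect_claims", fallback="").strip():
        findings.append(("expect_claims", "no iss/aud pinning: any token signed by a key in the JWK set is accepted"))
    return sorted(findings)

if __name__ == "__main__":
    for key, why in audit_auth_jwt(SAMPLE_INI):
        print(f"[auth.jwt] {key}: {why}")
```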

Updated by marlboro chu about 1 year ago

  • Status changed from New to Close

Updated by marlboro chu 8 months ago · Edited

Notes:
WSL firewall & portproxy

netsh advfirewall firewall add rule name="Allow Grafana 3000" dir=in action=allow protocol=TCP localport=3000

netsh interface portproxy delete v4tov4 listenaddress=192.168.10.106 listenport=3000
netsh interface portproxy add v4tov4 listenaddress=192.168.10.106 listenport=3000 connectaddress=172.26.75.244 connectport=3000

Updated by marlboro chu 6 months ago

  • % Done changed from 0 to 100