Access to your Sauron endpoints:
You can access your Sauron endpoints in the following ways:
- Oracle SSO
- Basic Authentication
- OAuth 2.0 Bearer token
Oracle SSO
You can enable SSO for your Sauron endpoints based on instructions here
Basic Authentication
Sauron supports 3 types of users with Basic Authentication access.
- Admin user - This user is created by default for your Sauron. Credentials for this user are in the email you received after Sauron was provisioned by us.
- Secondary Admin user - You can optionally create a Secondary Admin user for your Sauron. Steps to create Secondary Admin user are here.
- Reporter user - This is another user created by default for your Sauron. Credentials for this user are in the email you received after Sauron was provisioned by us. If there is no reporter user created for your Sauron (specifically for old Saurons), you can create one. This user can be used by your clients (e.g. Filebeat, Journalbeat, Metricbeat, PushProx) to send logs or metrics to your Sauron, so you don't have to use your Admin credentials, for security reasons. This user can only access OpenSearch and PushProx Sauron endpoints. Steps to create Reporter user are here.
User Accessibility Matrix
| User | Grafana | Prometheus | Alertmanager | Thanos | API | Help | OpenSearch | PushProx |
|---|---|---|---|---|---|---|---|---|
| Admin | x | x | x | x | x | x | x | x |
| Secondary Admin | x | x | x | x | x | x | x | x |
| Reporter | | | | | | | x | x |
Steps to create Secondary Admin User
- Go to PUT /v1/user/create API, click Try it Out and make sure secondary is selected in the dropdown.
- Enter your password in the password and confirmPassword fields and click Execute.
- Your Secondary Admin User is now created. You can use it to access any Sauron endpoint with admin access.
- Username for Secondary Admin user is [Admin username] + [2]. e.g. if Admin username is test, Secondary Admin username will be test2
Steps to create Reporter User
- Go to PUT /v1/user/create API, click Try it Out and make sure reporter is selected in the dropdown.
- Enter your password in the password and confirmPassword fields and click Execute.
- Your Reporter User is now created. You can use it to configure your logs or metrics client.
- Username for Reporter user is [Admin username] + [-reporter]. e.g. if Admin username is test, Reporter username will be test-reporter
Steps to reset password
- Go to PUT /v1/user/password API, click Try it Out.
- Enter userName, oldPassword, newPassword and confirmNewPassword and click Execute.
- Your password is now reset. Give 1-2 minutes for the process to complete.
Access with the above users will continue even after enabling SSO for your Sauron endpoints. To enable SSO follow steps here.
OAuth 2.0 Bearer token
Grafana endpoint
Sauron supports both service account tokens (Grafana 9.1+) and API keys (deprecated) to access your Sauron Grafana API endpoints.
Service account token:
Once you generate your service account token using the Grafana UI, you can use this token to access your Grafana endpoint. e.g.
curl -H "Authorization: Bearer glsa_7vKPK7C8ltrjmi6hCoLPHb9CuzdytADu_191be43e" https://grafana.handu-phx.handu.developers.oracledx.com
API key (deprecated in Grafana 9.1+):
Once you generate a Grafana API key, use it to access your Grafana endpoint. (Note: API keys are deprecated. Grafana recommends using service account tokens.) e.g.
echo -n '{"k":"7ol3JwhIgoNx1VavCirYEgmUcLW9l1qI","n":"grafanatoken","id":1}' | base64
eyJrIjoiN29sM0p3aElnb054MVZhdkNpcllFZ21VY0xXOWwxcUkiLCJuIjoiZ3JhZmFuYXRva2VuIiwiaWQiOjF9
curl -H "Authorization: Bearer eyJrIjoiN29sM0p3aElnb054MVZhdkNpcllFZ21VY0xXOWwxcUkiLCJuIjoiZ3JhZmFuYXRva2VuIiwiaWQiOjF9" https://grafana.handu-phx.handu.developers.oracledx.com
Non-Grafana endpoints
Sauron supports OAuth 2.0 Bearer token access to your SSO enabled non-Grafana endpoints.
You can create a bearer token with one of the following roles:
- admin (has full access to all endpoints)
- reporter (has access to only OpenSearch, PushProx endpoints)
You can create a maximum of 2 tokens for each role so that you can rotate them on the client side without any downtime:
- admin1, admin2 tokens for admin role
- reporter1, reporter2 tokens for reporter role
Use PUT /v1/oauth2/token API to generate a new OAuth 2.0 Bearer token for admin or reporter roles.
Once you generate a token, you can access your endpoint as shown below:
# Assume generated token is 51036ca8da91169984f6be5d1629e76f29f938c9. First base64 encode it
$ echo -n 51036ca8da91169984f6be5d1629e76f29f938c9 | base64
NTEwMzZjYThkYTkxMTY5OTg0ZjZiZTVkMTYyOWU3NmYyOWY5MzhjOQ==
# curl your endpoint with base64 encoded token. It should return 200
$ curl -o /dev/null -s -w %{http_code} -H "Authorization: Bearer NTEwMzZjYThkYTkxMTY5OTg0ZjZiZTVkMTYyOWU3NmYyOWY5MzhjOQ==" https://api.handu-phx.handu.developers.oracledx.com
200
Note:
- You need to enable SSO for your endpoints in order to support this feature. Steps to enable SSO are here.
- PUT /v1/oauth2/token API can be accessed only by basic-auth admin users or users that belong to [Team]Admin OIM entitlements. All other users will receive 403 Access Denied.
- Generating a new Bearer token using this API invalidates the previous token for that role. e.g. if you generate new token for admin1, previous admin1 token is no longer valid. If you use old admin1 token to access your endpoint, you will receive 403 Access Denied.
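The client side of the two-slot rotation described above, as an added example that is not part of Sauron's documentation or tooling: the raw token is read from a file and handed to curl on stdin, so it stays out of shell history and the process list, and the client falls back to the other slot when one has been regenerated. The function names, token file paths and endpoint URL are assumptions supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not Sauron's own tooling. Function names and the token
# file layout (one raw token per file, one file per slot) are assumptions.

# Build the Authorization header from a raw token stored in a file.
# The token is sent base64-encoded, as in the curl example above.
bearer_header() {
    local raw
    # Drop the file's trailing newline so it is not encoded into the token.
    raw=$(tr -d '\r\n' < "$1") || return 1
    # tr also removes the line wrapping some base64 builds add to long output.
    printf 'Authorization: Bearer %s' "$(printf '%s' "$raw" | base64 | tr -d '\n')"
}

# Print the HTTP status the endpoint returns for the token in a file.
# The header reaches curl through a config read from stdin (--config -),
# so the secret never appears in curl's argument list.
http_status() {
    local url token_file
    url=$1
    token_file=$2
    printf 'header = "%s"\n' "$(bearer_header "$token_file")" |
        curl --config - -o /dev/null -s -w '%{http_code}' "$url"
}

# Print the first token file the endpoint accepts with HTTP 200.
# A slot whose token was regenerated answers 403, so the loop moves on
# to the other slot; returns 1 when no slot is accepted.
pick_valid_token() {
    local url f
    url=$1
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        if [ "$(http_status "$url" "$f")" = "200" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Usage, with hypothetical paths for the two admin slots:
#   pick_valid_token https://api.handu-phx.handu.developers.oracledx.com \
#       /etc/sauron/admin1.token /etc/sauron/admin2.token
```

A non-zero return from `pick_valid_token` means both slots were rejected, which is worth alerting on rather than retrying silently.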