Using Ambari Core Services
Also available as:
PDF
loading table of contents...

Set up https for Grafana

Limiting Grafana access to only HTTPS connections requires providing a certificate.

Using a self-signed certificate for initial trials is possible. Self-signed certificates are not recommended for production environments. If the self-signed certificate is used, to avoid bad gateway error on a secure cluster, the AMBARI_METRICS datasource in Grafana must be configured to either Skip TLS Verify process or use With CA Cert option. If you select With CA Cert, you must provide the content of the root CA certification that certifies the host, where the Metrics Collector resides. After you get your certificate, you must run a special setup command.
  1. Log in to the host on which Grafana resides.
  2. Browse to the Grafana configuration directory.
    cd /etc/ambari-metrics-grafana/conf/
  3. Locate your certificate.
    If you want to create a temporary self-signed certificate, you can use this as an example:
    openssl genrsa -out ams-grafana.key 2048
    openssl req -new -key ams-grafana.key -out ams-grafana.csr
    openssl x509 -req -days 365 -in ams-grafana.csr -signkey ams-grafana.key -out ams-grafana.crt
  4. Set the certificate, key file ownership, and permissions so that they are accessible to Grafana.
    chown ams:hadoop ams-grafana.crt
    chown ams:hadoop ams-grafana.key
    chmod 400 ams-grafana.crt 
    chmod 400 ams-grafana.key
    For a non-root Ambari user, use:
    chmod 444 ams-grafana.crt
    to enable the agent user to read the file.
  5. In Ambari Web, browse to Services > Ambari Metrics > Configs.
  6. Update the following properties in the Advanced ams-grafana-ini section:
    protocol
    https
    cert_file
    /etc/ambari-metrics-grafana/conf/ams-grafana.crt
    cert-Key
    /etc/ambari-metrics-grafana/conf/ams-grafana.key
  7. In Configs, click Save.
Restart services, as prompted.