Limiting Grafana access to only HTTPS connections requires providing a certificate. A self-signed certificate can be used for initial trials, but self-signed certificates are not recommended for production environments. If you use a self-signed certificate, then to avoid a bad gateway error on a secure cluster, the AMBARI_METRICS datasource in Grafana must be configured either to use the Skip TLS Verify option or to use the With CA Cert option. If you select With CA Cert, you must provide the content of the root CA certificate that certifies the host where the Metrics Collector resides. After you get your certificate, you must run a special setup command.

- Log in to the host on which Grafana resides.
- Browse to the Grafana configuration directory.
    cd /etc/ambari-metrics-grafana/conf/
- Locate your certificate.
  If you want to create a temporary self-signed certificate, you can use this as an example:
    openssl genrsa -out ams-grafana.key 2048
    openssl req -new -key ams-grafana.key -out ams-grafana.csr
    openssl x509 -req -days 365 -in ams-grafana.csr -signkey ams-grafana.key -out ams-grafana.crt
- Set the ownership and permissions of the certificate and key files so that they are accessible to Grafana.
    chown ams:hadoop ams-grafana.crt
    chown ams:hadoop ams-grafana.key
    chmod 400 ams-grafana.crt
    chmod 400 ams-grafana.key
  For a non-root Ambari user, use:
    chmod 444 ams-grafana.crt
  to enable the agent user to read the file.
- In Ambari Web, browse to .
- Update the following properties in the Advanced ams-grafana-ini section:
  - protocol: https
  - cert_file: /etc/ambari-metrics-grafana/conf/ams-grafana.crt
  - cert_key: /etc/ambari-metrics-grafana/conf/ams-grafana.key
- In Configs, click Save.
  Restart services, as prompted.
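
A check to run on the certificate and key from the steps above before restarting services, given here as an added example that is not part of the original documentation. The function names `check_tls_pair` and `make_test_pair` and the subject `grafana.example.test` are hypothetical; the script assumes the openssl CLI and GNU stat on a Linux host.

```bash
#!/usr/bin/env bash
# Added example: checks for the Grafana TLS pair before restarting services.
# Assumes the openssl CLI and GNU stat (Linux hosts).

# Return 0 only if cert and key are usable together; print each failure.
check_tls_pair() {
    local cert="$1" key="$2" rc=0 cert_pub key_pub mode
    [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL: cannot read $cert or $key"; return 2; }

    # 1. The certificate's public key must be the public half of the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not match $key"; rc=1
    fi

    # 2. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert is expired or unreadable"; rc=1; }

    # 3. The private key must carry no group/other permission bits (chmod 400).
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 400"; rc=1 ;;
    esac
    return "$rc"
}

# Build a throwaway pair with the page's three openssl commands, made
# non-interactive with -subj. The CN is a constructed placeholder.
make_test_pair() {
    local dir="$1" name="$2"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$name.key" -subj "/CN=grafana.example.test" \
        -out "$dir/$name.csr" &&
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null &&
    chmod 400 "$dir/$name.key" "$dir/$name.crt"
}

# Usage: bash check.sh ams-grafana.crt ams-grafana.key
if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; fi
```

A mismatched pair or an expired certificate is reported here before the restart instead of surfacing afterwards as a Grafana startup or connection failure.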