Add anonymous access prompt during setup#583
Conversation
|
Thanks @mccahan - I like the idea. However, if we make this a separate workflow ( Can we add logic to edit the grafana.env instead of just append? I think it could be as simple as |
|
@jasonacox good thoughts
|
|
I really like this addition / feature. Most of us run these dashboard for our private networks. Unless I'm wrong, in the worse case, the only thing a person could damage would be your customization of your dashboard. I do want to see if we can make this simpler, and cover a few more use cases. Instead of two questions, we could minimize it to a condensed single question with a default:
|
There was a problem hiding this comment.
Pull request overview
This PR adds an interactive prompt during the setup process to configure anonymous access to Grafana dashboards. Previously, these settings existed only as commented lines in the grafana.env.sample file, requiring manual configuration.
Key changes:
- New interactive script to configure anonymous access with read-only or read-write options
- Integration of the anonymous access prompt into the main setup workflow
- Fix for broken documentation anchor link
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| anonymous-access.sh | New script that prompts users to enable anonymous access and configures Grafana environment settings accordingly |
| setup.sh | Integrates the anonymous-access.sh script into the setup workflow after creating the Grafana environment file |
| README.md | Fixes broken anchor link to the Grafana Setup section |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ;; | ||
| *) | ||
| remove_existing_settings | ||
| read_only_anonymous |
There was a problem hiding this comment.
In the default/fallback case (when user enters an invalid option), the script enables read-only anonymous access without providing any feedback to the user. This is inconsistent with the other cases which all provide confirmation messages. Users should be informed that their invalid input defaulted to read-only access.
| read_only_anonymous | |
| read_only_anonymous | |
| # Feedback for invalid or empty selection | |
| echo "" | |
| echo "Invalid selection. Defaulting to anonymous read-only access." |
| echo "" | ||
| ./anonymous-access.sh | ||
| echo "-----------------------------------------" | ||
| echo "" | ||
|
|
||
| echo "" |
There was a problem hiding this comment.
The script is being executed without checking if it exists or is executable. If the file is missing or lacks execute permissions, the setup will fail. Consider adding existence and error checking, or make the script executable during setup, similar to how other scripts in the repository handle execution.
| echo "" | |
| ./anonymous-access.sh | |
| echo "-----------------------------------------" | |
| echo "" | |
| echo "" | |
| echo "" | |
| if [ ! -x "./anonymous-access.sh" ]; then | |
| if [ -f "./anonymous-access.sh" ]; then | |
| echo "Making anonymous-access.sh executable..." | |
| chmod +x "./anonymous-access.sh" | |
| else | |
| echo "ERROR: anonymous-access.sh not found. Cannot configure anonymous access." | |
| exit 1 | |
| fi | |
| fi | |
| ./anonymous-access.sh | |
| echo "-----------------------------------------" | |
| echo "" | |
| echo "" | |
| if [ ! -x "./tz.sh" ]; then | |
| if [ -f "./tz.sh" ]; then | |
| echo "Making tz.sh executable..." | |
| chmod +x "./tz.sh" | |
| else | |
| echo "ERROR: tz.sh not found. Cannot configure timezone." | |
| exit 1 | |
| fi | |
| fi |
| sed -i.bak '/^# Read-Only Anonymous Access/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_FEATURE_TOGGLES_PUBLICDASHBOARDS/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ENABLED/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_NAME/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_ROLE/d' "${GF_ENV_FILE}" | ||
| rm -f "${GF_ENV_FILE}.bak" | ||
| fi | ||
| if grep -q "^GF_AUTH_DISABLE_LOGIN_FORM" "${GF_ENV_FILE}"; then | ||
| sed -i.bak '/^# Read-Write Anonymous Access/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_DISABLE_LOGIN_FORM/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ENABLED/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_NAME/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_ROLE/d' "${GF_ENV_FILE}" | ||
| sed -i.bak '/^GF_USERS_ALLOW_SIGN_UP/d' "${GF_ENV_FILE}" |
There was a problem hiding this comment.
Multiple sequential sed operations with separate backup files is inefficient and could fail if a previous sed operation errors but the backup file is already created. Each sed creates a new .bak file that overwrites the previous one. Consider consolidating the sed operations into a single command with multiple -e expressions, or use a single backup creation followed by in-place edits without creating multiple backups.
| sed -i.bak '/^# Read-Only Anonymous Access/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_FEATURE_TOGGLES_PUBLICDASHBOARDS/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ENABLED/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_NAME/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_ROLE/d' "${GF_ENV_FILE}" | |
| rm -f "${GF_ENV_FILE}.bak" | |
| fi | |
| if grep -q "^GF_AUTH_DISABLE_LOGIN_FORM" "${GF_ENV_FILE}"; then | |
| sed -i.bak '/^# Read-Write Anonymous Access/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_DISABLE_LOGIN_FORM/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ENABLED/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_NAME/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_AUTH_ANONYMOUS_ORG_ROLE/d' "${GF_ENV_FILE}" | |
| sed -i.bak '/^GF_USERS_ALLOW_SIGN_UP/d' "${GF_ENV_FILE}" | |
| sed -i.bak \ | |
| -e '/^# Read-Only Anonymous Access/d' \ | |
| -e '/^GF_FEATURE_TOGGLES_PUBLICDASHBOARDS/d' \ | |
| -e '/^GF_AUTH_ANONYMOUS_ENABLED/d' \ | |
| -e '/^GF_AUTH_ANONYMOUS_ORG_NAME/d' \ | |
| -e '/^GF_AUTH_ANONYMOUS_ORG_ROLE/d' \ | |
| "${GF_ENV_FILE}" | |
| rm -f "${GF_ENV_FILE}.bak" | |
| fi | |
| if grep -q "^GF_AUTH_DISABLE_LOGIN_FORM" "${GF_ENV_FILE}"; then | |
| sed -i.bak \ | |
| -e '/^# Read-Write Anonymous Access/d' \ | |
| -e '/^GF_AUTH_DISABLE_LOGIN_FORM/d' \ | |
| -e '/^GF_AUTH_ANONYMOUS_ENABLED/d' \ | |
| -e '/^GF_AUTH_ANONYMOUS_ORG_NAME/d' \ | |
| -e '/^GF_AUTH_ANONYMOUS_ORG_ROLE/d' \ | |
| -e '/^GF_USERS_ALLOW_SIGN_UP/d' \ | |
| "${GF_ENV_FILE}" |
| rm -f "${GF_ENV_FILE}.bak" | ||
| fi | ||
|
|
||
| sed -i.bak 's/^GF_AUTH_ANONYMOUS/#GF_AUTH_ANONYMOUS/' "${GF_ENV_FILE}" |
There was a problem hiding this comment.
The sed command at line 48 will comment out any line starting with GF_AUTH_ANONYMOUS, but this runs regardless of whether any matching lines exist. This could modify unrelated GF_AUTH_ANONYMOUS settings that aren't part of the anonymous access configuration being managed here. Consider being more specific about which settings to comment out, or check if the lines exist before modifying them.
| sed -i.bak 's/^GF_AUTH_ANONYMOUS/#GF_AUTH_ANONYMOUS/' "${GF_ENV_FILE}" | |
| if grep -qE '^GF_AUTH_ANONYMOUS_(ENABLED|ORG_NAME|ORG_ROLE)' "${GF_ENV_FILE}"; then | |
| sed -i.bak -E 's/^(GF_AUTH_ANONYMOUS_(ENABLED|ORG_NAME|ORG_ROLE))/#\1/' "${GF_ENV_FILE}" | |
| fi |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
I saw settings for allowing anonymous access in the Grafana env sample, but figured it might be helpful to surface it as a question during the setup process.