Add info about Windows permissions #3863
Conversation
clayton-cornell
added
type/docs
|
💻 Deploy preview available: |
|
I'm definitely not an expert by any means on Alloy on Windows, but the docs contents read well and make sense to me. The only thing that might help me close the loop might be a link out to a place in the Windows ecosystem that talks about how you assign permissions to users or add members to groups, etc. Is this all done via Active Directory? |
|
I added some links back to the MS docs. |
| @@ -115,5 +115,53 @@ To expose the UI to other machines, complete the following steps: | |||
|
|
|||
| To listen on all interfaces, replace _`<LISTEN_ADDR>`_ with `0.0.0.0`. | |||
|
|
|||
| ## Configure Windows permissions | |||
There was a problem hiding this comment.
Some things that I think need clarifying: Do I need to perform all these steps? How do I perform them? If I install following the set-up guide do I still need to give these permissions explicitly for things to work (I don't think so?).
I don't know for sure, but I'm guessing that our set-up procedures already set these permissions automatically, but we want them documented for more security-conscious users who want to have tighter control over what is given? Or so that they can do a threat level assessment?
There was a problem hiding this comment.
I agree that specifying the exacts steps users should take would be nice... I just don't know if it's very realistic? I don't know how complicated these things can get. But if we can at least point users in the right direction or including links to MS docs with information how to configure aspects of Windows then that'd be nice.
There was a problem hiding this comment.
I don't think you need to do these steps if you used an installer, right?
I think that's the thing I want to clarify more so than 'how' to do it.
There was a problem hiding this comment.
I haven't checked, but I'd be very surprised if the installer sets up all the things listed below. I doubt that it updates firewall and proxy settings for example.
|
Hello Grafana Labs, We uses your Grafana Cloud solution for the observability of our systems and applications. And we deployed recently Alloy agent (v1.9.0) on our MSSQL servers (Windows Server 2029), we need to configure a AD service account on the "Alloy" Windows service to be capable to connect to the MSSQL instance and to get mssql metrics. We did some tests with a lot of several connection strings in the Alloy mssql config file but since I configured my AD service account to run the "Alloy" Windows service, this one don't start. I want to stay my AD service account on my MSSQL server in the "Users" local group, I don't want to define this AD service account in the "Administrators" group. Please may you define the documentation to explain to everyone how to configure a Windows account / AD Windows service account with the most limited permissions on the Windows server ? And also please may you do your tests on your side to validate that all your documentation points works fine in the practice. At D-EDGE we really need of these ones, and our RSSI want to decrease at maximum the permissions of the windows account which run the "Alloy" agent. And for the moment we are really blocked about that. cc @annelaurefroment @ahadjidj regards, |
| @@ -115,5 +115,53 @@ To expose the UI to other machines, complete the following steps: | |||
|
|
|||
| To listen on all interfaces, replace _`<LISTEN_ADDR>`_ with `0.0.0.0`. | |||
|
|
|||
| ## Configure Windows permissions | |||
There was a problem hiding this comment.
I agree that specifying the exacts steps users should take would be nice... I just don't know if it's very realistic? I don't know how complicated these things can get. But if we can at least point users in the right direction or including links to MS docs with information how to configure aspects of Windows then that'd be nice.
|
Hi, @jbouchet-dedge 👋 I'm honestly not sure if the first iteration of this doc could include a lot of detailed steps. For example, I don't know if there are multiple ways to configure security settings - maybe not everyone uses AD? Also, it'd be hard to find the minimum requirements for each Alloy component. The page looks ok as a starting point, but I hope our solutions engineers could extend it over time with more concrete steps that they would normally do when setting up Alloy for customers. Regarding your specific issue - maybe it's worth running Process Monitor to see if Alloy failed to retrieve something like a registry key or a file? |
PR Description
Add info about Windows permissions and security requirements for running Alloy
Which issue(s) this PR fixes
Fixes #3619
Notes to the Reviewer
PR Checklist