1
votes

My group is using Grafana from the Prometheus operator chart https://github.com/helm/charts/blob/master/stable/prometheus-operator/values.yaml#L486

Grafana is working and we were able to access it using OAuth. Now we have defined a role in our OAuth OIDC server which we need to define (and accept) in Grafana; each user will get his roles according to the OAuth server definition.

e.g. role "UserViewer"

How should I configure it in Grafana? I see this https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping but it doesn't explain the chart installation. Any idea how I can configure the role?

If someone knows how to configure it on the Grafana chart, I mean how I should pass this role JSON file, it would be helpful: https://github.com/grafana/helm2-grafana

How should I do it with helm (update the prom chart with the config), and in addition, how can I monitor the user (in dev) to verify that the role was added to the token?

1
I had a similar use case. I'm using LDAP though, and in my own custom helm chart I defined the ldap.toml file in a config map and then mounted it at path /etc/grafana/ldap.toml to replace the default file. This could be a similar use case? - Pankaj Saini
@PankajSaini - ahh, we don't use custom helm charts, we use the Prometheus operator chart which includes Grafana. Do you know perhaps how I should configure it? Also, for just the Grafana chart it will be OK. - Jenny M

1 Answer

1
votes

Modify grafana.ini, e.g. (syntax can be wrong, just to give you an idea):

# Dots inside key names are escaped as "\." for helm --set, commas inside the
# value as "\,", and the whole value is double-quoted so the shell leaves the
# single quotes, "&&", "||" and "*" of the JMESPath expression alone.
helm install \
  -f values.yaml \
  --set "grafana.grafana\.ini.auth\.generic_oauth.role_attribute_path=contains(info.groups[*]\, 'admin') && 'Admin' || contains(info.groups[*]\, 'editor') && 'Editor' || 'Viewer'" \
  ...

Or directly in used values.yaml. Of course role_attribute_path must be valid config for your use case (role claim name, group names, ....).
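The same setting as an overlay in the values.yaml passed with -f, added here as an example (it is not the answer's or the chart's own file). The Grafana subchart values sit under the top-level grafana key of the prometheus-operator chart; the group "UserViewer" comes from the question, while the claim name roles, the groups UserAdmin and UserEditor, the issuer URLs and the hostname are assumptions you replace with your OIDC server's values.

```yaml
# Overlay for stable/prometheus-operator: everything under `grafana:` is passed
# to the Grafana subchart, whose `grafana.ini` key is rendered into grafana.ini.
grafana:
  grafana.ini:
    server:
      # Assumed hostname; must match the redirect URI registered at the OIDC server.
      root_url: https://grafana.example.com
    auth.generic_oauth:
      enabled: true
      name: OIDC
      client_id: grafana                      # assumed client id
      # Keep the secret out of the committed file; pass it with
      # --set grafana.grafana\.ini.auth\.generic_oauth.client_secret=... at install time.
      scopes: openid profile email roles      # "roles" scope is an assumption
      auth_url: https://idp.example.com/oauth2/authorize   # assumed
      token_url: https://idp.example.com/oauth2/token      # assumed
      api_url: https://idp.example.com/oauth2/userinfo     # assumed
      # JMESPath evaluated against the ID-token claims / userinfo JSON, left to
      # right: the first true contains() yields its Grafana role. The trailing
      # 'Viewer' is the floor; a user with none of the groups still logs in as
      # Viewer, which is the behaviour the issue linked below describes.
      role_attribute_path: >-
        contains(roles[*], 'UserAdmin') && 'Admin' ||
        contains(roles[*], 'UserEditor') && 'Editor' ||
        contains(roles[*], 'UserViewer') && 'Viewer' ||
        'Viewer'
```

For a dev check, run a token exchange against token_url by hand and decode the JWT's payload (or GET api_url with the access token) to confirm the roles claim is present before blaming the mapping.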

Keep in mind that having the role in the token may not work as you are expecting - see https://github.com/grafana/grafana/issues/23218. Authenticated users will have at least the Viewer role. If you really need "deny behavior" then use a different approach (e.g. a custom auth proxy where authentication and authorization will be done, and Grafana in Auth Proxy mode).