
Grafana oauth

Merged Joost Hemmen requested to merge grafana-oauth into main

Implement Helmholtz AAI Auth and Syncing of User Projects to Organizations/Teams on Grafana Login

What has been changed in TSM-orchestration?

  • added worker-grafana-user-orgs to docker-compose.yml and docker-compose-dev.yml
  • removed provisioned default datasource from grafana/provisioning and the respective ENVVARS from visualization
  • added IF condition in proxy location /visualization
    • check if request_uri = "/visualization/login/generic_oauth" and http_sec_fetch_site = "same-origin"
    • if true then redirect request to /frontend/oidc/login/?next=/visualization/login/generic_oauth

User experience of logging into TSM-Grafana:

  • user clicks on Sign in with Helmholtz-AAI
    • gets redirected to Frontend Oauth login
    • doesn't see anything from the Frontend because Helmholtz-AAI oauth process is started immediately
  • user finishes Oauth login
    • Frontend publishes the eduperson_principal_name and eduperson_entitlement to the MQTT broker
    • dispatcher action in related MR tsm-dispatcher!71 (merged) sets user memberships in grafana organizations/teams
    • user is immediately redirected to Grafana's Oauth Login
  • user gets automatically logged in to Grafana without any other clicking needed, with memberships derived from the user's eduperson_entitlement
    • might need to reload to see all permissions, if logging in to grafana for the first time
Edited by Joost Hemmen
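
The proxy condition described in the merge request, sketched as an nginx fragment. This is an added example, not the TSM-orchestration configuration: the variable name `$grafana_oauth_via_frontend`, the listen port and the upstream `visualization:3000` are assumptions. Because nginx `if` cannot test two conditions at once, both values are joined into one `map` key.

```nginx
# Added illustration; names marked "assumed" are not from the merge request.
# The map block belongs in the http {} context.
map "$request_uri|$http_sec_fetch_site" $grafana_oauth_via_frontend {
    default 0;
    # Exact match on both values named in the merge request.
    # $request_uri includes the query string, so a request with extra
    # arguments does not match and is passed through unchanged.
    "/visualization/login/generic_oauth|same-origin" 1;
}

server {
    listen 80;  # assumed

    location /visualization {
        # Sec-Fetch-Site is set by the browser. It reads "same-origin" only
        # when the request and every redirect hop before it stayed on this
        # origin, e.g. a click on Grafana's own sign-in button. A request that
        # arrives at the end of a redirect chain through an external identity
        # provider carries "cross-site" and falls through to Grafana.
        if ($grafana_oauth_via_frontend) {
            # Fixed redirect target: no client-supplied value is copied
            # into the "next" parameter.
            return 302 /frontend/oidc/login/?next=/visualization/login/generic_oauth;
        }

        proxy_pass http://visualization:3000;  # assumed upstream name and port
    }
}
```

The header only steers the redirect. Clients that omit or alter `Sec-Fetch-Site` reach Grafana's OAuth endpoint directly, so authentication still rests on the OAuth flow itself.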
