Grafana oauth

Implement Helmholtz AAI Auth and Syncing of User Projects to Organizations/Teams on Grafana Login

What has been changed in TSM-orchestration?

• added worker-grafana-user-orgs to docker-compose.yml and docker-compose-dev.yml
• removed provisioned default datasource from grafana/provisioning and the respective ENVVARS from visualization
• added IF condition in proxy location /visualization
  • check if request_uri = "/visualization/login/generic_oauth" and http_sec_fetch_site = "same-origin"
  • if true then redirect request to /frontend/oidc/login/?next=/visualization/login/generic_oauth

User experience of logging into TSM-Grafana:

• user clicks on Sign in with Helmholtz-AAI
  • gets redirected to Frontend Oauth login
  • doesn't see anything from the Frontend because Helmholtz-AAI oauth process is started immediately
• user finishes Oauth login
  • Frontend publishes the eduperson_principal_name and eduperson_entitlement to the MQTT broker
  • dispatcher action in related MR tsm-dispatcher!71 (merged) sets user memberships in grafana organizations/teams
  • user is immediately redirected to Grafanas Oauth Login
• user gets automatically logged in to Grafana without any other clicking needed with memberships derived from users eduperson_entitlement
  • might need to reload to see all permissions, if logging in to grafana for the first time

requested review from @martin.abbrent

assigned to @joost.hemmen1

marked this merge request as draft

added 17 commits

• 27390dd7...f8002fb4 - 16 commits from branch main
• 9ca0e9ac - Merge branch 'main' into 'grafana-oauth'

Compare with previous version

added 1 commit

• 4e887cb2 - add ner worker-grafana-user-orgs and new mqtt readwrite topic for FRONTEND_MQTT_USER

Compare with previous version

added 1 commit

• 012bcdc7 - update nginx location to redirect to frontend login (and back) when clicking in grafana

Compare with previous version

added 1 commit

• 1bb311ce - log in to grafana via frontend redirectl URL if click on on grafana log in page

Compare with previous version

mentioned in merge request tsm-dispatcher!71 (merged)

added 1 commit

• 9111fb74 - remove default datasource, add scope 'eduperson_principal_name'

Compare with previous version

added 1 commit

• fab667cd - merge main into grafan-oauth

Compare with previous version

added 13 commits

• fab667cd...c8bd6c03 - 12 commits from branch main
• c763737e - Merge branch 'main' into 'grafana-oauth'

Compare with previous version

added 1 commit

• 85336601 - switch from email to user_principal_name as user login

Compare with previous version

marked this merge request as ready

changed the description

changed the description

added 1 commit

• a0cc06d9 - remove scope 'openid' from visualization to prevent having to repeatedly grant...

Compare with previous version

merged

approved this merge request

mentioned in commit 589ebdce

mentioned in issue #63 (closed)