Grafana oauth
Implement Helmholtz AAI Auth and Syncing of User Projects to Organizations/Teams on Grafana Login
What has been changed in TSM-orchestration?
- added `worker-grafana-user-orgs` to `docker-compose.yml` and `docker-compose-dev.yml`
- removed provisioned default datasource from `grafana/provisioning` and the respective ENVVARS from `visualization`
- added IF condition in proxy location `/visualization`
  - check if `request_uri = "/visualization/login/generic_oauth"` and `http_sec_fetch_site = "same-origin"`
  - if true then redirect request to `/frontend/oidc/login/?next=/visualization/login/generic_oauth`
User experience of logging into TSM-Grafana:
- user clicks on `Sign in with Helmholtz-AAI`
- gets redirected to Frontend Oauth login
  - doesn't see anything from the Frontend because Helmholtz-AAI oauth process is started immediately
- user finishes Oauth login
  - Frontend publishes the `eduperson_principal_name` and `eduperson_entitlement` to the MQTT broker - dispatcher action in related MR tsm-dispatcher!71 (merged) sets user memberships in grafana organizations/teams
  - user is immediately redirected to Grafana's Oauth Login
- user gets automatically logged in to Grafana without any other clicking needed with memberships derived from user's `eduperson_entitlement`
  - might need to reload to see all permissions, if logging in to grafana for the first time
Edited by Joost Hemmen
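
One way to express the two-part condition on `/visualization` described above, as an added example that is not the merge request's actual nginx configuration. nginx `if` cannot combine two tests, so this uses a `map`; the variable name `$grafana_login_via_frontend`, the listen port and the upstream `http://visualization:3000` are assumptions.

```nginx
# http context: combine both checks into one flag, because nginx "if"
# accepts only a single condition.
# $request_uri is the original URI including any query string, so this
# exact match only fires for the bare login path.
# $http_sec_fetch_site is the browser-sent Sec-Fetch-Site header; it is
# empty for clients that do not send it, which leaves the flag at 0.
map "$request_uri|$http_sec_fetch_site" $grafana_login_via_frontend {
    default                                            0;
    "/visualization/login/generic_oauth|same-origin"   1;
}

server {
    listen 80;  # assumption: TLS termination and port are deployment-specific

    location /visualization {
        # "return" is one of the directives that is safe inside "if".
        # The next= target is a fixed path, not copied from the request,
        # so a crafted URL cannot change where the login flow ends up.
        if ($grafana_login_via_frontend) {
            return 302 /frontend/oidc/login/?next=/visualization/login/generic_oauth;
        }

        # Every other request, including the return trip after the frontend
        # login when the header is no longer "same-origin", goes to Grafana.
        proxy_pass http://visualization:3000;  # assumption: upstream name and port
    }
}
```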
Activity
requested review from @martin.abbrent
assigned to @joost.hemmen1
added 17 commits
- 27390dd7...f8002fb4 - 16 commits from branch `main`
- 9ca0e9ac - Merge branch 'main' into 'grafana-oauth'
added 1 commit
- 4e887cb2 - add new worker-grafana-user-orgs and new mqtt readwrite topic for FRONTEND_MQTT_USER
added 1 commit
- 012bcdc7 - update nginx location to redirect to frontend login (and back) when clicking in grafana
added 1 commit
- 1bb311ce - log in to grafana via frontend redirect URL if click on grafana log in page
mentioned in merge request tsm-dispatcher!71 (merged)
added 1 commit
- 9111fb74 - remove default datasource, add scope 'eduperson_principal_name'
added 13 commits
- fab667cd...c8bd6c03 - 12 commits from branch `main`
- c763737e - Merge branch 'main' into 'grafana-oauth'
added 1 commit
- 85336601 - switch from email to user_principal_name as user login
added 1 commit
- a0cc06d9 - remove scope 'openid' from visualization to prevent having to repeatedly grant...
mentioned in commit 589ebdce
mentioned in issue #63 (closed)