
Grafana oauth

Implement Helmholtz AAI Auth and Syncing of User Projects to Organizations/Teams on Grafana Login

What has been changed in TSM-orchestration?

  • added worker-grafana-user-orgs to docker-compose.yml and docker-compose-dev.yml
  • removed the provisioned default datasource from grafana/provisioning and the corresponding environment variables from the visualization service
  • added an IF condition to the proxy location /visualization
    • check whether request_uri = "/visualization/login/generic_oauth" and http_sec_fetch_site = "same-origin"
    • if both hold, redirect the request to /frontend/oidc/login/?next=/visualization/login/generic_oauth
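The proxy rule above, written out as an nginx location block. This is an added example, not the nginx configuration from the TSM-orchestration repository; it assumes the upstream name grafana:3000, the /visualization and /frontend prefixes from the description, and that Grafana is configured to serve from the /visualization sub-path. nginx cannot AND two conditions in a single if, so the usual pattern of accumulating a flag variable is used.

```nginx
# Added example (not TSM-orchestration's own config). Assumed: upstream
# grafana:3000 and Grafana's root_url pointing at /visualization.
location /visualization/ {
    # Only the user's own click on "Sign in with Helmholtz-AAI" should be
    # diverted through the Frontend's OIDC login (which triggers the org/team
    # sync). Both conditions must hold, so build up a flag variable.
    set $sync_login "";
    # $request_uri includes the query string, so this exact match only fires
    # for the bare login path.
    if ($request_uri = "/visualization/login/generic_oauth") {
        set $sync_login "uri";
    }
    # Sec-Fetch-Site is set by the browser and distinguishes the initial
    # same-origin click from the later cross-site redirect chain coming back
    # from Helmholtz AAI, which must reach Grafana unchanged.
    if ($http_sec_fetch_site = "same-origin") {
        set $sync_login "${sync_login}+same-origin";
    }
    if ($sync_login = "uri+same-origin") {
        # Fixed target, no user-controlled value in "next".
        return 302 /frontend/oidc/login/?next=/visualization/login/generic_oauth;
    }

    proxy_pass http://grafana:3000;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

Two things worth keeping in mind when reviewing this rule: the Sec-Fetch-Site header is a browser hint that routes the request, not an authentication check, so Grafana's own OAuth validation remains the security boundary; and the redirect target in next= is a literal, so no open-redirect surface is introduced by the rule itself.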

User experience of logging into TSM-Grafana:

  • user clicks on Sign in with Helmholtz-AAI
    • gets redirected to the Frontend OAuth login
    • doesn't see anything of the Frontend, because the Helmholtz-AAI OAuth process is started immediately
  • user finishes the OAuth login
    • Frontend publishes the eduperson_principal_name and eduperson_entitlement to the MQTT broker
    • dispatcher action in the related MR tsm-dispatcher!71 (merged) sets the user's memberships in Grafana organizations/teams
    • user is immediately redirected to Grafana's OAuth login
  • user gets automatically logged in to Grafana without any further clicks, with memberships derived from the user's eduperson_entitlement
    • might need to reload to see all permissions when logging in to Grafana for the first time
Edited by Joost Hemmen
