Verified Commit a434870b authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Restrict Grafana access to DevOps

As our Grafana now contains Loki logs, we don't want non-DevOps staff to be able to view
logs which potentially contain sensitive data. As Grafana does not have
a system to easily restrict data sources to roles, we use Keycloak.
parent f7dc2802
......@@ -413,7 +413,8 @@ resource "keycloak_group_roles" "devops" {
realm_id = "archlinux"
group_id = keycloak_group.staff_groups["DevOps"].id
role_ids = [
keycloak_role.devops.id
keycloak_role.devops.id,
keycloak_role.grafana_archlinux_devops.id
]
}
......@@ -421,8 +422,7 @@ resource "keycloak_group_roles" "staff" {
realm_id = "archlinux"
group_id = keycloak_group.staff.id
role_ids = [
keycloak_role.staff.id,
keycloak_role.grafana_archlinux_staff.id
keycloak_role.staff.id
]
}
......@@ -769,17 +769,17 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
add_to_access_token = false
}
// All of the below is to restrict access to Grafana to members in the Arch Linux Staff group.
resource "keycloak_role" "grafana_archlinux_staff" {
// All of the below is to restrict access to Grafana to members in the Arch Linux DevOps group.
resource "keycloak_role" "grafana_archlinux_devops" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "Staff"
name = "DevOps"
description = "Arch Linux Staff Grafana"
}
resource "keycloak_generic_client_role_mapper" "grafana_archlinux_staff_to_email" {
resource "keycloak_generic_client_role_mapper" "grafana_archlinux_devops_to_email" {
realm_id = "archlinux"
role_id = keycloak_role.grafana_archlinux_staff.id
role_id = keycloak_role.grafana_archlinux_devops.id
client_scope_id = keycloak_openid_client_scope.email.id
}
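Review bot: The renamed client role still carries the old description on the unchanged context line `description = "Arch Linux Staff Grafana"`, which will mislead anyone auditing the realm in the Keycloak admin console; it should read `description = "Arch Linux DevOps Grafana"`. Dropping the `Staff` client role and mapping `DevOps` into the `email` scope only changes which role Keycloak emits in the token; the restriction is only effective if Grafana's OAuth configuration (role/group attribute path, not in this diff) is updated to require the `DevOps` role, so that change should land with or before this one. Non-DevOps staff who already hold a Grafana session presumably keep it until it expires or they re-authenticate, since role evaluation appears to happen at login; consider invalidating existing Grafana sessions now that the Loki logs are treated as sensitive. The Grafana `keycloak_openid_client` resource and the rest of the file are outside these hunks.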
......