b5e90585
Commit
b5e90585
authored
Jul 06, 2021
by
Kristian Klausen
Merge branch 'remove-keycloak-hack' into 'master'
grafana: Use builtin functionality to restrict access See merge request
!443
parents
a898f42e
e7aa7f09
roles/grafana/templates/grafana.ini.j2
@@ -477,8 +477,8 @@ api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-c
;allowed_domains =
;team_ids =
;allowed_organizations =
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
|| contains(roles[*], 'Staff') && 'Viewer'
;
role_attribute_strict =
fals
e
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
role_attribute_strict =
tru
e
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
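Review bot: The new `role_attribute_path` maps only DevOps to Admin, so the denial of every other Keycloak account now rests entirely on `role_attribute_strict = true` on the following line, and nothing in the template says so. A maintainer who later flips strict back to false (the value the old side carried) would silently re-open Grafana to any account that completes the OIDC login, because a non-matching JMESPath expression then yields no role and Grafana falls back to its auto-assigned default role. I'd add above the path line: `; Only DevOps members map to a role; role_attribute_strict = true is what denies everyone else.` and `; Do not relax strict without reinstating a Keycloak-side restriction.` The expression also assumes the `roles` claim reaches whatever token or userinfo response Grafana evaluates; the realm-role mapper hunk in tf-stage2/keycloak.tf shows `add_to_access_token = false`, so confirm the claim is still delivered in the ID token or userinfo endpoint.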
tf-stage2/keycloak.tf
@@ -419,8 +419,7 @@ resource "keycloak_group_roles" "devops" {
realm_id
=
"archlinux"
group_id
=
keycloak_group
.
staff_groups
[
"DevOps"
].
id
role_ids
=
[
keycloak_role
.
devops
.
id
,
keycloak_role
.
grafana_archlinux_devops
.
id
keycloak_role
.
devops
.
id
]
}
@@ -775,29 +774,6 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
add_to_access_token
=
false
}
// All of the below is to restrict access to Grafana to members in the Arch Linux DevOps group.
resource
"keycloak_role"
"grafana_archlinux_devops"
{
realm_id
=
"archlinux"
client_id
=
keycloak_openid_client
.
grafana_openid_client
.
id
name
=
"DevOps"
description
=
"Arch Linux Staff Grafana"
}
resource
"keycloak_generic_client_role_mapper"
"grafana_archlinux_devops_to_email"
{
realm_id
=
"archlinux"
role_id
=
keycloak_role
.
grafana_archlinux_devops
.
id
client_scope_id
=
keycloak_openid_client_scope
.
email
.
id
}
// This needs to be imported from the default client scopes created by Keycloak.
resource
"keycloak_openid_client_scope"
"email"
{
realm_id
=
"archlinux"
name
=
"email"
description
=
"OpenID Connect built-in scope: email"
include_in_token_scope
=
true
consent_screen_text
=
"
$
${
emailScopeConsentText
}
"
}
resource
"keycloak_openid_client"
"hedgedoc_openid_client"
{
realm_id
=
"archlinux"
client_id
=
"openid_hedgedoc"
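Review bot: The second hunk drops `resource "keycloak_openid_client_scope" "email"`, whose own removed comment states it was imported from Keycloak's default client scopes rather than created by this configuration. Unless that address was first taken out of state (`terraform state rm keycloak_openid_client_scope.email`), the next `terraform apply` will plan a destroy of the realm's built-in `email` scope, which other clients in this file, such as the `hedgedoc_openid_client` resource that follows, may depend on. I cannot see the state handling from the commit, so this may well have been done out of band; if so, a sentence in the merge request description saying the resource was removed from state rather than destroyed would save the next reader the same worry. The enclosing `user_realm_role_mapper` resource at the top of this hunk starts outside the hunk.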