Skip to content
GitLab
Commit b5e90585 authored by Kristian Klausen's avatar Kristian Klausen 🎉
Browse files

Merge branch 'remove-keycloak-hack' into 'master' 

grafana: Use builtin functionality to restrict access

See merge request !443
parents a898f42e e7aa7f09
Pipeline #9474 passed with stage
in 54 seconds
Hide whitespace changes
Inline Side-by-side
roles/grafana/templates/grafana.ini.j2
View file @ b5e90585
......@@ -477,8 +477,8 @@ api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-c
;allowed_domains =
;team_ids =
;allowed_organizations =
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'
;role_attribute_strict = false
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
role_attribute_strict = true
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
......
tf-stage2/keycloak.tf
View file @ b5e90585
......@@ -419,8 +419,7 @@ resource "keycloak_group_roles" "devops" {
realm_id = "archlinux"
group_id = keycloak_group.staff_groups["DevOps"].id
role_ids = [
keycloak_role.devops.id,
keycloak_role.grafana_archlinux_devops.id
keycloak_role.devops.id
]
}
......@@ -775,29 +774,6 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
add_to_access_token = false
}
// All of the below is to restrict access to Grafana to members in the Arch Linux DevOps group.
resource "keycloak_role" "grafana_archlinux_devops" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "DevOps"
description = "Arch Linux Staff Grafana"
}
resource "keycloak_generic_client_role_mapper" "grafana_archlinux_devops_to_email" {
realm_id = "archlinux"
role_id = keycloak_role.grafana_archlinux_devops.id
client_scope_id = keycloak_openid_client_scope.email.id
}
// This needs to be imported from the default client scopes created by Keycloak.
resource "keycloak_openid_client_scope" "email" {
realm_id = "archlinux"
name = "email"
description = "OpenID Connect built-in scope: email"
include_in_token_scope = true
consent_screen_text = "$${emailScopeConsentText}"
}
resource "keycloak_openid_client" "hedgedoc_openid_client" {
realm_id = "archlinux"
client_id = "openid_hedgedoc"
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment