Commit b5e90585 authored by Kristian Klausen's avatar Kristian Klausen 🎉

Merge branch 'remove-keycloak-hack' into 'master'

grafana: Use builtin functionality to restrict access

See merge request !443
parents a898f42e e7aa7f09
...@@ -477,8 +477,8 @@ api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-c ...@@ -477,8 +477,8 @@ api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-c
;allowed_domains = ;allowed_domains =
;team_ids = ;team_ids =
;allowed_organizations = ;allowed_organizations =
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer' role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
;role_attribute_strict = false role_attribute_strict = true
;tls_skip_verify_insecure = false ;tls_skip_verify_insecure = false
;tls_client_cert = ;tls_client_cert =
;tls_client_key = ;tls_client_key =
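Review bot: The access restriction in this hunk now rests entirely on `role_attribute_strict = true` rejecting logins whose JMESPath result is not a valid role, and nothing in the file records that this is the access-control mechanism; a comment above `role_attribute_path` such as `; Access control: users without the DevOps realm role evaluate to no role and are rejected by role_attribute_strict.` would keep the intent from being lost the next time someone relaxes the strict flag. The expression yields a role only when the `roles` claim contains `DevOps`, so the restriction presumably depends on the realm-role protocol mapper still populating the token Grafana evaluates — worth confirming against the mapper's `add_to_access_token = false` in the accompanying Keycloak change. Minor style point: `role_attribute_path:` uses `:` while every neighbouring key uses `=`; as far as I know Grafana's ini parser accepts both delimiters, but `role_attribute_path = …` would match the rest of the file.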
...@@ -419,8 +419,7 @@ resource "keycloak_group_roles" "devops" { ...@@ -419,8 +419,7 @@ resource "keycloak_group_roles" "devops" {
realm_id = "archlinux" realm_id = "archlinux"
group_id = keycloak_group.staff_groups["DevOps"].id group_id = keycloak_group.staff_groups["DevOps"].id
role_ids = [ role_ids = [
keycloak_role.devops.id, keycloak_role.devops.id
keycloak_role.grafana_archlinux_devops.id
] ]
} }
...@@ -775,29 +774,6 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp ...@@ -775,29 +774,6 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
add_to_access_token = false add_to_access_token = false
} }
// All of the below is to restrict access to Grafana to members in the Arch Linux DevOps group.
resource "keycloak_role" "grafana_archlinux_devops" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "DevOps"
description = "Arch Linux Staff Grafana"
}
resource "keycloak_generic_client_role_mapper" "grafana_archlinux_devops_to_email" {
realm_id = "archlinux"
role_id = keycloak_role.grafana_archlinux_devops.id
client_scope_id = keycloak_openid_client_scope.email.id
}
// This needs to be imported from the default client scopes created by Keycloak.
resource "keycloak_openid_client_scope" "email" {
realm_id = "archlinux"
name = "email"
description = "OpenID Connect built-in scope: email"
include_in_token_scope = true
consent_screen_text = "$${emailScopeConsentText}"
}
resource "keycloak_openid_client" "hedgedoc_openid_client" { resource "keycloak_openid_client" "hedgedoc_openid_client" {
realm_id = "archlinux" realm_id = "archlinux"
client_id = "openid_hedgedoc" client_id = "openid_hedgedoc"
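Review bot: Dropping `keycloak_openid_client_scope.email` from the configuration in the second hunk makes Terraform plan its destruction, and the removed comment on that resource says it was imported from Keycloak's default client scopes rather than created here, so an apply would delete the realm's built-in `email` scope unless the address was first taken out of state with `terraform state rm`. If that state cleanup happened out of band, recording it in the commit message (or with a `removed` block, if the Terraform version in use supports one) would let the next reader verify it. Removing the `grafana_archlinux_devops` client role and its group mapping in the first hunk is consistent with the Grafana-side change and destroying those created resources is expected. The `hedgedoc_openid_client` resource block continues outside the hunk.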