Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
Open sidebar
David Runge
infrastructure
Commits
649568e7
Commit
649568e7
authored
Dec 10, 2020
by
Sven-Hendrik Haase
Committed by
Jelle van der Waa
Dec 11, 2020
Browse files
Restrict Grafana access to Arch Linux Staff group on Keycloak (fixes #151)
parent
cfa10ae5
Changes
1
Hide whitespace changes
Inline
Side-by-side
tf-stage2/keycloak.tf
View file @
649568e7
...
...
@@ -415,7 +415,8 @@ resource "keycloak_group_roles" "staff" {
realm_id
=
"archlinux"
group_id
=
keycloak_group
.
staff
.
id
role_ids
=
[
keycloak_role
.
staff
.
id
keycloak_role
.
staff
.
id
,
keycloak_role
.
grafana_archlinux_staff
.
id
]
}
...
...
@@ -761,3 +762,26 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
add_to_id_token
=
false
add_to_access_token
=
false
}
// All of the below is to restrict access to Grafana to members in the Arch Linux Staff group.
resource
"keycloak_role"
"grafana_archlinux_staff"
{
realm_id
=
"archlinux"
client_id
=
keycloak_openid_client
.
grafana_openid_client
.
id
name
=
"Staff"
description
=
"Arch Linux Staff Grafana"
}
resource
"keycloak_generic_client_role_mapper"
"grafana_archlinux_staff_to_email"
{
realm_id
=
"archlinux"
role_id
=
keycloak_role
.
grafana_archlinux_staff
.
id
client_scope_id
=
keycloak_openid_client_scope
.
email
.
id
}
// This needs to be imported from the default client scopes created by Keycloak.
resource
"keycloak_openid_client_scope"
"email"
{
realm_id
=
"archlinux"
name
=
"email"
description
=
"OpenID Connect built-in scope: email"
include_in_token_scope
=
true
consent_screen_text
=
"
$
${
emailScopeConsentText
}
"
}
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment