feat(docs/grafana): Add role mapping info (#756)
* feat(docs/grafana): Add role mapping info * feat(docs/grafana): More info on role mappings
This commit is contained in:
parent
10b45a8dea
commit
ef080900a4
|
@ -52,8 +52,10 @@ environment:
|
|||
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
|
||||
GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
|
||||
GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/<Slug of the application from above>/end-session/"
|
||||
# Optionally enable auto-login
|
||||
# Optionally enable auto-login (bypasses Grafana login screen)
|
||||
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
|
||||
# Optionally map user groups to Grafana roles
|
||||
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem value="standalone">
|
||||
|
@ -74,6 +76,22 @@ scopes = openid email profile
|
|||
auth_url = https://authentik.company/application/o/authorize/
|
||||
token_url = https://authentik.company/application/o/token/
|
||||
api_url = https://authentik.company/application/o/userinfo/
|
||||
# Optionally map user groups to Grafana roles
|
||||
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||
```
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
### Role Mappings
|
||||
|
||||
In the configuration above you can see an example of a role mapping. Upon login, this configuration looks at the groups of which the current user is a member. If any of the specified group names are found, the user will be granted the resulting role in Grafana.
|
||||
|
||||
In the example shown above, one of the specified group names is "Grafana Admins". If the user is a member of this group, they will be granted the "Admin" role in Grafana.
|
||||
If the user is not a member of the "Grafana Admins" group, it moves on to see if the user is a member of the "Grafana Editors" group. If they are, they are granted the "Editor" role. Finally, if the user is not found to be a member of either of these groups, it fails back to granting the "Viewer" role.
|
||||
|
||||
```text
|
||||
contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||
^ attribute to search ^ group to search for ^ role to grant ^ or grant "Viewer" role.
|
||||
```
|
||||
|
||||
For more information on group/role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).
|
||||
|
|
Reference in a new issue