Include grafana roles at a realm level 87/14387/1
authorRavi Pendurty <ravi.pendurty@highstreet-technologies.com>
Fri, 9 May 2025 09:34:03 +0000 (15:04 +0530)
committerRavi Pendurty <ravi.pendurty@highstreet-technologies.com>
Fri, 9 May 2025 09:34:50 +0000 (15:04 +0530)
Update user roles to include grafana roles

Remove grafana roles at client level

Issue-ID: OAM-456
Change-Id: I70778375d9e1862394ac6dddce0c0648e19c0053
Signed-off-by: Ravi Pendurty <ravi.pendurty@highstreet-technologies.com>
solution/smo/common/identity/authentication.json
solution/smo/common/identity/o-ran-sc-realm.json
solution/smo/oam/pm/docker-compose-grafana.yaml

index 9ff99b6..e86482e 100644 (file)
             ],
             "requiredActions": [
                 "UPDATE_PASSWORD"
-            ],
-            "clientRoles" : {
-                "grafana-ui.app" : [ "grafanaadmin" ]
-            }
+            ]
         },
         {
             "firstName": "Luke",
             ],
             "requiredActions": [
                 "UPDATE_PASSWORD"
-            ],
-            "clientRoles" : {
-                "grafana-ui.app" : [ "editor" ]
-            }
+            ]
         },
         {
             "firstName": "Jargo",
             ],
             "requiredActions": [
                 "UPDATE_PASSWORD"
-            ],
-            "clientRoles" : {
-                "grafana-ui.app" : [ "viewer" ]
-            }
+            ]
         },
         {
             "firstName": "Martin",
             ],
             "requiredActions": [
                 "UPDATE_PASSWORD"
-            ],
-            "clientRoles" : {
-                "grafana-ui.app" : [ "grafanaadmin" ]
-            }
+            ]
         }
     ],
     "grants": [
         {
             "username": "leia.organa",
-            "role": "administration"
+            "role": "administration,GrafanaAdmin"
         },
         {
             "username": "r2.d2",
-            "role": "administration"
+            "role": "administration,GrafanaAdmin"
         },
         {
             "username": "luke.skywalker",
-            "role": "provision"
+            "role": "administration,GrafanaEditor"
         },
         {
             "username": "jargo.fett",
-            "role": "supervision"
+            "role": "administration,GrafanaViewer"
         },
         {
             "username": "martin.skorupski",
-            "role": "administration"
+            "role": "administration,GrafanaAdmin"
         }
     ]
 }
\ No newline at end of file
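Review bot: In the `grants` array, `luke.skywalker` moves from `provision` to `administration` and `jargo.fett` from `supervision` to `administration`, which the commit message does not mention; it only describes adding Grafana roles. If `administration` is the most privileged application role (its definition is not visible here), both accounts gain rights unrelated to Grafana. To keep the original roles and only append the Grafana one, the entries would read `"role": "provision,GrafanaEditor"` and `"role": "supervision,GrafanaViewer"`. If the elevation is intended, it should be stated in the commit description.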
index 27cc221..00a99a8 100644 (file)
         "containerId": "onap",
         "attributes": {}
       },
+      {
+        "id" : "92ba139a-ef35-4468-805a-49bd7d101a28",
+        "name" : "GrafanaAdmin",
+        "description" : "",
+        "composite" : false,
+        "clientRole" : false,
+        "containerId" : "onap",
+        "attributes" : { }
+      },
+      {
+        "id" : "83487680-381b-4d9e-a1eb-22700db49542",
+        "name" : "GrafanaViewer",
+        "description" : "",
+        "composite" : false,
+        "clientRole" : false,
+        "containerId" : "onap",
+        "attributes" : { }
+      }, {
+        "id" : "4ac3ada6-f147-48e9-a66a-caa8f2d4e235",
+        "name" : "GrafanaEditor",
+        "description" : "",
+        "composite" : false,
+        "clientRole" : false,
+        "containerId" : "onap",
+        "attributes" : { }
+      },
       {
         "id": "e344eb3a-8efe-4346-b5d4-93b9262cf0ec",
         "name": "offline_access",
       ],
       "odlux.app": [],
       "kafka-ui.app": [],
-      "grafana-ui.app": [
-        {
-          "id" : "b072ad1a-818e-4ff9-b98c-3179bd7f4228",
-          "name" : "editor",
-          "description" : "Grafana Read Write Role",
-          "composite" : false,
-          "clientRole" : true,
-          "containerId" : "9fc6cecf-f3a8-48a8-8065-b2fc80b8b2f5",
-          "attributes" : { }
-        }, {
-          "id" : "09436bef-901c-44a5-b38d-508273d730ba",
-          "name" : "viewer",
-          "description" : "Read only access Role",
-          "composite" : false,
-          "clientRole" : true,
-          "containerId" : "9fc6cecf-f3a8-48a8-8065-b2fc80b8b2f5",
-          "attributes" : { }
-        }, {
-          "id" : "37e3d5fc-41d6-4926-a9c9-e3d96f7f4d6a",
-          "name" : "grafanaadmin",
-          "description" : "Grafana Administrator Role",
-          "composite" : false,
-          "clientRole" : true,
-          "containerId" : "9fc6cecf-f3a8-48a8-8065-b2fc80b8b2f5",
-          "attributes" : { }
-        }
-      ],
+      "grafana-ui.app": [],
       "security-admin-console": [],
       "admin-cli": [],
       "account-console": [],
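Review bot: The three added realm roles (`GrafanaAdmin`, `GrafanaViewer`, `GrafanaEditor`) all carry `"description" : ""`, while the client roles they replace had descriptions. Realm roles are visible realm-wide rather than scoped to the `grafana-ui.app` client, so a description saying that each role only controls Grafana access would help whoever assigns them later. The removed texts can be reused, e.g. `"description" : "Grafana Administrator Role"`, `"description" : "Grafana Read Write Role"` and `"description" : "Read only access Role"`.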
index 47f0b1b..86d27dc 100644 (file)
@@ -7,7 +7,6 @@ services:
       environment:
         GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
         GF_AUTH_GENERIC_OAUTH_NAME: "Keycloak"
-        GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
         GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana-ui.app"
         GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "lVPuFWZlOV7yAbV1FIuaM0FOodD7cLTm"
         GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email offline_access roles"
@@ -16,7 +15,8 @@ services:
         GF_AUTH_GENERIC_OAUTH_API_URL: "https://identity.${HTTP_DOMAIN}/realms/onap/protocol/openid-connect/userinfo"
         GF_SERVER_ROOT_URL: "https://grafana.${HTTP_DOMAIN}"
         GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE: role
-        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(resource_access."grafana-ui.app".roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access."grafana-ui.app".roles[*], 'admin') && 'Admin' || contains(resource_access."grafana.app".roles[*], 'editor') && 'Editor' || 'Viewer'
+        #GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(resource_access."grafana-ui.app".roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access."grafana-ui.app".roles[*], 'admin') && 'Admin' || contains(resource_access."grafana.app".roles[*], 'editor') && 'Editor' || 'Viewer'
+        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(realm_access.roles[*], 'GrafanaAdmin') && 'Admin' || contains(realm_access.roles[*], 'GrafanaEditor') && 'Editor' || contains(realm_access.roles[*], 'GrafanaViewer') && 'Viewer' || 'Viewer'
         GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ROLES: true
         GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN: true
         GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: true
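Review bot: The new `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` expression ends in `|| 'Viewer'`, so a realm user with none of the three Grafana roles is still mapped to Viewer, and the explicit `GrafanaViewer` branch has no effect. If access is meant to depend on holding a Grafana realm role, drop the trailing fallback so the expression ends at `contains(realm_access.roles[*], 'GrafanaViewer') && 'Viewer'`, and add `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"` so that logins without a mapped role are rejected. The expression also no longer returns `'GrafanaAdmin'`, so `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN` in the context lines appears to be unused by it now. The commented-out previous expression is better deleted than kept, since the history already preserves it.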