From 1a8fb518e159bdc2a69ee0bf7160ee08962922cc Mon Sep 17 00:00:00 2001
From: Ravi Pendurty
Date: Fri, 9 May 2025 15:04:03 +0530
Subject: [PATCH] Include grafana roles at a realm level

Update user roles to include grafana roles
Remove grafana roles at client level

Issue-ID: OAM-456
Change-Id: I70778375d9e1862394ac6dddce0c0648e19c0053
Signed-off-by: Ravi Pendurty
---
 solution/smo/common/identity/authentication.json | 30 ++++---------
 solution/smo/common/identity/o-ran-sc-realm.json | 54 ++++++++++++------------
 solution/smo/oam/pm/docker-compose-grafana.yaml | 4 +-
 3 files changed, 38 insertions(+), 50 deletions(-)

diff --git a/solution/smo/common/identity/authentication.json b/solution/smo/common/identity/authentication.json
index 9ff99b6..e86482e 100644
--- a/solution/smo/common/identity/authentication.json
+++ b/solution/smo/common/identity/authentication.json
@@ -32,10 +32,7 @@
 ],
 "requiredActions": [
 "UPDATE_PASSWORD"
- ],
- "clientRoles" : {
- "grafana-ui.app" : [ "grafanaadmin" ]
- }
+ ]
 },
 {
 "firstName": "Luke",
@@ -52,10 +52,7 @@
 ],
 "requiredActions": [
 "UPDATE_PASSWORD"
- ],
- "clientRoles" : {
- "grafana-ui.app" : [ "editor" ]
- }
+ ]
 },
 {
 "firstName": "Jargo",
@@ -72,10 +72,7 @@
 ],
 "requiredActions": [
 "UPDATE_PASSWORD"
- ],
- "clientRoles" : {
- "grafana-ui.app" : [ "viewer" ]
- }
+ ]
 },
 {
 "firstName": "Martin",
@@ -92,32 +83,29 @@
 ],
 "requiredActions": [
 "UPDATE_PASSWORD"
- ],
- "clientRoles" : {
- "grafana-ui.app" : [ "grafanaadmin" ]
- }
+ ]
 }
 ],
 "grants": [
 {
 "username": "leia.organa",
- "role": "administration"
+ "role": "administration,GrafanaAdmin"
 },
 {
 "username": "r2.d2",
- "role": "administration"
+ "role": "administration,GrafanaAdmin"
 },
 {
 "username": "luke.skywalker",
- "role": "provision"
+ "role": "administration,GrafanaEditor"
 },
 {
 "username": "jargo.fett",
- "role": "supervision"
+ "role": "administration,GrafanaViewer"
 },
 {
 "username": "martin.skorupski",
- "role": "administration"
+ "role": "administration,GrafanaAdmin"
 }
 ]
 }
\ No newline at end of file
diff --git a/solution/smo/common/identity/o-ran-sc-realm.json b/solution/smo/common/identity/o-ran-sc-realm.json
index 27cc221..00a99a8 100644
--- a/solution/smo/common/identity/o-ran-sc-realm.json
+++ b/solution/smo/common/identity/o-ran-sc-realm.json
@@ -71,6 +71,32 @@
 "containerId": "onap",
 "attributes": {}
 },
+ {
+ "id" : "92ba139a-ef35-4468-805a-49bd7d101a28",
+ "name" : "GrafanaAdmin",
+ "description" : "",
+ "composite" : false,
+ "clientRole" : false,
+ "containerId" : "onap",
+ "attributes" : { }
+ },
+ {
+ "id" : "83487680-381b-4d9e-a1eb-22700db49542",
+ "name" : "GrafanaViewer",
+ "description" : "",
+ "composite" : false,
+ "clientRole" : false,
+ "containerId" : "onap",
+ "attributes" : { }
+ }, {
+ "id" : "4ac3ada6-f147-48e9-a66a-caa8f2d4e235",
+ "name" : "GrafanaEditor",
+ "description" : "",
+ "composite" : false,
+ "clientRole" : false,
+ "containerId" : "onap",
+ "attributes" : { }
+ },
 {
 "id": "e344eb3a-8efe-4346-b5d4-93b9262cf0ec",
 "name": "offline_access",
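Review bot: The grants for luke.skywalker and jargo.fett change from `provision` and `supervision` to `administration,GrafanaEditor` and `administration,GrafanaViewer`, which hands the realm-level `administration` role to two accounts that did not hold it before; the commit message only describes adding Grafana roles, so this reads as an unintended widening of privilege rather than least privilege. If only the Grafana role is meant to be added, keep each user's original role in the value, e.g. `"role": "provision,GrafanaEditor"` and `"role": "supervision,GrafanaViewer"`. The `role` value is now a comma-separated list inside a single string; whatever consumes authentication.json must split it, which cannot be confirmed from this patch, and a JSON array (e.g. `"roles": ["provision", "GrafanaEditor"]`) would make the shape explicit if the consumer can be adjusted.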
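Review bot: The three new realm roles carry `"description" : ""`, while the client roles they replace (removed in the later hunk of this file) documented their purpose, so an operator reviewing the realm export loses that context. Suggest carrying the text over: `"description" : "Grafana Administrator Role"`, `"description" : "Grafana Read Write Role"` and `"description" : "Read only access Role"` for GrafanaAdmin, GrafanaEditor and GrafanaViewer respectively. The added entries also use the `"key" : value` spacing and the `}, {` separator of a Keycloak export rather than the `"key": value` / `},` `{` layout of the surrounding entries; reformatting them to match keeps the file's style consistent. Whether `realm_access.roles` actually reaches Grafana depends on the realm-roles protocol mapper configuration, which is not part of this patch, so it is worth confirming the claim is present in the token or userinfo response that Grafana evaluates.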
@@ -305,33 +331,7 @@
 ],
 "odlux.app": [],
 "kafka-ui.app": [],
- "grafana-ui.app": [
- {
- "id" : "b072ad1a-818e-4ff9-b98c-3179bd7f4228",
- "name" : "editor",
- "description" : "Grafana Read Write Role",
- "composite" : false,
- "clientRole" : true,
- "containerId" : "9fc6cecf-f3a8-48a8-8065-b2fc80b8b2f5",
- "attributes" : { }
- }, {
- "id" : "09436bef-901c-44a5-b38d-508273d730ba",
- "name" : "viewer",
- "description" : "Read only access Role",
- "composite" : false,
- "clientRole" : true,
- "containerId" : "9fc6cecf-f3a8-48a8-8065-b2fc80b8b2f5",
- "attributes" : { }
- }, {
- "id" : "37e3d5fc-41d6-4926-a9c9-e3d96f7f4d6a",
- "name" : "grafanaadmin",
- "description" : "Grafana Administrator Role",
- "composite" : false,
- "clientRole" : true,
- "containerId" : "9fc6cecf-f3a8-48a8-8065-b2fc80b8b2f5",
- "attributes" : { }
- }
- ],
+ "grafana-ui.app": [],
 "security-admin-console": [],
 "admin-cli": [],
 "account-console": [],
diff --git a/solution/smo/oam/pm/docker-compose-grafana.yaml b/solution/smo/oam/pm/docker-compose-grafana.yaml
index 47f0b1b..86d27dc 100644
--- a/solution/smo/oam/pm/docker-compose-grafana.yaml
+++ b/solution/smo/oam/pm/docker-compose-grafana.yaml
@@ -7,7 +7,6 @@ services:
 environment:
 GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
 GF_AUTH_GENERIC_OAUTH_NAME: "Keycloak"
- GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
 GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana-ui.app"
 GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "lVPuFWZlOV7yAbV1FIuaM0FOodD7cLTm"
 GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email offline_access roles"
@@ -16,7 +15,8 @@ services:
 GF_AUTH_GENERIC_OAUTH_API_URL: "https://identity.${HTTP_DOMAIN}/realms/onap/protocol/openid-connect/userinfo"
 GF_SERVER_ROOT_URL: "https://grafana.${HTTP_DOMAIN}"
 GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE: role
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(resource_access."grafana-ui.app".roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access."grafana-ui.app".roles[*], 'admin') && 'Admin' || contains(resource_access."grafana.app".roles[*], 'editor') && 'Editor' || 'Viewer'
+ #GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(resource_access."grafana-ui.app".roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access."grafana-ui.app".roles[*], 'admin') && 'Admin' || contains(resource_access."grafana.app".roles[*], 'editor') && 'Editor' || 'Viewer'
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(realm_access.roles[*], 'GrafanaAdmin') && 'Admin' || contains(realm_access.roles[*], 'GrafanaEditor') && 'Editor' || contains(realm_access.roles[*], 'GrafanaViewer') && 'Viewer' || 'Viewer'
 GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ROLES: true
 GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN: true
 GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: true
-- 
2.16.6
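Review bot: The new `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` ends in `&& 'Viewer' || 'Viewer'`, so the GrafanaViewer branch is redundant and every authenticated realm user who holds none of the Grafana roles is still admitted as Viewer; together with the earlier hunk dropping `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP` (as far as I know Grafana's default for that setting is to allow sign-up, so the deletion does not turn it off), any account in the Keycloak realm can log in to Grafana. If only users carrying a Grafana* role should get in, drop the trailing `|| 'Viewer'` and set `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: true` so a missing role denies login instead of defaulting. The expression also maps GrafanaAdmin to the org role `'Admin'`, whereas the replaced expression produced the server role `'GrafanaAdmin'`; since no branch now yields `'GrafanaAdmin'`, `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN: true` on the following lines has nothing to act on, so either restore `&& 'GrafanaAdmin'` for that branch or remove the flag, whichever is intended. The commented-out previous expression should be deleted rather than kept in the compose file, since version control already preserves it.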