From cc47bf6b9f732c5096bf5a94fc16000e06d822cb Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Fri, 24 Apr 2026 15:49:47 +0200
Subject: [PATCH] grafana access
---
 infra/values/base/grafana-values.yaml | 4 +++-
 infra/values/base/keycloak-values.yaml | 18 +++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/infra/values/base/grafana-values.yaml b/infra/values/base/grafana-values.yaml
index a54164c..81e2dbf 100644
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -35,7 +35,9 @@ grafana.ini:
 auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
 token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
 api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
- role_attribute_path: ""
+ role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
+ role_attribute_strict: true
+ allow_assign_grafana_admin: true
 auto_login: true
 auth:
 disable_login_form: true
diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml
index d8f98e7..6fad310 100644
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -115,7 +115,23 @@ keycloakConfigCli:
 "k8s.secret.name": "grafana-oidc-credentials",
 "k8s.secret.client-id-key": "client-id",
 "k8s.secret.client-secret-key": "client-secret"
- }
+ },
+ "protocolMappers": [
+ {
+ "name": "client-roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "config": {
+ "claim.name": "resource_access.grafana.roles",
+ "jsonType.label": "String",
+ "multivalued": "true",
+ "usermodel.clientRoleMapping.clientId": "grafana",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
 }
 ]
 }
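Review bot: The trailing `|| 'Viewer'` in the new `role_attribute_path` means the expression always yields a role, so the `role_attribute_strict: true` added beside it can never reject a login, and any account that can authenticate against the `forte` realm lands in Grafana as Viewer. If access is meant to be limited to users holding a `grafana` client role, end the expression with `|| contains(resource_access.grafana.roles[*], 'Viewer') && 'Viewer'` instead, which needs a matching `Viewer` client role in Keycloak. `allow_assign_grafana_admin: true` also looks unnecessary, since the expression never returns `GrafanaAdmin`; the flag only widens what a later edit to the mapping could grant, and `allow_assign_grafana_admin: false` keeps server-admin assignment out of the IdP until it is actually wanted.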
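Review bot: The mapper added under the `grafana` client emits whatever client roles a user holds, but no `Admin` or `Editor` role definitions for that client are visible in this hunk, and the Grafana side matches those names exactly. If the roles are not declared in the realm import (the client JSON continues outside the hunk, so they may be), they have to be created and assigned by hand, and a missing or differently cased role silently falls through to the default in `role_attribute_path`. Declaring the client roles next to the client in the same import would keep the authorization mapping reviewable in one place, and a short YAML comment above the realm JSON naming who may assign `Admin` would document that this role now grants Grafana org-admin rights.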