feat(grafana)!: Variable for role attribute path mapping #443

Merged
saibotk merged 1 commit from grafana-keycloak-adjustments into main 2025-10-26 15:47:30 +01:00
Owner

BREAKING CHANGE: You need to add the role_attribute_path attribute to the monitoring_grafana_oauth dict.

We now allow to configure the role attribute path mapping, because Keycloak by default does not map its realm / client roles into a roles field, but instead uses resource_access.CLIENTID.roles.
This was changed for simpler setups with Keycloak.
Otherwise, you would need to create a custom mapper for the roles property and enable it on the Grafana client.
To do so, we now also request the roles scope.

Note: Our default now also explicitly maps users without a role to None instead of Viewer.
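The following is an added example, not code from this PR or the infrastructure repo: it renders the `role_attribute_path` expression the PR introduces with the Keycloak client id written only once (quoting ids that are not bare JMESPath identifiers), and models, in plain Python rather than Grafana's JMESPath evaluator, which org role constructed Keycloak-style claims should produce, including users with only realm roles or roles in another client. `SAMPLE_CLAIMS` and the helper names are assumptions made for this example.

```python
"""Render the Grafana role_attribute_path for Keycloak client roles and model its result.
Added example (not the PR's code): plain Python stands in for JMESPath here, so
confirm the mapping against a real login before relying on it."""
import re
from typing import Any, Dict, List

# Precedence from the PR's default: highest role wins, no match -> 'None'.
ROLE_PRECEDENCE = ["GrafanaAdmin", "Admin", "Editor"]

def build_role_attribute_path(client_id: str, roles: List[str] = ROLE_PRECEDENCE) -> str:
    """Render the JMESPath expression for resource_access.<client_id>.roles.
    Client ids such as 'grafana-prod' are not bare JMESPath identifiers and must be
    quoted (escape those quotes again if the YAML value itself is double-quoted)."""
    key = client_id if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", client_id) else f'"{client_id}"'
    roles_path = f"resource_access.{key}.roles[*]"
    clauses = [f"contains({roles_path}, '{r}') && '{r}'" for r in roles]
    return " || ".join(clauses + ["'None'"])

def expected_org_role(claims: Dict[str, Any], client_id: str,
                      roles: List[str] = ROLE_PRECEDENCE) -> str:
    """Intended outcome of the expression for one token/userinfo payload: the first
    precedence role present among this client's roles wins, otherwise 'None'.
    Realm roles (realm_access) and other clients' roles are deliberately ignored."""
    client_roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    for role in roles:
        if role in client_roles:
            return role
    return "None"

# Constructed Keycloak-style claims for the demonstration (not real tokens).
SAMPLE_CLAIMS = {
    "alice": {"resource_access": {"grafana": {"roles": ["Editor", "GrafanaAdmin"]}}},
    "bob":   {"resource_access": {"grafana": {"roles": ["Editor"]}}},
    "carol": {"realm_access": {"roles": ["Admin"]}},                     # realm role only
    "dave":  {"resource_access": {"other-app": {"roles": ["Admin"]}}},   # roles in another client
}

def role_report(client_id: str = "grafana") -> Dict[str, str]:
    """Map each constructed user to the org role the expression is meant to yield."""
    return {user: expected_org_role(claims, client_id) for user, claims in SAMPLE_CLAIMS.items()}

if __name__ == "__main__":
    print(build_role_attribute_path("grafana"))
    for user, role in role_report().items():
        print(f"{user}: {role}")
```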

saibotk self-assigned this 2025-10-23 00:42:54 +02:00
feat(keycloak)!: Variable for role attribute path mapping
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
3ba6bf2475
BREAKING CHANGE: You need to add the `role_attribute_path` attribute to the `monitoring_grafana_oauth` dict.

We now allow to configure the role attribute path mapping, because Keycloak by default does not map its realm / client roles into a `roles` field, but instead uses `resource_access.CLIENTID.roles`.
This was changed for simpler setups with Keycloak.
Otherwise, you would need to create a custom mapper for the roles property and enable it on the Grafana client.
To do so, we now also request the `roles` scope.

Note: Our default now also explicitly maps users without a role to `None` instead of `Viewer`.
saibotk force-pushed grafana-keycloak-adjustments from 3ba6bf2475
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to 83518a3834
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-23 01:05:28 +02:00
saibotk force-pushed grafana-keycloak-adjustments from 83518a3834
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to dc05b059f1
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-23 01:22:12 +02:00
histalek approved these changes 2025-10-23 07:48:52 +02:00
histalek left a comment
Owner

LGTM

Changing the default role to 'None' was way overdue

@ -67,2 +67,4 @@
client_secret: "something-secret123"
allow_assign_grafana_admin: false
# For Keycloak: Instead of the lowercase grafana, please use the client id you chose.
role_attribute_path: "contains(resource_access.grafana.roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'None'" # noqa yaml[line-length]
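Review bot: for a user who has no roles in the grafana client at all, `resource_access.grafana.roles[*]` evaluates to null rather than an empty list, and JMESPath's `contains()` accepts only an array or string subject, so please verify that such users really land on the `'None'` fallback and not on Grafana's default role; setting `role_attribute_strict: true` next to `allow_assign_grafana_admin: false` would make a failed or unexpected mapping deny the login instead of silently assigning a role. Since the client id also has to be edited in three places inside this one string, consider deriving it from the client id variable in the template so the comment on the line above cannot drift from the value.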
Owner

could we use multiline yaml here? splitting at the ORs maybe?

```yaml
# folded scalar: no surrounding double quotes (a block scalar would keep them literally),
# and '>-' drops the trailing newline
role_attribute_path: >-
  contains(resource_access.grafana.roles[*], 'GrafanaAdmin') && 'GrafanaAdmin'
  || contains(resource_access.grafana.roles[*], 'Admin') && 'Admin'
  || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor'
  || 'None'
```
saibotk marked this conversation as resolved
saibotk changed title from feat(keycloak)!: Variable for role attribute path mapping to feat(grafana)!: Variable for role attribute path mapping 2025-10-26 15:37:57 +01:00
saibotk force-pushed grafana-keycloak-adjustments from dc05b059f1
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to d9f9056141
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-26 15:38:32 +01:00
saibotk force-pushed grafana-keycloak-adjustments from d9f9056141
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to 9731ad41ab
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
ci/woodpecker/push/ansible-lint Pipeline was successful
2025-10-26 15:46:09 +01:00
saibotk deleted branch grafana-keycloak-adjustments 2025-10-26 15:47:30 +01:00
Reference
SipsOfCode/infrastructure!443