Adding permissions in Grafana

All Grafana deployments are configured via OAuth using the Dex connector. Permissions are distributed by mapping OCP groups to Grafana roles. This is done by updating the role_attribute_path as described here via the Grafana CR.

Give an OCP group a Grafana role

Navigate to the Grafana CR; for the Grafana instance on the MOC environment, it is here. Find the role_attribute_path attribute under spec.config.auth.generic_oauth.

You will see something like the following:

  role_attribute_path: |
    contains(groups[*], 'operate-first') && 'Admin' ||
    contains(groups[*], 'data-science') && 'Viewer' ||
    'Deny'

Add a line before 'Deny' in the form contains(groups[*], '<YOUR_OCP_GROUP>') && '<GRAFANA_ROLE>' ||. For example, if we wanted to give the OCP group “my-team” the “Editor” Grafana role, we would update the field like so:

  role_attribute_path: |
    contains(groups[*], 'operate-first') && 'Admin' ||
    contains(groups[*], 'data-science') && 'Viewer' ||
    contains(groups[*], 'my-team') && 'Editor' ||
    'Deny'

Alternatively, if you do not want to create your own group and simply want read-only access to Grafana, you can add yourself to the grafana-viewer group.

Submit a PR with the changes.
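
A check to run on the edited expression before opening the PR, added here as an example (not Operate First or Grafana code). It models only the contains(groups[*], ...) && ... || form shown on this page in plain Python rather than running a JMESPath engine, and the function names are hypothetical. It shows that the first matching clause wins, so a user in both data-science and my-team resolves to Viewer, not Editor.

```python
import re

# The updated expression from this page, copied verbatim.
EXPR = """
contains(groups[*], 'operate-first') && 'Admin' ||
contains(groups[*], 'data-science') && 'Viewer' ||
contains(groups[*], 'my-team') && 'Editor' ||
'Deny'
"""
ROLES = {"Viewer", "Editor", "Admin"}  # Grafana's basic organization roles
CLAUSE = re.compile(r"contains\(groups\[\*\],\s*'([^']+)'\)\s*&&\s*'([^']+)'")
LITERAL = re.compile(r"'([^']+)'")

def parse(expr):
    """Split the expression into ordered (group, role) rules and the fallback."""
    *clauses, last = [part.strip() for part in expr.split("||")]
    rules = []
    for clause in clauses:
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unrecognised clause: {clause!r}")
        rules.append(m.groups())
    fallback = LITERAL.fullmatch(last)
    if fallback is None:
        raise ValueError("expression must end with a quoted fallback such as 'Deny'")
    return rules, fallback.group(1)

def lint(expr):
    """Return a list of problems a reviewer would flag in the PR."""
    rules, fallback = parse(expr)
    problems = [] if fallback == "Deny" else [f"fallback is {fallback!r}, not 'Deny'"]
    seen = set()
    for group, role in rules:
        if role not in ROLES:
            problems.append(f"{group}: unknown role {role!r}")
        if group in seen:
            problems.append(f"{group}: repeated clause is never reached")
        seen.add(group)
    return problems

def resolve(expr, groups):
    """Role for a user's group list: the first matching clause wins."""
    rules, fallback = parse(expr)
    return next((role for group, role in rules if group in groups), fallback)

if __name__ == "__main__":
    print(lint(EXPR))
    for groups in (["my-team"], ["data-science", "my-team"], ["unlisted"]):
        print(groups, "->", resolve(EXPR, groups))
```

If members of a new group should get the higher role even when they also belong to an earlier group, place the new clause above that group's line.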