Adding permissions in Grafana
All Grafana deployments are configured via OAuth using the Dex connector. Permissions are distributed by mapping Grafana roles to OCP groups. This is done by updating the role_attribute_path, as described here, via the Grafana CR.
Give OCP group Grafana role
Navigate to the Grafana CR for the Grafana instance on the MOC environment here.
Find the attribute role_attribute_path under spec.config.auth.generic_oauth.
You will see something like the following:
    role_attribute_path: |
      contains(groups[*], 'operate-first') && 'Admin' ||
      contains(groups[*], 'data-science') && 'Viewer' ||
      'Deny'
Add a line before 'Deny' in the form of contains(groups[*], '<YOUR_OCP_GROUP>') && '<GRAFANA_ROLE>' ||
For example, if we wanted to give the OCP group “my-team” the “Editor” Grafana role, we would update the field like so:
    role_attribute_path: |
      contains(groups[*], 'operate-first') && 'Admin' ||
      contains(groups[*], 'data-science') && 'Viewer' ||
      contains(groups[*], 'my-team') && 'Editor' ||
      'Deny'
Alternatively, if you do not want to create your own group and simply want read-only access to Grafana, you can add yourself to the grafana-viewer group.
Submit a PR with the changes.
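Before opening the PR, the edited expression can be checked offline for malformed lines and for the role a given set of groups resolves to. This is an added example, not part of the original documentation or the project's tooling: it models only the line form shown on this page (it is not a full JMESPath evaluator), and the function names and the role list are assumptions.

```python
import re

# One mapping line in the form this page uses, including the trailing `||`.
RULE = re.compile(r"^contains\(groups\[\*\], '([^']+)'\) && '([^']+)' \|\|$")
FALLBACK = re.compile(r"^'([^']+)'$")
# Assumption: the basic Grafana organization roles; extend if your version accepts others.
VALID_ROLES = {"Viewer", "Editor", "Admin"}


def parse_role_path(expr):
    """Return ([(group, role), ...], fallback) or raise ValueError."""
    lines = [ln.strip() for ln in expr.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty expression")
    *rule_lines, last = lines
    fb = FALLBACK.match(last)
    if not fb:
        raise ValueError(f"last line must be a quoted fallback, got: {last}")
    rules = []
    for ln in rule_lines:
        m = RULE.match(ln)
        if not m:
            raise ValueError(f"malformed mapping line: {ln}")
        group, role = m.groups()
        if role not in VALID_ROLES:
            raise ValueError(f"unknown Grafana role {role!r} for group {group!r}")
        rules.append((group, role))
    return rules, fb.group(1)


def resolve_role(expr, groups):
    """First matching line wins, as with JMESPath's left-to-right `||`."""
    rules, fallback = parse_role_path(expr)
    for group, role in rules:
        if group in groups:
            return role
    return fallback


# The expression from the example above.
EXPR = """
contains(groups[*], 'operate-first') && 'Admin' ||
contains(groups[*], 'data-science') && 'Viewer' ||
contains(groups[*], 'my-team') && 'Editor' ||
'Deny'
"""

if __name__ == "__main__":
    # Constructed group claims, not taken from a real token.
    for claim in (["my-team"], ["data-science", "my-team"], ["other"]):
        print(claim, "->", resolve_role(EXPR, claim))
```

A user who is in both data-science and my-team resolves to Viewer, because the data-science line comes first; put the line for the higher role earlier if that is not the intent.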