Auth: Add org to role mappings support to Google integration (#88891)

* Auth: Implement org role mapping for google oauth provider

* Update docs

* Remove unused function

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
This commit is contained in:
Karl Persson
2024-06-07 14:07:35 +02:00
committed by GitHub
parent 5095ea84b2
commit f3efd95bb4
7 changed files with 148 additions and 99 deletions


@@ -201,8 +201,7 @@ The user's role is retrieved using a [JMESPath](http://jmespath.org/examples.htm
To map the server administrator role, use the `allow_assign_grafana_admin` configuration option.
If no valid role is found, the user is assigned the role specified by [the `auto_assign_org_role` option]({{< relref "../../../configure-grafana#auto_assign_org_role" >}}).
You can disable this default role assignment by setting `role_attribute_strict = true`.
This setting denies user access if no role or an invalid role is returned.
You can disable this default role assignment by setting `role_attribute_strict = true`. This setting denies user access if no role or an invalid role is returned after evaluating the `role_attribute_path` and the `org_mapping` expressions.
To ease configuration of a proper JMESPath expression, go to [JMESPath](http://jmespath.org/) to test and evaluate expressions with custom payloads.
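Review bot: the rewritten `role_attribute_strict` sentence now names both `role_attribute_path` and `org_mapping`, but the hunk never states how the two interact when both are configured, which is what an operator enabling strict mode needs to know. Add a sentence saying which expression takes precedence when both return a role for the same organization, and whether a valid result from only one of them is enough to satisfy `role_attribute_strict = true`, since "no role or an invalid role is returned after evaluating" leaves it ambiguous whether the check is per-expression or on the combined result.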
@@ -212,6 +211,20 @@ To ease configuration of a proper JMESPath expression, go to [JMESPath](http://j
This section includes examples of JMESPath expressions used for role mapping.
##### Org roles mapping example
The Google integration uses the external users' groups in the `org_mapping` configuration to map organizations and roles based on their Google group membership.
In this example, the user has been granted the role of a `Viewer` in the `org_foo` organization, and the role of an `Editor` in the `org_bar` and `org_baz` orgs.
The external user is part of the following Google groups: `group-1` and `group-2`.
Config:
```ini
org_mapping = group-1:org_foo:Viewer group-2:org_bar:Editor *:org_baz:Editor
```
###### Map roles using user information from OAuth token
In this example, the user with email `admin@company.com` has been granted the `Admin` role.
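Review bot: the `*:org_baz:Editor` entry in the example config is never explained, yet it is the one with the broadest effect: the prose only says the user "has been granted ... `Editor` in the `org_bar` and `org_baz` orgs", so a reader cannot tell that `org_baz` comes from a wildcard that matches every authenticated user rather than from `group-2`. State the entry format (`<google_group>:<org>:<role>`) and say explicitly that `*` applies regardless of group membership, so administrators understand that this line grants Editor in `org_baz` to everyone who can sign in. Also, the new heading is `##### Org roles mapping example` while the existing sibling example below it is `###### Map roles using user information from OAuth token`; the levels should match.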