grafana oauth config

testserver/docker_grafana/Documentation.md

+
+# Overview 
+
+* Anonymous Access is possible with Viewer permissions
+* Authentication to Grafana is only possible with an account in uffd, regular authentication is disabled 
+* All users with group 'grafana_access' can access the Application and get Editor permissions
+* Users with group 'grafana_admin' get administrative privileges in Grafana
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup in Grafana
+
+All setup is done in the grafana.ini
+References: 
+* https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/
+* https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
+
+## Setup in uffd
+
+Create Groups:
+
+- grafana_access: General Access to Grafana
+- grafana_admin: Admin Access to Grafana
+
+Create a Service / OAuth Client: 
+
+Only Users with goup grafana_access can access Wordpress 
+
+Client-ID: grafana
+Client-Secret: from file oauth_client_secret on the server
+Redirect-URIs: 
+* https://grafana.test-warpzone.de/login/generic_oauth
+

testserver/docker_grafana/tasks/main.yml

@@ -3,6 +3,7 @@
 - include_tasks: ../functions/get_secret.yml
   with_items:
     - { path: "{{ basedir }}/secrets/grafana_admin_pass", length: 12 }
+    - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 32 }
 #    - { path: "/srv/mqtt/influxdb_token", length: -1 }
 
 - name: create folder struct for grafana

testserver/docker_grafana/templates/docker-compose.yml

@@ -2,7 +2,7 @@ services:
 
   app:
 
-    image: grafana/grafana:latest
+    image: grafana/grafana-oss:latest
     restart: always
     volumes:
       - "{{ basedir }}/grafana.ini:/etc/grafana/grafana.ini"
@@ -10,6 +10,8 @@ services:
     environment:
       GF_SERVER_ROOT_URL: "https://{{ domain }}"
       GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}"
+      GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"
+      GF_LOG_LEVEL: "debug"
     labels:
       - traefik.enable=true
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)

testserver/docker_grafana/templates/grafana.ini

@@ -108,7 +108,7 @@ allow_org_create = false
 auto_assign_org = true
 
 # Default role new users will be automatically assigned (if disabled above is set to true)
-auto_assign_org_role = Viewer
+# auto_assign_org_role = Viewer
 
 # Background text for the user field on the login page
 login_hint = Fallback account
@@ -119,7 +119,7 @@ default_theme = dark
 [auth]
 # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
 ;disable_login_form = false
-disable_login_form = false
+disable_login_form = true
 
 # Auto Login via OAuth 
 oauth_auto_login = true
@@ -127,6 +127,7 @@ oauth_auto_login = true
 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
 ;disable_signout_menu = false
 
+
 #################################### Anonymous Auth ##########################
 [auth.anonymous]
 # enable anonymous access
@@ -135,6 +136,38 @@ enabled = true
 # specify organization name that should be used for unauthenticated users
 org_name = Main Org.
 
+# Role for unauthenticated users, other valid values are `Editor` and `Admin`
+org_role = Viewer
+
+#################################### Generic OAuth ##########################
+[auth.generic_oauth]
+
+# Enable OAuth Authentication 
+enabled = true
+name = OAuth
+
+# Users cann be created by OAuth login 
+allow_sign_up = true
+
+
+# OAuth Client Settings
+client_id = grafana
+client_secret = {{ oauth_client_secret}}
+scopes = profile
+auth_url = {{ oauth_global.authorize_url }}
+token_url = {{ oauth_global.token_url }}
+api_url = {{ oauth_global.userinfo_url }}
+
+# Attribute Mappings
+#login_attribute_path = nickname
+#name_attribute_path = nickname
+
+# Role Mapping
+skip_org_role_sync = false
+allow_assign_grafana_admin = true
+role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || 'Editor'
+
+
 #################################### Alerting ############################
 [alerting]
 # Disable alerting engine & UI features