Closed hasanheroglu closed 2 months ago
In today's meeting, the idea was to use the GitHub teams after asking Eclipse. This can be easily added during deployment via the role attribute field:
role_attribute_path = contains(groups[*], '@my-github-organization/my-github-team') && 'Editor' || 'Viewer'
(see https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/github/#org-roles-mapping-example). We do not even need the Editor role.
Closes #36.
Here, I added a forward auth mechanism. Therefore, Traefik forwards requests for Prometheus, cAdvisor and Traefik to GitHub authentication. We need to set an environment variable (WHITELISTED_EMAILS) to whitelist emails. Also, we need to create a GitHub OAuth application and use its configuration to successfully log in.
Grafana and Portainer use their own authentication mechanisms and we need to configure them using their UIs. For Grafana, it is possible to give permissions depending on the user's GitHub data. A simple role attribute path would be
[email=='<USER_EMAIL>'][0] && 'Admin' || 'Viewer'
to give a specific USER_EMAIL admin permissions and all others viewer permissions. Check the Grafana documentation for more details. Furthermore, it is possible to create teams and limit access to dashboards to certain teams and users.
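The role mapping discussed in this thread, written out as a `grafana.ini` fragment. This is an added example, not part of the PR or the project's deployment files; the organization, team, e-mail address and client credentials are placeholders, and using `grafana.ini` rather than environment variables is an assumption.

```ini
; Added example: all names and credentials below are placeholders.
[auth.github]
enabled = true
allow_sign_up = true
client_id = <GITHUB_OAUTH_CLIENT_ID>
client_secret = <GITHUB_OAUTH_CLIENT_SECRET>
; read:org lets Grafana read the user's team memberships (the "groups" list).
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
; Only members of this organization may log in at all.
allowed_organizations = my-github-organization

; Team-based mapping from the meeting note: team members become Editor,
; everyone else who can log in becomes Viewer.
role_attribute_path = contains(groups[*], '@my-github-organization/my-github-team') && 'Editor' || 'Viewer'

; Per-user mapping, weak form (kept commented out):
; [email=='...'] evaluates to [true] or [false]. A non-empty list is truthy
; in JMESPath, so the expression yields 'Admin' for every user.
; role_attribute_path = [email=='admin@example.org'] && 'Admin' || 'Viewer'

; Per-user mapping, corrected form: [0] takes the boolean out of the list,
; so only the matching user becomes Admin.
; role_attribute_path = [email=='admin@example.org'][0] && 'Admin' || 'Viewer'

; Refuse the login if the expression returns no valid role, instead of
; silently falling back to the default role.
role_attribute_strict = true
```

After changing the mapping, log in with an account that should not match and confirm in Grafana's user list that it was given Viewer.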