README
¶
Grafana Permission Sync
What does it do?
This tool assigns roles to users in Grafana - based on what Google Groups they are in. The mapping of what group results in what org/role is managed through the config file.
This tool is a full rewrite of (rewrite of grafana-gsuite-sync)
How does it work?
- Get all orgs and all users from grafana
- Fetch all relevant google groups (once every
settings.groupsFetchInterval) - For each user, compute what orgs they should be in and what role they should have. This "update plan" (the list of changes to be made) that will be printed to stdout, for example:
{"level":"info", "msg":"Promote user", "user":"Alice@COMPANY.com", "org":"Some Org Name [INT]", "oldRole":"Viewer", "role":"Admin"}`
{"level":"info", "msg":"Remove user from org", "user":"Alice@COMPANY.com", "org":"Controlling"}
{"level":"info", "msg":"Demote user", "user":"Alice@COMPANY.com", "org":"Some Org Name [PRD]", "oldRole":"Admin", "role":"Viewer"}
{"level":"info", "msg":"Add user to org", "user":"SomeOtherUser", "org":"Some Org Name [PRD]", "role":"Viewer"}
- Apply the changes slowly (capped at 10 operations per second)
- Wait for
settings.applyInterval, then repeat
Requirements
- Docker Image:
docker pull quay.io/google-cloud-tools/grafana-permission-sync - Google Service Account: credentials (in
.json) of a Google service account, which has permissions to impersonate a user that can see all groups (instructions on how to set that up) - Grafana Admin: credentails of a Grafana user that has 'server admin' set
- Config: use the example as a starting point and add your rules
Config
- By default the config file is loaded from
./config.yaml, but you can override the path using the configPath flag:--configPath=some/other/path/config.yaml
Take a look at the the demo config file to see all settings
-
The config supports hot reloading. When the file changes, it will be automatically reloaded. When a new config is loaded successfully (no parsing or validation errors), it will be applied (actually used) from the next iteration onwards. That basically just means a new config won't be applied in the middle of a running permission update.
-
Hot reloading does currently only affect changes to the
settings:andrules:blocks. Other blocks (google:,grafana:) are not updated and require the application to be restarted. (Will be fixed soon)
Rules
-
The
orgs:property supports regex, but only if the element is enclosed in//! That meansorgs: [ ".*" ]will not work, it will not be interpreted as a regex! For example: to match everything you'd writeorgs: [ /.*/ ]or with quotesorgs: [ "/.*/" ](because regex can contain all sorts of symbols). -
The
note:property will be shown as the reason for each change -
The only required property in each rule is
role:
Example:
rules: [
{
# Everyone in the technology group should be able to view the two grafana organizations
note: "tech viewers", # used to show in the reason field
groups: [technology@my-company.com],
orgs: ["Main Grafana Org", "Testing"],
role: Viewer,
},
{
# Also assign the Admin role to certain users
note: "global admins",
users: [ admin@my-company.com ], # individual users
orgs: ["/.*/"],
role: Admin,
},
]
Why are there two different time intervals?
-
settings.groupsFetchIntervalcontrols how often google groups are fetched. To avoid hitting googles rate limit, you probably want this to have a pretty high value (30 minutes or so). -
settings.applyIntervalcontrols how often the main loop runs. Grafana creates an account for a user when they login for the first time. When the new user account is created, grafana-permission-sync can assign the correct permissions (organization membership and roles) the next time it computes an update. So we want to do this pretty often (scanning for newly created users and assigning the right permissions to them).
Health/Liveness
Kubernetes ready and liveness probes: /admin/ready and /admin/alive
Directories