I currently have Grafana setup running in a container (latest grafana/grafana image) with users logging in via OAuth from AWS Cognitio.
I can assign users to be Grafana or Server Admin roles by adding them to cognito groups and configuring the GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH environment variable with a JMESPath expression. This is working perfectly.
I now need to setup different Grafana Organisations and would like to assign users to organisations using the same approach: adding users to Cognito groups, and then using a JMESPath expression to assign them to the organisation.
Is this possible? If not, is there a different approach I can take to control my users membership to organisations via Cognito groups?
Thanks for the link.
If I understand correctly the PR referenced in the linked post was never merged. The solution used in the above post was to use a Grafana Enterprise feature?
Unfortunately I’m not a Grafana Enterprise customer. Is there no way to achieve this with the open source version of Grafana?
I would say that is enterprise feature, so you enteprise version is the right one for this use case.
Of course, nobody is stopping you to create own code/implementation for Grafana OSS - but will it be worth it?
Yeah it’s not worth maintaining a fork for just my own needs, even if the above linked PR was still mergeable with minimal effort (seems unlikely).
I did notice that it’s possible to assign teams via JMESPath with the auth.generic_oauth config vars:
Originally I wanted to isolate my datasources and dashboards based on organisations, but based on reading the differences between teams and organisations, it seems I can achieve this isolation using teams instead?
Assuming this is the case, I should be able to use the two above config variables to assign teams using a JMESPath expression based on the cognito:groups field passed from cognito?
I’m struggling to find a working example of this though. Specifically I’m struggling to understand the difference between the two variables and how they work together.
Are there any working examples of a config that uses these two variables (not specifically with cognito)?