The easiest way is to increase the Grafana log level, and you will see that JSON input (access/id token) in the Grafana logs. Then play on https://jmespath.org/ and construct a correct JMESPath which fits your needs.
But contains([].login, 'my-organization') && 'Editor' doesn’t seem to have any effect — users that are not in the team but in the organization are ‘Viewer’. It’s meant to be used against the third request (https://api.github.com/user/orgs?per_page=100).
It’s kind of confusing, because none of the 4 response_body has a “groups” entry (as used to map the ‘Admin’ user), so I’m still missing a bit here.
Use role_attribute_strict = true for “1. The world does not have access”.
For the path lookup, Grafana uses JSON obtained from querying GitHub’s API /api/user endpoint and a groups key containing all of the user’s teams (retrieved from /api/user/teams).
So the teams result should be in the groups key, so play with groups[*].login.
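A configuration sketch for the lookup described above, added here as an example; it is not taken from the thread or from Grafana's documentation. It assumes the groups key holds team strings of the form '@org/team-slug', as in the contains(groups[*], ...) expressions quoted in this thread; my-organization and some-github-team are placeholder names, and the client credentials are placeholders too.

```ini
# grafana.ini (added example, placeholder names throughout)
[auth.github]
enabled = true
client_id = YOUR_GITHUB_APP_CLIENT_ID
client_secret = YOUR_GITHUB_APP_CLIENT_SECRET

# read:org is needed so Grafana can read organization and team membership.
scopes = user:email,read:org

# Only members of this organization may log in at all.
allowed_organizations = my-organization

# Evaluated against the /api/user JSON plus the injected "groups" key.
#   1st clause: member of one specific team            -> Admin
#   2nd clause: member of ANY team in the organization -> Editor
#               (assumption: a filter on the '@my-organization/' prefix;
#                an empty filter result is falsy in JMESPath)
# There is deliberately no trailing "|| 'Viewer'" fallback.
role_attribute_path = contains(groups[*], '@my-organization/some-github-team') && 'Admin' || groups[?starts_with(@, '@my-organization/')] && 'Editor'

# With strict mode on, a login for which the path yields no valid role
# is denied instead of falling back to the default role.
role_attribute_strict = true

# Weaker variant for comparison: appending "|| 'Viewer'" to the path admits
# every account that passes allowed_organizations, as Viewer, and strict
# mode never triggers because the path always returns a role.
```

The prefix filter only matches organization members who belong to at least one team, because groups is built from team membership; an organization member with no team gets no role from this path and is denied under strict mode.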
Points 1, 2 and 4 are working as expected. For point 3, so far I have been unable to find a way to map Editors on an Organization. Mapping on teams works well.
Yes, it is possible to match an organization with the role_attribute_path when using GitHub OAuth2. The role_attribute_path is used to specify the path in the OAuth2 response where the role or organization information is provided. This allows you to retrieve and utilize that information in your application.
When integrating GitHub OAuth2 into your application, you can include the scope parameter in your authentication request to request access to the necessary permissions and organization information. By specifying the appropriate scope, you can retrieve the required data related to the user’s organization membership or role.
Once the user has authenticated and granted the necessary permissions, you can make API requests to GitHub using the provided access token. These API requests can include retrieving organization-related data or checking the user’s role within the organization.
Thanks @vicentevincenzo. I’m not sure that I understand how to apply your proposal to the initial request, but maybe you can provide an example of configuration including the JMESPath query?
The first part of the expression checks if the user is in the ‘@someorganization/some-github-team’ group. If true, it assigns the role ‘Admin’.
If the user is not in the ‘@someorganization/some-github-team’ group, it moves to the second part of the expression, which checks if the user is in the ‘@someorganization’ group. If true, it assigns the role ‘Editor’.
If the user is not in either of the specified groups, it assigns the role ‘Viewer’.
Yes, it is possible to use the role_attribute_path in Grafana to map roles based on the organization using JMESPath. To achieve the desired role mapping, you can modify the configuration as follows:
You can use the role_attribute_path in Grafana with JMESPath to achieve the role mapping based on the organization. To test your query and get the JSON input, you can use a tool like jq or online JMESPath evaluators. Simply replace the “contains(groups[*], '@someorganization/some-github-team')” part in your configuration with the appropriate JMESPath expression for the organization. For example:
Remember to replace “@someorganization” with the actual organization name you want to use in the query. This configuration should help you achieve the desired role mapping based on the organization. Good luck!
Yes, it’s possible to match an organization with the role_attribute_path in the context of GitHub OAuth2. By configuring the role_attribute_path properly, you can map the roles or attributes associated with a user’s GitHub organization to the corresponding roles within your application. This allows for seamless integration and authorization based on the user’s organization and roles.
If you need more specific guidance, please provide additional details about your setup or requirements.
It’s great that you’re configuring Grafana with GitHub authentication. To achieve the role mapping you described, your use of the role_attribute_path seems appropriate. You can try using a JMESPath expression to achieve the desired result. You might use JSON input similar to this to test your query:
Based on this input, your role_attribute_path expression seems to be on the right track. Remember that JMESPath allows complex query operations, so you’re on the right path to implementing the role mapping you want. Good luck, and feel free to explore the JMESPath documentation further for assistance!
I see that you’re encountering challenges with the role_attribute_path configuration for GitHub API calls. It looks like the contains condition for ‘Editor’ role based on organization membership isn’t functioning as expected. Since none of the response_body entries include a “groups” field as used for mapping the ‘Admin’ user, there seems to be a missing piece in the setup. I recommend checking GitHub API documentation or seeking assistance from their support or community to clarify how to effectively configure the role_attribute_path for the desired ‘Editor’ role based on organization membership.
Your use case seems to require a specific JMESPath query to map roles based on organization and teams in Grafana. To test your query, you can try using sample JSON input in a JMESPath online evaluator, like the one provided by JMESPath.org. This will help you refine your role_attribute_path and achieve the desired role mapping. Best of luck with your Grafana configuration!
You’re on the right track with your role_attribute_path configuration. To achieve your desired mapping, you can use JMESPath to check for specific organizations and teams. Here’s a possible approach:
This configuration checks if users are in specific GitHub teams or organizations and assigns roles accordingly. As for testing, you can try using JSON data with examples of user groups to verify your query.
Ensure that your role_attribute_path is configured to prioritize specific roles based on GitHub team and organization membership. Test your JMESPath query with sample JSON data to validate the role mapping.