Is it possible to match organization with `role_attribute_path` and GitHub OAuth2?

Hello,

I’m using Grafana 9.5.2 with GitHub authentication.

My configuration for the role_attribute_path is:

role_attribute_path = contains(groups[*], '@someorganization/some-github-team') && 'Admin' || 'Viewer'

I wonder if it is possible to use the role_attribute_path to map a role based on the organization. I’m trying to achieve the following mapping:

  1. Users in @someorganization/some-github-team are Admins
  2. Users in @someorganization are Editors
  3. Everyone else in allowed_organizations are Viewers
  4. No other access.

I understand this uses JMESPath but I don’t know how to get the JSON input to test my query.

Can someone provide some guidance here?

Thanks in advance!

The easiest way is to increase the Grafana log level and you will see that JSON input (access/id token) in the Grafana logs. Then play on https://jmespath.org/ and construct a correct JMESPath expression which fits your needs.

@jangaraj Thank you, I see the different response_body from the request.

  1. The first one on https://api.github.com/user
  2. Then on https://api.github.com/user/teams?per_page=100
  3. Then on https://api.github.com/user/orgs?per_page=100
  4. And finally on https://api.github.com/user/emails

I’ve tried the following role_attribute_path:

contains(groups[*], '@someorganization/some-github-team') && 'Admin' 
         || contains([].login, 'my-organization') && 'Editor' 
         || 'Viewer'

But contains([].login, 'my-organization') && 'Editor' doesn’t seem to have any effect: users that are not in the team but in the organization are ‘Viewer’. It’s meant to be used against the third request (https://api.github.com/user/orgs?per_page=100).

It’s kind of confusing, because none of the 4 response_body entries has a “groups” entry (as used to map the ‘Admin’ user), so I’m still missing a bit here.

Those (api.github.com) are “userinfo” responses. You will have more “responses” (access/id token); there will be much more in your logs.

contains([].login, 'my-organization') - is it really valid JMESPath syntax (see the JMESPath Specification), or did you test it on https://jmespath.org/?

You didn’t provide those “responses”, so how can someone help you? :man_shrugging:

Here is a full log of a login cycle: Grafana OAuth2 Github Login Logs - Pastebin.com

Yes, I did successfully test contains([].login, 'my-organization') on https://jmespath.org/. You can test it with this JSON.

I feel like the JMESPath query is applied to the structure defined here: grafana/login_oauth.go at main · grafana/grafana · GitHub which does not contain any information about GitHub organizations.

My goal is to map the roles in the following way:

  1. The world does not have access
  2. Users of GitHub organizations B, C and D are Viewers
  3. Users of GitHub organization A are Editors
  4. Users of the Z team of GitHub organization A (@A/Z) are Admins

At that point the simplest (but not the most convenient) would be to create and manage some users in another GitHub Team (@A/Y) for Editors.


Use role_attribute_strict = true for “1. The world does not have access”.

For the path lookup, Grafana uses JSON obtained from querying GitHub’s API /api/user endpoint and a groups key containing all of the user’s teams (retrieved from /api/user/teams).

So the teams result should be in the groups key; play with groups[*].login.

Points 1, 2 and 4 are working as expected. For point 3, so far I have been unable to find a way to map Editors on an organization. Mapping on teams works well.
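To check this mapping offline, here is an added Python example (not Grafana code and not posted by anyone in this thread) that builds the userinfo document the way the thread describes it (the /user fields plus a groups list of @org/team-slug entries) and evaluates the &&/|| chains with JMESPath truthiness. The organization and team names A, Z and Y, the sample API responses and the small subset evaluator are all constructed assumptions; it shows why the organization clause never matches and how the @A/Y team workaround and role_attribute_strict behave.

```python
import re

# Constructed sample responses shaped like the three GitHub calls listed in
# this thread (/user, /user/teams, /user/orgs); not real accounts.
USER = {"login": "alice", "email": "alice@example.com"}
TEAMS = [{"slug": "Z", "organization": {"login": "A"}}]
ORGS = [{"login": "A"}, {"login": "B"}]

# The two expressions discussed: team-based tiers (works) and the attempted
# organization tier (never matches, because groups only holds team slugs).
TEAM_PATH = ("contains(groups[*], '@A/Z') && 'Admin' || "
             "contains(groups[*], '@A/Y') && 'Editor' || 'Viewer'")
ORG_PATH = ("contains(groups[*], '@A/Z') && 'Admin' || "
            "contains(groups[*], '@A') && 'Editor' || 'Viewer'")

def build_userinfo(user, teams):
    """Shape of the document role_attribute_path is evaluated against, as
    described in the thread: /user fields plus a 'groups' list of
    '@org/team-slug' entries. /user/orgs only feeds allowed_organizations."""
    return {"login": user["login"], "email": user.get("email"),
            "groups": [f"@{t['organization']['login']}/{t['slug']}" for t in teams]}

def allowed_login(orgs, allowed_organizations):
    """allowed_organizations gate: the user must belong to at least one."""
    return any(o["login"] in allowed_organizations for o in orgs)

_CLAUSE = re.compile(r"contains\(groups\[\*\],\s*'([^']*)'\)\s*&&\s*'([^']*)'")

def eval_role_path(expr, doc):
    """Evaluate only the JMESPath subset used in this thread, honouring its
    truthiness: false && 'Role' is false, and false || next yields next.
    Supports contains(groups[*], 'X') && 'Role' clauses joined by ||,
    optionally ending in a bare 'Default' literal. None when nothing matched."""
    groups = doc.get("groups") or []
    for clause in (c.strip() for c in expr.split("||")):
        m = _CLAUSE.fullmatch(clause)
        if m:
            if m.group(1) in groups:
                return m.group(2)
            continue
        m = re.fullmatch(r"'([^']*)'", clause)
        if m:
            return m.group(1)
        raise ValueError(f"unsupported clause: {clause}")
    return None

def grafana_role(expr, doc, strict=False):
    """Mirror role_attribute_strict: an unmapped user is denied (None) when
    strict, otherwise falls back to Viewer (the default auto_assign_org_role)."""
    role = eval_role_path(expr, doc)
    if role in ("Admin", "Editor", "Viewer"):
        return role
    return None if strict else "Viewer"
```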

It would be nice to show how you solved your problem. It will be here for the record for other users with a similar problem.

Yes, it is possible to match an organization with the role_attribute_path when using GitHub OAuth2. The role_attribute_path is used to specify the path in the OAuth2 response where the role or organization information is provided. This allows you to retrieve and utilize that information in your application.

When integrating GitHub OAuth2 into your application, you can include the scope parameter in your authentication request to request access to the necessary permissions and organization information. By specifying the appropriate scope, you can retrieve the required data related to the user’s organization membership or role.

Once the user has authenticated and granted the necessary permissions, you can make API requests to GitHub using the provided access token. These API requests can include retrieving organization-related data or checking the user’s role within the organization.

Thanks @vicentevincenzo. I’m not sure that I understand how to apply your proposal to the initial request, but maybe you can provide an example of configuration including the JMESPath query?

To achieve the role mapping based on the organization using JMESPath in Grafana’s role_attribute_path, you can try the following configuration:

role_attribute_path = contains(groups[*], '@someorganization/some-github-team') ? 'Admin' : contains(groups[*], '@someorganization') ? 'Editor' : 'Viewer'

Explanation:

  • The first part of the expression checks if the user is in the ‘@someorganization/some-github-team’ group. If true, it assigns the role ‘Admin’.
  • If the user is not in the ‘@someorganization/some-github-team’ group, it moves to the second part of the expression, which checks if the user is in the ‘@someorganization’ group. If true, it assigns the role ‘Editor’.
  • If the user is not in either of the specified groups, it assigns the role ‘Viewer’.

Yes, it is possible to use the role_attribute_path in Grafana to map roles based on the organization using JMESPath. To achieve the desired role mapping, you can modify the configuration as follows:

role_attribute_path = contains(groups[*], '@someorganization/some-github-team') ? 'Admin' : contains(groups[*], '@someorganization') ? 'Editor' : 'Viewer'

This configuration uses the JMESPath ternary operator to check the conditions in sequence:

  1. If the user is part of the @someorganization/some-github-team group, they are assigned the role of ‘Admin’.
  2. If the user is part of the @someorganization group (but not the specific team), they are assigned the role of ‘Editor’.
  3. If the user is not part of either group, they are assigned the role of ‘Viewer’.

Hello,

You can use the role_attribute_path in Grafana with JMESPath to achieve the role mapping based on the organization. To test your query and get the JSON input, you can use a tool like jq or online JMESPath evaluators. Simply replace the "contains(groups[*], '@someorganization/some-github-team')" part in your configuration with the appropriate JMESPath expression for the organization. For example:

role_attribute_path = contains(groups, '@someorganization/some-github-team') && 'Admin' || contains(groups, '@someorganization') && 'Editor' || contains(allowed_organizations[*], '@someorganization') && 'Viewer' || 'No other access'

Remember to replace “@someorganization” with the actual organization name you want to use in the query. This configuration should help you achieve the desired role mapping based on the organization. Good luck!

Yes, it’s possible to match an organization with the role_attribute_path in the context of GitHub OAuth2. By configuring the role_attribute_path properly, you can map the roles or attributes associated with a user’s GitHub organization to the corresponding roles within your application. This allows for seamless integration and authorization based on the user’s organization and roles.

If you need more specific guidance, please provide additional details about your setup or requirements.

Hello,

It’s great that you’re configuring Grafana with GitHub authentication. To achieve the role mapping you described, your use of the role_attribute_path seems appropriate. You can try using a JMESPath expression to achieve the desired result. You might use JSON input similar to this to test your query:

{
  "groups": ["@someorganization/some-github-team"],
  "allowed_organizations": ["@someorganization"]
}

Based on this input, your role_attribute_path expression seems to be on the right track. Remember that JMESPath allows complex query operations, so you’re on the right path to implementing the role mapping you want. Good luck, and feel free to explore the JMESPath documentation further for assistance!

Best regards.

I see that you’re encountering challenges with the role_attribute_path configuration for GitHub API calls. It looks like the contains condition for the ‘Editor’ role based on organization membership isn’t functioning as expected. Since none of the response_body entries include a “groups” field as used for mapping the ‘Admin’ user, there seems to be a missing piece in the setup. I recommend checking the GitHub API documentation or seeking assistance from their support or community to clarify how to effectively configure the role_attribute_path for the desired ‘Editor’ role based on organization membership.

Hi there!

Your use case seems to require a specific JMESPath query to map roles based on organization and teams in Grafana. To test your query, you can try using sample JSON input in a JMESPath online evaluator, like the one provided by JMESPath.org. This will help you refine your role_attribute_path and achieve the desired role mapping. Best of luck with your Grafana configuration!

Hi there,

You’re on the right track with your role_attribute_path configuration. To achieve your desired mapping, you can use JMESPath to check for specific organizations and teams. Here’s a possible approach:

role_attribute_path = contains(groups[*], '@someorganization/some-github-team') && 'Admin' || contains(groups[*], '@someorganization') && 'Editor' || 'Viewer'

This configuration checks if users are in specific GitHub teams or organizations and assigns roles accordingly. As for testing, you can try using JSON data with examples of user groups to verify your query.

Hope this helps!

Ensure that your role_attribute_path is configured to prioritize specific roles based on GitHub team and organization membership. Test your JMESPath query with sample JSON data to validate the role mapping.