How to tell Grafana using OAuth that some user is admin or belongs to some org?


I have CF UAA and am trying to use it with Grafana 4.0.2 through generic_oauth. I was able to configure login etc. and it works fine. What I'm missing is how to differentiate an admin user from the others. Also, I would like to separate users into different organizations in Grafana.

Is it doable? If so, how? I was looking at the /userinfo endpoint (https://docs.cloudfoundry.org/api/uaa/#user-info), which is used in my Grafana generic_oauth setup, and it looks like it doesn't have enough information. Maybe this can be done somehow through scopes?

2

There are 2 answers

3
AussieDan On

The generic oauth plugin doesn't provide a way to automatically add the user to a particular org or to designate their level of access.

Once the user has successfully authenticated to Grafana you can edit their user account and set their permission level etc.

It would be possible to extend the BasicUserInfo struct returned by the oauth modules to be able to hold a list of orgs the user should be a member of, and to update login_oauth.go to manage the user's org memberships if that element was returned by the oauth plugin. At that point it looks like the simplest approach would be to create an oauth_cloudfoundry plugin that could use the cloudfoundry group memberships to map to grafana org memberships.
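The group-to-org mapping step this answer proposes, as an added example (not part of the answer and not Grafana's own code). The `grafana.<org>.<role>` group naming convention, the `OrgMembership` type and the `MapGroups` function are assumptions made for illustration; only the role names Viewer, Editor and Admin are Grafana's.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// OrgMembership is a hypothetical element an extended user-info struct could carry.
type OrgMembership struct {
	Org  string
	Role string // Grafana org role: Viewer, Editor or Admin
}

// rank orders the accepted role suffixes; roleName maps a rank back to Grafana's role name.
var rank = map[string]int{"viewer": 1, "editor": 2, "admin": 3}
var roleName = []string{"", "Viewer", "Editor", "Admin"}

// MapGroups converts group names of the assumed form "grafana.<org>.<role>"
// into org memberships. Other groups, malformed names and unknown roles are
// ignored (fail closed), and the highest role wins when an org appears twice.
func MapGroups(groups []string) []OrgMembership {
	best := map[string]int{}
	for _, g := range groups {
		parts := strings.Split(g, ".")
		if len(parts) != 3 || parts[0] != "grafana" || parts[1] == "" {
			continue
		}
		if r, ok := rank[parts[2]]; ok && r > best[parts[1]] {
			best[parts[1]] = r
		}
	}
	out := make([]OrgMembership, 0, len(best))
	for org, r := range best {
		out = append(out, OrgMembership{Org: org, Role: roleName[r]})
	}
	// Sort so the result is deterministic regardless of map iteration order.
	sort.Slice(out, func(i, j int) bool { return out[i].Org < out[j].Org })
	return out
}

func main() {
	// Constructed sample group list, not real UAA output.
	groups := []string{"openid", "grafana.main.viewer", "grafana.main.admin",
		"grafana.ops.editor", "grafana.ops.root", "grafana..admin"}
	for _, m := range MapGroups(groups) {
		fmt.Printf("%s -> %s\n", m.Org, m.Role)
	}
}
```

Because unknown role suffixes and malformed names are dropped rather than defaulted, a mistyped or unexpected group never grants access; the login handler would still have to apply the returned memberships.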

0
dux2 On

Another option is to explicitly create a user in Grafana and then set him/her as admin in some org before the first OAuth login. Look at this post for more details: https://medium.com/@davidoha/how-to-restrict-user-access-with-to-grafana-with-generic-oauth-656a1a660a7b