Is it possible to match organization with `role_attribute_path` and GitHub OAuth2?

Hello,

I’m using Grafana 9.5.2 with the GitHub authentication.

My configuration for the role_attribute_path is:

role_attribute_path = contains(groups[*], '@someorganization/some-github-team') && 'Admin' || 'Viewer'

I wonder if it is possible to use the role_attribute_path to map a role based on the organization. I’m trying to achieve the following mapping:

  1. Users in @someorganization/some-github-team are Admins
  2. Users in @someorganization are Editors
  3. Everyone else in allowed_organizations are Viewers
  4. No other access.

I understand this uses JMESPath but I don’t know how to get the JSON input to test my query.

Can someone provide some guidance here?

Thanks in advance!

The easiest way is to increase the Grafana log level; you will then see that JSON input (access/id token) in the Grafana logs. Then play on https://jmespath.org/ and construct a correct JMESPath expression that fits your needs.

@jangaraj Thank you, I see the different response_body entries from the requests.

  1. The first one on https://api.github.com/user
  2. Then on https://api.github.com/user/teams?per_page=100
  3. Then on https://api.github.com/user/orgs?per_page=100
  4. And finally on https://api.github.com/user/emails

I’ve tried the following role_attribute_path:

contains(groups[*], '@someorganization/some-github-team') && 'Admin' 
         || contains([].login, 'my-organization') && 'Editor' 
         || 'Viewer'

But contains([].login, 'my-organization') && 'Editor' doesn’t seem to have any effect — users that are not in the team but in the organization are ‘Viewer’. It’s meant to be used against the third request (https://api.github.com/user/orgs?per_page=100).

It’s kind of confusing, because none of the 4 response_body has a “groups” entry (as used to map the ‘Admin’ user), so I’m still missing a bit here.

Those (api.github.com) are “userinfo” responses. You will have more “responses” (access/id token); there will be much more in your logs.

contains([].login, 'my-organization') - is it really valid JMESPath syntax (JMESPath Specification — JMESPath), or did you test it on https://jmespath.org/?

You didn’t provide those “responses”, so how can someone help you? :man_shrugging:

Here is a full log of a login cycle: Grafana OAuth2 Github Login Logs - Pastebin.com

Yes, I did successfully test contains([].login, 'my-organization') on https://jmespath.org/. You can test it with this JSON.

I feel like the JMESPath query is applied to the structure defined here: grafana/login_oauth.go at main · grafana/grafana · GitHub, which does not contain any information about GitHub organizations.

My goal is to map the roles in the following way:

  1. The world does not have access
  2. Users of GitHub organizations B, C and D are Viewers
  3. Users of GitHub organization A are Editors
  4. Users of the Z team of GitHub organization A (@A/Z) are Admins

At this point the simplest (but not the most convenient) option would be to create and manage some users in another GitHub team (@A/Y) for Editors.


Use role_attribute_strict = true for “1. The world does not have access”.

For the path lookup, Grafana uses JSON obtained from querying GitHub’s API /api/user endpoint and a groups key containing all of the user’s teams (retrieved from /api/user/teams).

So the teams result should be in the groups key, so play with groups[*].login.
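To make the lookup document concrete for testing, here is an added example (not Grafana's code and not posted by anyone in this thread) that rebuilds the JSON Grafana's GitHub connector evaluates role_attribute_path against, following the description above: the /user response plus a groups key in which each team appears as "@organization-login/team-slug". It assumes that exact merge and that nothing from /user/orgs is included; the sample /user and /user/teams responses are constructed, and the optional live fetch assumes a GitHub token that can list the user's teams (read:org). The output can be pasted into https://jmespath.org/ next to the expression, or evaluated locally when the third-party jmespath package is installed.

```python
"""Rebuild the JSON document that Grafana's GitHub OAuth connector evaluates
role_attribute_path against, so a JMESPath expression can be tested offline
or pasted into https://jmespath.org/.

Added example, not Grafana's code. Assumption: the lookup document is the
/user response with an extra "groups" key listing each team as
"@<organization login>/<team slug>"; nothing from /user/orgs is included.
"""
import json
import sys
import urllib.request

GITHUB_API = "https://api.github.com"

# Constructed sample responses shaped like GitHub's /user and /user/teams
# replies (trimmed to the fields that matter here).
SAMPLE_USER = {"login": "octocat", "id": 583231,
               "name": "Octo Cat", "email": "octocat@example.com"}
SAMPLE_TEAMS = [
    {"name": "Some GitHub Team", "slug": "some-github-team",
     "organization": {"login": "someorganization"}},
    {"name": "Ops", "slug": "ops", "organization": {"login": "other-org"}},
]

# Expressions from the thread, for local evaluation when jmespath is installed.
ADMIN_OR_VIEWER = "contains(groups[*], '@someorganization/some-github-team') && 'Admin' || 'Viewer'"
WITH_ORG_ATTEMPT = ("contains(groups[*], '@someorganization/some-github-team') && 'Admin'"
                    " || contains([].login, 'my-organization') && 'Editor' || 'Viewer'")


def github_get(path, token):
    """GET a GitHub API path with a token (assumed to allow read:org); returns parsed JSON."""
    req = urllib.request.Request(
        GITHUB_API + path,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json",
                 "User-Agent": "role-attribute-path-check"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def teams_to_groups(teams):
    """Format teams the way the groups key lists them: @org-login/team-slug.
    Teams without an organization login or slug are skipped."""
    return [
        "@%s/%s" % (team["organization"]["login"], team["slug"])
        for team in teams
        if team.get("organization", {}).get("login") and team.get("slug")
    ]


def build_lookup_json(user, teams):
    """Merge the /user response with the groups key. This is the document to
    paste into jmespath.org beside the role_attribute_path expression."""
    doc = dict(user)
    doc["groups"] = teams_to_groups(teams)
    return doc


def evaluate_role(expression, doc):
    """Evaluate an expression against the lookup document using the
    third-party jmespath package (pip install jmespath). Grafana itself uses
    a Go JMESPath implementation, so treat this as a close approximation."""
    import jmespath  # optional dependency, imported lazily
    return jmespath.search(expression, doc)


def main(argv):
    if len(argv) > 1:
        token = argv[1]
        user = github_get("/user", token)
        teams = github_get("/user/teams?per_page=100", token)
    else:
        user, teams = SAMPLE_USER, SAMPLE_TEAMS
    doc = build_lookup_json(user, teams)
    print(json.dumps(doc, indent=2))
    try:
        for expr in (ADMIN_OR_VIEWER, WITH_ORG_ATTEMPT):
            print("%s\n  -> %r" % (expr, evaluate_role(expr, doc)))
    except ImportError:
        print("jmespath package not installed; paste the JSON above into https://jmespath.org/")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to print the constructed document, or with a token as the first argument to print the document for your own account. Note that the merged document carries login, id, name, email and groups only, so an expression that looks for organization logins (such as [].login) has nothing to match against; team-based matches on groups[*] do.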

Points 1, 2 and 4 are working as expected. For point 3, so far I have been unable to find a way to map Editors on an Organization. Mapping on teams works well.

It would be nice to show how you solved your problem. It will be here for the record for other users with a similar problem.

Yes, it is possible to match an organization with the role_attribute_path when using GitHub OAuth2. The role_attribute_path is used to specify the path in the OAuth2 response where the role or organization information is provided. This allows you to retrieve and utilize that information in your application.

When integrating GitHub OAuth2 into your application, you can include the scope parameter in your authentication request to request access to the necessary permissions and organization information. By specifying the appropriate scope, you can retrieve the required data related to the user’s organization membership or role.

Once the user has authenticated and granted the necessary permissions, you can make API requests to GitHub using the provided access token. These API requests can include retrieving organization-related data or checking the user’s role within the organization.

Thanks @vicentevincenzo. I’m not sure that I understand how to apply your proposal to the initial request, but maybe you can provide an example configuration including the JMESPath query?