Grafana & Generic OAuth — How to restrict access to specific authenticated users?

If you have successfully integrated Generic OAuth with Grafana, you might wonder, as I did, how to allow only specific authenticated users from your organization to access Grafana, and how to give those users different access rights (admin, editor, viewer).


The first thing we need to do is to disable sign-up of new users and anonymous users. This can be done by editing the grafana.ini file or by setting environment variables.

allow_sign_up = false

This will allow only users that are already listed in Grafana’s user database to sign in.


But how do we add users to Grafana?

Inviting a user through Grafana’s user management dashboard will not do the trick, as an invited user is not an actual user until the first sign-up.

But, we can add a user programmatically using the Admin HTTP API with an HTTP POST call:

Now all users added like this will be able to access Grafana.
Note that there is a tricky part here: Grafana treats email addresses as case sensitive, so the case of the user's email address must exactly match the case returned by the OAuth endpoint.

Now, how do we set permissions to specific users, such that some are viewers, some are editors and some are admins?

After you have added a user, her default access level is viewer. You can use the permissions API call to set a user as global Grafana admin:

You will probably also want to set a user as an organization admin/editor, to allow her to edit some dashboards (a global admin cannot do this until she explicitly sets herself as an org admin as well). This can be done using the organization API:

That's it. Wrapping it all up, here is sample Python code that reads a user list from a CSV file and adds all of the entries as Grafana users. Users with * as the first character will be added as admins.
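An added example of such a script (not the author's original code), combining the three calls described above: create the user with the Admin API, then grant global admin and org admin to the starred entries. Assumptions: the CSV holds one email per row, the caller supplies the Grafana base URL and server-admin credentials, and new users land in that admin's current organization; the function names and sample addresses are constructed for illustration.

```python
import base64, csv, io, json, secrets, urllib.request

# Constructed sample list: one e-mail per row, a leading '*' marks an admin.
SAMPLE_CSV = "*Alice.Admin@example.com\nbob@example.com\n"

def parse_users(text):
    """Return [(email, is_admin)] with each e-mail's case left untouched."""
    users, seen = [], set()
    for row in csv.reader(io.StringIO(text)):
        entry = row[0].strip() if row else ""
        if not entry:
            continue
        email = entry.lstrip("*")
        if email.lower() in seen:  # same address twice, possibly in different case
            raise ValueError(f"duplicate e-mail: {email}")
        seen.add(email.lower())
        users.append((email, entry.startswith("*")))
    return users

def create_body(email):
    # Sign-in goes through OAuth, so the local password is random and never shared.
    return {"name": email, "email": email, "login": email,
            "password": secrets.token_urlsafe(32)}

def role_calls(user_id, is_admin):
    """Calls made after creation; non-admins keep the default viewer level."""
    if not is_admin:
        return []
    return [("PUT", f"/api/admin/users/{user_id}/permissions", {"isGrafanaAdmin": True}),
            ("PATCH", f"/api/org/users/{user_id}", {"role": "Admin"})]

def call(base, user, password, method, path, body):
    """Send one JSON request with basic auth as a Grafana server admin."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base + path, json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def provision(base, user, password, text):
    """Create every listed user, then apply the admin calls to starred entries."""
    for email, is_admin in parse_users(text):
        new_id = call(base, user, password, "POST", "/api/admin/users", create_body(email))["id"]
        for method, path, body in role_calls(new_id, is_admin):
            call(base, user, password, method, path, body)

if __name__ == "__main__":  # dry run with placeholder ids: print the plan, send nothing
    for n, (email, is_admin) in enumerate(parse_users(SAMPLE_CSV), start=2):
        print("POST /api/admin/users", email, role_calls(n, is_admin))
```

The parser rejects two rows that differ only by case, since only the spelling returned by the OAuth endpoint will match at sign-in.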

[Figure: user list after running]

Written by

Software developer & research staff member @ IBM (Haifa Research Lab)
