Grafana & Generic OAuth — How to restrict access to specific authenticated users?
If you have successfully integrated Generic OAuth with Grafana, you might wonder as I did, how do you allow only specific authenticated users from your organization to access Grafana? and how do you set different access rights (admin, editor, viewer) to those users?
The first thing we need to do is to set disable sign up of new users and anonymous users. This can be done by editing grafana.ini file or setting env vars.
allow_sign_up = false[auth.anonymous]
enabled = false
This will allow only users that are already listed in Grafana’s user database to sign-in.
But how do we add users to Grafana?
Inviting a user using Grafana’s User management dashboard will not do the trick, as invited user is not an actual user until the first sign up.
But, we can add a user programmatically using the Admin HTTP API with an HTTP POST call:
Now all users added like this will be able to access Grafana.
Note that there is a tricky part here: Grafana is case sensitive to emails. So the Case of the email address of the user must match exactly to the case returned from the OAuth endpoint.
Now, how do we set permissions to specific users, such that some are viewers, some are editors and some are admins?
After you have added a user, her default access level is viewer. You can use the permissions API call to set a user as global Grafana admin:
You will probably also want to set a user as an organization admin/editor, to allow her to edit some dashboards (Global admin cannot do this until explicitly setting herself also as org admin). This can be done using the organization API:
That's it. Wrapping all up, here is a sample Python code that reads a user list from a CSV file and adds all of the entries Grafana users. Users with * as first char will be added as admins.