Grafana----SSO配置对接Keycloak

一、修改grafana.ini

  • 目录: /etc/grafana/grafana.ini
  • 配置项:"[auth.generic_oauth]"
  • 添加内容:
    enabled = true
name = Keycloak-OAuth
allow_sign_up = true
client_id = grafana-oauth
client_secret = 7RwmurUMiptgAAwH6xIThPI6bk7xQjTD
scopes = openid email profile offline_access roles
email_attribute_path = email
login_attribute_path = username
name_attribute_path = full_name
auth_url = https://{domain}/auth/realms/Single-Sign-On/protocol/openid-connect/auth
token_url = https://{domain}/auth/realms/Single-Sign-On/protocol/openid-connect/token
api_url = https://{domain}/auth/realms/Single-Sign-On/protocol/openid-connect/userinfo
role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' ||   'Viewer'

二、注意问题

  • "client_secret" 此项需要在keycloak生成的,在keycloak修改后,同时需要修改grafana配置;
  • "auth_url","token_url","api_url" 这三项需要根据keycloak的配置填写,不建议直接复制黏贴,路径可能会有不同;
  • "role_attribute_path" 此项配置但未生效,可能是keycloak哪里配置的不对,欢迎指教;
  • 配置完成后,如果相同邮箱在grafana已注册使用,会与keycloak传递的用户信息冲突。
posted @ 2023-06-12 14:29  ヾ(o◕∀◕)ノヾ  阅读(540)  评论(0)    收藏  举报