Permission management in Grafana - User without role sees all logs and metrics
Summary
A user is created in Keycloak with no Grafana role. This user is meant, for example, to be a member of a workload cluster and belongs to a specific group created in Keycloak.
This user can connect to Grafana and authenticate with their Keycloak credentials.
After logging in, they have access to all the logs of the management cluster (Logging dashboard) and, when selecting the Thanos data source, to all the metrics of the management cluster and of the workload clusters via the dashboards. The cause is Grafana's default behaviour: an authenticated user for whom no role is mapped receives the default organisation role (Viewer, via auto_assign_org_role), and the default folder and dashboard permissions grant the Viewer role view access to every dashboard.
A partial workaround is to grant the Viewer role only to users who are explicitly assigned a role in Keycloak, e.g. grafanaviewer (in the same way that the Keycloak role grafanaadmin grants the Admin role in Grafana), and to reject logins for which the role mapping matches nothing (Grafana's role_attribute_strict option). This only addresses the all-or-nothing case: a user who does hold grafanaviewer still sees everything.
A user should only have visibility on the data to which they have been explicitly granted access.
To this end, Grafana supports the notion of teams.
Team sync maps Grafana teams to the groups assigned in the identity provider. Unfortunately this feature is only available in Grafana Enterprise and Grafana Cloud Advanced; without it, team membership has to be maintained by hand or through the Grafana API.
Permissions can be granted to a team on a dashboard (cf. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/#dashboard-permissions) or on a folder of dashboards. It would make sense to organise the dashboards with one folder per cluster to ease the management of permissions; the default permission entry that grants the Viewer role view access on each folder must then be removed, otherwise every Viewer keeps seeing all folders.
Only the users belonging to a Keycloak group such as "management cluster metrics" should have access to the metrics of the management cluster, only members of e.g. "management cluster logs" should have access to the logs of the management cluster, and likewise for each workload cluster.
A user can be assigned to several groups in Keycloak and then sees the corresponding data in Grafana.
For access to the logs of a workload cluster, a Loki data source must be created with the same Loki URL as the current Loki data source but with the Loki credentials of that workload cluster (the Loki gateway sets the X-Scope-OrgID tenant header from these credentials), and dashboards can then be created against this data source. Only users belonging to a team with the Viewer permission on these dashboards (or on their folder) can then see them in Grafana.
A similar approach should be taken for viewing the metrics of each cluster.
Caveat: dashboard and folder permissions only hide dashboards. Data source permissions are also an Enterprise feature, so in Grafana OSS any user of the organisation can still query any data source of the organisation directly (for example through the query API) with the credentials stored in that data source. The per-tenant data sources therefore make the per-cluster dashboards possible, but they are not by themselves a hard boundary on the data.
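To make the scheme concrete, the following is an added example (not code from this project or from Grafana) that models the proposed layout: one Loki data source per tenant carrying the X-Scope-OrgID header, one folder per cluster and data kind whose permissions list only the relevant team and drop the implicit Viewer-role grant, and a visibility check showing what a user in given Keycloak groups would see. The group names, cluster names, tenant IDs and team IDs are constructed sample values; the JSON shapes follow Grafana's data source and folder permission HTTP API (jsonData/secureJsonData custom headers, and "items" with teamId/permission), and the Keycloak group to team mapping is assumed to be maintained by Team Sync or by hand.

```python
"""Per-cluster Grafana folder/team permission model (added example)."""
import json

# Grafana dashboard/folder permission levels
VIEW, EDIT, ADMIN = 1, 2, 4

# Constructed sample mapping: Keycloak group -> (cluster, data kind).
# The group names are assumptions; the issue only gives them as examples.
GROUP_SCOPE = {
    "management cluster metrics": ("management", "metrics"),
    "management cluster logs": ("management", "logs"),
    "workload-a metrics": ("workload-a", "metrics"),
    "workload-a logs": ("workload-a", "logs"),
}

# Constructed sample: Grafana team IDs that Team Sync (or an admin) would
# create for each Keycloak group.
TEAM_ID = {group: idx + 1 for idx, group in enumerate(GROUP_SCOPE)}


def loki_datasource(name, url, tenant):
    """Payload for POST /api/datasources: one Loki data source per tenant.

    Every cluster shares the same Loki URL; the tenant is selected by the
    X-Scope-OrgID header, which Grafana sends on every query for this
    data source. The header value lives in secureJsonData so it is
    encrypted at rest and not returned by the API.
    """
    return {
        "name": name,
        "type": "loki",
        "access": "proxy",
        "url": url,
        "jsonData": {"httpHeaderName1": "X-Scope-OrgID"},
        "secureJsonData": {"httpHeaderValue1": tenant},
    }


def folder_permissions(team_ids):
    """Payload for POST /api/folders/<uid>/permissions.

    Grafana's default grants the Viewer *role* view access to each folder.
    The items list replaces the whole ACL, so listing only team entries
    drops that implicit grant: a user who merely holds the Viewer org role
    but is in none of the teams can no longer see the folder.
    """
    return {"items": [{"teamId": t, "permission": VIEW} for t in team_ids]}


def build_acl():
    """Folder name -> set of Keycloak groups allowed to view it.

    One folder per cluster and data kind, each granted to exactly one group.
    """
    acl = {}
    for group, (cluster, kind) in GROUP_SCOPE.items():
        acl.setdefault(f"{cluster}/{kind}", set()).add(group)
    return acl


def visible_folders(user_groups, folder_acl):
    """Folders a user may see, given the Keycloak groups they belong to.

    Membership in several groups yields the union of the folders, matching
    the 'several groups in Keycloak' case from the issue.
    """
    groups = set(user_groups)
    return sorted(f for f, allowed in folder_acl.items() if groups & allowed)


def provisioning_plan(loki_url="http://loki-gateway/"):
    """Everything an admin would push: data sources and folder ACLs."""
    datasources = [
        loki_datasource(f"loki-{cluster}", loki_url, tenant=cluster)
        for cluster in sorted({c for c, _ in GROUP_SCOPE.values()})
    ]
    folders = {
        folder: folder_permissions([TEAM_ID[g] for g in sorted(groups)])
        for folder, groups in build_acl().items()
    }
    return {"datasources": datasources, "folders": folders}


if __name__ == "__main__":
    acl = build_acl()
    print("no groups      ->", visible_folders([], acl))
    print("workload-a logs ->", visible_folders(["workload-a logs"], acl))
    print(json.dumps(provisioning_plan(), indent=2))
```

Running the module prints an empty list for the user with no groups, which is the behaviour the issue asks for, and the JSON that would be posted to Grafana for each data source and folder.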
cc: @mihai.zaharia, @alinhg