IT-ASDF: MONIT Grafana integration with CERN e-groups

Europe/Zurich
513/1-024 (CERN)
Description
IT Activities and Services Discussion Forum (ASDF)
Host
Jorge Garcia Cuervo
Alternative hosts
Charles Delort, Karolina Przerwa, Stefan Nicolae Stancu, Enrico Bocchi, Nikos Papakyprianou, Pablo Martin Zamora, Ismael Posada Trobo

ASDF 11/07/24 - Minutes

MONIT Grafana integration with CERN e-groups

Speaker: Nikolay Tsvetkov

Q/A


Q - Slide 5. Is the login page allowing local accounts? Can it be removed/hidden?
A - That’s only for MONIT admins; it cannot be removed, as we would lose access to the admin panel. To be seen if it could be hidden.


Q - Slide 7. How do you actually manage permissions?
A - Permissions are managed per dashboard/folder level. By default, Grafana teams do not have any permissions, so the organization admin is the one responsible for defining permissions for the teams.


Q - Can a Grafana team be administrator of the whole organization?
A - No, Grafana teams cannot be administrators of the organization. This is why teams are a complement to the access level that you get from the organization.


Q - Are permissions on Grafana folders recursive?
A - Yes, if you grant access to the General folder, it also grants access to everything within it.


Q - How does the Team-only access level work if you cannot have teams as organization admins?
A - There are still users who are administrators of the organization itself. The administrators are excluded from the synchronization process. Now, when you request a new organization, we can set an administrator e-group. All the members of this e-group will become administrators of the organization itself, although they will be shown as individual users.


Q - Are nested e-groups expanded for the synchronization?
A - Yes


Q - Slide 6. Are the Public, Private and CERN Only access levels Grafana defaults?
A - They are not Grafana defaults. These have been defined since 2016, and this is our way to synchronize users across organizations.

Q - Would it make sense to align this with the CERN data classification (CERN Internal, restricted to, …)?
A - We can, but these names are arbitrary and exist only in the internal configuration. Nobody sees them.


Q - Is CERN Only access evaluated against the e-mail address or the CERN account?
A - We only check if the account used in Grafana is a cern.ch account. We understand that this is a bit limiting. This was done based on a request to limit non-CERN users. However, with the new integration of teams with e-groups, it may be possible to complement this via extra teams of people excluded from the organization but that still need access to it.

Q - Maybe have an e-group with all CERN accounts?
A - This we would like to avoid, as teams should be small. We currently impose a synchronization limit of a maximum of 1,000 members per group. The recommended way for a CERN Only organization with requirements for external access is for the administrator to set up an extra team and give it access to the organization.

Q - It could maybe be interesting to have a more generic discussion about what “having a @cern.ch address” means. There may be better ways to get what you actually want (that the person is affiliated with CERN) from the SSO token (or from the Auth API) instead of e-mail matching. The problem is more general than just this service, however, so this could be something for the ARB?
A - For Grafana users, when they log in via SSO for the first time, we use the standard Grafana OAuth integration; we don’t query the authentication service. With the old SSO we used middle-access-level accounts between the lightweight and CERN accounts, but with the new SSO this kind of account is not working as expected.

Q - In your case, maybe you could use some custom SSO roles for that? (as no public access is needed)
A - We can discuss further, thanks for the suggestion.
