Operation,  Spring & JVM

Integrating Grafana OIDC authentication with Keycloak

1. Deploy on Docker

  • Recommended for testing
docker run -d \
  --name=keycloak \
  -p 8080:8080 \
  -e PROXY_ADDRESS_FORWARDING=true \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  quay.io/keycloak/keycloak:17.0.0 \
  start-dev --hostname-strict-https=true
  • Note: with the newer versions (17.x), when nginx proxies external HTTPS requests the default configuration may cause keycloak.js to be loaded over a plain http link, so the admin UI fails to render. Both PROXY_ADDRESS_FORWARDING=true and --hostname-strict-https=true must be set together for this to take effect; see: #10817

2. Deploy on Kubernetes

3. Deploy Grafana on Docker

  • Recommended for testing
mkdir -p /mnt/disk1/grafana; chmod -R 777 /mnt/disk1/grafana
docker run -tid \
--name=grafana1 \
--network host \
--restart=always \
-p 3000:3000 \
-v /mnt/disk1/grafana:/var/lib/grafana \
docker.io/grafana/grafana:8.2.2

4. Configuring Keycloak and Grafana

TODO

  • grafana
sudo vim /proc/`d inspect grafana1 -f '{{.State.Pid}}'`/root/etc/grafana/grafana.ini

...
# Generic OAuth section of grafana.ini (the section header was not shown in the original fragment)
[auth.generic_oauth]
enabled = true
name = OAuth
client_id = grafana
client_secret = 1lmrUgeYWRsbABJU3rm3WJmE14v3vRRG
id_token_attribute_name = id_token
# https://grafana.com/docs/grafana/latest/auth/generic-oauth/#login
login_attribute_path = 
# JMESPath over the token claims: first matching group wins, everyone else becomes Viewer
role_attribute_path = contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'
allow_sign_up = true
scopes = openid profile email
empty_scopes = false
#role_attribute_path = 'True'&&'Admin'
#email_attribute_name = email
teams_url = https://www.baidu.com
#auth_url = http://wl4g.debug:18080/iam-web/oidc/v1/authorize
#token_url = http://wl4g.debug:18080/iam-web/oidc/v1/token
#api_url = http://wl4g.debug:18080/iam-web/oidc/v1/userinfo
...
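The role_attribute_path line above decides which Grafana role every SSO user gets, so it is worth checking against the claims Keycloak actually puts in the ID token before going live. The following is an added example (not code from the original post, and not Grafana's own JMESPath evaluator): map_role re-implements the semantics of that expression in plain Python (in JMESPath, `&&` yields its right operand when the left is truthy and `||` yields the first truthy operand, so the expression resolves to exactly one role string), and decode_jwt_payload extracts the claims from a token. The token and its claims are constructed inline; the signature segment is left empty because the sample is only decoded here, never verified.

```python
import base64
import json


def map_role(claims: dict) -> str:
    """Python equivalent (assumed, not Grafana's evaluator) of the grafana.ini expression:
    contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'
    A missing or non-list groups claim falls through to Viewer, exactly like the JMESPath form.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list):
        groups = []
    if "admin" in groups:
        return "Admin"
    if "editor" in groups:
        return "Editor"
    return "Viewer"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims in the payload segment of a JWT (no signature check; inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_sample_token(claims: dict) -> str:
    """Constructed sample token: header + payload + empty signature segment, for decoding demos."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed claim sets illustrating the three outcomes plus the common pitfall:
    # Keycloak's group membership mapper emits full paths ("/admin") by default,
    # which contains(groups[*], 'admin') does not match.
    samples = {
        "admin user": {"sub": "u1", "groups": ["admin", "editor"]},
        "editor user": {"sub": "u2", "groups": ["editor"]},
        "full-path group": {"sub": "u3", "groups": ["/admin"]},
        "no groups claim": {"sub": "u4"},
    }
    for label, claims in samples.items():
        token = build_sample_token(claims)
        print(f"{label:17s} -> {map_role(decode_jwt_payload(token))}")
```

Two things the run makes visible: a user whose token carries `/admin` (Keycloak's "full group path" mapper default) lands in Viewer rather than Admin, so either disable the full-path option on the mapper or match on the path in the expression; and the commented-out alternative `'True'&&'Admin'` is a string literal that is always truthy, so it would make every authenticated user an Admin.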
