Era Software

Using RBAC with Grafana and Azure AD

Estimated reading time: 3 minutes
  • guide
  • erasearch
  • self-hosted
  • rbac
  • grafana
  • azure-ad

With EraSearch RBAC, you can map EraSearch roles to roles in external identity providers. This feature lets you integrate EraSearch into your existing authentication setup.

This guide shows how to manage EraSearch access in Grafana via Azure Active Directory (Azure AD). In the guide, you'll:

  • Create an app role and assign users to it in your Azure AD Grafana application.
  • Create an EraSearch role for reading specific indexes.
  • Map the roles together, letting only some users read EraSearch data in Grafana.

The content below is intended for existing self-hosted EraSearch users. Reach out to us at Era Software if you're interested in getting started with self-hosted EraSearch.

Before you begin

This guide assumes you've installed and are using Azure AD, Grafana, and self-hosted EraSearch. Before you start:

Step 1: Create an app role in your Azure AD Grafana application

Follow these steps to create an app role in your Azure AD Grafana application:

  1. In the Azure Portal, click the hamburger menu > Azure Active Directory.
  2. Click App registrations and then your existing Grafana application.
  3. To set up a new role, click App roles > + Create app role.
  4. Fill out the form:
    • For Display name, enter a name for the app role. Example: EraSearch - Read Logstash logs.
    • For Allowed member types, check Users/Groups.
    • For Value, enter the value you'll use to map this app role to the EraSearch role. Example: erasearch_read_logstash.
    • For Description, describe the role. Example: Read Logstash logs.
    • Check Do you want to enable this app role?
  5. Click Apply to create the app role and return to the App roles page.

Step 2: Add users to the app role

Add users to your app role by following steps 1-11 in Azure's Assign users and groups to roles.

Step 3: Enable forward OAuth identity in Grafana

Follow these steps to enable forward OAuth identity in your EraSearch data sources:

  1. In Grafana, click Configuration > Data sources.
  2. Click any relevant EraSearch data source.
  3. Under Auth, activate the Forward OAuth Identity option.
  4. Click Save & Test to save your changes.

Step 4: Create a read-only role in EraSearch

Follow the steps below to create an EraSearch role for reading indexes starting with logstash-. While the example references Logstash, you can customize those values for your own setup.

  1. In your terminal, export these environment variables, replacing YOUR_KEY with the key you generated in Setting up RBAC:
    $ export ADMIN_API_KEY="YOUR_KEY"
    $ export ERA_URL="localhost:9200"
    
  2. Define the EraSearch role by writing this content to logstash_readonly_role.json:
    {
      "name": "read_logstash_logs",
      "database": [],
      "indexes": [
        {
          "names": [
            "logstash-*"
          ],
          "permissions": [
            "read"
          ]
        }
      ]
    }
    
  3. Create the role by entering the command below. EraSearch responds with details about the role, including its id, name, and permissions.
    $ curl -H "Content-Type: application/json" -H "Authorization: Bearer ${ADMIN_API_KEY}" --data-binary @logstash_readonly_role.json ${ERA_URL}/v1/roles
    

Step 5: Map the app role to the EraSearch role
Copy
Copied!

Connect the Azure AD app role to the EraSearch role:

  1. Define the mapping by writing the content below to logstash_role_mapping.json. Note that name matches the app role value in Azure AD, and roles matches the EraSearch role name.
    {
      "name": "erasearch_read_logstash",
      "roles": [
        "read_logstash_logs"
      ]
    }
    
  2. Create the role mapping by entering the command below in your terminal. EraSearch responds with details about the role mapping, including its id, name, and roles.
    $ curl -H "Content-Type: application/json" -H "Authorization: Bearer ${ADMIN_API_KEY}" --data-binary @logstash_role_mapping.json ${ERA_URL}/v1/role_mappings
    

Azure AD's erasearch_read_logstash app role now has the permissions in EraSearch's read_logstash_logs role.
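The role document from Step 4 and the mapping document from Step 5 have to agree with each other and with the Azure AD app role value: if the mapping's roles entry does not exactly match the EraSearch role name, the app role is mapped to a role that does not exist and grants nothing. The script below is an added example, not Era Software's code. It generates both files from parameters, checks that cross-reference before anything is sent, and then issues the same two requests the guide shows above. The function names, the DRY_RUN switch and the apply argument are this example's own; the endpoints, headers, environment variables and JSON layout are the ones used in Steps 4 and 5.

```shell
#!/usr/bin/env sh
# Added example (not Era Software's code): build, cross-check and submit the
# EraSearch role and role mapping from Steps 4 and 5 of the guide.
set -eu

# Write an EraSearch role granting read on indexes matching $2 (e.g. "logstash-*").
# Layout follows logstash_readonly_role.json from Step 4.
write_role_json() {
  role_name="$1"; index_pattern="$2"; out="$3"
  cat > "$out" <<EOF
{
  "name": "${role_name}",
  "database": [],
  "indexes": [
    { "names": ["${index_pattern}"], "permissions": ["read"] }
  ]
}
EOF
}

# Write a mapping from the Azure AD app role value ($1) to an EraSearch role ($2).
# Layout follows logstash_role_mapping.json from Step 5.
write_mapping_json() {
  app_role_value="$1"; role_name="$2"; out="$3"
  cat > "$out" <<EOF
{
  "name": "${app_role_value}",
  "roles": ["${role_name}"]
}
EOF
}

# Succeed only when the role referenced by the mapping is the role we are creating.
# Catches the typo that would otherwise map the app role to a non-existent role.
check_mapping_matches_role() {
  role_file="$1"; mapping_file="$2"
  role_name=$(sed -n 's/.*"name": *"\([^"]*\)".*/\1/p' "$role_file" | head -n 1)
  mapped_role=$(sed -n 's/.*"roles": *\[ *"\([^"]*\)".*/\1/p' "$mapping_file" | head -n 1)
  [ -n "$role_name" ] && [ "$role_name" = "$mapped_role" ]
}

# POST a JSON file to an EraSearch endpoint exactly as the guide's curl commands do.
# With DRY_RUN=1 (this example's own switch) the request is printed, not sent.
post_json() {
  file="$1"; path="$2"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "curl -H 'Content-Type: application/json' -H 'Authorization: Bearer \$ADMIN_API_KEY' --data-binary @${file} ${ERA_URL}${path}"
    return 0
  fi
  curl -sS -H "Content-Type: application/json" \
       -H "Authorization: Bearer ${ADMIN_API_KEY}" \
       --data-binary @"$file" "${ERA_URL}${path}"
}

# End-to-end: Step 4 (role) then Step 5 (mapping), with the consistency check between them.
main() {
  : "${ADMIN_API_KEY:?set ADMIN_API_KEY to the key from Setting up RBAC}"
  ERA_URL="${ERA_URL:-localhost:9200}"
  write_role_json    "read_logstash_logs"      "logstash-*"         logstash_readonly_role.json
  write_mapping_json "erasearch_read_logstash" "read_logstash_logs" logstash_role_mapping.json
  check_mapping_matches_role logstash_readonly_role.json logstash_role_mapping.json \
    || { echo "mapping references a role name that is not being created" >&2; exit 1; }
  post_json logstash_readonly_role.json /v1/roles
  post_json logstash_role_mapping.json  /v1/role_mappings
}

# Only act when explicitly asked, so the functions can be sourced or tested on their own.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `DRY_RUN=1 sh erasearch_rbac.sh apply` to see the two requests without sending them, then without DRY_RUN (and with ADMIN_API_KEY and ERA_URL exported as in Step 4) to create the role and the mapping. The check is done client-side on purpose: it does not rely on the server rejecting a mapping to an unknown role, which this page does not say it does.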

Step 6: Verify your role mapping

To verify your setup:

  1. Log into Grafana as a user assigned to the erasearch_read_logstash app role.
  2. Query data from any index starting with logstash-.

You're all set!

Next steps

Visit User and role management and Giving RBAC write permissions to tools for more about EraSearch RBAC and the permissions you can work with.