Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

updates to scopes and comments #62

Closed
wants to merge 4 commits into from
Closed

updates to scopes and comments #62

wants to merge 4 commits into from

Conversation

rcgottlieb
Copy link

Changes proposed in this pull request:

  • Modified manifest to include new scopes and comment documenting them

security considerations

None

jameshochadel
jameshochadel reviewed Feb 28, 2024
View reviewed changes
manifest.yml Outdated
@@ -439,12 +440,12 @@ instance_groups:
# Monitoring auth
prometheus-staging:
<<: *client-template
scope: openid,email,profile
scope: openid,email,profile,prometheus.support,concourse.pages,concourse.admin
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with this part of the ops-login manifest; can you tell me more about the additional scopes being granted?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't either before McG showed me. Basically we're making fine grain access to Grafana right now.

The new perm is prometheus.support, so named for a future ticket that will tackle prometheus itself. concourse.pages and concourse.admin are the overall perms currently given to platform folks and pages folks respectively.

So the perms are really just a new scope for uaa and a way to control access to Grafana, rather than just any uaa user.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, those roles make sense. Just to confirm — Is this configuring OpsUAA with scopes related to Prometheus? E.g. is this the full list of scopes related to Prometheus that can be assigned to users?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this is the set for Grafana only. Prometheus will be in another ticket (currently in our IP backlog). So this will be the full list for Grafana.

jameshochadel
jameshochadel previously approved these changes Feb 29, 2024
View reviewed changes
ChrisMcGowan
ChrisMcGowan requested changes Feb 29, 2024
View reviewed changes
Copy link
Contributor

@ChrisMcGowan ChrisMcGowan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the prometheus-production and prometheus-staging clients don't need scope changes here. Please revert back to just openid,email,profile

manifest.yml Outdated
@@ -439,12 +441,12 @@ instance_groups:
# Monitoring auth
prometheus-staging:
<<: *client-template
scope: openid,email,profile
scope: openid,email,profile, prometheus-support, concourse.pages, concourse.admin
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the spaces around the commas

manifest.yml Outdated
redirect-uri: https://prometheus.fr-stage.cloud.gov/oauth2/callback,https://alertmanager.fr-stage.cloud.gov/oauth2/callback,https://grafana.fr-stage.cloud.gov/oauth2/callback,https://grafana.fr-stage.cloud.gov/login/generic_oauth
secret: ((prometheus_client_secret_staging))
prometheus-production:
<<: *client-template
scope: openid,email,profile
scope: openid,email,profile, prometheus-support, concourse.pages, concourse.admin
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the spaces around the commas

@rcgottlieb rcgottlieb closed this Feb 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChrisMcGowan ChrisMcGowan ChrisMcGowan requested changes

@jameshochadel jameshochadel jameshochadel left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rcgottlieb @jameshochadel @ChrisMcGowan