DEV-1004 Manage Grafana Dashboard Permissions

3 years ago · 1bb111ce7f
parent 9c1b520636
commit 1bb111ce7f
12 changed files with 1908 additions and 1851 deletions
--- a/group_vars/all/grafana.yml
+++ b/group_vars/all/grafana.yml
@ -0,0 +1,16 @@
 ---
 # Define a list of unprivileged Grafana users which will be assigned to the 'Viewer' role
 # Set initial login password for all users, needs to be changed by the user afterwards!
 grafana_users:
  - name: "smardigo"
    login: "smardigo"
    email: "{{ grafana_smardigo_email }}"
    password: "{{ grafana_smardigo_password }}"
 # Define Grafana Dashboards which should be visible users without admin role
 # See uids from in hetzner-ansible/templates/prometheus/config/grafana/provisioning/dashboards/*.json
 grafana_dashboard_whitelist:
  - "hb7fSE0Zz" # Servers
  - "spring_boot_21" # Spring Boot Statistics
  - "000000039" # PostgreSQL Database
  - "549c2bf8936f7767ea6ac47c47b00f2a" # MySQL
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -24,7 +24,7 @@ ssh_ciphers:
  - aes256-ctr
  - aes128-gcm@openssh.com
  - aes256-gcm@openssh.com
-ssh_permit_root_login: 'yes'
+ssh_permit_root_login: "yes"
 docker_enabled: true
 docker_config_enabled: true
@ -36,7 +36,7 @@ node_exporter_enabled: true
 common_apt_dependencies:
  - mc
  - vim
-# TODO Check if we really want this
+  # TODO Check if we really want this
  - zip
  - curl
  - htop
@ -89,28 +89,20 @@ default_hetzner_ssh_keys:
  - "{{ gitlab_ansible_user_name }}@git.dev-at.de"
 hetzner_ssh_keys: "{{
-   default_hetzner_ssh_keys
+  default_hetzner_ssh_keys
-   + (custom_stage_hetzner_ssh_keys | default([]))
+  + (custom_stage_hetzner_ssh_keys | default([]))
-   }}"
+  }}"
 hetzner_server_labels: "stage={{ stage }}"
 admin_user: "root"
-sudo_groups: [
+sudo_groups:
-  {
+  [
-    id:   "CentOS",
+    { id: "CentOS", sudo_group: "wheel" },
-    sudo_group:   "wheel",
+    { id: "RedHat", sudo_group: "wheel" },
-  },
+    { id: "Ubuntu", sudo_group: "sudo" },
-  {
+  ]
    id:   "RedHat",
    sudo_group:   "wheel",
  },
  {
    id:   "Ubuntu",
    sudo_group:   "sudo",
  },
 ]
 sudo_group: "{{ sudo_groups
  | selectattr('id', 'match', '' + ansible_distribution + '' )
  | map(attribute='sudo_group')
@ -120,26 +112,26 @@ sudo_group: "{{ sudo_groups
 # whitelist for outdated user detection - they wont't be deleted at all
 default_users:
-  - 'nobody'
+  - "nobody"
-  - 'elastic'
+  - "elastic"
-  - 'postgres'
+  - "postgres"
-  - 'administrator'
+  - "administrator"
-  - '{{ admin_user }}'
+  - "{{ admin_user }}"
 default_plattform_users:
-  - 'claus.paetow'
+  - "claus.paetow"
-  - 'friedrich.goerz'
+  - "friedrich.goerz"
-  - 'sven.ketelsen'
+  - "sven.ketelsen"
-  - 'michael.haehnel'
+  - "michael.haehnel"
-  - 'hoan.to'
+  - "hoan.to"
-  - '{{ awx_ansible_user_name }}'
+  - "{{ awx_ansible_user_name }}"
-  - '{{ gitlab_ansible_user_name }}'
+  - "{{ gitlab_ansible_user_name }}"
 smardigo_plattform_users: "{{
-   default_plattform_users
+  default_plattform_users
-   + (custom_plattform_users | default([]))
+  + (custom_plattform_users | default([]))
-   + (custom_stage_plattform_users | default([]))
+  + (custom_stage_plattform_users | default([]))
-   }}"
+  }}"
 ip_whitelist_netgo:
  - "212.121.131.106/32" # netgo berlin
@ -156,17 +148,18 @@ docker_group: "{{ admin_user }}"
 docker_users: "{{ smardigo_plattform_users }}"
 docker_compose_path: "/usr/bin/docker-compose"
-service_base_path: '/etc/smardigo'
+service_base_path: "/etc/smardigo"
 devops_email_address: "nso.devops@netgo.de"
-gitea_admin_email: '{{ devops_email_address }}'
+gitea_admin_email: "{{ devops_email_address }}"
-lets_encrypt_email: '{{ devops_email_address }}'
+lets_encrypt_email: "{{ devops_email_address }}"
-connect_admin_email: '{{ devops_email_address }}'
+connect_admin_email: "{{ devops_email_address }}"
-keycloak_admin_email: '{{ devops_email_address }}'
+keycloak_admin_email: "{{ devops_email_address }}"
-pgadmin4_admin_email: '{{ devops_email_address }}'
+pgadmin4_admin_email: "{{ devops_email_address }}"
-harbor_oidc_admin_email: '{{ devops_email_address }}'
+harbor_oidc_admin_email: "{{ devops_email_address }}"
-grafana_admin_email: '{{ devops_email_address }}'
+grafana_admin_email: "{{ devops_email_address }}"
-argocd_admin_email: '{{ devops_email_address }}'
+grafana_smardigo_email: "{{ devops_email_address }}"
 argocd_admin_email: "{{ devops_email_address }}"
 http_port: "80"
 https_port: "443"
@ -223,12 +216,12 @@ k8s_basic_services:
  - kubelet
  - containerd
-selfsigned_ca_private_key_passphrase: '{{ selfsigned_ca_private_key_passphrase_vault }}'
+selfsigned_ca_private_key_passphrase: "{{ selfsigned_ca_private_key_passphrase_vault }}"
 # hetzner upstream DNSservers
 upstream_dns_servers:
- 185.12.64.1
+  - 185.12.64.1
- 185.12.64.2
+  - 185.12.64.2
 harbor_username: "{{ docker_registry_username_vault }}"
 harbor_token: "{{ docker_registry_token_vault }}"
--- a/group_vars/stage_dev/grafana.yml
+++ b/group_vars/stage_dev/grafana.yml
@ -0,0 +1,2 @@
 ---
 grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@ -1,5 +1,4 @@
 ---
 stage: "dev"
 stage_kube: "{{ stage }}nso"
@ -51,8 +50,7 @@ iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 grafana_admin_username: "grafana-admin"
 grafana_admin_password: "{{ grafana_admin_password_vault }}"
-grafana_user_smardigo_login: "smardigo"
+
 grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
 grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
@ -104,7 +102,7 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
-gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"
 custom_stage_plattform_users:
  - hp.wissenbach
--- a/group_vars/stage_dev/vault.yml
+++ b/group_vars/stage_dev/vault.yml
--- a/group_vars/stage_prodnso/grafana.yml
+++ b/group_vars/stage_prodnso/grafana.yml
@ -0,0 +1,2 @@
 ---
 grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
--- a/group_vars/stage_prodnso/plain.yml
+++ b/group_vars/stage_prodnso/plain.yml
@ -1,5 +1,4 @@
 ---
 stage: "prodnso"
 stage_kube: "{{ stage }}"
@ -51,8 +50,7 @@ iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 grafana_admin_username: "grafana-admin"
 grafana_admin_password: "{{ grafana_admin_password_vault }}"
-grafana_user_smardigo_login: "smardigo"
+
 grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
 grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
@ -104,4 +102,4 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
-gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"
--- a/group_vars/stage_prodnso/vault.yml
+++ b/group_vars/stage_prodnso/vault.yml
--- a/group_vars/stage_qa/grafana.yml
+++ b/group_vars/stage_qa/grafana.yml
@ -0,0 +1,2 @@
 ---
 grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@ -1,5 +1,4 @@
 ---
 stage: "qa"
 stage_kube: "{{ stage }}nso"
@ -51,8 +50,7 @@ iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 grafana_admin_username: "grafana-admin"
 grafana_admin_password: "{{ grafana_admin_password_vault }}"
-grafana_user_smardigo_login: "smardigo"
+
 grafana_user_smardigo_password: "{{ grafana_user_smardigo_password_vault }}"
 grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
@ -104,4 +102,4 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
-gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"
--- a/group_vars/stage_qa/vault.yml
+++ b/group_vars/stage_qa/vault.yml
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -1,10 +1,10 @@
 ---
 ### tags:
 ###   update_config
 ###   update_deployment
 ###   update-digitalocean-metrics
 ###   update-hetzner-metrics
 ###   grafana-user-update
 - name: "Create/Resize LVM for datadir"
  include_role:
@ -28,7 +28,7 @@
 - name: "Check if {{ inventory_hostname }}/docker-compose.yml exists"
  stat:
-    path: '{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml'
+    path: "{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml"
  register: check_docker_compose_file
  tags:
    - update_config
@ -36,7 +36,7 @@
 - name: "Stop {{ inventory_hostname }}"
  community.docker.docker_compose:
-    project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+    project_src: "{{ service_base_path }}/{{ inventory_hostname }}"
    state: absent
  when: check_docker_compose_file.stat.exists
  tags:
@ -58,7 +58,7 @@
 - name: "Update {{ inventory_hostname }}"
  community.docker.docker_compose:
-    project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+    project_src: "{{ service_base_path }}/{{ inventory_hostname }}"
    state: present
    pull: yes
  tags:
@ -69,40 +69,88 @@
  tags:
    - update_config
- name: "Wait for {{ http_s }}://{{ inventory_hostname }}-grafana.{{ domain }}"
+- name: Create or update Grafana users
  community.grafana.grafana_user:
    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}"
    url_username: "{{ grafana_admin_username }}"
    url_password: "{{ grafana_admin_password }}"
    name: "{{ item.name }}"
    email: "{{ item.email }}"
    login: "{{ item.login }}"
    password: "{{ item.password }}"
    is_admin: false
    state: present
  loop: "{{ grafana_users }}"
  tags:
    - grafana-user-update
 - name: "Get all Dashboard uids from {{ http_s }}://{{ inventory_hostname }}-grafana.{{ domain }}"
  uri:
-    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/admin/stats"
+    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/search"
    url_username: "{{ grafana_admin_username }}"
    url_password: "{{ grafana_admin_password }}"
    force_basic_auth: yes
    method: GET
    status_code: 200
    return_content: yes
-  register: grafana_stats
+  register: grafana_dashboards
-  until: grafana_stats.status == 200
+  until: grafana_dashboards.status == 200
  retries: 10
  delay: 60
  tags:
    - grafana-user-update
- name: Create grafana users
+- name: "Get all existing Dashboard uids"
  set_fact:
    grafana_dashboards_uids: "{{ grafana_dashboards.json | json_query('[].uid') }}"
  tags:
    - grafana-user-update
 - name: "Printing Grafana Dashboard IDs"
  debug:
    msg: "{{ grafana_dashboards_uids }}"
  tags:
    - grafana-user-update
  when:
    - debug
 - name: Restrict admin dashboard permissions
  uri:
-    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/admin/users"
+    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/dashboards/uid/{{ item }}/permissions"
    url_username: "{{ grafana_admin_username }}"
    url_password: "{{ grafana_admin_password }}"
    force_basic_auth: yes
    method: POST
-    status_code: 200
+    headers:
      Content-Type: application/json
    body_format: json
-    body: "{\"name\":\"{{ item.name }}\", \"email\":\"{{ item.email }}\", \"login\":\"{{ item.login }}\", \"password\":\"{{ item.password }}\" }"
+    body:
      items:
        - role: Admin
          permission: 4
    return_content: yes
  loop: "{{ grafana_dashboards_uids | difference(grafana_dashboard_whitelist) | list }}"
  tags:
    - grafana-user-update
 - name: Allow viewer dashboard permissions
  uri:
    url: "{{ http_s }}://{{ grafana_id }}.{{ domain }}/api/dashboards/uid/{{ item }}/permissions"
    url_username: "{{ grafana_admin_username }}"
    url_password: "{{ grafana_admin_password }}"
    force_basic_auth: yes
    method: POST
    headers:
      Content-Type: application/json
-  loop:
+    body_format: json
-     - {
+    body:
-      name: "{{ grafana_user_smardigo_login }}",
+      items:
-      login: "{{ grafana_user_smardigo_login }}",
+        - role: Viewer
-      password: "{{ grafana_user_smardigo_password }}",
+          permission: 1
-      email: "smardigo@netgo.de"
+    return_content: yes
-     }
+  loop: "{{ grafana_dashboard_whitelist }}"
-  when: grafana_stats.json.users == 1
+  tags:
    - grafana-user-update
 - name: "Create digitalocean api metric script from template"
  template:
		`@ -0,0 +1,2 @@`
							`---`
							`grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"`