How to assign Access Roles to specific LDAP groups

Hi All.

We would like to assign a few Access Roles to only particular LDAP groups. How can we achieve it?
Can someone please help me?

Are you using LDAP auth to begin with? I’m going to assume you’ve at least got LDAP/AD authentication working and you’re only now trying to get group membership -> role mapping working.

I use AD so my settings will be different than what LDAP would be but close enough to demonstrate:

#Search parameters
group_search_filter = "(member:1.2.840.113556.1.4.1941:=CN=%s,CN=Users,DC=*domain*,DC=net)"
group_search_filter_user_attribute = "cn"
group_search_base_dns = ["ou=groups,dc=*domain*,dc=net"]

What you see above allows for nested groups. You’ll see below I have a group called “PMM_Admin” that I can add individuals to in AD, but a larger org likely also has “Domain Admins” or “DBA Team”, so using nested groups I can just add the Domain Admins group to the PMM_Admin group and then anyone in PMM_Admin becomes an admin.

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=PMM_Admin,ou=groups,dc=*domain*,dc=net"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=PMM_Editor,ou=groups,dc=*domain*,dc=net"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "cn=PMM_Viewer,ou=groups,dc=*domain*,dc=net"
# uncomment the line below if you prefer any authenticated user be given view permission
#group_dn = "*"
org_role = "Viewer"

Hope this helps!

Hi @steve.hoffman

Thanks for the details. I have tried exactly the above settings, but we want to change to a custom access role like below.

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "cn=PMM_Viewer,ou=groups,dc=domain,dc=net"
# uncomment the line below if you prefer any authenticated user be given view permission
#group_dn = "*"
org_role = "QAN-DS"

If I replace Viewer role with QAN-DS role then it is not working.

Ahhh, I’m not sure if that’s possible. @Roma_Novikov may know better if and where that is on the overall roadmap. What you highlighted is the first iteration of Role Based Access Controls (RBAC), so it may be missing some features.
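The two failure modes in this thread (a custom access role name placed in org_role, and a wildcard group_dn that hands a role to every authenticated user) are easy to catch before restarting Grafana. The script below is an added example, not code from Grafana, PMM or either poster. It assumes a minimal line-based reader in place of a real TOML parser (use tomllib on real files), that '#' never appears inside a quoted value, and that Grafana applies the first matching mapping per org (check this against your version). The sample config is constructed from the thread's mappings plus the custom role that did not work.

```python
"""Lint the [[servers.group_mappings]] tables of a Grafana ldap.toml.

Added example for this thread; not code from Grafana, PMM or either poster.
Assumptions: the minimal line-based reader below stands in for a real TOML
parser (use tomllib on real files), '#' never appears inside a quoted value,
and Grafana applies the first matching mapping per org (verify for your
version).
"""

BUILTIN_ORG_ROLES = {"Admin", "Editor", "Viewer"}

# Constructed sample, not a real deployment's file.
SAMPLE_LDAP_TOML = """
[[servers.group_mappings]]
group_dn = "cn=PMM_Admin,ou=groups,dc=example,dc=net"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=PMM_Editor,ou=groups,dc=example,dc=net"
org_role = "Editor"

[[servers.group_mappings]]
# wildcard: every authenticated user matches this mapping
group_dn = "*"
org_role = "QAN-DS"
"""


def parse_group_mappings(text):
    """Return a list of dicts, one per [[servers.group_mappings]] table."""
    mappings = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments (assumes no '#' in values)
        if not line:
            continue
        if line == "[[servers.group_mappings]]":
            current = {}
            mappings.append(current)
            continue
        if current is None or "=" not in line:
            continue  # keys outside a mapping table are not linted here
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif value in ("true", "false"):
            value = value == "true"
        current[key] = value
    return mappings


def lint_group_mappings(mappings):
    """Flag mappings that silently fail or over-grant. Returns finding strings."""
    findings = []
    wildcard_seen = False
    for idx, m in enumerate(mappings, 1):
        dn = m.get("group_dn", "")
        role = m.get("org_role")
        if role not in BUILTIN_ORG_ROLES:
            # A custom access role name is not a valid org_role value.
            findings.append(
                f"mapping {idx}: org_role {role!r} is not a built-in org role "
                f"({', '.join(sorted(BUILTIN_ORG_ROLES))}); the mapping will not work")
        if dn == "*" and role != "Viewer":
            findings.append(
                f"mapping {idx}: wildcard group_dn grants {role!r} to every authenticated user")
        if m.get("grafana_admin") is True and role != "Admin":
            findings.append(f"mapping {idx}: grafana_admin = true on a non-Admin org_role")
        if wildcard_seen and dn != "*":
            findings.append(
                f"mapping {idx}: listed after a wildcard mapping, so under first-match "
                f"ordering it can never apply")
        if dn == "*":
            wildcard_seen = True
    return findings


def resolve_org_role(mappings, user_group_dns):
    """Simulate first-match-per-org resolution (assumed rule) for one user."""
    member_of = {g.lower() for g in user_group_dns}  # DN comparison is case-insensitive
    for m in mappings:
        dn = m.get("group_dn", "")
        if dn == "*" or dn.lower() in member_of:
            return m.get("org_role")
    return None  # no mapping matched: the user gets no role from LDAP groups


if __name__ == "__main__":
    parsed = parse_group_mappings(SAMPLE_LDAP_TOML)
    for finding in lint_group_mappings(parsed):
        print("WARN", finding)
    print(resolve_org_role(parsed, ["CN=PMM_Editor,OU=groups,DC=example,DC=net"]))
```

Run it against the sample and it reports the QAN-DS mapping as an invalid org_role and the wildcard as granting that role to everyone; resolve_org_role shows why ordering matters, since a user in both PMM_Admin and PMM_Editor gets Admin only because the Admin mapping is listed first.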

Okay fine @steve.hoffman

I will raise a new request for the same.
Thanks for the details.