opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-31 03:42:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
grafana/docs/sources/enterprise/access-control/enable-rbac-and-provisioning.md
Christopher Moyer a20b3e2d59 Docs: Fine-grained access control refactor (#47536) 
* fleshing out About topic

* docs, fgac refactor initial draft

* updated FGAC with service account details

* finalized restructure

* make prettier, corrects spelling

* fixes typo

* adds rollout strategy topic

* started name change

* renamed to rbac throughout docs

* copy edit to about and actions and scopes docs

* finishes content reorg

* draft of refactored refactored docs

* corrects relrefs

* formatting tweaks

* fixes typo

* copy updates to about rbac

* rbac rollout docs edits

* update rbac role assignment docs

* content update to manage rbac roles doc

* sort and reorder roles reference in rbac docs

* alphabetize permissions table

* Update docs/sources/enterprise/settings-updates.md

Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>

* incorporates feedback, makes prettier

* update http api references in rbac docs

* fix broken refs and improve wording on enabling RBAC provisioning

Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Mitchel Seaman <mitchel.seaman@gmail.com>
Co-authored-by: Mitch Seaman <mjseaman@users.noreply.github.com>
2022-04-27 09:51:56 -05:00

3.9 KiB
Raw Blame History

title menuTitle description aliases weight
Enable RBAC and provisioning in Grafana Enable RBAC and provisioning Learn how to enable RBAC and provisioning in Grafana.
30

Enable RBAC and provisioning

Before you assign RBAC roles to Grafana users and teams, you must enable it by:

  • Adding a feature toggle to the Grafana configuration file, or
  • Adding an environment variable to the Grafana configuration file

If you use provisioning to assign and manage roles, in addition to enabling RBAC, you must enable provisioning.

This topic includes instructions for both methods of enabling role-based access control, and steps for enabling provisioning.

Enable RBAC

This section describes how to enable RBAC by setting a feature flag or adding an environment variable to the Grafana configuration file. You choose one method to enable RBAC. You are not required to use both methods to enable RBAC.

Note: The environment variable overrides access control settings in the configuration file, if any exist.


Before you begin:

  • Ensure that you have administration privileges to the Grafana server.

To enable RBAC:

  1. Open the Grafana configuration file.

    For more information about the location of the Grafana configuration file, refer to [config file]({{< relref "../../administration/configuration.md#config-file-locations" >}}).

  2. To enable RBAC using the feature toggle:

    a. Locate the [feature toggles] section in the configuration file.

    b. Add the following feature toggle parameter:

    [feature_toggles]
# enable features, separated by spaces
enable = accesscontrol

  3. To enable RBAC by setting an environment variable, add the following environment variable to the configuration file:

    GF_FEATURE_TOGGLES_ENABLE = accesscontrol

    For more information about using environment variables in Grafana, refer to [Configuring with environment variables]({{< relref "../../administration/configuration.md#configure-with-environment-variables" >}}).

  4. Save your changes and restart the Grafana server.

  5. To verify that RBAC is enabled, send an HTTP request to the check endpoint.

    For more information about sending an HTTP request to the check endpoint, refer to [Check endpoint]({{< relref "../../http_api/access_control.md#check-if-enabled" >}}).

Enable role provisioning

You can create, change or remove [Custom roles]({{< relref "./manage-rbac-roles.md#create-custom-roles-using-provisioning" >}}) and create or remove [basic role assignments]({{< relref "./assign-rbac-roles.md#assign-a-fixed-role-to-a-basic-role-using-provisioning" >}}), by adding one or more YAML configuration files in the provisioning/access-control/ directory.

If you choose to use provisioning to assign and manage role, you must first enable it.

Grafana performs provisioning during startup. After you make a change to the configuration file, you can reload it during runtime. You do not need to restart the Grafana server for your changes to take effect.


Before you begin:

  • Ensure that you have access to files on the server where Grafana is running.

To manage and assign RBAC roles using provisioning:

  1. Sign in to the Grafana server.

  2. Locate the Grafana provisioning folder.

  3. Create a new YAML in the following folder: provisioning/access-control. For example, provisioning/access-control/custom-roles.yml

  4. Add RBAC provisioning details to the configuration file. See [manage RBAC roles]({{< relref "manage-rbac-roles.md" >}}) and [assign RBAC roles]({{< relref "assign-rbac-roles.md" >}}) for instructions, and see this [example role provisioning file]({{< relref "provisioning-roles-example.md" >}}) for a complete example of a provisioning file.

  5. Reload the provisioning configuration file.

    For more information about reloading the provisioning configuration at runtime, refer to [Reload provisioning configurations]({{< relref "../../http_api/admin/#reload-provisioning-configurations" >}}).