Setting up Keycloak roles to define admin access and integration with Datahub for group management

Original Slack Thread

Question on using Keycloak as my IDP.
It's configured and working.
I want to have a role in Keycloak that is published in the claim so I can define who is an admin.
The docs aren't quite clear about this.
I see there is an AUTH_OIDC_GROUPS_CLAIM and AUTH_OIDC_EXTRACT_GROUPS_ENABLED, which means it pulls from the default groups,
but how can that map to admin, edit, viewer?
https://datahubproject.io/docs/deploy/environment-vars
I've done this before for Grafana.
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/keycloak/
In Grafana you configure it to look for GrafanaAdmin or Admin or Editor or Viewer, and the default if not found is Viewer.
role_attribute_path = contains(resource_access.grafana_oauth.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.grafana_oauth.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana_oauth.roles[*], 'editor') && 'Editor' || 'Viewer'
FYI. To get more advanced, my Keycloak is configured using SAML, so I actually pull the corp groups and can assign these to attributes of the Keycloak user and then map them into an actual group claim, which would give me more of an AD-driven admin setup… but getting the basics working first is my goal.

Any help would be great.

Hey <@U06EHHFPJ7L>,
Did you check this post (https://datahubspace.slack.com/archives/CV2UVAPPG/p1635876842059000)? This is how we've had it set up, but after upgrading DataHub to the latest version, for some reason it does not map the groups correctly.
I am currently looking into it, since we've migrated from v0.9.6 to v0.12.1, so there might have been something that has changed.

I've managed to get it working. In the process of updating, we switched from using Neo4j to using Elasticsearch for our graph service.
After running the restore indexes job, everything seems to be working.

<@U04G3HGFB88> This was exactly what I needed!!
I followed the suggested link in that thread…
https://www.syscrest.com/2022/11/datahub-oidc-identity-group-managment-with-keycloak/
And then went and created an ‘admin’ policy in DataHub using that group, and it worked like a charm… (I never used a policy before, but it was pretty intuitive.)
I'd highly recommend taking that link and some info on creating a policy and adding it as a doc / example page in DataHub for Keycloak integration.

thanks
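The thread's working recipe is: Keycloak writes the user's groups into an ID token claim, the application reads that claim (the setting DataHub calls AUTH_OIDC_GROUPS_CLAIM), and a policy bound to a group name grants the admin/editor/viewer level, with viewer as the fallback (the same precedence the Grafana role_attribute_path above encodes). The snippet below is an added illustration of that pipeline, not DataHub, Grafana or Keycloak code; the dotted claim-path lookup, the SAMPLE_CLAIMS payload and the GROUP_LEVELS table are constructed assumptions for the example.

```python
"""Map an OIDC ID token's group claim to a coarse access level.
Added example (not DataHub/Keycloak code): shows how a configured claim
name becomes a group list, and how group membership picks the policy."""
from typing import Any, Dict, List

# Constructed ID token payload, shaped like what Keycloak emits when a
# "Group Membership" protocol mapper writes the user's groups into a claim.
# Keycloak prefixes each group with its full path ("/parent/child").
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "example-subject-id",  # placeholder, not a real user
    "preferred_username": "alice",
    "groups": ["/datahub-editors", "/analysts"],
    "resource_access": {"grafana_oauth": {"roles": ["editor"]}},
}

# Assumed policy table: group name -> privilege level. Mirrors the thread's
# "create an admin policy for that group" approach; the highest level wins.
GROUP_LEVELS = {"datahub-admins": 3, "datahub-editors": 2, "datahub-viewers": 1}
LEVEL_NAMES = {3: "admin", 2: "editor", 1: "viewer"}


def extract_groups(claims: Dict[str, Any], claim_path: str) -> List[str]:
    """Return the groups found under a dotted claim path (an assumption of
    this example; check your IdP/app for the exact claim-name semantics).
    A missing claim yields [] so the caller falls back to the default level."""
    node: Any = claims
    for part in claim_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, str):  # a single group may arrive as a bare string
        node = [node]
    if not isinstance(node, list):
        return []  # unexpected shape: grant nothing rather than guess
    # Drop the leading "/" so "/datahub-admins" matches the policy table.
    return [str(g).lstrip("/") for g in node]


def resolve_level(groups: List[str], default: str = "viewer") -> str:
    """Pick the highest privilege any group grants; unknown groups give default."""
    best = max((GROUP_LEVELS.get(g, 0) for g in groups), default=0)
    return LEVEL_NAMES.get(best, default)


def effective_level(claims: Dict[str, Any], claim_path: str = "groups") -> str:
    """End-to-end: claim path -> groups -> access level."""
    return resolve_level(extract_groups(claims, claim_path))
```

Pointing the claim path at a claim that does not exist, or at one whose groups match no policy, yields "viewer", which is the safe failure mode to verify before trusting the mapping in production.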

I'm glad it worked for you 🙂