feat: grafana role mapping from keycloak client roles

etc/bento.env

@@ -453,6 +453,8 @@ BENTO_GRAFANA_IMAGE=grafana/grafana
 BENTO_GRAFANA_IMAGE_VERSION=11.1.3
 BENTO_GRAFANA_CONTAINER_NAME=${BENTOV2_PREFIX}-grafana
 BENTO_GRAFANA_LIB_DIR=${BENTO_SLOW_DATA_DIR}/grafana/lib
+BENTO_GRAFANA_ROLE_ATTRIBUTE_PATH="contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer' || 'None'"
+BENTO_GRAFANA_SIGNOUT_REDIRECT_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2F${BENTOV2_PORTAL_DOMAIN}%2Fapi%2Fgrafana%2Flogin
 BENTO_PROMTAIL_IMAGE=grafana/promtail
 BENTO_PROMTAIL_IMAGE_VERSION=2.9.10
 BENTO_PROMTAIL_CONTAINER_NAME=${BENTOV2_PREFIX}-promtail

lib/logs/docker-compose.logs.yaml

@@ -9,25 +9,28 @@ services:
       - GF_SECURITY_COOKIE_SAMESITE=none
       - GF_SECURITY_COOKIE_SECURE=true
       - GF_SECURITY_ALLOW_EMBEDDING=true
-      - GF_LOG_LEVEL=debug
       - GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION=true
       - GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=true
       - GF_AUTH_GENERIC_OAUTH_ENABLED=true
       - GF_AUTH_GENERIC_OAUTH_NAME=Keycloak-OAuth
-      - GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=false
+      - GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
       - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${BENTO_GRAFANA_CLIENT_ID}
       - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=${BENTO_GRAFANA_CLIENT_SECRET}
       - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile offline_access roles
       - GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
       - GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=preferred_username
       - GF_AUTH_GENERIC_OAUTH_USE_PKCE=true
-      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/bentov2/protocol/openid-connect/auth
-      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/bentov2/protocol/openid-connect/token
-      - GF_AUTH_GENERIC_OAUTH_API_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/bentov2/protocol/openid-connect/userinfo
-      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH='GrafanaAdmin'
+      - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/auth
+      - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/token
+      - GF_AUTH_GENERIC_OAUTH_API_URL=https://${BENTOV2_AUTH_DOMAIN}/realms/${BENTOV2_AUTH_REALM}/protocol/openid-connect/userinfo
+      # Role mapping based on Grafana client role membership
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=${BENTO_GRAFANA_ROLE_ATTRIBUTE_PATH}
+      - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT=true
       # Allows authentication for users that don't have an email
       - GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email || preferred_username || sub
+      - GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL=${BENTO_GRAFANA_SIGNOUT_REDIRECT_URL}
       - GF_AUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true
+      - GF_LOG_LEVEL=debug
     entrypoint:
       - sh
       - -euc

py_bentoctl/other_helpers.py

@@ -222,6 +222,9 @@ def init_dirs():
         **({"auth": "BENTOV2_AUTH_VOL_DIR"} if not c.BENTOV2_USE_EXTERNAL_IDP else {}),
         #  - cBioPortal
         **({"cbioportal": "BENTO_CBIOPORTAL_STUDY_DIR"} if c.BENTO_FEATURE_CBIOPORTAL.enabled else {}),
+        #  - Monitoring: Grafana/Loki 
+        **({"grafana": "BENTO_GRAFANA_LIB_DIR"} if c.BENTO_FEATURE_MONITORING else {}),
+        **({"loki": "BENTO_LOKI_TEMP_DIR"} if c.BENTO_FEATURE_MONITORING else {}),
     }
 
     # Some of these don't use the Bento user inside their containers, so ignore if need be