RBAC for GitHub

ENTERPRISE: Role based access controls are available for Sensu Enterprise users only.

Reference Documentation

What is RBAC for GitHub?

The Sensu Enterprise Dashboard offers support for built-in Role Based Access Controls (RBAC), which depends on using some external source of truth for authentication. The Sensu Enterprise Dashboard RBAC for GitHub driver provides support for using GitHub.com or a GitHub Enterprise installation for RBAC authentication.

RBAC for GitHub configuration

Example RBAC for GitHub definition

{
  "dashboard": {
    "host": "0.0.0.0",
    "port": 3000,
    "...": "",
    "github": {
      "clientId": "a8e43af034e7f2608780",
      "clientSecret": "b63968394be6ed2edb61c93847ee792f31bf6216",
      "server": "https://github.com",
      "roles": [
        {
          "name": "guests",
          "members": [
            "myorganization/guests"
          ],
          "datacenters": [
            "us-west-1"
          ],
          "subscriptions": [
            "webserver"
          ],
          "readonly": true
        },
        {
          "name": "operators",
          "members": [
            "myorganization/operators"
          ],
          "datacenters": [],
          "subscriptions": [],
          "readonly": false
        }
      ]
    }    
  }
}

RBAC for GitHub definition specification

github attributes

clientId
description: The GitHub OAuth Application “Client ID”. NOTE: requires registration of an OAuth application in GitHub.
required: true
type: String
example:
"clientId": "a8e43af034e7f2608780"

clientSecret
description: The GitHub OAuth Application “Client Secret”. NOTE: requires registration of an OAuth application in GitHub.
required: true
type: String
example:
"clientSecret": "b63968394be6ed2edb61c93847ee792f31bf6216"

server
description: The location of the GitHub server you wish to authenticate against.
required: true
type: String
example:
"server": "https://github.com"

roles
description: An array of role definitions.
required: true
type: Array
example:
"roles": [
  {
    "name": "guests",
    "members": [
      "myorganization/guests"
    ],
    "datacenters": [
      "us-west-1"
    ],
    "subscriptions": [
      "webserver"
    ],
    "readonly": true
  },
  {
    "name": "operators",
    "members": [
      "myorganization/operators"
    ],
    "datacenters": [],
    "subscriptions": [],
    "readonly": false
  }
]

roles attributes

Please see the RBAC definition specification for information on how to configure RBAC roles.
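
The required attributes and types listed above can be checked before a definition is deployed. The following is an added example, not part of the Sensu documentation or product: a small Python linter that validates a dashboard.github definition against that specification and flags the sample clientId and clientSecret values from this page if they were left in place. The function name lint_github_rbac, the HTTPS check on server, and the role checks (inferred from the example definition only) are assumptions made here.

```python
import json
from urllib.parse import urlparse

# Required attributes and their types, from the "github attributes" specification.
REQUIRED = {"clientId": str, "clientSecret": str, "server": str, "roles": list}

# Sample credentials printed in this page's example; never valid in a deployment.
DOC_SAMPLES = {"a8e43af034e7f2608780",
               "b63968394be6ed2edb61c93847ee792f31bf6216"}


def lint_github_rbac(config_text):
    """Return findings for dashboard.github; raises ValueError on invalid JSON."""
    findings = []
    github = json.loads(config_text).get("dashboard", {}).get("github")
    if not isinstance(github, dict):
        return ["dashboard.github: definition is missing"]
    for key, expected in REQUIRED.items():
        if key not in github:
            findings.append(f"{key}: required attribute is missing")
        elif not isinstance(github[key], expected) or not github[key]:
            findings.append(f"{key}: must be a non-empty {expected.__name__}")
    for key in ("clientId", "clientSecret"):
        if isinstance(github.get(key), str) and github[key] in DOC_SAMPLES:
            findings.append(f"{key}: still set to the documentation sample value")
    server = github.get("server")
    # Assumption: the OAuth exchange with the GitHub server should use HTTPS.
    if isinstance(server, str) and urlparse(server).scheme != "https":
        findings.append("server: does not use https")
    roles = github.get("roles")
    for i, role in enumerate(roles if isinstance(roles, list) else []):
        # Assumption: role shape is inferred from this page's example only.
        if not isinstance(role, dict) or not role.get("members"):
            findings.append(f"roles[{i}]: has no members")
        elif not isinstance(role.get("readonly"), bool):
            findings.append(f"roles[{i}]: readonly is not a boolean")
    return findings


# Constructed sample: doc secret left in place, http server, role without members.
SAMPLE = """{"dashboard": {"github": {
  "clientId": "0123456789abcdef0123",
  "clientSecret": "b63968394be6ed2edb61c93847ee792f31bf6216",
  "server": "http://github.example.internal",
  "roles": [{"name": "guests", "members": [], "readonly": true}]}}}"""

if __name__ == "__main__":
    for finding in lint_github_rbac(SAMPLE):
        print(finding)
```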

Register an OAuth Application in GitHub

Using GitHub for authentication requires registering your Sensu Enterprise Dashboard as a GitHub “application”. Follow these instructions to register an OAuth application for Sensu Enterprise:

  1. To register a GitHub OAuth application, navigate to your GitHub organization settings page (e.g. github.com/organizations/YOUR-GITHUB-ORGANIZATION/settings/applications), and select “Applications” => “Register new application”.

    [Image: Register a new OAuth application in GitHub]

  2. Give your application a name (e.g. “Sensu Enterprise Dashboard”)

  3. Provide the Authorization callback URL (e.g. {HOSTNAME}/login/callback)

    NOTE: this URL does not need to be publicly accessible. As long as a user has network access to both GitHub.com and the callback URL, they will be able to authenticate; for example, users can authenticate to a Sensu Enterprise Dashboard service running on a private network as long as they have access to that network (e.g. locally or via VPN).

  4. Select “Register application” and note the application Client ID and Client Secret.

    [Image: Location of the Client ID and Client Secret for the registered GitHub OAuth application]