Generic_OAuth: Cannot assign GrafanaAdmin

dmitrylesh · December 18, 2023, 4:58pm

Cannot assign GrafanaAdmin role with the following settings:

allow_assign_grafana_admin = true
skip_org_role_sync = false
oauth_skip_org_role_update_sync = true

In detalis:
I map user AD roles using generic_Oauth
here are the settings:

[auth.generic_oauth]
enabled = true
name = Account
allow_sign_up = true
client_id = ************************
client_secret = **************************
scopes = openid email profile
auth_url = https://login.microsoftonline.com/*************************/oauth2/authorize
token_url = https://login.microsoftonline.com/****************************/oauth2/token
;api_url = https://foo.bar/user
;teams_url =
;allowed_domains =
;team_ids =
;allowed_organizations =
role_attribute_path = contains(roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(roles[*], 'Viewer') && 'Viewer'
role_attribute_strict = false
;groups_attribute_path =
;team_ids_attribute_path =
;use_pkce = false
;auth_style =
allow_assign_grafana_admin = true
skip_org_role_sync = false
oauth_skip_org_role_update_sync = true

When checking logs I see:

oauth.generic_oauth t=2023-12-13T10:55:07.103445987Z level=debug msg="Received id_token" raw_json="{..........................."roles":["GrafanaAdmin"],...........................................}" data="Name: Global_1 testuser, Displayname: , Login: , Username: , Email: global2@<strong>, Upn: uit2363@**************8, Attributes: map[]"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103482915Z level=debug msg="Getting user info from API"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103646402Z level=debug msg="No api url configured"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103662072Z level=debug msg="Processing external user info" source=token data="Name: Global_1 testuser, Displayname: , Login: , Username: , Email: global2@</strong> *, Upn: uit2363@* <em><strong>, Attributes: map[]"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103682298Z level=debug msg="Setting user info name from name field"
logger=oauth.generic_oauth t=2023-12-13T10:55:07.103697567Z level=debug msg="Set user info email from extracted email" email=global2@</strong></em>*********
logger=oauth.generic_oauth t=2023-12-13T10:55:07.104141778Z level=debug msg="Defaulting to using email for user info login" email=global2@******************
logger=oauth.generic_oauth t=2023-12-13T10:55:07.104165379Z level=debug msg="User info result" result="Id: O3a_urUs7tiqu8NF6_fFQ7G8ngV51tenI3yf0u1wOsY, Name: sysex_Global_1 testuser, Email: global2@**, Login: global2@**, Role: Admin, Groups: []"

What did you expect to happen?

The user supposed to have grafanaAdmin role, but when I access the UI I see it has only Viewer access

Did this work before?

It worked when assigning Admin role, but with GrafanaAdmin it does not work

jangaraj · December 18, 2023, 5:07pm

Why this config oauth_skip_org_role_update_sync = true?
Do you have Grafana version where assigning of GrafanaAdmin role is supported?

dmitrylesh · December 18, 2023, 5:18pm

I am following the instructions available on this page: Configure Grafana | Grafana documentation

I need to assign GrafanaAdmin roles by sync, BUT also enable admin users to modify roles by UI.

No, I do not have a functional version, but the usecase works when assigning the Admin role, not GrafanaAdmin

jangaraj · December 18, 2023, 5:32pm

I’m asking about your Grafana version, e.g. 8.5.11 (where I bet you can’t assign GrafanaAdmin role from oauth), 10.2.1 (recent version where this feature is available). There is no point to complain/try to solveit if you have a version which doesn’t support this feature. Please provide your version first and check documentation for your version if it is supported there.

dmitrylesh · December 18, 2023, 5:35pm

I am using the latest version 10.2.2

jangaraj · December 18, 2023, 5:57pm

Great, then oauth_skip_org_role_update_sync = true this doesn’t make sense. I would remove set oauth_skip_org_role_update_sync = false. You don’t want to skip it - you want to have role from oauth.

dmitrylesh · December 18, 2023, 6:09pm

I need GrafanaAdmin to log in using OAuth as server admin to be able to assign users to different organizations.
If I set oauth_skip_org_role_update_sync = false GrafanaAdmin will not be able to modify the roles of other users and assign them to different organizations.
Line 2 on the following table describes the use case I like to implement https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#example-skip_org_role_sync

jangaraj · December 18, 2023, 6:14pm

Then you have chicken and egg problem. I would use oauth_skip_org_role_update_sync = true + local admin user will set first Oauth user to have GrafanaAdmin role (then this user will be superadmin and local admin can be disabled).

dmitrylesh · December 18, 2023, 6:19pm

We considered this solution, but we would like to keep all authentication managed only by Active Directory.
I am wondering if GrafanaAdmin role mapping is something that considers implementing for the given scenario?

jangaraj · December 18, 2023, 6:55pm

If you do that, then there is no need to change of the user role in the UI ( oauth_skip_org_role_update_sync = true). All user roles will be synced from AD (based on configured role mapping).

dmitrylesh · December 18, 2023, 7:00pm

I have set this parameter to true.
My problem is not the roles, but the ability to assign users to multiple organizations. Once the roles are synced, users are automatically assigned to the default organization, and that cannot be modified.

jangaraj · December 18, 2023, 7:19pm

That sounds like a enterprise (=paid) feature - SAML should be able to do that (see assertion_attribute_org).

dmitrylesh · December 18, 2023, 7:22pm

Yes, but we would like to avoid switching to the enterprise version.