Gitlab oauth role_attribute_path doesn't work

Grafana Authentication
,
1

Idk is it a bug or i miss some important configuration piece. My Grafana installation isn’t assign roles to new users that i specified in “[auth.gitlab] role_attribute_path” config parameter. Event when i specify “[auth.gitlab] role_attribute_strict=true” and role “Invalid” in “[auth.gitlab] role_attribute_path” no errors appears in logs. Also in debug logs and in UI i can see that parameters from config were successfully merged and applied.

  • What Grafana version and what operating system are you using?
    11.1.0

  • What are you trying to achieve?
    Assign roles to users using “[auth.gitlab] role_attribute_path” param

  • What happened?
    Although i see in logs user can successfully auth through Gitlab, no role assigned to user except one specified in “[users] auto_assign_org_role”.

  • What did you expect to happen?
    I expect param “[auth.gitlab] role_attribute_path” to work as it described in docs.

  • Can you copy/paste the configuration(s) that you are having problems with?
    (this config is not i really want to have in production. the intention of role ‘Invalid’ is to get some error in logs during debug)

[analytics]
check_for_updates = true
[auth]
disable_login_form = true
[auth.gitlab]
allow_assign_grafana_admin = true
api_url = https://GITLAB_URL/api/v4
auth_url = https://GITLAB_URL/oauth/authorize
auto_login = true
client_id = $__file{/etc/secrets/oauth-gitlab/client_id}
client_secret = $__file{/etc/secrets/oauth-gitlab/client_secret}
enabled = true
role_attribute_path = 'Invalid'
role_attribute_strict = true
skip_org_role_sync = false
token_url = https://GITLAB_URL/oauth/token
[grafana_net]
url = https://grafana.net
[log]
mode = console
[log.console]
level = debug
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
domain = GRAFANA_URL
root_url = https://GRAFANA_URL
[users]
allow_sign_up = false
auto_assign_org_role = None
default_theme = system

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    No errors. Looks like part of code that should use this variable isn’t work when user sign-in.

  • Did you follow any online instructions? If so, what is the URL?
    Configure GitLab OAuth2 authentication | Grafana documentation

2

Ooookay. I found the problem after reading Grafana’s source code.

When i first tested Gitlab OAuth integration i made basic setup from UI, not from config file, to check it works fine. Then i start to add other configurations in config.ini.

The problem is that Grafana merges settings from its database (UI) and config.ini in a way, that all unspecified values in UI replaced by values from config.ini. That’s why in my setup i can successfully configure “org_mapping” (there no such field in UI), but value of “role_attribute_path” wasn’t overwritten from config.ini, as (i think) it was already in database (maybe some empty string).

Hopefully, i have a test setup and can recreate Grafana’s database from scratch. After that everything works as described in docs.

But it is rather confusing behavior :frowning: