GitLab oauth2 role_attribute_path and org_mapping issues

  • What Grafana version and what operating system are you using?

Grafana version : 12.0.2

operating system: busybox:1.31.1 image from dockerhub

  • What are you trying to achieve?

I have been trying for 2 days to apply roles and rights on the Grafana server depending on the GitLab user's groups.

  • How are you trying to achieve it?

By reading the documentation of the Grafana sources.

  • What happened?

The settings about role attribute and org mapping are not applied.

  • What did you expect to happen?

A user coming from an expected group does not get his role set in Grafana.
A user not coming from an expected group can access Grafana even if role_attribute_strict is true.

  • Can you copy/paste the configuration(s) that you are having problems with?

grafana:

  ingress:
    enabled: false

  rbac:
    create: false

  service:
    port: 3000

  persistence:
    enabled: true
    volumeName: "equipment-status-tracker-grafana-volume"
    size: 1Gi

  grafana.ini:
    server:
      root_url: https://some.url.io

    auth.gitlab:
      name: GitLab
      icon: gitlab
      enabled: true
      allow_sign_up: true
      auto_login: true
      scopes: "openid email profile read_api read_user"
      auth_url: https://gitlab.xxx.io/oauth/authorize
      token_url: https://gitlab.xxx.io/oauth/token
      api_url: https://gitlab.xxx.io/api/v4
      client_id: xxx
      client_secret: xxx
      allow_assign_grafana_admin: true
      role_attribute_path: "email==\"nicolas.xxx@xxx.io\" && \"GrafanaAdmin\""
      org_mapping: "equipment-status-tracker-user-access/admins:1:Admin equipment-status-tracker-user-access/editors:1:Editor equipment-status-tracker-user-access/viewers:1:Viewer"
      skip_org_role_sync: false
      allowed_groups:
        - "equipment-status-tracker-user-access"
      role_attribute_strict: true

It doesn't work with a group without subgroups either.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

Logs from the Kubernetes pod didn't contain any error or related message (only login successful or logout successful).

  • Did you follow any online instructions? If so, what is the URL?

I followed the official Grafana documentation: Configure GitLab OAuth authentication | Grafana documentation

I tried ChatGPT (loss of time).

I finally resolved my issue.
Even though my Grafana pod restarted with the new grafana.ini config, it didn't read it, because the configuration in its persistent data takes priority over the .ini (which is logical).
I just had to go, with the GrafanaAdmin account, into Administration / Authentication / GitLab (only available with the admin account from the .ini file), click the three dots at the bottom of the page, then click "Reset to default value" to force the new grafana.ini to be read.

That was written in the official documentation, but it is a bit inconspicuous and it doesn't tell you how to reset.

If you need to reset changes you made in the UI back to the default values, click Reset. After you have reset the changes, Grafana will apply the configuration from the Grafana configuration file (if there is any configuration) or the default values.

I hope my fix will help another devops :slight_smile:

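Since the thread shows how easy it is to believe a mapping is active when Grafana is still using UI-stored settings, an offline check of what the mapping should produce is a useful companion. The following is an added example, not Grafana's code and not something from the original post: it parses the org_mapping and allowed_groups values quoted above and evaluates constructed users against them. It assumes (these are not stated on the page) that GitLab groups are compared by their full path string such as parent/child, that org_mapping entries are space-separated group:org:role triples with * as a wildcard group, that the highest role wins when several entries hit the same org, and it simplifies role_attribute_strict to "deny when no org role could be derived".

```python
"""Offline evaluation of a Grafana GitLab OAuth group mapping (added example).

Assumptions, not taken from the forum post:
  * GitLab groups are matched by their full path string, e.g. "parent/child".
  * org_mapping entries are <group>:<org id or name>:<role>, space-separated,
    with "*" matching every user.
  * When several entries target the same org, the highest role is kept.
  * role_attribute_strict is simplified to: deny login when no org role
    could be derived from the user's groups.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Values quoted from the post's grafana.ini (auth.gitlab section).
ORG_MAPPING = (
    "equipment-status-tracker-user-access/admins:1:Admin "
    "equipment-status-tracker-user-access/editors:1:Editor "
    "equipment-status-tracker-user-access/viewers:1:Viewer"
)
ALLOWED_GROUPS = ["equipment-status-tracker-user-access"]

# Role ranking used to pick the highest role per org (assumption).
ROLE_RANK = {"None": 0, "Viewer": 1, "Editor": 2, "Admin": 3}


@dataclass
class LoginDecision:
    allowed: bool
    reason: str = ""
    org_roles: dict[str, str] = field(default_factory=dict)


def parse_org_mapping(mapping: str) -> list[tuple[str, str, str]]:
    """Split an org_mapping string into (group, org, role) triples.

    Rejects malformed entries so a typo in the config is caught before deploy.
    """
    entries = []
    for item in mapping.split():
        parts = item.split(":")
        if len(parts) != 3:
            raise ValueError(f"bad org_mapping entry: {item!r}")
        group, org, role = parts
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r} in entry {item!r}")
        entries.append((group, org, role))
    return entries


def is_allowed(user_groups: list[str], allowed_groups: list[str]) -> bool:
    """allowed_groups gate: an empty list means no restriction (assumption)."""
    if not allowed_groups:
        return True
    return any(group in allowed_groups for group in user_groups)


def resolve_org_roles(user_groups: list[str], mapping: str) -> dict[str, str]:
    """Map the user's GitLab groups to {org: role}, keeping the highest role."""
    roles: dict[str, str] = {}
    for group, org, role in parse_org_mapping(mapping):
        if group == "*" or group in user_groups:
            current = roles.get(org, "None")
            if ROLE_RANK[role] > ROLE_RANK[current]:
                roles[org] = role
    return roles


def evaluate_login(
    user_groups: list[str],
    allowed_groups: list[str],
    org_mapping: str,
    role_attribute_strict: bool,
) -> LoginDecision:
    """Decide whether a constructed user would be let in and with which roles."""
    if not is_allowed(user_groups, allowed_groups):
        return LoginDecision(False, "user is in none of allowed_groups")
    roles = resolve_org_roles(user_groups, org_mapping)
    if not roles and role_attribute_strict:
        # Simplified strict mode (assumption): no derivable role means no login.
        return LoginDecision(False, "role_attribute_strict and no role derived")
    return LoginDecision(True, "ok", roles)


if __name__ == "__main__":
    # Constructed users; the group paths mimic the post's GitLab layout.
    samples = {
        "editor": ["equipment-status-tracker-user-access",
                   "equipment-status-tracker-user-access/editors"],
        "parent-only": ["equipment-status-tracker-user-access"],
        "outsider": ["other-project/devs"],
    }
    for name, groups in samples.items():
        decision = evaluate_login(groups, ALLOWED_GROUPS, ORG_MAPPING, True)
        print(f"{name:12} allowed={decision.allowed} roles={decision.org_roles} ({decision.reason})")
```

Running it prints the expected decision for each constructed user; if the real Grafana instance behaves differently for the same groups, the mapping is not being applied, which in this thread turned out to be because UI-stored settings were overriding grafana.ini.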