Grafana gitlab oauth - env variable not recognized

Grafana gitlab oauth : GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH not recognized

Hello,

Trying to start Grafana from a docker-compose stack, and to minimize the modifications to the image, I’m overriding the grafana.ini settings with values from the environment.

Specifically, I have an issue with one variable correctly exported by docker, but not recognized by grafana for gitlab, while it is recognized for the generic oauth module (but not working with gitlab) :

docker-compose.yml extract :

version: '3.4'

networks:
  monitor-net:
    driver: bridge
  loki:

volumes:
    grafana_data: {}

services:

  grafana:
    #cf. https://github.com/grafana/grafana/releases
    image: grafana/grafana:8.5.1
    container_name: grafana
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards
      - ./grafana/provisioning/datasources:/etc/grafana/provisioning/datasources
    environment:
            # https://grafana.com/docs/grafana/latest/administration/configuration/#configure-with-environment-variables
            GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER:-admin}
            GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD:-}
            GF_USERS_ALLOW_SIGN_UP: false
            GF_ALERTING_ENABLED: false
            GF_INSTALL_PLUGINS: grafana-worldmap-panel,jdbranham-diagram-panel,agenty-flowcharting-panel,yesoreyeram-boomtable-panel
            GF_SERVER_ROOT_URL: https://grafana.domain.tld
        #https://grafana.com/docs/grafana/latest/auth/gitlab/
            GF_AUTH_GITLAB_ENABLED: true
            GF_AUTH_GITLAB_ALLOW_SIGNUP: true
            GF_AUTH_GITLAB_CLIENT_ID: ${GRAFANA_GITAB_APP:-notset}
            GF_AUTH_GITLAB_CLIENT_SECRET: ${GRAFANA_GITAB_SECRET:-notset}
            GF_AUTH_GITLAB_SCOPES: read_user,read_api
            GF_AUTH_GITLAB_AUTH_URL:  https://gitlab.com/oauth/authorize
            GF_AUTH_GITLAB_TOKEN_URL: https://gitlab.com/oauth/token
            GF_AUTH_GITLAB_API_URL:   https://gitlab.com/api/v4
            GF_AUTH_GITLAB_ALLOWED_GROUPS: mygroup/subgroup

## CULPRIT Variable :
            GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: is_admin && 'Admin' || 'Viewer'

    restart: unless-stopped
    expose:
      - 3000
    networks:
      - monitor-net
      - loki
    labels:
      org.label-schema.group: "monitoring"
    healthcheck:
      test: ["CMD", "wget", "--tries=1", "--spider", "http://localhost:3000/"]
      interval: 60s
      timeout: 10s

$ sudo docker inspect grafana
[...]
            "Env": [
[...]
                "GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH=is_admin && 'Admin' || 'Viewer'",
[...]

But when starting Grafana you can see that the variable is not recognized / detected since it’s absent from the list of Config overridden from Environment variables :

$ sudo docker-compose logs --tail=50 -tf grafana

grafana  | 2022-05-02T21:44:05.933798804Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Starting Grafana" version=8.5.1 commit=61fe4a1859 branch=HEAD compiled=2022-04-27T15:29:40Z
grafana  | 2022-05-02T21:44:05.933952494Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config loaded from" file=/usr/share/grafana/conf/defaults.ini
grafana  | 2022-05-02T21:44:05.933960131Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config loaded from" file=/etc/grafana/grafana.ini
grafana  | 2022-05-02T21:44:05.933962914Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.data=/var/lib/grafana"
grafana  | 2022-05-02T21:44:05.933965314Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.logs=/var/log/grafana"
grafana  | 2022-05-02T21:44:05.933967483Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.plugins=/var/lib/grafana/plugins"
grafana  | 2022-05-02T21:44:05.933969624Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.provisioning=/etc/grafana/provisioning"
grafana  | 2022-05-02T21:44:05.933971814Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.log.mode=console"
grafana  | 2022-05-02T21:44:05.933973959Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_DATA=/var/lib/grafana"
grafana  | 2022-05-02T21:44:05.933976107Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_LOGS=/var/log/grafana"
grafana  | 2022-05-02T21:44:05.933978235Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_PLUGINS=/var/lib/grafana/plugins"
grafana  | 2022-05-02T21:44:05.933988180Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_PROVISIONING=/etc/grafana/provisioning"
grafana  | 2022-05-02T21:44:05.933990681Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_ROOT_URL=https://grafana.domain.tld"
grafana  | 2022-05-02T21:44:05.933992855Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_SECURITY_ADMIN_USER=<redacted admin>"
grafana  | 2022-05-02T21:44:05.933995016Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_USERS_ALLOW_SIGN_UP=false"
grafana  | 2022-05-02T21:44:05.933997710Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_ENABLED=true"
grafana  | 2022-05-02T21:44:05.933999932Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_CLIENT_ID=redacted"
grafana  | 2022-05-02T21:44:05.934002345Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_CLIENT_SECRET=*********"
grafana  | 2022-05-02T21:44:05.934004455Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_SCOPES=read_user,read_api"
grafana  | 2022-05-02T21:44:05.934006586Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_AUTH_URL=https://gitlab.com/oauth/authorize"
grafana  | 2022-05-02T21:44:05.934008739Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_TOKEN_URL=https://gitlab.com/oauth/token"
grafana  | 2022-05-02T21:44:05.934010853Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_API_URL=https://gitlab.com/api/v4"
grafana  | 2022-05-02T21:44:05.934013001Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_ALLOWED_GROUPS=mygroup/subgroup"
grafana  | 2022-05-02T21:44:05.934015130Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_ALERTING_ENABLED=false"
grafana  | 2022-05-02T21:44:05.934017274Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Path Home" path=/usr/share/grafana

If I edit my docker-compose.yml configuration to use the generic module variable GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH, I see that the variable is printed during startup for the generic OAuth, but then it is not working when I log in using OAuth from GitLab.

grafana  | 2022-05-02T21:59:44.405618391Z logger=settings t=2022-05-02T21:59:44.4+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=is_admin && 'Admin' || 'Viewer'"

Is it an issue with the Grafana GitLab OAuth plugin, or is there a trick that I didn’t find?

Thanks in advance for your help !
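
The comparison made by hand in the post above (the container's "Env" list against Grafana's "Config overridden from Environment variable" startup lines) can be scripted so that a silently ignored auth setting, such as a role mapping, is caught at deploy time. This is an added example, not part of the original posts or of Grafana; the function names and the `GF_AUTH_` default filter are assumptions, and the sample data is constructed from values shown in the thread.

```python
import re

# Grafana logs one such line per environment override it actually applied.
APPLIED_RE = re.compile(
    r'msg="Config overridden from Environment variable" var="(GF_[A-Z0-9_]+)='
)

def applied_overrides(startup_log):
    """Names of the GF_* variables Grafana reports as applied at startup."""
    return set(APPLIED_RE.findall(startup_log))

def requested_overrides(container_env, prefix="GF_"):
    """Names of non-empty variables with this prefix in the container "Env" list."""
    names = set()
    for entry in container_env:
        name, _, value = entry.partition("=")
        # An empty value (e.g. ${VAR:-} with VAR unset) requests no override.
        if name.startswith(prefix) and value:
            names.add(name)
    return names

def ignored_overrides(container_env, startup_log, prefix="GF_AUTH_"):
    """Variables set on the container that never appear as applied in the log."""
    requested = requested_overrides(container_env, prefix)
    return sorted(requested - applied_overrides(startup_log))

# Constructed sample: a subset of the values shown in this thread, with the
# docker-compose timestamps trimmed from the log lines.
SAMPLE_ENV = [
    "GF_SERVER_ROOT_URL=https://grafana.domain.tld",
    "GF_SECURITY_ADMIN_PASSWORD=",
    "GF_AUTH_GITLAB_ENABLED=true",
    "GF_AUTH_GITLAB_ALLOW_SIGNUP=true",
    "GF_AUTH_GITLAB_SCOPES=read_user,read_api",
    "GF_AUTH_GITLAB_ALLOWED_GROUPS=mygroup/subgroup",
    "GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH=is_admin && 'Admin' || 'Viewer'",
]
_LINE = 'grafana  | logger=settings lvl=info msg="Config overridden from Environment variable" var="%s"'
SAMPLE_LOG = "\n".join(_LINE % v for v in (
    "GF_SERVER_ROOT_URL=https://grafana.domain.tld",
    "GF_AUTH_GITLAB_ENABLED=true",
    "GF_AUTH_GITLAB_SCOPES=read_user,read_api",
    "GF_AUTH_GITLAB_ALLOWED_GROUPS=mygroup/subgroup",
))

if __name__ == "__main__":
    for name in ignored_overrides(SAMPLE_ENV, SAMPLE_LOG):
        print("set on the container but not applied by Grafana:", name)
```

On the thread's data this reports GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH and also GF_AUTH_GITLAB_ALLOW_SIGNUP, which is set in the compose file but likewise absent from the posted startup log.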

I would open an issue for that. Maybe the doc is not correct, because grafana/defaults.ini at main · grafana/grafana · GitHub also doesn’t contain this option for the auth.gitlab section.


Thanks for your confirmation @jangaraj, I wanted to double check with the community first.

I opened the following issue : Grafana gitlab oauth : GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH not recognized · Issue #48637 · grafana/grafana · GitHub

@jangaraj : do you know if there is a specific process within the Grafana project so that the bug gets noticed?
Thanks in advance

If you have the enterprise version then contact support/your Grafana contact. Otherwise I guess the best approach is to create a PR - it shouldn’t be a problem. You just need to “copy” that functionality from “generic oauth” to “gitlab oauth”.


Hello @jangaraj
it’ll be my first PR on Grafana, but I think you referred to this small change?
Add role_attribute_path and role_attribute_path_strict to auth.gitlab by copolycube · Pull Request #49147 · grafana/grafana · GitHub