Grafana gitlab oauth : GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH not recognized
Hello,
I'm trying to start Grafana from a docker-compose stack and, to minimize the modifications to the image, I’m overriding the grafana.ini settings with values from the environment.
Specifically, I have an issue with one variable that is correctly exported by Docker but not recognized by Grafana for GitLab, while it is recognized for the generic OAuth module (but not working with GitLab):
docker-compose.yml extract:

version: '3.4'
networks:
  monitor-net:
    driver: bridge
  loki:
volumes:
  grafana_data: {}
services:
  grafana:
    #cf. https://github.com/grafana/grafana/releases
    image: grafana/grafana:8.5.1
    container_name: grafana
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards
      - ./grafana/provisioning/datasources:/etc/grafana/provisioning/datasources
    environment:
      # https://grafana.com/docs/grafana/latest/administration/configuration/#configure-with-environment-variables
      GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER:-admin}
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD:-}
      GF_USERS_ALLOW_SIGN_UP: false
      GF_ALERTING_ENABLED: false
      GF_INSTALL_PLUGINS: grafana-worldmap-panel,jdbranham-diagram-panel,agenty-flowcharting-panel,yesoreyeram-boomtable-panel
      GF_SERVER_ROOT_URL: https://grafana.domain.tld
      #https://grafana.com/docs/grafana/latest/auth/gitlab/
      GF_AUTH_GITLAB_ENABLED: true
      GF_AUTH_GITLAB_ALLOW_SIGNUP: true
      GF_AUTH_GITLAB_CLIENT_ID: ${GRAFANA_GITAB_APP:-notset}
      GF_AUTH_GITLAB_CLIENT_SECRET: ${GRAFANA_GITAB_SECRET:-notset}
      GF_AUTH_GITLAB_SCOPES: read_user,read_api
      GF_AUTH_GITLAB_AUTH_URL: https://gitlab.com/oauth/authorize
      GF_AUTH_GITLAB_TOKEN_URL: https://gitlab.com/oauth/token
      GF_AUTH_GITLAB_API_URL: https://gitlab.com/api/v4
      GF_AUTH_GITLAB_ALLOWED_GROUPS: mygroup/subgroup
      ## CULPRIT variable:
      GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: is_admin && 'Admin' || 'Viewer'
    restart: unless-stopped
    expose:
      - 3000
    networks:
      - monitor-net
      - loki
    labels:
      org.label-schema.group: "monitoring"
    healthcheck:
      test: ["CMD", "wget", "--tries=1", "--spider", "http://grafana.staged-by-discourse.com/"]
      interval: 60s
      timeout: 10s

$ sudo docker inspect grafana
[...]
"Env": [
    [...]
    "GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH=is_admin && 'Admin' || 'Viewer'",
    [...]

But when starting Grafana, you can see that the variable is not recognized / detected, since it’s absent from the list of Config overridden from Environment variables:
$ sudo docker-compose logs --tail=50 -tf grafana
grafana | 2022-05-02T21:44:05.933798804Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Starting Grafana" version=8.5.1 commit=61fe4a1859 branch=HEAD compiled=2022-04-27T15:29:40Z
grafana | 2022-05-02T21:44:05.933952494Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config loaded from" file=/usr/share/grafana/conf/defaults.ini
grafana | 2022-05-02T21:44:05.933960131Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config loaded from" file=/etc/grafana/grafana.ini
grafana | 2022-05-02T21:44:05.933962914Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.data=/var/lib/grafana"
grafana | 2022-05-02T21:44:05.933965314Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.logs=/var/log/grafana"
grafana | 2022-05-02T21:44:05.933967483Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.plugins=/var/lib/grafana/plugins"
grafana | 2022-05-02T21:44:05.933969624Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.paths.provisioning=/etc/grafana/provisioning"
grafana | 2022-05-02T21:44:05.933971814Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from command line" arg="default.log.mode=console"
grafana | 2022-05-02T21:44:05.933973959Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_DATA=/var/lib/grafana"
grafana | 2022-05-02T21:44:05.933976107Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_LOGS=/var/log/grafana"
grafana | 2022-05-02T21:44:05.933978235Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_PLUGINS=/var/lib/grafana/plugins"
grafana | 2022-05-02T21:44:05.933988180Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_PATHS_PROVISIONING=/etc/grafana/provisioning"
grafana | 2022-05-02T21:44:05.933990681Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_ROOT_URL=https://grafana.domain.tld"
grafana | 2022-05-02T21:44:05.933992855Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_SECURITY_ADMIN_USER=<redacted admin>"
grafana | 2022-05-02T21:44:05.933995016Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_USERS_ALLOW_SIGN_UP=false"
grafana | 2022-05-02T21:44:05.933997710Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_ENABLED=true"
grafana | 2022-05-02T21:44:05.933999932Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_CLIENT_ID=redacted"
grafana | 2022-05-02T21:44:05.934002345Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_CLIENT_SECRET=*********"
grafana | 2022-05-02T21:44:05.934004455Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_SCOPES=read_user,read_api"
grafana | 2022-05-02T21:44:05.934006586Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_AUTH_URL=https://gitlab.com/oauth/authorize"
grafana | 2022-05-02T21:44:05.934008739Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_TOKEN_URL=https://gitlab.com/oauth/token"
grafana | 2022-05-02T21:44:05.934010853Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_API_URL=https://gitlab.com/api/v4"
grafana | 2022-05-02T21:44:05.934013001Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_ALLOWED_GROUPS=mygroup/subgroup"
grafana | 2022-05-02T21:44:05.934015130Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Config overridden from Environment variable" var="GF_ALERTING_ENABLED=false"
grafana | 2022-05-02T21:44:05.934017274Z logger=settings t=2022-05-02T21:44:05.93+0000 lvl=info msg="Path Home" path=/usr/share/grafana
If I edit my docker-compose.yml configuration to use the generic module variable GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH, I see that the variable is printed during startup for the generic OAuth, but then it is not working when I am logging in using OAuth from GitLab.
grafana | 2022-05-02T21:59:44.405618391Z logger=settings t=2022-05-02T21:59:44.4+0000 lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=is_admin && 'Admin' || 'Viewer'"
Is it an issue with the Grafana GitLab OAuth plugin, or is there a trick that I didn’t find?
Thanks in advance for your help !
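
Added example, not part of the original post and not Grafana's own code: the manual comparison described above (container `Env` versus the "Config overridden from Environment variable" startup lines), automated so that any `GF_*` setting Grafana silently ignored is listed. The sample data is constructed from the values shown in the post; skipping empty values and `GF_INSTALL_PLUGINS` are assumptions about how the image and settings loader treat them.

```python
import re

# Startup log line that Grafana emits for every env override it actually applied.
OVERRIDE_RE = re.compile(
    r'msg="Config overridden from Environment variable" var="(GF_[A-Z0-9_]+)=')

# Constructed sample: "Env" entries as listed by `docker inspect grafana`.
SAMPLE_ENV = [
    "GF_SECURITY_ADMIN_PASSWORD=",           # empty value
    "GF_INSTALL_PLUGINS=grafana-worldmap-panel",
    "GF_AUTH_GITLAB_ENABLED=true",
    "GF_AUTH_GITLAB_ALLOW_SIGNUP=true",
    "GF_AUTH_GITLAB_CLIENT_SECRET=notset",
    "GF_AUTH_GITLAB_ALLOWED_GROUPS=mygroup/subgroup",
    "GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH=is_admin && 'Admin' || 'Viewer'",
    "PATH=/usr/share/grafana/bin:/usr/bin",  # not a Grafana setting
]

# Constructed sample: shortened lines in the format of the startup log above.
SAMPLE_LOG = """\
grafana | logger=settings lvl=info msg="Config loaded from" file=/etc/grafana/grafana.ini
grafana | logger=settings lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_ENABLED=true"
grafana | logger=settings lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_CLIENT_SECRET=*********"
grafana | logger=settings lvl=info msg="Config overridden from Environment variable" var="GF_AUTH_GITLAB_ALLOWED_GROUPS=mygroup/subgroup"
"""

def applied_overrides(log_text):
    """Names of the GF_* variables the settings logger reports as applied."""
    return set(OVERRIDE_RE.findall(log_text))

def ignored_gf_vars(env_entries, log_text, skip=frozenset({"GF_INSTALL_PLUGINS"})):
    """GF_* variables set in the container but missing from the override log.

    Assumptions: empty values are not logged as overrides, and the names in
    `skip` are consumed by the image's entrypoint, not the settings loader.
    """
    applied = applied_overrides(log_text)
    missing = []
    for entry in env_entries:
        name, _, value = entry.partition("=")
        if not name.startswith("GF_") or name in skip or not value:
            continue
        if name not in applied:
            missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    for name in ignored_gf_vars(SAMPLE_ENV, SAMPLE_LOG):
        print("set in container but not applied by Grafana:", name)
```

Run against the compose file and log in the post, the same comparison flags `GF_AUTH_GITLAB_ALLOW_SIGNUP` as well as `GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH`: both are set in the environment and neither appears in the override list. For auth settings this matters because an ignored variable leaves the default behaviour in place without any error.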