I’m using Keycloak and trying to get a user authenticated in Keycloak to get the correct permissions in Grafana. He should be set as Admin, but he is set as a Viewer.
Here is my role_attribute_path statement in my ini file:
role_attribute_path = contains(roles[], 'admin') && 'Admin' || contains(roles[], 'editor') && 'Editor' || 'Viewer'
Here is the info from the logs:
"realm_access": {
  "roles": [
    "Site_Admin"
  ]
},
"resource_access": {
  "grafana.XX.com": {
    "roles": [
      "admin"
    ]
  }
},
"scope": "openid profile email user open-id",
"email_verified": false,
"roles": [
  "admin"
],
Your Grafana is only 5.2.4 → you are trying to use a feature which is available only in a future version.
BTW: your IDP (it looks like Keycloak) will also need some better configuration - I’m missing the point of the custom open-id scope and so many role claims (especially when you want to use only the top-level roles claim). Of course, that’s an optional part, and it should also work with this IDP config.