Issue when using group based role for grafana oauth plugin

  • What Grafana version and what operating system are you using?
    Grafana is running in kubernetes

  • What are you trying to achieve?
    We have two keycloak groups for which we need to give admin role in grafana

  • How are you trying to achieve it?
    We have used below configuration in grafana oauth plugin

“contains(groups[], ‘devops-Members’, ‘support-Members’) && ‘Admin’ || contains(groups[], ‘IT-Members’) && ‘Editor’ || ‘Viewer’”

  • What happened?
    It did not work for support-Member group with admin role. Got below error log
    incorrect number of args"
    t=2021-10-17T05:33:45+0000 lvl=eror msg=“Failed to extract role” logger=oauth.generic_oauth error=“failed to search user info JSON response with provided path: “contains(groups[], ‘devops-Members’, ‘support-Members’) && ‘Admin’ || contains(groups[], ‘IT-Members’) && ‘Editor’ || ‘Viewer’”: incorrect number of args”

  • What did you expect to happen?

support-Members group(along with devops-Members group) should have admin access in grafana

  • Can you copy/paste the configuration(s) that you are having problems with?
    Done

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    Shared the error log in above query

  • Did you follow any online instructions? If so, what is the URL?
    I didn’t find any proper solution url for this error

Hi @mishrasiman

This might fall under Role Based Access Control, which is an enterprise feature:

That depends how used Keycloak client is configured. Increase Grafana log level and watch Grafana logs. There will be generated payload of the tokens/userinfo response, which is used for JMESPath mapping.

1 Like