OAuth: Reject users, if they don't own specific roles

Happy that https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-5/#generic-oauth-role-mapping (Generic OAuth and user role mapping) got implemented in Grafana 6.5.

Along with another fix provided in Grafana 6.6, so far it works for us to assign OAuth roles to Grafana roles:

oauth_role_grafana_admin -> Grafana Org_ID 1, role “Admin”
oauth_role_grafana_viewer -> Grafana Org_ID 1, role “Viewer”

But if a user doesn’t have any of the roles “oauth_role_grafana_admin” or “oauth_role_grafana_viewer”, Grafana still allows login and creates a new organization for the user, where the user has “Admin” role.

Rather, we want Grafana to reject the login completely.

Is there a way to achieve this? We could make this logic work using LDAP authentication.


Hello

I am also very interested in knowing how to do that.

I am using Grafana 6.6.2 configured for generic OAuth (using Keycloak). Roles mapping works as intended, but when the user roles do not match any of Grafana roles, I would like to either redirect to a “forbidden” error page, hide all dashboards/folders or reject login. For now, I managed only to fallback to an existing role.

I tried playing with the “role_attribute_path” property, but it always defaults to Viewer (in general).

Hello,

We have the same problem, but we have found a workaround.

By running a Keycloak Gatekeeper before Grafana, linked with the same Keycloak, we allow access to Grafana only when users have a role.

I know this is not the perfect situation, but it is quite safe :slight_smile:


I am using 6.7.3. I have observed the same behavior - it defaults to the Viewer role. Can anyone please help me with how we can reject users if they don’t own specific roles?

Hi Magmax,

Could you give me any implementation details? I am in the same situation as you. We have a full in-house RBAC system and would like to use it to gatekeep. How do you keep users from being authenticated to Grafana and then exploring data sources or dashboards they do not have privileges for?

We have the same issue: without a role in the user info it defaults to “Viewer” with this expression as the role_attribute_path:

contains(keys("roles"), 'grafana-admin') && 'Admin' || contains(keys("roles"), 'grafana-editor') && 'Editor' || contains(keys("roles"), 'grafana-viewer') && 'Viewer'

And we use role_attribute_strict set to true. Shouldn’t this exactly prevent users from logging in without a valid role according to our role_attribute_path expression? Am I missing something here?

Never mind, we were using a version of Grafana < 8.0.0. Now it’s working.


I set the following:

role_attribute_strict = true
role_attribute_path = contains(memberof[*], 'Grafana Server Admin') && 'Admin' || contains(memberof[*], 'Grafana Admin') && 'Admin' || contains(memberof[*], 'Grafana Editor') && 'Editor' || contains(memberof[*], 'Grafana Viewer') && 'Viewer' || ''

(Grafana Server Admin is in preparation for 9.2, which allows GrafanaAdmin to be mapped, while we are using 9.1.1 now.)

Having a user with none of the groups mapped above gets the following error:

logger=oauth.generic_oauth t=2022-11-09T15:14:06.163553929Z level=warn msg="Failed to extract role" error="failed to search user info JSON response with provided path: "contains(memberof[*], 'Grafana Server Admin') && 'Admin' || contains(memberof[*], 'Grafana Admin') && 'Admin' || contains(memberof[*], 'Grafana Editor') && 'Editor' || contains(memberof[*], 'Grafana Viewer') && 'Viewer'": Invalid type for: , expected: jmespath.jpType{"array", "string"}"

I also tried to extend the search string with

...&& 'Viewer' || ''

meaning an empty string as the default.
Same result.
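To make the behaviour discussed in this thread concrete, here is an added example (not Grafana code) that evaluates the two role_attribute_path shapes quoted above against constructed userinfo JSON. It is a hypothetical mini-evaluator covering only the `contains(memberof[*], ...) && 'Role' || ...` and `contains(keys("roles"), ...)` clauses, not a full JMESPath engine; `resolve_login` models role_attribute_strict as described in the posts (reject on no valid role when strict, fall back to Viewer otherwise), and a missing attribute raises the same kind of type error as the log line above.

```python
import re
from typing import Optional

# One clause of the role_attribute_path shapes quoted in this thread:
#   contains(memberof[*], 'GROUP') && 'ROLE'
#   contains(keys("roles"), 'GROUP') && 'ROLE'
# Hypothetical mini-evaluator: only these shapes, not full JMESPath.
CLAUSE = re.compile(
    r"""contains\(\s*(?:keys\("(\w+)"\)|(\w+)(?:\[\*\])?)\s*,\s*'([^']*)'\s*\)\s*&&\s*'([^']*)'"""
)
DEFAULT = re.compile(r"'([^']*)'")  # a bare trailing default such as ''

def evaluate_role_path(expr: str, userinfo: dict) -> str:
    """Evaluate `clause || clause || ... [|| 'default']` left to right.

    Returns the role of the first clause whose group is present, the bare
    default if one is given, or '' when nothing matched (JMESPath null).
    Raises TypeError when the attribute is absent from the userinfo JSON,
    mirroring the "Invalid type for: , expected ... array, string" warning.
    """
    for part in (p.strip() for p in expr.split("||")):
        m = CLAUSE.fullmatch(part)
        if m is None:
            d = DEFAULT.fullmatch(part)
            if d:
                return d.group(1)
            raise ValueError(f"unsupported clause: {part!r}")
        key_attr, list_attr, group, role = m.groups()
        attr = key_attr or list_attr
        values = userinfo.get(attr)
        if values is None:
            raise TypeError(f"Invalid type for: {attr}, expected array or string")
        if key_attr:
            values = list(values.keys())  # keys("roles") -> role names
        if group in values:
            return role
    return ""

def resolve_login(expr: str, userinfo: dict, strict: bool) -> Optional[str]:
    """Model role_attribute_strict: None means the login is rejected,
    otherwise the org role granted (Viewer when nothing valid was mapped)."""
    try:
        role = evaluate_role_path(expr, userinfo)
    except TypeError:
        return None if strict else "Viewer"
    if role in ("Admin", "Editor", "Viewer"):
        return role
    return None if strict else "Viewer"

# Constructed sample expression (same shape as the 9.1.1 post above).
MEMBEROF_PATH = (
    "contains(memberof[*], 'Grafana Admin') && 'Admin' || "
    "contains(memberof[*], 'Grafana Editor') && 'Editor' || "
    "contains(memberof[*], 'Grafana Viewer') && 'Viewer' || ''"
)
```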