- What Grafana version and what operating system are you using?
10.2.2 (Docker image 14bdea0920487c9b11b77cf48c90a7cd8868311d51f88ad54f4517cebe39f8a8)
- What are you trying to achieve?
I’m trying to assign roles to my users based on their groups from an external provider (Authentik).
- How are you trying to achieve it?
Mostly followed Grafana | authentik.
- What happened?
The assigned role is always Viewer, or at least the “default” role in the ROLE_ATTRIBUTE_PATH parameter.
If I set
contains(groups[*], 'GrafanaAdmins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
then it’s always Viewer.
If I set
contains(groups[*], 'GrafanaAdmins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Admin'
then it’s always Admin.
- What did you expect to happen?
Users in the “GrafanaAdmins” group should have the Admin role in Grafana.
- Can you copy/paste the configuration(s) that you are having problems with?
PATH=/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_HOME=/usr/share/grafana
GF_PATHS_LOGS=/var/log/grafana
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_AUTH_GENERIC_OAUTH_ENABLED=false
GF_AUTH_GENERIC_OAUTH_NAME=authentik
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=xxxxx
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=xxxxxx
GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
GF_AUTH_GENERIC_OAUTH_AUTH_URL=https :// sso[.]xxxxxxxx[.]fr/application/o/authorize/
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https :// sso[.]xxxxxxxx[.]fr/application/o/token/
GF_AUTH_GENERIC_OAUTH_API_URL=https :// sso[.]xxxxxxxxx[.]fr/application/o/userinfo/
GF_AUTH_SIGNOUT_REDIRECT_URL=https :// sso[.]xxxxxxxxx[.]fr/application/o/grafana/end-session/
GF_AUTH_OAUTH_AUTO_LOGIN=true
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
GF_SERVER_ROOT_URL=https :// grafana[.]xxxxxxxxxxxxx[.]fr
GF_AUTH_GENERIC_ALLOW_ASSIGN_GRAFANA_ADMIN=true
GF_AUTH_GENERIC_ROLE_ATTRIBUTE_STRICT=true
GF_LOG_LEVEL=debug
GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=groups
GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
- Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
No error, but the Grafana logs show the role being set to Viewer even though the groups are found.
- Did you follow any online instructions? If so, what is the URL?
Mostly dug into https :// grafana[.]com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/ plus some forum posts about related issues.
Also checked jmespath.org; the expression seems fine.
Relevant logs:
2023-12-06T23:25:47.168049424Z logger=http.server t=2023-12-06T23:25:47.167986603Z level=error msg="Failed to parse user ID" error="identifier is not initialized"
2023-12-06T23:25:47.170166401Z logger=context userId=0 orgId=0 uname= t=2023-12-06T23:25:47.170091981Z level=info msg="OAuth auto login enabled. Redirecting to /login/generic_oauth"
2023-12-06T23:25:47.170227071Z logger=context userId=0 orgId=0 uname= t=2023-12-06T23:25:47.170167471Z level=info msg="Request Completed" method=GET path=/login status=307 remote_addr=89.89.7.92 time_ms=8 duration=8.89369ms size=56 referer= handler=/login
2023-12-06T23:25:47.180905787Z logger=context userId=0 orgId=0 uname= t=2023-12-06T23:25:47.180774687Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr=89.89.7.92 time_ms=0 duration=173.371µs size=318 referer= handler=/login/:name
2023-12-06T23:25:47.699991154Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.699878433Z level=debug msg="Getting user info"
2023-12-06T23:25:47.700022384Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.699908093Z level=debug msg="Extracting user info from OAuth token"
2023-12-06T23:25:47.700189164Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.700111084Z level=debug msg="Received id_token" raw_json="{\"iss\":\"https :// sso[.]xxxxxxxxxxxxxx[.]fr/application/o/grafana/\",\"sub\":\"aaaaaaaa\",\"aud\":\"NQTEUnsPX7HNpPDkFJsKm3dRk0FO8hKpuBDT4jcL\",\"exp\":1704497147,\"iat\":1701905147,\"auth_time\":1701897703,\"acr\":\"goauthentik.io/providers/oauth2/default\",\"at_hash\":\"4aMPoNtjdLJ4xyBjwQZ2Ag\"}" data="Name: , Displayname: , Login: , Username: , Email: , Upn: , Attributes: map[]"
2023-12-06T23:25:47.700204764Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.700140154Z level=debug msg="Getting user info from API"
2023-12-06T23:25:47.750272535Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750174465Z level=debug msg="HTTP GET" url=https :// sso[.]xxxxxxxxxxxxxx[.]fr/application/o/userinfo/ status="200 OK" response_body="{\"email\": \"zzzz@xxxxxxxxxxxxxx[.]fr\", \"email_verified\": true, \"name\": \"Arthur\", \"given_name\": \"Arthur\", \"preferred_username\": \"arthur\", \"nickname\": \"arthur\", \"groups\": [\"download access\", \"GrafanaAdmins\"], \"sub\": \"aaaaaaaa\"}"
2023-12-06T23:25:47.750336225Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750267445Z level=debug msg="Received user info response from API" raw_json="{\"email\": \"zzzz@xxxxxxxxxxxxxx[.]fr\", \"email_verified\": true, \"name\": \"Arthur\", \"given_name\": \"Arthur\", \"preferred_username\": \"arthur\", \"nickname\": \"arthur\", \"groups\": [\"download access\", \"GrafanaAdmins\"], \"sub\": \"aaaaaaaa\"}" data="Name: Arthur, Displayname: , Login: , Username: , Email: zzzz@xxxxxxxxxxxxxx[.]fr, Upn: , Attributes: map[]"
2023-12-06T23:25:47.750359535Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750292265Z level=debug msg="Processing external user info" source=token data="Name: , Displayname: , Login: , Username: , Email: , Upn: , Attributes: map[]"
2023-12-06T23:25:47.750368495Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750314235Z level=debug msg="Unable to find user info name"
2023-12-06T23:25:47.750377625Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750327045Z level=debug msg="Searching for login among JSON" loginAttributePath=preferred_username
2023-12-06T23:25:47.750653586Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750599306Z level=debug msg="Processing external user info" source=API data="Name: Arthur, Displayname: , Login: , Username: , Email: zzzz@xxxxxxxxxxxxxx[.]fr, Upn: , Attributes: map[]"
2023-12-06T23:25:47.750672206Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750624496Z level=debug msg="Setting user info name from name field"
2023-12-06T23:25:47.750681766Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750637476Z level=debug msg="Searching for login among JSON" loginAttributePath=preferred_username
2023-12-06T23:25:47.750713786Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750687976Z level=debug msg="Set user info email from extracted email" email=zzzz@xxxxxxxxxxxxxx[.]fr
2023-12-06T23:25:47.750787257Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750745587Z level=debug msg="Setting user info groups from extracted groups"
2023-12-06T23:25:47.750802327Z logger=oauth.generic_oauth t=2023-12-06T23:25:47.750761217Z level=debug msg="User info result" result="Id: aaaaaaaa, Name: Arthur, Email: zzzz@xxxxxxxxxxxxxx[.]fr, Login: arthur, Role: Viewer, Groups: [download access GrafanaAdmins]"
2023-12-06T23:25:47.781118919Z logger=user.sync t=2023-12-06T23:25:47.781034419Z level=debug msg="Updating auth connection for user" id=
2023-12-06T23:25:47.806323274Z logger=login.authinfo.store t=2023-12-06T23:25:47.806213114Z level=debug msg="Updated user_auth" user_id=2 auth_id=aaaaaaaa auth_module=oauth_generic_oauth rows=1
2023-12-06T23:25:47.808886503Z logger=org.sync t=2023-12-06T23:25:47.808775222Z level=debug msg="Syncing organization roles" id=user:2 extOrgRoles=map[1:Viewer]
2023-12-06T23:25:47.813289308Z logger=accesscontrol.service t=2023-12-06T23:25:47.813188837Z level=debug msg="Fetch permissions from store" key=rbac-permissions-1-user-2
2023-12-06T23:25:47.815830386Z logger=accesscontrol.service t=2023-12-06T23:25:47.815757526Z level=debug msg="Cache permissions" key=rbac-permissions-1-user-2
Any idea?
Thanks
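Added example, not from the post or from Grafana: a small Python evaluator for the `contains(groups[*], ...) && 'Role' || ... || 'Default'` shape of role_attribute_path, applied to the groups claim captured in the userinfo log line above (`["download access", "GrafanaAdmins"]`). It evaluates the expression as written in the posted configuration block (`'Grafana Admins'`, with a space) and the variant using the claim value exactly, and shows how role_attribute_strict treats a result that is not a valid role. It handles only this expression shape; it is not a JMESPath engine, and the JMESPath `&&`/`||` semantics it mirrors are that `&&` yields its right operand when the left is truthy and `||` yields the first truthy operand.

```python
import re

# Constructed from the userinfo response captured in the debug log above:
# the groups claim is ["download access", "GrafanaAdmins"], no space in the name.
USERINFO = {"preferred_username": "arthur",
            "groups": ["download access", "GrafanaAdmins"]}

# Roles Grafana accepts from role_attribute_path; GrafanaAdmin only takes
# effect when allow_assign_grafana_admin is enabled.
VALID_ROLES = {"Admin", "Editor", "Viewer", "None", "GrafanaAdmin"}

# One term of the chain: optional "contains(groups[*], 'G') &&" then a quoted role.
TERM = re.compile(r"^(?:contains\(groups\[\*\],\s*'([^']*)'\)\s*&&\s*)?'([^']*)'$")


def eval_role_expr(expr, userinfo):
    """Evaluate the contains(...) && 'Role' || ... || 'Default' shape with
    JMESPath semantics: && yields its right operand when the left is truthy,
    || yields the first truthy operand. Only this shape is supported."""
    groups = userinfo.get("groups")
    if not isinstance(groups, list):
        # JMESPath's contains() on a missing claim is an invalid-type error,
        # not a quiet "no match"; surface it the same way.
        raise TypeError("groups claim is missing or not an array")
    for raw in expr.split("||"):          # && binds tighter than ||
        m = TERM.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported term: {raw.strip()!r}")
        group, role = m.groups()
        if group is None or group in groups:   # exact, case-sensitive match
            return role
    return None  # every && guard was false and there was no bare default


def grafana_role(expr, userinfo, strict=False, default="Viewer"):
    """Mirror how Grafana consumes the result: a valid role is assigned,
    anything else is denied under role_attribute_strict or falls back to
    the org default role (auto_assign_org_role, Viewer by default)."""
    role = eval_role_expr(expr, userinfo)
    if role in VALID_ROLES:
        return role
    if strict:
        raise PermissionError(f"role_attribute_strict: {role!r} is not a valid role")
    return default


# The expression as posted in the configuration block (note the space).
POSTED = ("contains(groups[*], 'Grafana Admins') && 'Admin' || "
          "contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'")
# The same expression using the group name exactly as it appears in the claim.
EXACT = POSTED.replace("'Grafana Admins'", "'GrafanaAdmins'")
```

Against the logged claim, `grafana_role(POSTED, USERINFO)` returns Viewer because the `contains()` match is exact and case-sensitive, while `grafana_role(EXACT, USERINFO)` returns Admin.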