OAuth2 (gitlab) & roles matching (JSMEpath)

  • What Grafana version and what operating system are you using?
    9.0.2

  • What are you trying to achieve?
    I am trying to perform a mapping of roles between Gitlab and Grafana so that it’d be controled at group level:

gitlab role grafana role
admin admin
Owner (50) admin
Maintainer (40) admin
Developer (30) Editor
Reporter (20) Viewer
Guest (10) Viewer
Minimal access (5) Viewer
No access (0) (no access)

From Group and project access requests API | GitLab & Users API | GitLab

            # Minimal access (5)
            # Guest (10)
            # Reporter (20)
            # Developer (30)
            # Maintainer (40)
            # Owner (50).

The issue lays in role_attribute_path that I’m not managing to set.

            GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: 
   (contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin' 
|| (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor' 
|| 'Viewer'
  • How are you trying to achieve it?

starting grafana in docker-compose.yml:

  grafana:
    #cf. https://github.com/grafana/grafana/releases
    image: grafana/grafana:9.0.2
    container_name: grafana
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards
      - ./grafana/provisioning/datasources:/etc/grafana/provisioning/datasources
    environment:
            # https://grafana.com/docs/grafana/latest/administration/configuration/#configure-with-environment-variables
            GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER}
            GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD:-}
            GF_USERS_ALLOW_SIGN_UP: false
            GF_ALERTING_ENABLED: false
            GF_INSTALL_PLUGINS: grafana-worldmap-panel,jdbranham-diagram-panel,agenty-flowcharting-panel,yesoreyeram-boomtable-panel,grafana-piechart-panel
            GF_SERVER_ROOT_URL: https://grafana.hostname.com
        #https://grafana.com/docs/grafana/latest/auth/gitlab/
            GF_AUTH_GITLAB_ENABLED: true
            GF_AUTH_GITLAB_ALLOW_SIGNUP: true
            GF_AUTH_GITLAB_CLIENT_ID: ${GRAFANA_GITAB_APP:-notset}
            GF_AUTH_GITLAB_CLIENT_SECRET: ${GRAFANA_GITAB_SECRET:-notset}
            GF_AUTH_GITLAB_SCOPES: read_user,read_api
            GF_AUTH_GITLAB_AUTH_URL:  https://gitlab.com/oauth/authorize
            GF_AUTH_GITLAB_TOKEN_URL: https://gitlab.com/oauth/token
            GF_AUTH_GITLAB_API_URL:   https://gitlab.com/api/v4
            GF_AUTH_GITLAB_ALLOWED_GROUPS: topgroup/subgrp
            GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: (contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin' || (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor' || 'Viewer'
    restart: always
    expose:
      - 3000
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"
    healthcheck:
      test: ["CMD", "wget", "--tries=1", "--spider", "http://localhost:3000/"]
      interval: 60s
      timeout: 10s

  • What happened?
    the JSMEPath is not recognized

I am trying to identify which gitlab API is called, so that I would be able to infer the JMESPath expression, but so far without luck.
In particular, I hoped to use https://gitlab.com/api/v4/users/:user_id/memberships but it’s retricted to gitlab admins, which I am not (only maintainer of a top-level group, and owner of a sublevel gitlab group).

  • What did you expect to happen?

be able to create a JMESPath expression to assign Admin, Editor or Viewer modes according to the membership levels

  • Can you copy/paste the configuration(s) that you are having problems with?

GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: (contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin' || (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor' || 'Viewer'

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    grafana | 2022-07-27T19:46:55.507518884Z logger=oauth.gitlab t=2022-07-27T19:46:55.507238761Z level=error msg="Failed to extract role" error="failed to search user info JSON response with provided path: \"(contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin' || (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor' || 'Viewer'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"

  • Did you follow any online instructions? If so, what is the URL?

https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/gitlab/

https://github.com/grafana/grafana/pull/30025
https://github.com/grafana/grafana/issues/28892

To sum-up, I am trying to identify which gitlab API is called by grafana to establish the group, to infer the corresponding JMESPath.

Thanks in advance for any suggestion !

Not sure if this is actually possible, after re-reading the doc and the gitlab API I think that only /users is queried.
=> thus opened a feature request discussion on github : Gitlab OAuth : query /group · Discussion #53495 · grafana/grafana · GitHub