- What Grafana version and what operating system are you using?
9.0.2
- What are you trying to achieve?
I am trying to perform a mapping of roles between GitLab and Grafana so that it'd be controlled at group level:
| gitlab role | grafana role |
|---|---|
| admin | admin |
| Owner (50) | admin |
| Maintainer (40) | admin |
| Developer (30) | Editor |
| Reporter (20) | Viewer |
| Guest (10) | Viewer |
| Minimal access (5) | Viewer |
| No access (0) | (no access) |
From the GitLab docs (Group and project access requests API; Users API):

```
# Minimal access (5)
# Guest (10)
# Reporter (20)
# Developer (30)
# Maintainer (40)
# Owner (50)
```
The issue lies in role_attribute_path, which I'm not managing to set:

```
GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH:
(contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin'
|| (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor'
|| 'Viewer'
```
- How are you trying to achieve it?
Starting Grafana from docker-compose.yml:

```yaml
grafana:
  # cf. https://github.com/grafana/grafana/releases
  image: grafana/grafana:9.0.2
  container_name: grafana
  volumes:
    - grafana_data:/var/lib/grafana
    - ./grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards
    - ./grafana/provisioning/datasources:/etc/grafana/provisioning/datasources
  environment:
    # https://grafana.com/docs/grafana/latest/administration/configuration/#configure-with-environment-variables
    # Boolean-looking values are quoted so Compose passes them through as strings.
    GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER}
    GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD:-}
    GF_USERS_ALLOW_SIGN_UP: "false"
    GF_ALERTING_ENABLED: "false"
    GF_INSTALL_PLUGINS: grafana-worldmap-panel,jdbranham-diagram-panel,agenty-flowcharting-panel,yesoreyeram-boomtable-panel,grafana-piechart-panel
    GF_SERVER_ROOT_URL: https://grafana.hostname.com
    # https://grafana.com/docs/grafana/latest/auth/gitlab/
    GF_AUTH_GITLAB_ENABLED: "true"
    GF_AUTH_GITLAB_ALLOW_SIGNUP: "true"
    GF_AUTH_GITLAB_CLIENT_ID: ${GRAFANA_GITAB_APP:-notset}
    GF_AUTH_GITLAB_CLIENT_SECRET: ${GRAFANA_GITAB_SECRET:-notset}
    GF_AUTH_GITLAB_SCOPES: read_user,read_api
    GF_AUTH_GITLAB_AUTH_URL: https://gitlab.com/oauth/authorize
    GF_AUTH_GITLAB_TOKEN_URL: https://gitlab.com/oauth/token
    GF_AUTH_GITLAB_API_URL: https://gitlab.com/api/v4
    GF_AUTH_GITLAB_ALLOWED_GROUPS: topgroup/subgrp
    # Folded scalar: the three lines below become one single-line expression.
    GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: >-
      (contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin'
      || (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor'
      || 'Viewer'
  restart: always
  expose:
    - 3000
  networks:
    - monitor-net
  labels:
    org.label-schema.group: "monitoring"
  healthcheck:
    test: ["CMD", "wget", "--tries=1", "--spider", "http://grafana.staged-by-discourse.com/"]
    interval: 60s
    timeout: 10s
```
- What happened?
The JMESPath is not recognized.
I am trying to identify which GitLab API is called, so that I would be able to infer the JMESPath expression, but so far without luck.
In particular, I hoped to use https://gitlab.com/api/v4/users/:user_id/memberships, but it's restricted to GitLab admins, which I am not (only maintainer of a top-level group, and owner of a sub-level GitLab group).
- What did you expect to happen?
be able to create a JMESPath expression to assign Admin, Editor or Viewer modes according to the membership levels
- Can you copy/paste the configuration(s) that you are having problems with?

```
GF_AUTH_GITLAB_ROLE_ATTRIBUTE_PATH: (contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin' || (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor' || 'Viewer'
```
- Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

```
grafana | 2022-07-27T19:46:55.507518884Z logger=oauth.gitlab t=2022-07-27T19:46:55.507238761Z level=error msg="Failed to extract role" error="failed to search user info JSON response with provided path: \"(contains(info.access_level[*], '50') || contains(info.roles[*], 'admin' || is_admin) ) && 'Admin' || (contains(info.access_level[*], '40') || contains(info.roles[*], 'editor')) && 'Editor' || 'Viewer'\": Invalid type for: <nil>, expected: []jmespath.jpType{\"array\", \"string\"}"
```
- Did you follow any online instructions? If so, what is the URL?
  - https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/gitlab/
  - https://github.com/grafana/grafana/pull/30025
  - https://github.com/grafana/grafana/issues/28892
To sum up, I am trying to identify which GitLab API is called by Grafana to establish the group, to infer the corresponding JMESPath.
Thanks in advance for any suggestion!