Rbac enabling does not work on grafana 9.1.1

  • What Grafana version and what operating system are you using?
    helm version 6.34.0 and grafana version 9.1.1
    OS: linux ubuntu. Grafana on k8s cluster. helm version: v3.5.2

  • What are you trying to achieve?
    Enable a newly created role in folder /etc/grafana/provisioning/access-control

  • How are you trying to achieve it?

  1. mounting my customroles.yml file in that dir before helm applying grafana
  2. running curl -XPOST -H "Content-Type: application/json" -u "admin:<my_pw> http://localhost:3002/api/admin/provisioning/access-control/reload
    (after kubectl port-forward -n grafana svc/grafana 3002:80)
  • What happened?
❯ curl -XGET -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/access-control/status
{"message":"Not found"}
❯ curl -XGET -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/access-control/roles
{"message":"Not found"}

  • What did you expect to happen?
    status 200

  • Can you copy/paste the configuration(s) that you are having problems with?

grafana.ini:
  auth.generic_oauth:
    name: OAuth login
    enabled: true
    allow_sign_up: true
    client_id: "{{ _keycloak_client_id }}"
    client_secret: "{{ keycloak_client_secrets | dict_lookup( _keycloak_client_id, error=True) }}"
    scopes: openid user email
    auth_url: "{{ _keycloak_url }}/auth"
    token_url: "{{ _keycloak_url }}/token"
    api_url:  "{{ _keycloak_url }}/userinfo"
    login_attribute_path: preferred_username
    role_attribute_path: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' || contains(roles[*], 'sre-editor')"
    tls_skip_verify_insecure: "{{ (validate_certmanager_certificates | bool) | ternary(False,True) }}"
  smtp:
    enabled: true
    host: "{{ grafana_smtp_host }}"
    skip_verify: "{{ grafana_smtp_skip_verify }}"
    from_address: "{{ grafana_smtp_from_address }}"
    from_name: "{{ grafana_smtp_from_name }}"
  rbac:
    enabled: true
    permission_cache: true
  log:
    level: debug
accessControl:
  customroles.yaml:
    apiVersion: 2
    roles:
      - name: 'sre-editor'
        uid: sreeditor
        description: 'Appropriate role for DSH SRE'
        version: 1
        global: true
        permissions:
          - action: 'users:read'
            scope: 'users:*'
          - action: 'users:write'
            scope: 'users:*'
          - action: 'dashboards:read'
            scope: 'dashboards:*'
          - action: 'dashboards:write'
            scope: 'dashboards:*'
          - action: 'datasources:read'
            scope: 'datasources:*'
          - action: 'datasources:write'
            scope: 'datasources:*'
          - action: 'folders:read'
            scope: 'folders:*'
          - action: 'folders:write'
            scope: 'folders:*'
          - action: 'org.users:read'
            scope: 'users:*'
          - action: 'org.users:write'
            scope: 'users:*'
          - action: 'reports:read'
            scope: 'reports:*'
          - action: 'reports:write'
            scope: 'reports:*'
  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
logger=context traceID=00000000000000000000000000000000 userId=1 orgId=1 uname=admin t=2022-08-30T10:48:37.961809326Z level=info msg="Request Completed" method=POST path=/api/admin/provisioning/access-control/reload status=404 remote_addr=127.0.0.1 time_ms=10 duration=10.885462ms size=24 referer= traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=1 orgId=1 uname=admin t=2022-08-30T10:49:06.386071775Z level=info msg="Request Completed" method=GET path=/api/access-control/status status=404 remote_addr=127.0.0.1 time_ms=11 duration=11.636589ms size=24 referer= traceID=00000000000000000000000000000000