RBAC enabling does not work on Grafana 9.1.1

  • What Grafana version and what operating system are you using?
    helm version 6.34.0 and grafana version 9.1.1
    OS: linux ubuntu. Grafana on k8s cluster. helm version: v3.5.2

  • What are you trying to achieve?
    Enable a newly created role in folder /etc/grafana/provisioning/access-control

  • How are you trying to achieve it?

  1. mounting my customroles.yml file in that dir before helm applying grafana
  2. running curl -XPOST -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/admin/provisioning/access-control/reload
    (after kubectl port-forward -n grafana svc/grafana 3002:80)

  • What happened?
❯ curl -XGET -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/access-control/status
{"message":"Not found"}
❯ curl -XGET -H "Content-Type: application/json" -u "admin:<my_pw>" http://localhost:3002/api/access-control/roles
{"message":"Not found"}

  • What did you expect to happen?
    status 200

  • Can you copy/paste the configuration(s) that you are having problems with?

grafana.ini:
  auth.generic_oauth:
    name: OAuth login
    enabled: true
    allow_sign_up: true
    client_id: "{{ _keycloak_client_id }}"
    client_secret: "{{ keycloak_client_secrets | dict_lookup( _keycloak_client_id, error=True) }}"
    scopes: openid user email
    auth_url: "{{ _keycloak_url }}/auth"
    token_url: "{{ _keycloak_url }}/token"
    api_url:  "{{ _keycloak_url }}/userinfo"
    login_attribute_path: preferred_username
    role_attribute_path: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' || contains(roles[*], 'sre-editor')"
    tls_skip_verify_insecure: "{{ (validate_certmanager_certificates | bool) | ternary(False,True) }}"
  smtp:
    enabled: true
    host: "{{ grafana_smtp_host }}"
    skip_verify: "{{ grafana_smtp_skip_verify }}"
    from_address: "{{ grafana_smtp_from_address }}"
    from_name: "{{ grafana_smtp_from_name }}"
  rbac:
    enabled: true
    permission_cache: true
  log:
    level: debug
accessControl:
  customroles.yaml:
    apiVersion: 2
    roles:
      - name: 'sre-editor'
        uid: sreeditor
        description: 'Appropriate role for DSH SRE'
        version: 1
        global: true
        permissions:
          - action: 'users:read'
            scope: 'users:*'
          - action: 'users:write'
            scope: 'users:*'
          - action: 'dashboards:read'
            scope: 'dashboards:*'
          - action: 'dashboards:write'
            scope: 'dashboards:*'
          - action: 'datasources:read'
            scope: 'datasources:*'
          - action: 'datasources:write'
            scope: 'datasources:*'
          - action: 'folders:read'
            scope: 'folders:*'
          - action: 'folders:write'
            scope: 'folders:*'
          - action: 'org.users:read'
            scope: 'users:*'
          - action: 'org.users:write'
            scope: 'users:*'
          - action: 'reports:read'
            scope: 'reports:*'
          - action: 'reports:write'
            scope: 'reports:*'
  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
logger=context traceID=00000000000000000000000000000000 userId=1 orgId=1 uname=admin t=2022-08-30T10:48:37.961809326Z level=info msg="Request Completed" method=POST path=/api/admin/provisioning/access-control/reload status=404 remote_addr=127.0.0.1 time_ms=10 duration=10.885462ms size=24 referer= traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=1 orgId=1 uname=admin t=2022-08-30T10:49:06.386071775Z level=info msg="Request Completed" method=GET path=/api/access-control/status status=404 remote_addr=127.0.0.1 time_ms=11 duration=11.636589ms size=24 referer= traceID=00000000000000000000000000000000

Are you using a Grafana Enterprise license? That is required for RBAC to work. I believe there is a note about that at the top of the pages that you link :+1:
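
A triage sketch for the request logs in this thread, added here as an example (it is not code from either poster or from Grafana): it parses the logfmt lines and separates 404s on the access-control API paths, meaning the route is not served by this instance (which the reply above ties to the Enterprise license requirement), from 401/403 responses that would point at credentials or permissions. The sample lines are constructed from the two lines in the post plus one constructed `/api/health` line, and the category names are assumptions.

```python
import re

# Constructed sample: the two request-log lines from the post (traceID fields
# dropped for width) plus one constructed line for a route that is served.
SAMPLE_LOG = """\
logger=context userId=1 orgId=1 uname=admin t=2022-08-30T10:48:37.961809326Z level=info msg="Request Completed" method=POST path=/api/admin/provisioning/access-control/reload status=404 remote_addr=127.0.0.1 time_ms=10 size=24 referer=
logger=context userId=1 orgId=1 uname=admin t=2022-08-30T10:49:06.386071775Z level=info msg="Request Completed" method=GET path=/api/access-control/status status=404 remote_addr=127.0.0.1 time_ms=11 size=24 referer=
logger=context userId=1 orgId=1 uname=admin t=2022-08-30T10:50:00.000000000Z level=info msg="Request Completed" method=GET path=/api/health status=200 remote_addr=127.0.0.1 time_ms=1 size=70 referer=
"""

# Path prefixes taken from the requests shown in the thread.
RBAC_PREFIXES = ("/api/access-control", "/api/admin/provisioning/access-control")

# logfmt pair: key=bare, key="quoted value", or key= (empty, e.g. referer=).
PAIR = re.compile(r'([\w.]+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_logfmt(line):
    """Parse one logfmt line into a dict, keeping quoted values whole."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def classify(status):
    """Hypothetical category names; the split is by HTTP status only."""
    if status == 404:
        return "route-not-served"
    if status in (401, 403):
        return "credentials-or-permissions"
    return "ok" if 200 <= status < 300 else "other"


def triage(log_text):
    """Return (method, path, status, category) for access-control requests."""
    findings = []
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        status = f.get("status", "")
        if f.get("msg") != "Request Completed" or not status.isdigit():
            continue
        if f.get("path", "").startswith(RBAC_PREFIXES):
            code = int(status)
            findings.append((f.get("method"), f["path"], code, classify(code)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```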