grafana / helm-charts

Apache License 2.0

Error from access control system no resolver found and user token not found #1859

Open yaztriumph opened 2 years ago

yaztriumph commented 2 years ago

Stack is EKS, Route53, Azure AD SSO, Istio VirtualService, grafana helm chart 6.38.6, terraform, Client VPN. Can log in through Azure AD SSO, but can't do anything else. Getting an Unauthorized error, and kicking the user out.

service.portName = service
service.targetPort = 3000 
service.port = 3000
service.type = ClusterIP

hosts = grafana-istio.${var.aws_region}.${var.environment}.abc.int

Grafana config:

dashboardproviders.yaml
apiVersion: 1
providers:
- disableDeletion: false
  folder: istio
  name: istio
  options:
    path: /var/lib/grafana/dashboards/istio
  orgId: 1
  type: file
- disableDeletion: false
  folder: istio
  name: istio-services
  options:
    path: /var/lib/grafana/dashboards/istio-services
  orgId: 1
  type: file

datasources.yaml
apiVersion: 1
datasources:
- access: proxy
  editable: true
  isDefault: true
  jsonData:
    timeInterval: 5s
  name: Prometheus
  orgId: 1
  type: prometheus
  url: http://prometheus-istio-server.istio-system.svc.cluster.local

download_dashboards.sh
#!/usr/bin/env sh
set -euf
mkdir -p /var/lib/grafana/dashboards/istio
mkdir -p /var/lib/grafana/dashboards/istio-services

grafana.ini
auth.cookie_samesite = strict
auth.login_cookie_name = grafana_session
auth.login_maximum_inactive_lifetime_days = 7
auth.login_maximum_lifetime_days = 30
[analytics]
check_for_updates = true
[auth.azuread]
allow_sign_up = true
allowed_groups = redacted
auth_url = https://login.microsoftonline.com/redacted/oauth2/v2.0/authorize
client_id = redacted
client_secret = redacted
enabled = true
name = Azure AD
scopes = openid email profile
token_url = https://login.microsoftonline.com/redacted/oauth2/v2.0/token
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
domain = grafana-istio.us-west-2.dev.abc.int
enforce_domain = false
root_url = https://grafana-istio.us-west-2.dev.abc.int

grafana pod logs:

msg="Failed to look up user based on cookie" error="user token not found"
level=error msg="Error from access control system" error="no resolver found"
Browser Network
Search:

Request URL: https://grafana-istio.us-west-2.dev.equipifi.int/api/search 
Request Method: GET
Status Code: 401 
Remote Address: 10.6.7.181:443
Referrer Policy: strict-origin-when-cross-origin
Home:

Request URL: https://grafana-istio.us-west-2.dev.abc.int/api/dashboards/home
Request Method: GET
Status Code: 401 
Remote Address: 10.6.7.181:443
Referrer Policy: strict-origin-when-cross-origin
Frontend-metrics:

Request URL: https://grafana-istio.us-west-2.dev.abc.int/api/frontend-metrics
Request Method: POST
Status Code: 401 
Remote Address: 10.6.7.181:443
Referrer Policy: strict-origin-when-cross-origin

Grafana VS

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  gateways:
  - gateway-gtw
  hosts:
  - grafana-istio.us-west-2.dev.abc.int
  http:
  - route:
    - destination:
        host: grafana-istio.istio-system.svc.cluster.local
        port:
          number: 3000
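
Added example, not from the issue author or the grafana/helm-charts project: a small lint that parses the flattened `grafana.ini` shown in the post (both the dotted `auth.*` lines and the `[section]` blocks) and flags session-cookie settings that commonly interfere with an OAuth login. The SameSite check encodes the general browser rule that `SameSite=Strict` cookies are withheld on navigations arriving through a cross-site redirect, which is how the IdP returns the user to Grafana; treating that as the cause of this issue is an assumption, not a confirmed diagnosis. The config text is constructed from the post with secrets kept redacted.

```python
import re
from urllib.parse import urlparse

# Constructed from the grafana.ini in the post (only the session-relevant keys).
GRAFANA_INI = """\
auth.cookie_samesite = strict
auth.login_cookie_name = grafana_session
[auth.azuread]
enabled = true
[server]
domain = grafana-istio.us-west-2.dev.abc.int
enforce_domain = false
root_url = https://grafana-istio.us-west-2.dev.abc.int
"""

def parse_flat_ini(text):
    """Map 'section.key' -> value. Accepts '[section]' headers as well as the
    dotted 'section.key = value' lines the chart's values get flattened to."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        cfg[f"{section}.{key}" if section else key] = value.strip()
    return cfg

def lint_session_config(cfg):
    """Return (code, detail) pairs for settings that break or weaken the login session."""
    findings = []
    providers = [k.split(".")[1] for k, v in cfg.items()
                 if k.startswith("auth.") and k.endswith(".enabled") and v.lower() == "true"]
    if providers and cfg.get("auth.cookie_samesite", "lax").lower() == "strict":
        # Strict cookies are not sent on a navigation that arrives via a cross-site
        # redirect, i.e. the return from the IdP after the OAuth login completes.
        findings.append(("SAMESITE_STRICT_WITH_OAUTH", ", ".join(providers)))
    root = urlparse(cfg.get("server.root_url", ""))
    domain = cfg.get("server.domain", "")
    if root.hostname and domain and root.hostname != domain:
        findings.append(("ROOT_URL_DOMAIN_MISMATCH", f"{root.hostname} != {domain}"))
    if root.scheme == "https" and cfg.get("security.cookie_secure", "false").lower() != "true":
        findings.append(("COOKIE_SECURE_OFF", "root_url is https but security.cookie_secure is not true"))
    return findings
```

Run `lint_session_config(parse_flat_ini(GRAFANA_INI))` against the post's values and it reports the strict SameSite setting alongside the enabled `azuread` provider and the missing `cookie_secure`; the `domain`/`root_url` host check passes because they match.
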
R-Studio commented 2 years ago

Same issue here with GitHub as OAuth2 authentication.