grafana / oncall

Developer-friendly incident response with brilliant Slack integration
GNU Affero General Public License v3.0

Users with role Editor are not able to use the grafana oncall plugin #3719

Closed ToonTijtgat2 closed 7 months ago

ToonTijtgat2 commented 8 months ago

What went wrong?

What happened:

Users with the admin role have no issue using the oncall plugin.

What did you expect to happen:

How do we reproduce it?

  1. Create or use a user in Grafana with editor role permissions synced from Azure AD.
  2. Log on to the Grafana instance with this user account and try to view alert groups in the oncall plugin.

Grafana OnCall Version

oncall version: 1.3.89
plugin version: 1.3.89
grafana version: 10.2.3

Product Area

Auth

Grafana OnCall Platform?

Kubernetes

User's Browser?

Firefox / Google Chrome / Edge...

Anything else to add?

I tried again with older versions of the oncall plugin (1.3.87/86), but it has the same behaviour. With grafana version 10.2.2 it is also the same. Only downgrading oncall itself has not been tried, out of fear that doing this would break the setup.

ToonTijtgat2 commented 8 months ago

The strange thing is that at the moment the request happens, I see that the logs state that it could not find the user, but still give back the correct groups and userid and everything. But why does it get the 403 then?

[image]

ToonTijtgat2 commented 8 months ago

These lines do not happen for admin users

ToonTijtgat2 commented 8 months ago

/api/internal/v1/teams?include_no_team=true&only_include_notifiable_teams=false&search=&short=true does result in an unauthorized message. Maybe the API is not correct anymore?

ToonTijtgat2 commented 8 months ago

My new test user does not appear under the users in the oncall plugin.

ToonTijtgat2 commented 8 months ago

Maybe the 503 status is causing problems here? It also states that there would be an issue with certificates, but when I do a curl on the oncall pod to the same URL, there is no issue.

[image]

ToonTijtgat2 commented 8 months ago

However, when doing it with the admin account I see the same lines.

[image]

But when the error happens for the editor user, the error is in source=engine:celery, and when doing it with the admin user, the source is engine:app.

I don't see the reason for the difference in the 2 use cases!?

Matvey-Kuk commented 8 months ago

@ToonTijtgat2 just to verify, does the problem persist if you log out as Editor, log in as Admin, log out and log in as Editor again?

ToonTijtgat2 commented 8 months ago

@Matvey-Kuk I just tried, and indeed the issue persists.

ToonTijtgat2 commented 8 months ago

[image]

It is probably related to the token.

ToonTijtgat2 commented 8 months ago

https://github.com/grafana/oncall/issues/3566

mderynck commented 7 months ago

This we resolved by keeping mirageSecretKey constant through an external secret.