oracle / oci-grafana-logs

Grafana datasource plugin for OCI logs
https://grafana.com/grafana/plugins/oci-logs-datasource
Universal Permissive License v1.0

NotAuthorizedOrNotFound #83

Closed passarela closed 1 year ago

passarela commented 1 year ago

Hello

I am configuring Datasource LOGS and I get the error Data source is not working when I click to test. Below is the Grafana log.

t=2023-05-05T15:58:16.806987315-03:00 level=error msg="Internal server error" error="[plugin.downstreamError] failed to query data: Failed to query data: rpc error: code = Unknown desc = Error returned by LogSearch Service. Http Status Code: 404. Error Code: NotAuthorizedOrNotFound.
Authorization failed or requested resource not found\nOperation Name: SearchLogs\nTimestamp: 2023-05-05 18:58:16 +0000 GMT\nClient Version: Oracle-GoSDK/65.23.0\nRequest Endpoint: POST https://logging. sa-saopaulo-1.oci.oraclecloud.com/20190909/search?limit=10\nTroubleshooting Tips: See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_404__404_notauthorizedornotfound for more information about resolving this error.\nAlso see https://docs.oracle.com/iaas/api/#/en/logging-search/20190909/SearchResult/SearchLogs for details on this operation's requirements.\nTo get more info on the failing request, you can set OCI_GO_SDK_DEBUG env var to info or higher level to log the request/response details.\nIf you are unable to resolve this LogSearch issue, please contact Oracle support and provide them this full error message."
  1. I have the GrafanaLoggingUserGroup group created
  2. I have user grafana_logs created within the above group.
  3. I have the following policies:
     allow group GrafanaLoggingUserGroup to read log-groups in tenancy
     allow group GrafanaLoggingUserGroup to read log-content in tenancy
     allow group GrafanaLoggingUserGroup to read compartments in tenancy

To make sure the problem was permissions, I added the policy below for testing, and the datasource worked:

ALLOW GROUP GrafanaLoggingUserGroup to manage all-resources IN TENANCY

What am I doing wrong with the policies? What policies are missing?

mamorett commented 1 year ago

Hi. Policies look fine to me. I will try to replicate your scenario and see if I get the same problem. Which version of the plugin are you using?

passarela commented 1 year ago


Hello, thanks for replying:

I'm using the following versions:

Grafana Community: 9.4.1
Oracle Cloud Infrastructure Logs Plugin: 3.0.0

mamorett commented 1 year ago

Good, I was able to reproduce the issue in my lab. Can you try to create a simple dashboard, ignoring the error during datasource configuration?

passarela commented 1 year ago


When performing a query looking for all the logs of a compartment, I get the following error:

I performed a test by adding my Grafana user to the "Tenancy ADMIN" group and the query worked. There is still a permission issue.


passarela commented 1 year ago

Through an SR it was suggested to me to use the policy:

allow the grafana group to read all resources in the tenancy

I performed the test and it worked, but I believe it is a policy error, as those mentioned in the documentation should work.

allow group GrafanaLoggingUserGroup to read log groups on tenancy
allow group GrafanaLoggingUserGroup to read log contents in tenancy
allow group GrafanaLoggingUserGroup to read compartments in tenancy

mamorett commented 1 year ago

Hi. Yes, the suggested policy looks too wide. However, I noticed something strange in the rule you reported. The documentation states that the following are required:

allow group grafana to read log-groups in tenancy
allow group grafana to read log-content in tenancy
allow group grafana to read compartments in tenancy

There is a "-" in log-groups and log-content.

passarela commented 1 year ago


It was just a typo here on GitHub; these are my policies:

allow group ti_grafana to read metrics in tenancy
allow group ti_grafana to read compartments in tenancy
allow group ti_grafana to read log-groups in tenancy
allow group ti_grafana to read log-content in tenancy

By adding the policy suggested by Oracle, the feature works, but this policy is very open:

allow the grafana group to read all resources in the tenancy

Do we have a fix to make the policies work as documented?

jedcanchola commented 1 year ago

Adding the following policy makes this work:

allow group grafana to read audit-events in tenancy
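As an added illustration (not code from the plugin, from Oracle, or from anyone in this thread), the checker below parses OCI policy statements with a simplified grammar assumed here (`allow group <g> to <verb> <resource-type> in tenancy|compartment <name>`, optional `where` clause), applies the OCI verb hierarchy inspect < read < use < manage, and reports three things for a group: which of the grants named in this thread it is still missing (the three documented resource types plus `audit-events` from the last comment), which statements it could not parse (the hyphen typo discussed above falls out as unparsed rather than as a silent grant), and which statements are broader than the thread needs (`read`/`manage all-resources`). The required set and the `read` level are taken from this thread only; the sample statement lists are constructed from the policies quoted in it.

```python
"""Lint OCI IAM policy statements against the grants a Grafana OCI Logs datasource needs.

Added example for this thread; not the plugin's code. The REQUIRED table and the
'read' level per resource type come from the thread (docs + final comment), and the
statement grammar is a simplified subset of OCI policy syntax (assumption).
"""
import re
from typing import Dict, List, Optional

# OCI verbs form a hierarchy: each verb includes every verb below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource types the thread says the group must be able to read.
REQUIRED: Dict[str, str] = {
    "log-groups": "read",
    "log-content": "read",
    "compartments": "read",
    "audit-events": "read",   # reported as the missing grant in the last comment
}

# Simplified statement grammar (assumption): scope is 'tenancy' or 'compartment <name>'.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+.*)?$",
    re.IGNORECASE,
)


def parse(statement: str) -> Optional[Dict[str, str]]:
    """Return the statement's fields (lower-cased) or None if it does not fit the grammar."""
    m = STATEMENT.match(statement.strip())
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None


def check_policies(statements: List[str], group: str) -> Dict[str, List[str]]:
    """Report missing, overbroad and unparsed statements for `group`.

    Scope is recorded but not evaluated: a compartment-scoped grant counts the same as
    a tenancy one here (simplification).
    """
    group = group.lower()
    granted: Dict[str, int] = {}    # resource-type -> highest verb rank granted to group
    unparsed: List[str] = []
    overbroad: List[str] = []
    for raw in statements:
        p = parse(raw)
        if p is None or p["verb"] not in VERB_RANK:
            unparsed.append(raw.strip())   # e.g. 'log groups' instead of 'log-groups'
            continue
        if p["group"] != group:
            continue
        rank = VERB_RANK[p["verb"]]
        if p["resource"] == "all-resources":
            # Wildcard satisfies every required type but is wider than the thread needs.
            overbroad.append(raw.strip())
            for r in REQUIRED:
                granted[r] = max(granted.get(r, -1), rank)
            continue
        granted[p["resource"]] = max(granted.get(p["resource"], -1), rank)
        needed = REQUIRED.get(p["resource"])
        if needed is not None and rank > VERB_RANK[needed]:
            overbroad.append(raw.strip())   # e.g. 'manage log-groups' where 'read' suffices
    missing = [r for r, v in REQUIRED.items() if granted.get(r, -1) < VERB_RANK[v]]
    return {"missing": missing, "overbroad": overbroad, "unparsed": unparsed}


# Constructed sample policy sets, copied from the statements quoted in this thread.
DOCUMENTED = [
    "allow group ti_grafana to read metrics in tenancy",
    "allow group ti_grafana to read compartments in tenancy",
    "allow group ti_grafana to read log-groups in tenancy",
    "allow group ti_grafana to read log-content in tenancy",
]
TYPOED = [
    "allow group GrafanaLoggingUserGroup to read log groups on tenancy",
    "allow group GrafanaLoggingUserGroup to read log contents in tenancy",
    "allow group GrafanaLoggingUserGroup to read compartments in tenancy",
]
FIXED = DOCUMENTED + ["allow group ti_grafana to read audit-events in tenancy"]
WIDE_OPEN = ["ALLOW GROUP GrafanaLoggingUserGroup to manage all-resources IN TENANCY"]

if __name__ == "__main__":
    for label, stmts, grp in [("documented", DOCUMENTED, "ti_grafana"),
                              ("typoed", TYPOED, "GrafanaLoggingUserGroup"),
                              ("fixed", FIXED, "ti_grafana"),
                              ("wide-open", WIDE_OPEN, "GrafanaLoggingUserGroup")]:
        print(label, check_policies(stmts, grp))
```

Run it as a script to see each scenario from the thread: the documented set reports only `audit-events` missing, the typo'd set reports two unparsed statements (so three required types missing), the fixed set reports nothing missing, and the `manage all-resources` statement satisfies everything but is flagged as overbroad.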