Error getting email address - grafana with keycloak - single-sign-on

I'm trying to integrate Grafana with Keycloak, but I'm receiving the following errors when I set up "Scopes = openid profile email" in grafana.ini:
t=2021-11-03T05:51:22-0400 lvl=eror msg="Error getting email address" logger=oauth.generic_oauth url=http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails error="{\"error\":\"RESTEASY003210: Could not find resource for full path: http://101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails\"}"
t=2021-11-03T05:51:22-0400 lvl=eror msg="login.OAuthLogin(get info from generic_oauth)" logger=context userId=0 orgId=0 uname= error="Error getting email address: {\"error\":\"RESTEASY003210: Could not find resource for full path: http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails\"}"
Definitely, it is not getting any email address when I try to call "http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo/emails" - Page not found.
My grafana.ini config looks like below:
[auth.generic_oauth]
enabled = true
allow_sign_up = true
team_ids =
allowed_organizations =
name = Keycloak
scopes = openid profile email
client_id = grafana
client_secret = ba342011-3705-483c-8e04-7f95be561cd5
auth_url = http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/auth
token_url = http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/token
api_url = http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo

I found the solution:
Step 1. Create a user on Keycloak, for example grafana, set a password, and also add your email address or whatever email address you want:
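Why Grafana requests .../userinfo/emails at all: its generic OAuth login looks for an email claim in the ID token, then in the api_url (userinfo) response, and only when both are empty falls back to a GitHub-style request to api_url + "/emails", which Keycloak does not serve. The block below is an added example, not part of the original question or answer and not Grafana's own code; it models that lookup order in Python over constructed sample claims. The API_URL value, the claim contents and the alg=none token builder are assumptions made so the example runs offline.

```python
import base64
import json

# Constructed sample values; nothing here was captured from the asker's servers.
API_URL = "http://192.168.101.221:8080/auth/realms/grafana/protocol/openid-connect/userinfo"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unsigned_jwt(claims):
    """Build an alg=none token so the example runs offline.
    Real Keycloak ID tokens are RS256-signed; this helper only produces sample input."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url(json.dumps(claims).encode()) + "."


def jwt_claims(token):
    """Read the payload only. This does not verify the signature; Grafana verifies the
    token elsewhere, this function just reproduces its claim extraction."""
    return json.loads(b64url_decode(token.split(".")[1]))


def resolve_email(id_token, userinfo, api_url):
    """Simplified model of Grafana 8's generic_oauth lookup order:
    1. 'email' claim in the ID token,
    2. 'email' field in the api_url (userinfo) response,
    3. otherwise GET api_url + '/emails' (a GitHub-style endpoint Keycloak does not have).
    Returns the email found and where it came from; 'source' is the failing URL in case 3."""
    claims = jwt_claims(id_token) if id_token else {}
    for source, data in (("id_token", claims), ("userinfo", userinfo or {})):
        email = data.get("email")
        if email:
            return {"email": email, "source": source}
    return {"email": None, "source": api_url.rstrip("/") + "/emails"}


# What Keycloak returns when the user record has no email (or the client has no
# email mapper / the 'email' scope was not granted):
CLAIMS_NO_EMAIL = {"sub": "0f3c2b7e-1111-2222-3333-444455556666", "preferred_username": "grafana"}
# What it returns once the user has an email and the email scope is mapped:
CLAIMS_WITH_EMAIL = dict(CLAIMS_NO_EMAIL, email="grafana@example.com", email_verified=True)

NO_EMAIL_TOKEN = unsigned_jwt(CLAIMS_NO_EMAIL)
WITH_EMAIL_TOKEN = unsigned_jwt(CLAIMS_WITH_EMAIL)

if __name__ == "__main__":
    print(resolve_email(NO_EMAIL_TOKEN, CLAIMS_NO_EMAIL, API_URL))      # falls through to .../userinfo/emails
    print(resolve_email(WITH_EMAIL_TOKEN, CLAIMS_WITH_EMAIL, API_URL))  # found in the ID token
```

The first call reproduces the failure in the log: with no email in either place, the only remaining source is the non-existent /emails resource. Giving the Keycloak user an email (and keeping the email scope mapped on the client) makes the second or third branch hit before the fallback.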

Related

GitHub OAuth integration for Grafana

I'm trying to have GitHub OAuth integration for Grafana and I am following this document:
https://grafana.com/docs/grafana/latest/auth/github/
Accordingly, I've configured my values.yaml file with similar configuration as shown below:
## grafana Authentication can be enabled with the following values on grafana.ini
server:
  # The full public facing url you use in browser, used for redirects and emails
  root_url: https://grafana.example.space
# https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
auth.github:
  enabled: true
  allow_sign_up: true
  scopes: user:email,read:org
  auth_url: https://github.com/login/oauth/authorize
  token_url: https://github.com/login/oauth/access_token
  api_url: https://api.github.com/user
  team_ids: 259420
  allowed_organizations: Orgs
  client_id: 123456
  client_secret: 123456
My Github OAuth app URLs are configured as shown below:
Homepage URL:
https://grafana.example.space
Authorization callback URL:
https://grafana.example.space/login/github
But when I try to log in using GitHub authentication, I see the error below:
t=2022-01-02T12:33:03+0000 lvl=eror msg="Failed to look up user based on cookie" logger=context error="user token not found"
t=2022-01-02T12:33:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/live/ws status=401 remote_addr=49.206.14.15 time_ms=0 size=32 referer=
Can someone please help me as to where am I missing out here?

Keycloak invalid redirect URL - grafana

I'm trying to integrate Keycloak with Grafana dashboards, but when I try to log in to Grafana via Keycloak I receive "invalid redirect URL".
I've added the below config to grafana.ini:
[auth.generic_oauth]
enabled = true
scopes = openid email profile
name = Keycloak
tls_skip_verify_insecure = true
allow_sign_up = true
client_id = grafana
client_secret = ba342011-3705-483c-8e04-7f95be561cd5
auth_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/auth
token_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/token
api_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/userinfo
Every time I try to log in, it redirects to localhost:3000, but I didn't set this up on Keycloak.
I found many cases on Google but no luck on my side.
2021-11-02 12:43:06,838 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=grafana, clientId=grafana, userId=null, ipAddress=172.18.212.8, error=invalid_redirect_uri, redirect_uri=http://localhost:3000/login/generic_oauth
I want to mention that Grafana and Keycloak are installed on the same server.
You have missed this in the doc https://grafana.com/docs/grafana/latest/auth/generic-oauth/:
You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.
You didn't set root_url, so an incorrect redirect URL is generated (http://localhost:3000/login/generic_oauth) instead of the domain/IP:port you used in the browser. Fix that and it should be fine.
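To see exactly why Keycloak logs error=invalid_redirect_uri, the following added example (not part of the original answer, and not Keycloak's or Grafana's own code) builds the redirect_uri the way Grafana does from root_url and checks it against a simplified model of Keycloak's "Valid Redirect URIs" wildcard rule. The root URL and the redirect pattern are assumed values for illustration; the is_overly_permissive check is the caveat for the tempting "just put *" fix.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; the pattern is what you would enter under
# "Valid Redirect URIs" on the Keycloak client, not something copied from the asker's realm.
GRAFANA_ROOT_URL = "http://192.168.101.223:3000/"
VALID_REDIRECTS = ["http://192.168.101.223:3000/*"]


def grafana_callback(root_url, provider="generic_oauth"):
    """Grafana derives redirect_uri from [server] root_url plus /login/<provider>.
    The compiled-in default root_url is http://localhost:3000/, which is why the
    LOGIN_ERROR above shows redirect_uri=http://localhost:3000/login/generic_oauth."""
    return root_url.rstrip("/") + "/login/" + provider


def keycloak_accepts(redirect_uri, valid_redirects):
    """Simplified model of Keycloak's Valid Redirect URIs check: an entry matches exactly,
    or, when it ends in '*', matches any URI that starts with the text before the '*'.
    (Keycloak honours the wildcard only at the end of a pattern.)"""
    for pattern in valid_redirects:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def is_overly_permissive(pattern):
    """Flag patterns that let an attacker choose the host: a bare '*' or a wildcard in
    the host part turns the authorization endpoint into an open redirector for codes."""
    if pattern.strip() == "*":
        return True
    host = urlsplit(pattern).hostname or ""
    return "*" in host


def diagnose(root_url, valid_redirects):
    """Return ('ok', uri) or ('invalid_redirect_uri', uri) for a given Grafana root_url."""
    uri = grafana_callback(root_url)
    return ("ok" if keycloak_accepts(uri, valid_redirects) else "invalid_redirect_uri", uri)


if __name__ == "__main__":
    print(diagnose("http://localhost:3000/", VALID_REDIRECTS))  # root_url unset: rejected
    print(diagnose(GRAFANA_ROOT_URL, VALID_REDIRECTS))          # root_url set: accepted
    for p in ["*", "http://*", "http://192.168.101.223:3000/*"]:
        print(p, "permissive" if is_overly_permissive(p) else "scoped")
```

Keep the Keycloak pattern scoped to the scheme, host and port you actually serve Grafana on; widening it to a bare * makes the error go away but lets any site receive the authorization code.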

Airflow- configure smtp with office365 without credentials

When a task/DAG fails I want to send an email to someone, and this does not work. We are using Office365 for this within the organisation, and there should not be a need to authenticate with user or password credentials, as it is not done in other running projects. We are using the latest Airflow version released: 2.1.4
I have tried with the configuration in airflow config:
[email]
email_backend = airflow.utils.email.send_email_smtp
email_conn_id = smtp_default
default_email_on_retry = True
default_email_on_failure = True
[smtp]
smtp_host = <the smtp host(Office365)>
smtp_starttls = True
smtp_ssl = False
smtp_port = 25
smtp_mail_from = <the from email>
smtp_timeout = 30
smtp_retry_limit = 5
As I try this I get the following error in the airflow log when a task fails:
WARNING - section/key [smtp/smtp_user] not found in config
...
ERROR - Failed to send email to: ['<my email>']
Therefore I suppose I need to have a user if I use these options in the config.
There is also this information in the log:
PendingDeprecationWarning: Fetching SMTP credentials from configuration variables will be deprecated in a future release. Please set credentials using a connection instead.
I have been looking at this airflow documentation:
https://airflow.apache.org/docs/apache-airflow/stable/howto/email-config.html
But it does not help me understand how I should set up a connection to our SMTP server, which is Office365. The problem is also that I don't have a user or password. I could possibly get them, but as it works without them in other running projects I am looking to do something similar.
Does anybody have some guidance in this matter?
Thank you
I have two clients set up with SMTP authorization; I just set it up as in the manual and it works. For my new client, their mail relay has no need to authenticate with a user or password; I just configured empty strings as follows and it works.
It will leave a PendingDeprecationWarning in the log.
[smtp]
...
smtp_starttls = False
smtp_ssl = False
smtp_user =
smtp_password =
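Why empty strings work: Airflow's send_email_smtp only calls login() when both smtp_user and smtp_password are non-empty, so blank values mean "anonymous relay" rather than a missing-key error. The block below is an added example, not part of the original answer and not Airflow's own code; it reproduces that decision sequence with plain smtplib and runs offline through a recording stand-in for the SMTP connection. The relay host, addresses and the three configs are constructed values. It also keeps STARTTLS on with certificate verification, which the answer's config turns off.

```python
import smtplib
import ssl
from email.message import EmailMessage


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP / SMTP_SSL that records calls instead of
    talking to a relay, so the example runs offline. Pass smtplib.SMTP for real delivery."""

    def __init__(self, host, port, timeout=None):
        self.calls = [("connect", host, port)]

    def starttls(self, context=None):
        self.calls.append(("starttls", context is not None))

    def login(self, user, password):
        self.calls.append(("login", user))

    def send_message(self, msg):
        self.calls.append(("send", msg["To"]))

    def quit(self):
        self.calls.append(("quit",))


def send_via_relay(cfg, msg, smtp_class=None):
    """Same decision sequence as Airflow 2.1's send_email_smtp: connect, STARTTLS if
    configured, log in only when BOTH smtp_user and smtp_password are non-empty, send, quit.
    Empty credentials therefore mean an unauthenticated relay, which the answer relies on."""
    if smtp_class is None:
        smtp_class = smtplib.SMTP_SSL if cfg["smtp_ssl"] else smtplib.SMTP
    conn = smtp_class(cfg["smtp_host"], cfg["smtp_port"], timeout=cfg.get("smtp_timeout", 30))
    try:
        if cfg["smtp_starttls"]:
            # create_default_context() verifies the relay's certificate. An unauthenticated
            # relay is only acceptable when the hop to it cannot be intercepted or spoofed.
            conn.starttls(context=ssl.create_default_context())
        if cfg["smtp_user"] and cfg["smtp_password"]:
            conn.login(cfg["smtp_user"], cfg["smtp_password"])
        conn.send_message(msg)
    finally:
        conn.quit()
    return conn


# Constructed configs; the host and addresses are placeholders, not the asker's values.
RELAY = "relay.example.org"

ANSWER_CFG = {  # what the answer above does: anonymous, and no TLS on the hop at all
    "smtp_host": RELAY, "smtp_port": 25, "smtp_starttls": False, "smtp_ssl": False,
    "smtp_user": "", "smtp_password": "",
}
HARDENED_CFG = dict(ANSWER_CFG, smtp_starttls=True)  # still anonymous, but encrypted hop
AUTH_CFG = dict(HARDENED_CFG, smtp_user="svc-airflow", smtp_password="s3cret")  # authenticated


def build_failure_mail(dag_id, task_id, to_addr, from_addr="airflow@example.org"):
    msg = EmailMessage()
    msg["Subject"] = "Airflow alert: %s.%s failed" % (dag_id, task_id)
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg.set_content("Task %s in DAG %s failed." % (task_id, dag_id))
    return msg


def delivery_plan(cfg):
    """Return the recorded call sequence for a config (offline run through RecordingSMTP)."""
    msg = build_failure_mail("etl_daily", "load", "oncall@example.org")
    return send_via_relay(cfg, msg, smtp_class=RecordingSMTP).calls


if __name__ == "__main__":
    for name, cfg in (("answer", ANSWER_CFG), ("hardened", HARDENED_CFG), ("auth", AUTH_CFG)):
        print(name, delivery_plan(cfg))
```

A relay that accepts unauthenticated mail is usually restricted by source IP; check with the mail team that the Airflow workers' egress addresses are on that list, and prefer smtp_starttls = True so the alert bodies (which often contain DAG and host names) do not cross the network in clear text.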

Grafana AAD Authentication - login.OAuthLogin(missing saved state)

I have an issue with login via AAD authentication.
I have an iframe where there is a panel, and the iframe is inside a web page with a user authenticated against AAD.
When the iframe opens it redirects me to the login page:
(it is supposed that we are authenticated but ...)
And if I press "Sign in with Microsoft", I get the error:
In grafana's logs I see:
t=2021-07-06T15:06:36+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=302 remote_addr=XX.XX.181.X time_ms=0 size=400 referer=https://mydomain.westeurope.cloudapp.azure.com:3000/login
t=2021-07-06T15:06:39+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/azuread status=500 remote_addr=XX.XX.181.X time_ms=0 size=1743 referer=https://login.microsoftonline.com/
But I don't know which is the problem ... any idea?
You may have a problem with the SameSite cookie config. Try GF_SECURITY_COOKIE_SAMESITE=none (but I don't guarantee that's the solution, because you didn't provide https://stackoverflow.com/help/minimal-reproducible-example; your browser console may give you ideas about what's blocked and why).
Generally: Grafana in the iframe is (will be) a problem, because browsers limit (or will limit in near future) this kind of access - see recent 2021 Chrome’s SameSite cookie update. Safari is also very strict in this limitation. So you may solve it, but some browser may still have this problem or may have this problem soon.
services:
  grafana:
    image: grafana/grafana:latest
    ports:
      - 3000:3000
    volumes:
      # grafana.ini (the second snippet) mounted over the container default
      - C:\Users\suraj.kalloli\grafana\keycloak.ini:/etc/grafana/grafana.ini
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command:
      - start-dev
      - --import-realm
    ports:
      # grafana.ini reaches Keycloak via host.docker.internal:8080, so this publish is required
      - "8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
    volumes:
      - ./keycloak-config/:/opt/keycloak/data/import/
[auth.generic_oauth]
name = OAuth login
icon = signin
enabled = true
scopes = openid
client_id = grafanatest
client_secret = 90z3ONKTTDSB9scsIevXebC2Ek6O6Ue8
use_pkce = false
allow_sign_up = true
auth_url = http://host.docker.internal:8080/realms/master/protocol/openid-connect/auth
token_url = http://host.docker.internal:8080/realms/master/protocol/openid-connect/token
api_url = http://host.docker.internal:8080/realms/master/protocol/openid-connect/userinfo
login_attribute_path = preferred_username
; JMESPath over the token/userinfo claims; ini keys take '=' not ':'.
; The trailing || 'Editor' means a user with neither realm role still becomes an Editor,
; so role_attribute_strict below never denies anyone; use 'Viewer' (or no fallback) for least privilege.
role_attribute_path = "contains(realm_access.roles[*], 'Admin') && 'Admin' || contains(realm_access.roles[*], 'Editor') && 'Editor' || 'Editor'"
role_attribute_strict = true
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[plugins]
allow_loading_unsigned_plugins = camptocamp-prometheus-alertmanager-datasource
; log level
[log.file]
level = debug
- Add a valid mapper to the client and turn email verification ON for the user (with respect to email) if you gave the scope as openid email or openid.
- Set the first name and last name for the user in Keycloak so Grafana can take the assigned names.
- The first snippet is the docker compose file.
- The second one is the keycloak.ini file.
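The role_attribute_path expression above decides which Grafana role each Keycloak user gets, and role_attribute_strict only matters when that expression yields nothing. The following added example (not part of the original answer, and not Grafana's JMESPath evaluator) renders the same precedence chain in Python over constructed realm_access claims and shows the effect of the fallback: with the page's || 'Editor', strict mode never denies anyone. The token payloads and user names are assumptions made up for the run.

```python
# Constructed token payloads shaped like Keycloak's realm_access claim; not captured data.
TOKENS = {
    "alice": {"preferred_username": "alice", "realm_access": {"roles": ["Admin", "offline_access"]}},
    "bob":   {"preferred_username": "bob",   "realm_access": {"roles": ["Editor"]}},
    "carol": {"preferred_username": "carol", "realm_access": {"roles": ["offline_access"]}},
    "dave":  {"preferred_username": "dave"},  # no realm_access claim at all
}

GRAFANA_ROLES = ("Admin", "Editor", "Viewer")


def realm_roles(claims):
    """realm_access.roles[*] in JMESPath terms; an absent claim is treated as no roles."""
    return claims.get("realm_access", {}).get("roles", [])


def map_role(claims, fallback):
    """Python rendering of the ini's role_attribute_path:
       contains(roles, 'Admin') && 'Admin' || contains(roles, 'Editor') && 'Editor' || <fallback>
    The ini uses 'Editor' as the fallback. Returns None when fallback is None and nothing
    matched, which is the only outcome role_attribute_strict = true can act on."""
    roles = realm_roles(claims)
    if "Admin" in roles:
        return "Admin"
    if "Editor" in roles:
        return "Editor"
    return fallback


def grafana_login_decision(claims, fallback, strict):
    """Model of Grafana's handling of the mapped role: strict=True denies login when the
    expression yields no valid role; strict=False admits such a user with the org default
    role (Viewer unless auto_assign_org_role says otherwise)."""
    role = map_role(claims, fallback)
    if role in GRAFANA_ROLES:
        return ("allow", role)
    if strict:
        return ("deny", None)
    return ("allow", "Viewer")


def decisions(fallback, strict):
    return {user: grafana_login_decision(c, fallback, strict) for user, c in TOKENS.items()}


if __name__ == "__main__":
    print(decisions("Editor", True))  # as on the page: carol and dave become Editors
    print(decisions(None, True))      # strict with no fallback: carol and dave are denied
    print(decisions("Viewer", True))  # least-privilege fallback: they can only view
```

Before turning role_attribute_strict on in production, run the expression against a user who holds none of the mapped roles and confirm the result is the one you intend; the page's expression makes every authenticated realm user at least an Editor.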

Where did the 'Register new email' button go?

I've setup my own test Gerrit server. I've been able to register my email address and make a couple of commits. However, I deleted my email address in order to get another confirmation email from my server, since I wanted to test the tweak I made to the SMTP server configuration. Going back to my Settings page on the GUI, I noticed the 'Register new email' button had vanished, as pictured below.
Though the email appears in the drop-down box, my email address was deleted, since 1) Settings > Identities does not show any email address, and 2) when I try to 'Edit config' on a Project, the GUI pops up the message:
I've also tried adding the email using the ssh shell, since I'm admin:
$ ssh -p 29418 myUsername@my.server.com gerrit set-account myUsername --add-email foo@bar.com
fatal: realm does not allow adding emails
What's the matter?
EDIT : Here is my etc/gerrit.config file. Yes, I've restarted Gerrit after I've changed it. For sendemail configuration, I've also tried setting the port to 465 and encryption to ssl and restart Gerrit, but it's still the same.
[gerrit]
basePath = git
serverId = [alphanumeric string]
canonicalWebUrl = http://my.server.com:8012/
[database]
type = h2
database = /home/gerrit2/gerrit/db/ReviewDB
[auth]
type = OAUTH
[receive]
enableSignedPush = false
[user]
name = gerrit2
email = foo.noreply@gmail.com
[sendemail]
from = USER
smtpServer = smtp.gmail.com
smtpServerPort = 587
smtpEncryption = tls
smtpUser = foo.noreply@gmail.com
smtpPass = [foo.noreply@gmail.com 's Pass]
sslVerify = false
[container]
user = root
javaHome = /usr/lib/jvm/java-8-openjdk-amd64/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = http://*:8012/
[cache]
directory = cache
[plugin "gerrit-oauth-provider-google-oauth"]
client-id = [Google client ID]
link-to-existing-openid-accounts = true
[plugin "gerrit-oauth-provider-github-oauth"]
client-id = [GitHub client ID]
[plugin "gerrit-oauth-provider-bitbucket-oauth"]
client-id = [BitBucket client ID]
When
auth.type = OAUTH
you need to add explicitly:
[oauth]
allowRegisterNewEmail = true
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#oauth.allowRegisterNewEmail