v1.9.30 Permission issues when using org_id!=1 in Grafana OSS #5096
Comments
dinfdsooff
changed the title
|
Hello @joeyorlando, could you add your input on this topic with a comment it would be much appreciated! :) |
|
Same issue we can't make it work for other grafana organisations, we receive 403 error during setup |
|
oncall oss does not support multiple orgs (#598 (comment); OnCall on Grafana Cloud does however 🙂) |
|
Hello @joeyorlando does not support even when using different engines and databases per org? Here there is a comment that it works #598 (comment) however not for us. Unfortunately, we can use only Grafana Self Hosted in our company so this is a major blocker for us, probably will find a paid solution. |
|
From what my company has done, we can manually create a new service account in the right organization, and then try to connect to oncall. This has worked for us. We use the same naming scheme as the one created automatically by oncall, and just increment it each time. the service account needs admin permissions. (We also assigned each manually created service account all oncall permissions) First org service account: Second org service account: Third org service account: |
What went wrong?
What happened:
Plugin is not connected Unauthorized/Forbidden while accessing OnCall engine: /api/internal/v1/plugin/v2/status, status code: 403, check tokenWe use multiple organisations in Grafana OSS, and we want to connect
org_id=2with the engine, we managed to configure it for defaultorg_id=1but if we specify other organisation it breaks with permissions issues, the service account is created only inorg_id=1.Service account id
sa-1-extsvc-grafana-oncall-appis created only inorg_id=1and not in the specified organization, for exampleorg_id=2, so it works only fororg_id=1Tried to find any documentation or info how to configure the oncall plugin to work with other organisation other than the default and did not find any information
grafanaTokenandonCallApiTokenare not generated in the tablepublic.plugin_settingfororg_id!=1What did you expect to happen:
I would expect plugin service account
sa-2-extsvc-grafana-oncall-appto be generated fororg_id=2and authentication to work with the engine, or at least provide a way to create that manually.I would expect to have Documentation:
org_id!=1for Grafana OSS. It would be nice to include all the relevant info regarding this topic, such as current status and feature plans, env variables to configure, manual API calls that we need to trigger, if we need multiple Engines , DB, Redis, RabbitMQ, or one, how to do separation between organization data?org_idHow do we reproduce it?
curl -X POST -H "X-Grafana-Org-Id: 1" "https://grafana.xxxx.xxx/api/plugins/grafana-oncall-app/settings" \ -H "Content-Type: application/json" -H "Authorization: Basic xxxxxxxx" \ -d '{ "enabled": true, "jsonData": { "stackId": 5, "orgId": 100, "license":"OpenSource", "onCallApiUrl": "http://oncall-engine:8080/", "grafanaUrl": "http://grafana:80/" } }'curl -X POST -H "X-Grafana-Org-Id: 2" "https://grafana.xxxx.xxx/api/plugins/grafana-oncall-app/settings" \ -H "Content-Type: application/json" -H "Authorization: Basic xxxxxxxx" \ -d '{ "enabled": true, "jsonData": { "stackId": 5, "orgId": 2, "license":"OpenSource", "onCallApiUrl": "http://oncall-engine-second:8080/", "grafanaUrl": "http://grafana:80/" } }'curl -X POST -H "X-Grafana-Org-Id: 1" -H "Authorization: Basic xxxxxxx" 'https://grafana.xxxx.xxxx/api/plugins/grafana-oncall-app/resources/plugin/install'curl -X POST -H "X-Grafana-Org-Id: 2" -H "Authorization: Basic xxxxxxx" 'https://grafana.xxxx.xxxx/api/plugins/grafana-oncall-app/resources/plugin/install'org_id=1Grafana OnCall Version
v1.9.30
Product Area
Auth, API
Grafana OnCall Platform?
Kubernetes
User's Browser?
No response
Anything else to add?
Grafana version
11.2.0The text was updated successfully, but these errors were encountered: