Although I have the “Admin” role (provisioned using generic OAuth), I cannot open PMM v3.6.0’s:
Opening “Configuration” > “Org. management” > “Organizations”, results in:
While opening “Configuration” > “Org. management” > “Stats and licenses”, results in:
So it looks like I am missing the orgs:read permission.
Hi, seems you hit a bug. Would you mind opening a ticket at Jira?
Hi Ivan,
Somehow I am unable to create issues in your Jira (also mentioned this in my other topic UI annoyances when PMM upgrades are disabled in v3.6.0):
Or I’m doing something wrong, but this is what happens when I click the large blue “+ Create” button in the top menu.
Hi @hvtilborg
Would you be able to provide us with concrete steps on how to reproduce it? Apart from the UI, how can we achieve the same behavior? What configuration parameters do we need to apply?
Hello Alex,
We are using Grafana’s generic OAuth options, so authentication (and authorization) at Grafana is handled by our Dex instance. The Dex instance also provides the groups the user is a member of, which we use for authorization.
The configuration looks like this environment variable-wise:
GF_AUTH_GENERIC_OAUTH_ENABLED=true
GF_AUTH_GENERIC_OAUTH_NAME=Dex
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=pmm
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=pmm-client-secret-at-dex
GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile groups
GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<Dex public URL>/auth
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<Dex public URL>/token
GF_AUTH_GENERIC_OAUTH_API_URL=https://<Dex public URL>/userinfo
# Allow Grafana to make a user administrator if the role attribute path gives reason to that
GF_AUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true
# Needed so that automatically an account is created after their first successful authentication
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=(contains(groups[*], 'group_servermgmt@example.com') && 'Admin') || (contains(groups[*], 'group_dev@example.com') && 'Viewer') || (contains(groups[*], 'group_viewer@example.com') && 'Viewer') || 'None'
# Do not set a default role if no match is made by the "role_attribute_path" expression
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT=true
I myself am a part of the group_servermgmt@example.com group, which gives me the Admin role.
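
The role mapping in the configuration above can be checked offline. This added example (not from the thread and not Grafana or PMM code) resolves the role for a userinfo document and reports whether any clause can return GrafanaAdmin, the value Grafana maps to server administrator, as distinct from the organization role Admin. It handles only the clause shape used in that expression and is not a JMESPath evaluator, it treats a missing groups claim as no groups (an assumption), and the sample claims are constructed.

```python
import re

# Expression copied from GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH in the post above.
ROLE_ATTRIBUTE_PATH = (
    "(contains(groups[*], 'group_servermgmt@example.com') && 'Admin') || "
    "(contains(groups[*], 'group_dev@example.com') && 'Viewer') || "
    "(contains(groups[*], 'group_viewer@example.com') && 'Viewer') || 'None'"
)
# Matches one "(contains(groups[*], '<group>') && '<role>')" clause.
CLAUSE = re.compile(r"\(contains\(groups\[\*\],\s*'([^']+)'\)\s*&&\s*'([^']+)'\)")
ORG_ROLES = {"None", "Viewer", "Editor", "Admin"}  # organization-level roles
SERVER_ADMIN = "GrafanaAdmin"                      # server administrator

def parse(path):
    """Split the expression into ordered (group, role) clauses plus a fallback."""
    parts = [p.strip() for p in path.split("||")]
    clauses, fallback = [], None
    for i, part in enumerate(parts):
        m = CLAUSE.fullmatch(part)
        if m:
            clauses.append(m.groups())
        elif i == len(parts) - 1 and re.fullmatch(r"'[^']+'", part):
            fallback = part.strip("'")
        else:
            raise ValueError(f"unsupported clause shape: {part!r}")
    return clauses, fallback

def resolve(path, claims):
    """Role for one userinfo document; the first matching clause wins, as with ||."""
    clauses, fallback = parse(path)
    groups = claims.get("groups") or []  # assumption: missing claim means no groups
    for group, role in clauses:
        if group in groups:
            return role
    return fallback

def audit(path):
    """Roles the expression can return, unknown names, and server-admin reachability."""
    clauses, fallback = parse(path)
    roles = {role for _, role in clauses} | ({fallback} if fallback else set())
    return {"roles": roles,
            "unknown": roles - ORG_ROLES - {SERVER_ADMIN},
            "server_admin_reachable": SERVER_ADMIN in roles}

# Constructed userinfo document for a member of the server management group.
SAMPLE_CLAIMS = {"email": "user@example.com", "groups": ["group_servermgmt@example.com"]}

if __name__ == "__main__":
    print("role:", resolve(ROLE_ATTRIBUTE_PATH, SAMPLE_CLAIMS))
    print("audit:", audit(ROLE_ATTRIBUTE_PATH))
```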