
* Set every page to have defaults of 'Enterprise' and 'Open source' labels
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration pages to have of 'Cloud', 'Enterprise', and 'Open source' labels
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/enterprise-licensing pages to have 'Enterprise' labels
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/organization-management pages to have 'Enterprise' and 'Open source' labels
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/provisioning pages to have 'Enterprise' and 'Open source' labels
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/recorded-queries pages to have labels cloud,enterprise
* Set administration/roles-and-permissions/access-control pages to have labels cloud,enterprise
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set administration/stats-and-license pages to have labels cloud,enterprise
* Set alerting pages to have labels cloud,enterprise,oss
* Set breaking-changes pages to have labels cloud,enterprise,oss
* Set dashboards pages to have labels cloud,enterprise,oss
* Set datasources pages to have labels cloud,enterprise,oss
* Set explore pages to have labels cloud,enterprise,oss
* Set fundamentals pages to have labels cloud,enterprise,oss
* Set introduction/grafana-cloud pages to have labels cloud
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Fix introduction pages products
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set panels-visualizations pages to have labels cloud,enterprise,oss
* Set release-notes pages to have labels cloud,enterprise,oss
* Set search pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/audit-grafana pages to have labels cloud,enterprise
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/configure-authentication pages to have labels cloud,enterprise,oss
* Set setup-grafana/configure-security/configure-authentication/enhanced-ldap pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-authentication/saml pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault pages to have labels cloud,enterprise
* Set setup-grafana/configure-security/configure-request-security pages to have labels cloud,enterprise,oss
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/configure-team-sync pages to have labels cloud,enterprise
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set setup-grafana/configure-security/export-logs pages to have labels cloud,enterprise
  Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
* Set troubleshooting pages to have labels cloud,enterprise,oss
* Set whatsnew pages to have labels cloud,enterprise,oss
* Apply updated labels from review
  Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
  Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>

---------

Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com>
Co-authored-by: Isabel <76437239+imatwawana@users.noreply.github.com>
| aliases | description | labels | menuTitle | title | weight |
|---|---|---|---|---|---|
| | RBAC troubleshooting guide. | | Troubleshooting RBAC | Troubleshooting RBAC | 80 |

Troubleshooting RBAC
In this section, you’ll learn about logs that are available for RBAC and you’ll find the most common RBAC issues.
Enable debug logging
You can enable debug log messages for RBAC in the Grafana configuration file. Debug logs are added to the Grafana server logs.
```ini
[log]
filters = accesscontrol:debug accesscontrol.evaluator:debug dashboard.permissions:debug
```
Enable audit logging
{{% admonition type="note" %}} Available in [Grafana Enterprise]({{< relref "../../introduction/grafana-enterprise/" >}}) version 7.3 and later, and Grafana Cloud. {{% /admonition %}}
You can enable auditing in the Grafana configuration file.
```ini
[auditing]
enabled = true
```
All permission and role updates, and role assignments are added to audit logs. Learn more about [access control audit logs]({{< relref "../../../../setup-grafana/configure-security/audit-grafana/#access-control" >}}).
Missing dashboard, folder or data source permissions
[Dashboard and folder permissions]({{< relref "../../#dashboard-permissions" >}}) and [data source permissions]({{< relref "../../#data-source-permissions" >}}) can go out of sync if a Grafana instance version is upgraded, downgraded and then upgraded again. This happens when an instance is downgraded from a version that uses RBAC to a version that uses the legacy access control, and dashboard, folder or data source permissions are updated. These permission updates will not be applied to RBAC, so permissions will be out of sync when the instance is next upgraded to a version with RBAC.
{{% admonition type="note" %}} The steps provided below will set all dashboard, folder and data source permissions to what they are set to with the legacy access control. If you have made dashboard, folder or data source permission updates with RBAC enabled, these updates will be wiped. {{% /admonition %}}
To resynchronize the permissions:
- Make a backup of your database.
- Run the following SQL queries:

```sql
DELETE FROM builtin_role WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%');
DELETE FROM team_role WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%');
DELETE FROM user_role WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%');
DELETE FROM permission WHERE role_id IN (SELECT id FROM role WHERE name LIKE 'managed:%');
DELETE FROM role WHERE name LIKE 'managed:%';
DELETE FROM migration_log WHERE migration_id IN (
  'teams permissions migration',
  'dashboard permissions',
  'dashboard permissions uid scopes',
  'data source permissions',
  'data source uid permissions',
  'managed permissions migration',
  'managed folder permissions alert actions repeated migration',
  'managed permissions migration enterprise'
);
```

- Restart your Grafana instance.
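
Before running the deletes against a real database, it helps to see how many rows each statement will remove and to run them as a single transaction. The sketch below is an added example, not Grafana's own code: it runs the queries from this page against an in-memory SQLite database. The schema is a constructed minimum holding only the tables and columns the queries name, the sample rows are constructed, and the function names `build_sample_db`, `preview` and `resync` are hypothetical.

```python
import sqlite3

# Only the tables and columns named in the page's queries (constructed minimal schema).
ROLE_ID_TABLES = ("builtin_role", "team_role", "user_role", "permission")
MANAGED_IDS = "SELECT id FROM role WHERE name LIKE 'managed:%'"
MIGRATION_IDS = (
    "teams permissions migration", "dashboard permissions",
    "dashboard permissions uid scopes", "data source permissions",
    "data source uid permissions", "managed permissions migration",
    "managed folder permissions alert actions repeated migration",
    "managed permissions migration enterprise",
)
MARKS = ",".join("?" * len(MIGRATION_IDS))

def build_sample_db():
    """In-memory database with constructed rows: one managed role, one custom role."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE migration_log (migration_id TEXT)")
    db.executemany("INSERT INTO role VALUES (?, ?)",
                   [(1, "managed:example"), (2, "custom:example")])
    db.executemany("INSERT INTO migration_log VALUES (?)",
                   [("dashboard permissions",), ("constructed unrelated migration",)])
    for table in ROLE_ID_TABLES:
        db.execute(f"CREATE TABLE {table} (role_id INTEGER)")
        db.executemany(f"INSERT INTO {table} VALUES (?)", [(1,), (2,)])
    db.commit()
    return db

def preview(db):
    """Count the rows each DELETE would remove; changes nothing."""
    count = lambda sql, args=(): db.execute(sql, args).fetchone()[0]
    counts = {t: count(f"SELECT COUNT(*) FROM {t} WHERE role_id IN ({MANAGED_IDS})")
              for t in ROLE_ID_TABLES}
    counts["role"] = count("SELECT COUNT(*) FROM role WHERE name LIKE 'managed:%'")
    counts["migration_log"] = count(
        f"SELECT COUNT(*) FROM migration_log WHERE migration_id IN ({MARKS})", MIGRATION_IDS)
    return counts

def resync(db):
    """Run the page's deletes, in the page's order, inside one transaction."""
    with db:  # commits on success, rolls back if any statement fails
        for table in ROLE_ID_TABLES:  # before role: the subquery reads role rows
            db.execute(f"DELETE FROM {table} WHERE role_id IN ({MANAGED_IDS})")
        db.execute("DELETE FROM role WHERE name LIKE 'managed:%'")
        db.execute(f"DELETE FROM migration_log WHERE migration_id IN ({MARKS})", MIGRATION_IDS)

if __name__ == "__main__":
    sample = build_sample_db()
    print("rows each DELETE would remove:", preview(sample))
```

Roles whose names do not start with `managed:` and their assignments are left in place, and so are migration log entries outside the listed ids.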