
Grafana openshift monitoring OAuth Proxy: The request is missing a required parameter

I am using a brand new installation of openshift:

oc v3.11.0+62803d0-1
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://master.mydomain.fr:8443
openshift v3.11.0+2bcedfc-77
kubernetes v1.11.0+d4cacc0

I have 3 nodes:

[root@master centos]# oc get node
NAME                 STATUS    ROLES     AGE       VERSION
master.mydomain.fr   Ready     master    1d        v1.11.0+d4cacc0
node1.mydomain.fr    Ready     infra     1d        v1.11.0+d4cacc0
node2.mydomain.fr    Ready     compute   1d        v1.11.0+d4cacc0
node3.mydomain.fr    Ready     compute   1d        v1.11.0+d4cacc0
node4.mydomain.fr    Ready     compute   1d        v1.11.0+d4cacc0

I successfully configured everything, but now I am trying to access my grafana dashboards. I created a route:

grafana.mydomain.fr

I am redirected to the Login button of the OAuth Proxy. When I click on Login I am redirected to a blank page with JSON:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.","state":"7f3a18c95ae8237d39d35bf8ff317ae4:/"}

Here is the URI I am getting:

https://master.mydomain.fr:8443/oauth/authorize?approval_prompt=force&client_id=system%3Aserviceaccount%3Aopenshift-monitoring%3Agrafana&redirect_uri=https%3A%2F%2Fgrafana.mydomain.fr%2Foauth%2Fcallback&response_type=code&scope=user%3Ainfo+user%3Acheck-access&state=7f3a18c95ae8237d39d35bf8ff317ae4%3A%2F

After looking at the log I am getting:

no RBAC policy matched

I am pretty sure it is linked to my configuration (maybe the redirect URI is not correct) but to be honest I don't know how to configure it. Do you have an idea?

Thanks in advance

Geoffrey asked Nov 07 '22 22:11


1 Answer

I was facing the exact same issue while trying to expose Prometheus (OpenShift 3.11) and this is how I solved the issue.

The question does not make the route name clear, so in case you have created a route other than grafana, which is the default account that comes with openshift, one of the reasons could be the route name. That's because the serviceAccount that is being used in the authentication process is expecting to be used with a route named grafana, according to the section:

# Taken from grafana's serviceAccount
metadata:
  annotations:
    serviceaccounts.openshift.io/oauth-redirectreference.grafana: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana"}}'

This makes the authentication work specifically with a route named grafana, so either modify the original route with the desired domain or modify this annotation with the new router that you have created.

Mostafa Hussein answered Nov 15 '22 10:11
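
The check described in the answer above, as an added example that is not part of the original post or of OpenShift's code: it resolves the service account's oauth-redirectreference annotation to route hosts and compares them with the redirect_uri in the authorize URL from the question. The route names and hosts are constructed, and matching is simplified to scheme plus host.

```python
import copy
import json
from urllib.parse import parse_qs, urlsplit

PREFIX = "serviceaccounts.openshift.io/oauth-redirectreference."
# Service account annotation as quoted in the answer.
SERVICE_ACCOUNT = {"metadata": {"name": "grafana", "annotations": {
    PREFIX + "grafana": '{"kind":"OAuthRedirectReference","apiVersion":"v1",'
                        '"reference":{"kind":"Route","name":"grafana"}}'}}}
# Constructed routes: names and hosts are assumptions, not taken from the page.
ROUTES = [
    {"metadata": {"name": "grafana"}, "spec": {"host": "grafana.apps.example.test"}},
    {"metadata": {"name": "grafana-custom"}, "spec": {"host": "grafana.mydomain.fr"}},
]
# Authorize URL from the question.
AUTHORIZE_URL = ("https://master.mydomain.fr:8443/oauth/authorize?approval_prompt=force"
    "&client_id=system%3Aserviceaccount%3Aopenshift-monitoring%3Agrafana"
    "&redirect_uri=https%3A%2F%2Fgrafana.mydomain.fr%2Foauth%2Fcallback"
    "&response_type=code&scope=user%3Ainfo+user%3Acheck-access"
    "&state=7f3a18c95ae8237d39d35bf8ff317ae4%3A%2F")

def referenced_routes(sa):
    """Route names named by oauth-redirectreference annotations."""
    names = []
    for key, value in sa["metadata"].get("annotations", {}).items():
        if key.startswith(PREFIX):
            ref = json.loads(value).get("reference", {})
            if ref.get("kind") == "Route" and ref.get("name"):
                names.append(ref["name"])
    return names

def check_redirect(authorize_url, sa, routes):
    """Compare the request's redirect_uri host with the referenced routes' hosts."""
    hosts = {r["metadata"]["name"]: r["spec"]["host"] for r in routes}
    allowed = sorted(hosts[n] for n in referenced_routes(sa) if n in hosts)
    redirect = urlsplit(parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0])
    ok = redirect.scheme == "https" and redirect.hostname in allowed
    return {"redirect_host": redirect.hostname, "allowed_hosts": allowed, "ok": ok}

def with_route_reference(sa, route_name):
    """Copy of the service account whose annotation points at route_name."""
    fixed = copy.deepcopy(sa)
    ref = {"kind": "OAuthRedirectReference", "apiVersion": "v1",
           "reference": {"kind": "Route", "name": route_name}}
    fixed["metadata"]["annotations"][PREFIX + "grafana"] = json.dumps(ref)
    return fixed

if __name__ == "__main__":
    print(check_redirect(AUTHORIZE_URL, SERVICE_ACCOUNT, ROUTES))
    fixed = with_route_reference(SERVICE_ACCOUNT, "grafana-custom")
    print(check_redirect(AUTHORIZE_URL, fixed, ROUTES))
```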