v1.9.30 Permission issues when using org_id!=1 in Grafana OSS

[dinfdsooff]

What went wrong?

What happened:

• Plugin is not connected Unauthorized/Forbidden while accessing OnCall engine: /api/internal/v1/plugin/v2/status, status code: 403, check token
  
  

• We use multiple organisations in Grafana OSS, and we want to connect org_id=2 with the engine, we managed to configure it for default org_id=1 but if we specify other organisation it breaks with permissions issues, the service account is created only in org_id=1.

• Service account id sa-1-extsvc-grafana-oncall-app is created only in org_id=1 and not in the specified organization, for example org_id=2, so it works only for org_id=1

• Tried to find any documentation or info how to configure the oncall plugin to work with other organisation other than the default and did not find any information

• grafanaToken and onCallApiToken are not generated in the table public.plugin_setting for org_id!=1

What did you expect to happen:

• I would expect plugin service account sa-2-extsvc-grafana-oncall-app to be generated for org_id=2 and authentication to work with the engine, or at least provide a way to create that manually.

• I would expect to have Documentation:

  • a ReadMe or some info on how to setup OnCall plugin and Engine for organisation with org_id!=1 for Grafana OSS. It would be nice to include all the relevant info regarding this topic, such as current status and feature plans, env variables to configure, manual API calls that we need to trigger, if we need multiple Engines , DB, Redis, RabbitMQ, or one, how to do separation between organization data?
  • I would expect to have also some documentation or readme to explain the authentication flow between grafana <-> plugin <-> engine, for example if we need to create grafana token manually and configure them on the engine so it can access the API, and how to specify the org_id

How do we reproduce it?

1. Install Grafana Oncall Plugin
2. Enable the Grafana Plugin for both orgs
3. curl -X POST -H "X-Grafana-Org-Id: 1" "https://grafana.xxxx.xxx/api/plugins/grafana-oncall-app/settings" \ -H "Content-Type: application/json" -H "Authorization: Basic xxxxxxxx" \ -d '{ "enabled": true, "jsonData": { "stackId": 5, "orgId": 100, "license":"OpenSource", "onCallApiUrl": "http://oncall-engine:8080/", "grafanaUrl": "http://grafana:80/" } }'
4. curl -X POST -H "X-Grafana-Org-Id: 2" "https://grafana.xxxx.xxx/api/plugins/grafana-oncall-app/settings" \ -H "Content-Type: application/json" -H "Authorization: Basic xxxxxxxx" \ -d '{ "enabled": true, "jsonData": { "stackId": 5, "orgId": 2, "license":"OpenSource", "onCallApiUrl": "http://oncall-engine-second:8080/", "grafanaUrl": "http://grafana:80/" } }'
5. curl -X POST -H "X-Grafana-Org-Id: 1" -H "Authorization: Basic xxxxxxx" 'https://grafana.xxxx.xxxx/api/plugins/grafana-oncall-app/resources/plugin/install'
6. curl -X POST -H "X-Grafana-Org-Id: 2" -H "Authorization: Basic xxxxxxx" 'https://grafana.xxxx.xxxx/api/plugins/grafana-oncall-app/resources/plugin/install'
7. Connect to the engine succesfully for org_id=1

Grafana OnCall Version

v1.9.30

Product Area

Auth, API

Grafana OnCall Platform?

Kubernetes

User's Browser?

No response

Anything else to add?

Grafana version 11.2.0

[dinfdsooff]

Hello @joeyorlando, could you add your input on this topic with a comment it would be much appreciated! :)

[sdwerwed]

Same issue we can't make it work for other grafana organisations, we receive 403 error during setup

[joeyorlando]

oncall oss does not support multiple orgs (#598 (comment); OnCall on Grafana Cloud does however 🙂)

[sdwerwed]

Hello @joeyorlando does not support even when using different engines and databases per org? Here there is a comment that it works #598 (comment) however not for us.

Unfortunately, we can use only Grafana Self Hosted in our company so this is a major blocker for us, probably will find a paid solution.