Cribl setup in GitOps mode with Azure AD Auth
Hello, I have my Cribl setup in GitOps mode (https://docs.cribl.io/stream/gitops/). I also have it set up to auth against Azure AD (https://docs.cribl.io/stream/usecase-azure-ad/).
Further, I have defined several Azure AD groups including one that I have assigned the GitOps role to (https://docs.cribl.io/stream/gitops/#user-role). When I attempt to follow the instructions (https://docs.cribl.io/stream/gitops/) about obtaining a Bearer token and use an account that is only in Azure AD, I always get “Invalid user or password”. However, if I use an account that exists internal to Cribl, it will succeed. I want to set up GitHub workflows to automate the sync once I complete a pull request. I realize I could create an internal user in Cribl and assign the GitOps role to it and just use that. But, I think I should be able to do this with an Azure AD user too. Has anyone run into this before and found a resolution? Thanks!
Answers
Does the AD mapping from AD groups to Cribl Roles work as expected to log into Cribl with the correct Cribl Role?
To validate the mapping: if you go to Monitoring->Logs with the filter channel=="auth" you can check log messages that might be helpful.
Additionally, I’m even having trouble getting this to work reliably via a local account. The sync API endpoint always returns forbidden when I try to use it.
So it seems that, fundamentally, the “login” endpoint will only attempt to use the local provider.
When I just tried to get the token again, I got this:
{ "time": "2023-08-10T13:32:08.088Z", "cid": "api", "channel": "auth", "level": "warn", "message": "Failed login", "user": "email@addr.ess", "provider": "local", "details": { "message": "Invalid user or password" } }
I notice that it is trying to use the “local” provider instead of the “sso” one
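An added example (not from the thread and not Cribl's own code) for triaging exported auth-channel logs for the pattern in the last comment: failed logins tried against the local provider for users that have no local account. Field names come from the log line quoted above; the extra sample lines, the user gitops-local and the local-user set are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample: first line mirrors the event quoted in the thread,
# the rest are made up to exercise the filter.
SAMPLE_LOG = """\
{"time":"2023-08-10T13:32:08.088Z","cid":"api","channel":"auth","level":"warn","message":"Failed login","user":"email@addr.ess","provider":"local","details":{"message":"Invalid user or password"}}
{"time":"2023-08-10T13:33:10.000Z","cid":"api","channel":"auth","level":"warn","message":"Failed login","user":"gitops-local","provider":"local","details":{"message":"Invalid user or password"}}
{"time":"2023-08-10T13:34:00.000Z","cid":"api","channel":"input","level":"info","message":"unrelated"}
not json at all
"""


def failed_logins(lines):
    """Yield auth-channel 'Failed login' events; skip junk and other channels."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in an export
        if not isinstance(event, dict):
            continue
        if event.get("channel") == "auth" and event.get("message") == "Failed login":
            yield event


def failures_by_provider(lines):
    """Count failed logins per authentication provider."""
    return Counter(e.get("provider", "unknown") for e in failed_logins(lines))


def provider_mismatches(lines, local_users):
    """Failed logins handled by the local provider for users with no local account.

    local_users is a hypothetical set of usernames known to exist locally.
    """
    hits = []
    for e in failed_logins(lines):
        if e.get("provider") == "local" and e.get("user") not in local_users:
            reason = (e.get("details") or {}).get("message")
            hits.append((e.get("time"), e.get("user"), reason))
    return hits


if __name__ == "__main__":
    for hit in provider_mismatches(SAMPLE_LOG.splitlines(), {"gitops-local"}):
        print("directory-only user checked against local provider:", hit)
```
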