
Cribl setup in GitOps mode with Azure AD Auth

Hello, I have my Cribl set up in GitOps mode (https://docs.cribl.io/stream/gitops/). I also have it set up to auth against Azure AD (https://docs.cribl.io/stream/usecase-azure-ad/).

Further, I have defined several Azure AD groups, including one that I have assigned the GitOps role to (https://docs.cribl.io/stream/gitops/#user-role). When I attempt to follow the instructions (https://docs.cribl.io/stream/gitops/) about obtaining a Bearer token and use an account that is only in Azure AD, I always get “Invalid user or password”. However, if I use an account that exists internally to Cribl, it will succeed. I want to set up GitHub workflows to automate the sync once I complete a pull request. I realize I could create an internal user in Cribl, assign the GitOps role to it, and just use that. But I think I should be able to do this with an Azure AD user too. Has anyone run into this before and found a resolution? Thanks!

Answers

  • Raanan Dagan
    Raanan Dagan Posts: 101 mod

    Does the AD mapping from AD groups to Cribl Roles work as expected, i.e. can you log into Cribl with the correct Cribl Role?

  • Raanan Dagan
    Raanan Dagan Posts: 101 mod

    To validate the mapping: if you go to Monitoring->Logs with the filter channel=="auth", you can check log messages that might be helpful.

  • Joshua Cook
    Joshua Cook Posts: 11

    Additionally, I’m even having trouble getting this to work reliably via a local account. The sync API endpoint always returns forbidden when I try to use it.

  • Joshua Cook
    Joshua Cook Posts: 11

    So it seems, fundamentally, that the “login” endpoint will only attempt to use the local provider.

  • Joshua Cook
    Joshua Cook Posts: 11
    edited August 2023

    When I just tried to get the token again, I got this:

    {
      "time": "2023-08-10T13:32:08.088Z",
      "cid": "api",
      "channel": "auth",
      "level": "warn",
      "message": "Failed login",
      "user": "email@addr.ess",
      "provider": "local",
      "details": {
        "message": "Invalid user or password"
      }
    }
    

    I notice that it is trying to use the “local” provider instead of the “sso” one.
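As an added example (not code from this thread or from Cribl), here is a small Python script that applies the channel=="auth" filter Raanan suggests to exported Cribl log lines and reports, per user, which provider handled each login attempt, the detail Joshua spotted in the entry above. The sample log lines are constructed from the entry posted in the thread; the “Successful login” message text, the gitops-bot user and the “http” channel line are assumptions made for illustration, and the script expects newline-delimited JSON as exported from Monitoring->Logs.

```python
import json
from collections import Counter

# Constructed sample of Cribl "auth" channel log lines (JSON, one per line),
# modelled on the entry pasted in the thread. The "Successful login" message
# text, the "gitops-bot" user and the "http" channel line are assumptions for
# illustration, not real Cribl output.
SAMPLE_LOG = """\
{"time":"2023-08-10T13:32:08.088Z","cid":"api","channel":"auth","level":"warn","message":"Failed login","user":"email@addr.ess","provider":"local","details":{"message":"Invalid user or password"}}
{"time":"2023-08-10T13:32:40.210Z","cid":"api","channel":"auth","level":"warn","message":"Failed login","user":"email@addr.ess","provider":"local","details":{"message":"Invalid user or password"}}
{"time":"2023-08-10T13:33:10.001Z","cid":"api","channel":"auth","level":"info","message":"Successful login","user":"gitops-bot","provider":"local"}
{"time":"2023-08-10T13:36:00.000Z","cid":"api","channel":"http","level":"info","message":"GET /api/v1/system/status"}
this line is not JSON and must be skipped
"""


def parse_auth_events(text):
    """Return only the channel=="auth" events from newline-delimited JSON text.

    Non-JSON lines and events on other channels are skipped, which mirrors
    the Monitoring->Logs filter channel=="auth" suggested in the thread.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("channel") == "auth":
            events.append(event)
    return events


def summarize_by_provider(events):
    """Count auth events by (provider, message), so it is obvious at a glance
    which provider ("local" vs "sso") actually handled each login attempt."""
    return Counter((e.get("provider", "?"), e.get("message", "?")) for e in events)


def failed_logins_for(events, user):
    """List (time, provider, reason) for every failed login attempt by `user`."""
    out = []
    for e in events:
        if e.get("message") == "Failed login" and e.get("user") == user:
            reason = (e.get("details") or {}).get("message", "")
            out.append((e.get("time", ""), e.get("provider", "?"), reason))
    return out


def providers_seen_for(events, user):
    """Set of providers that processed any login attempt for `user`. If an
    SSO-only user shows up here with only {"local"}, the API login path never
    consulted the SSO provider for that account."""
    return {e.get("provider", "?") for e in events if e.get("user") == user}


if __name__ == "__main__":
    evts = parse_auth_events(SAMPLE_LOG)
    for (prov, msg), n in sorted(summarize_by_provider(evts).items()):
        print(f"{prov:>6}  {msg:<18} {n}")
    user = "email@addr.ess"
    for t, prov, why in failed_logins_for(evts, user):
        print(f"{t}  provider={prov}  {why}")
    print("providers seen for", user, ":", sorted(providers_seen_for(evts, user)))
```

Run it against a log export instead of SAMPLE_LOG and look at the provider column: a user that is only defined in Azure AD should never produce "local" events for the API login, so a stream of "Failed login" entries with provider "local" and no "sso" entries for that user is the evidence to attach when raising the issue with Cribl support.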