Auth: Add skip_org_role_sync setting to OAuth integration Google (#61572)

* WIP

* Add: skip_org_role_sync for Google OAuth

- add setting for frontend
- add read of config
- add config to sample and default

* add: docs

* spelling

* Update pkg/login/social/social.go

* Apply suggestions from code review

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* removed unnecessary line

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
Eric Leijonmarck
2023-01-19 09:54:22 +01:00
committed by GitHub
parent 50df85189c
commit 0d42edddbf
8 changed files with 42 additions and 2 deletions


@@ -556,6 +556,7 @@ token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo api_url = https://www.googleapis.com/oauth2/v1/userinfo
allowed_domains = allowed_domains =
hosted_domain = hosted_domain =
skip_org_role_sync = false
#################################### Grafana.com Auth #################### #################################### Grafana.com Auth ####################
# legacy key names (so they work in env variables) # legacy key names (so they work in env variables)


@@ -560,6 +560,7 @@
;api_url = https://www.googleapis.com/oauth2/v1/userinfo ;api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains = ;allowed_domains =
;hosted_domain = ;hosted_domain =
;skip_org_role_sync = false
#################################### Grafana.com Auth #################### #################################### Grafana.com Auth ####################
[auth.grafana_com] [auth.grafana_com]


@@ -880,7 +880,7 @@ To prevent synchronization of organization roles for a specific OAuth integratio
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings. The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The following table shows the OAuth providers, the default value setting, and the skip org role sync setting. The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior | | OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| AzureAD | false | false | will sync with AzureAD roles | | AzureAD | false | false | will sync with AzureAD roles |
@@ -888,6 +888,20 @@ The following table shows the OAuth providers, the default value setting, and th
| AzureAD | false | true | skip org role sync for AzureAD users | | AzureAD | false | true | skip org role sync for AzureAD users |
| AzureAD | true | true | skip org role sync for AzureAD users and all other OAuth providers | | AzureAD | true | true | skip org role sync for AzureAD users and all other OAuth providers |
### [auth.google] skip_org_role_sync
Upon the first login from a user, we set the organization roles from the setting `AutoAssignOrgRole`. If you want to manage organizational roles, set the `skip_org_role_sync` option to `true`.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| Google | false | false | User organization roles are set with `defaultRole` and cannot be changed |
| Google | true | false | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| Google | false | true | User organization roles are set with `defaultRole` and the org role can be changed for Google synced users. |
| Google | true | true | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### api_key_max_seconds_to_live ### api_key_max_seconds_to_live
Limit of API key seconds to live before expiration. Default is -1 (unlimited). Limit of API key seconds to live before expiration. Default is -1 (unlimited).


@@ -68,3 +68,13 @@ When a user logs in using an OAuth provider, Grafana verifies that the access to
Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired. Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired.
By default, Grafana includes the `access_type=offline` parameter in the authorization request to request a refresh token. By default, Grafana includes the `access_type=offline` parameter in the authorization request to request a refresh token.
## Skip organization role sync
We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. To manage your user's organization role from within Grafana, set `skip_org_role_sync` to `true`.
```ini
[auth.google]
# ..
skip_org_role_sync = true
```


@@ -226,5 +226,6 @@ export interface AuthSettings {
JWTAuthSkipOrgRoleSync?: boolean; JWTAuthSkipOrgRoleSync?: boolean;
GrafanaComSkipOrgRoleSync?: boolean; GrafanaComSkipOrgRoleSync?: boolean;
AzureADSkipOrgRoleSync?: boolean; AzureADSkipOrgRoleSync?: boolean;
GoogleSkipOrgRoleSync?: boolean;
DisableSyncLock?: boolean; DisableSyncLock?: boolean;
} }


@@ -148,6 +148,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
"OAuthSkipOrgRoleUpdateSync": hs.Cfg.OAuthSkipOrgRoleUpdateSync, "OAuthSkipOrgRoleUpdateSync": hs.Cfg.OAuthSkipOrgRoleUpdateSync,
"SAMLSkipOrgRoleSync": hs.Cfg.SectionWithEnvOverrides("auth.saml").Key("skip_org_role_sync").MustBool(false), "SAMLSkipOrgRoleSync": hs.Cfg.SectionWithEnvOverrides("auth.saml").Key("skip_org_role_sync").MustBool(false),
"LDAPSkipOrgRoleSync": hs.Cfg.LDAPSkipOrgRoleSync, "LDAPSkipOrgRoleSync": hs.Cfg.LDAPSkipOrgRoleSync,
"GoogleSkipOrgRoleSync": hs.Cfg.GoogleSkipOrgRoleSync,
"JWTAuthSkipOrgRoleSync": hs.Cfg.JWTAuthSkipOrgRoleSync, "JWTAuthSkipOrgRoleSync": hs.Cfg.JWTAuthSkipOrgRoleSync,
"GrafanaComSkipOrgRoleSync": hs.Cfg.GrafanaComSkipOrgRoleSync, "GrafanaComSkipOrgRoleSync": hs.Cfg.GrafanaComSkipOrgRoleSync,
"AzureADSkipOrgRoleSync": hs.Cfg.AzureADSkipOrgRoleSync, "AzureADSkipOrgRoleSync": hs.Cfg.AzureADSkipOrgRoleSync,


@@ -427,6 +427,9 @@ type Cfg struct {
// AzureAD // AzureAD
AzureADSkipOrgRoleSync bool AzureADSkipOrgRoleSync bool
// Google
GoogleSkipOrgRoleSync bool
// LDAP // LDAP
LDAPEnabled bool LDAPEnabled bool
LDAPSkipOrgRoleSync bool LDAPSkipOrgRoleSync bool
@@ -1369,6 +1372,11 @@ func readAuthGrafanaComSettings(iniFile *ini.File, cfg *Cfg) {
cfg.GrafanaComSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false) cfg.GrafanaComSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
} }
func readAuthGoogleSettings(iniFile *ini.File, cfg *Cfg) {
sec := iniFile.Section("auth.google")
cfg.GoogleSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
}
func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) { func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
auth := iniFile.Section("auth") auth := iniFile.Section("auth")
@@ -1417,6 +1425,9 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
cfg.AzureAuthEnabled = AzureAuthEnabled cfg.AzureAuthEnabled = AzureAuthEnabled
readAuthAzureADSettings(iniFile, cfg) readAuthAzureADSettings(iniFile, cfg)
// Google Auth
readAuthGoogleSettings(iniFile, cfg)
// anonymous access // anonymous access
AnonymousEnabled = iniFile.Section("auth.anonymous").Key("enabled").MustBool(false) AnonymousEnabled = iniFile.Section("auth.anonymous").Key("enabled").MustBool(false)
cfg.AnonymousEnabled = AnonymousEnabled cfg.AnonymousEnabled = AnonymousEnabled
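Review bot: `readAuthGoogleSettings` only copies `skip_org_role_sync` into `cfg.GoogleSkipOrgRoleSync`, and none of the eight file sections in this commit consumes that field on the server side — the Google login/org-role sync code is not in the diff even though the commit message mentions touching `pkg/login/social/social.go` — so as far as this page shows the flag changes what the admin UI displays, not what happens to the role on the next Google login. Confirm the backend sync path honors `cfg.GoogleSkipOrgRoleSync` before relying on the documentation's promise that roles become manageable in Grafana. A one-line comment on the new reader would make its scope explicit: `// readAuthGoogleSettings reads [auth.google] skip_org_role_sync (default false) into cfg.GoogleSkipOrgRoleSync; enforcement lives in the OAuth sync path, not here.` The reader also uses `iniFile.Section(...)` while the SAML equivalent in the frontend-settings hunk goes through `SectionWithEnvOverrides`; verify that environment-variable overrides reach this read path, since `readAuthSettings` continues outside the hunk.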


@@ -135,7 +135,8 @@ export class UserAdminPage extends PureComponent<Props> {
(!config.auth.JWTAuthSkipOrgRoleSync && isJWTUser) || (!config.auth.JWTAuthSkipOrgRoleSync && isJWTUser) ||
// both OAuthSkipOrgRoleUpdateSync and specific provider settings needs to be false for a user to be synced // both OAuthSkipOrgRoleUpdateSync and specific provider settings needs to be false for a user to be synced
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GrafanaComSkipOrgRoleSync && isGrafanaComUser) || (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GrafanaComSkipOrgRoleSync && isGrafanaComUser) ||
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.AzureADSkipOrgRoleSync && isAzureADUser)); (!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.AzureADSkipOrgRoleSync && isAzureADUser) ||
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GoogleSkipOrgRoleSync && isGoogleUser));
const pageNav: NavModelItem = { const pageNav: NavModelItem = {
text: user?.login ?? '', text: user?.login ?? '',
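Review bot: The added `GoogleSkipOrgRoleSync` clause only decides whether the admin page treats the user as externally synced (and presumably hides or locks the role control); that is a UI convenience, not an authorization boundary, so the server-side org-user role update handler must apply the same `OAuthSkipOrgRoleUpdateSync`/`GoogleSkipOrgRoleSync` rule or a direct API request can still change a Google-synced user's role until the next login overwrites it. Whether that server-side check exists is not visible in this diff. `isGoogleUser` is referenced on the new line but defined outside the hunk; make sure it is derived from the same auth-module label the backend records for Google logins so the UI gate and backend behavior agree. The enclosing boolean expression begins before the hunk.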