Auth: Add skip_org_role_sync setting to OAuth integration Google (#61572)

* WIP

* Add: skip_org_role_sync for Google OAuth

- add setting for frontend
- add read of config
- add config to sample and default

* add: docs

* spelling

* Update pkg/login/social/social.go

* Apply suggestions from code review

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* Update docs/sources/setup-grafana/configure-grafana/_index.md

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>

* removed unnecessary line

Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
This commit is contained in:
Eric Leijonmarck 2023-01-19 09:54:22 +01:00 committed by GitHub
parent 50df85189c
commit 0d42edddbf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 42 additions and 2 deletions


@ -556,6 +556,7 @@ token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
allowed_domains =
hosted_domain =
skip_org_role_sync = false
#################################### Grafana.com Auth ####################
# legacy key names (so they work in env variables)


@ -560,6 +560,7 @@
;api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains =
;hosted_domain =
;skip_org_role_sync = false
#################################### Grafana.com Auth ####################
[auth.grafana_com]


@ -880,7 +880,7 @@ To prevent synchronization of organization roles for a specific OAuth integratio
The setting `oauth_skip_org_role_update_sync` will be deprecated in favor of provider-specific settings.
The following table shows the OAuth providers, the default value setting, and the skip org role sync setting.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| AzureAD | false | false | will sync with AzureAD roles |
@ -888,6 +888,20 @@ The following table shows the OAuth providers, the default value setting, and th
| AzureAD | false | true | skip org role sync for AzureAD users |
| AzureAD | true | true | skip org role sync for AzureAD users and all other OAuth providers |
### [auth.google] skip_org_role_sync
Upon the first login from a user, we set the organization roles from the setting `AutoAssignOrgRole`. If you want to manage organizational roles, set the `skip_org_role_sync` option to `true`.
> **Note:** There is a separate setting called `oauth_skip_org_role_update_sync` which has a different scope. While `skip_org_role_sync` only applies to the specific OAuth provider, `oauth_skip_org_role_update_sync` is a generic setting that affects all configured OAuth providers.
The following table shows the OAuth provider's setting with the default value and the skip org role sync setting.
| OAuth Provider | `oauth_skip_org_role_sync_update` | `skip_org_role_sync` | Behavior |
| --- | --- | --- | --- |
| Google | false | false | User organization roles are set with `defaultRole` and cannot be changed |
| Google | true | false | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
| Google | false | true | User organization roles are set with `defaultRole` and the org role can be changed for Google synced users. |
| Google | true | true | User organization roles are set with `defaultRole` for Google. For other providers, the synchronization will be skipped, and the org role can be changed, along with other OAuth provider users' org roles. |
### api_key_max_seconds_to_live
Limit of API key seconds to live before expiration. Default is -1 (unlimited).


@ -68,3 +68,13 @@ When a user logs in using an OAuth provider, Grafana verifies that the access to
Grafana uses a refresh token to obtain a new access token without requiring the user to log in again. If a refresh token doesn't exist, Grafana logs the user out of the system after the access token has expired.
By default, Grafana includes the `access_type=offline` parameter in the authorization request to request a refresh token.
## Skip organization role sync
We do not currently sync roles from Google and instead set the AutoAssigned role to the user at first login. To manage your user's organization role from within Grafana, set `skip_org_role_sync` to `true`.
```ini
[auth.google]
# ..
skip_org_role_sync = true
```


@ -226,5 +226,6 @@ export interface AuthSettings {
JWTAuthSkipOrgRoleSync?: boolean;
GrafanaComSkipOrgRoleSync?: boolean;
AzureADSkipOrgRoleSync?: boolean;
GoogleSkipOrgRoleSync?: boolean;
DisableSyncLock?: boolean;
}


@ -148,6 +148,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
"OAuthSkipOrgRoleUpdateSync": hs.Cfg.OAuthSkipOrgRoleUpdateSync,
"SAMLSkipOrgRoleSync": hs.Cfg.SectionWithEnvOverrides("auth.saml").Key("skip_org_role_sync").MustBool(false),
"LDAPSkipOrgRoleSync": hs.Cfg.LDAPSkipOrgRoleSync,
"GoogleSkipOrgRoleSync": hs.Cfg.GoogleSkipOrgRoleSync,
"JWTAuthSkipOrgRoleSync": hs.Cfg.JWTAuthSkipOrgRoleSync,
"GrafanaComSkipOrgRoleSync": hs.Cfg.GrafanaComSkipOrgRoleSync,
"AzureADSkipOrgRoleSync": hs.Cfg.AzureADSkipOrgRoleSync,
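Review bot: The new `"GoogleSkipOrgRoleSync"` entry exports the flag to the browser, but within this commit its only consumer is the role-edit gating in UserAdminPage; nothing server-side reads `hs.Cfg.GoogleSkipOrgRoleSync`, so if the intent is to stop role edits for Google-synced users, that check also has to live in the org-user update handler (outside this diff, so it may already be covered — worth confirming). As a point of style, the entry is inserted between `LDAPSkipOrgRoleSync` and `JWTAuthSkipOrgRoleSync`; placing it after `"AzureADSkipOrgRoleSync": hs.Cfg.AzureADSkipOrgRoleSync,` would keep the OAuth providers together. getFrontendSettingsMap continues outside the hunk.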


@ -427,6 +427,9 @@ type Cfg struct {
// AzureAD
AzureADSkipOrgRoleSync bool
// Google
GoogleSkipOrgRoleSync bool
// LDAP
LDAPEnabled bool
LDAPSkipOrgRoleSync bool
@ -1369,6 +1372,11 @@ func readAuthGrafanaComSettings(iniFile *ini.File, cfg *Cfg) {
cfg.GrafanaComSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
}
func readAuthGoogleSettings(iniFile *ini.File, cfg *Cfg) {
sec := iniFile.Section("auth.google")
cfg.GoogleSkipOrgRoleSync = sec.Key("skip_org_role_sync").MustBool(false)
}
func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
auth := iniFile.Section("auth")
@ -1417,6 +1425,9 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
cfg.AzureAuthEnabled = AzureAuthEnabled
readAuthAzureADSettings(iniFile, cfg)
// Google Auth
readAuthGoogleSettings(iniFile, cfg)
// anonymous access
AnonymousEnabled = iniFile.Section("auth.anonymous").Key("enabled").MustBool(false)
cfg.AnonymousEnabled = AnonymousEnabled
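Review bot: The new `GoogleSkipOrgRoleSync` field and `readAuthGoogleSettings` have no documentation beyond the `// Google` group marker, even though this same change documents the setting's semantics for operators. Suggest `// GoogleSkipOrgRoleSync mirrors skip_org_role_sync in [auth.google]; when true, org roles of Google-authenticated users may be changed in Grafana after the initial auto-assignment.` on the field and `// readAuthGoogleSettings reads the [auth.google] section into cfg.` on the function. The reader follows readAuthGrafanaComSettings, including the `MustBool(false)` default, so configs without the key keep their previous behaviour. readAuthSettings starts and ends outside the hunk.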


@ -135,7 +135,8 @@ export class UserAdminPage extends PureComponent<Props> {
(!config.auth.JWTAuthSkipOrgRoleSync && isJWTUser) ||
// both OAuthSkipOrgRoleUpdateSync and specific provider settings needs to be false for a user to be synced
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GrafanaComSkipOrgRoleSync && isGrafanaComUser) ||
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.AzureADSkipOrgRoleSync && isAzureADUser));
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.AzureADSkipOrgRoleSync && isAzureADUser) ||
(!config.auth.OAuthSkipOrgRoleUpdateSync && !config.auth.GoogleSkipOrgRoleSync && isGoogleUser));
const pageNav: NavModelItem = {
text: user?.login ?? '',
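Review bot: The added alternative references `isGoogleUser`, which is not declared in this hunk and does not appear to be added anywhere else in the commit (the diffstat leaves this file with exactly these two additions), so it presumably already exists in the component — worth confirming it keys on the same auth label the Google connector assigns, otherwise the gate never applies. Stylistically, `!config.auth.OAuthSkipOrgRoleUpdateSync` is now repeated across four alternatives; hoisting it once, e.g. `const oauthSyncEnabled = !config.auth.OAuthSkipOrgRoleUpdateSync;`, would make the per-provider lines easier to read. The enclosing expression starts outside the hunk.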